How to Become an IT Security Professional
IT security has become the “next big thing” in the job market — more IT professionals, regardless of background and experience, have been rushing to get into this field. Many people want the coolness and prestige that comes with being “Firewall Guy” or the girl who stops hackers in their tracks with some quick, deft keyboarding in the critical pinch. Unfortunately, many are finding out that the world of network security is not as glamorous as TV and films might portray.
Successful IT security people work long, tiring hours, often with no reward other than knowing that if everything is going right, and the network is secure, no one notices. Unsuccessful ones, on the other hand, find that in the event of a security breach, everyone usually notices because of data theft, denial of service attacks, viruses, potential downtime and other unpleasant things.
Additionally, successful network security professionals are not often the most well-liked individuals in the organization because they have the heavy responsibility of being the “bad cop,” enforcing security policy when everyone would like to be playing computer games, downloading illegal music and playing fantasy football. In the event of a serious security breach, unsuccessful ones are liked even less.
Reaching the pinnacle of network security engineer is not an easy road, either. Most people who are successful have many years of experience in a wide variety of IT fields, all of which are useful to an IT security professional. Having experience in only database design, for example, can be very useful if you are tasked with only securing databases, but unfortunately, it won’t help you configure the company firewall.
In this respect, generalists are usually more successful than specialists — a good security engineer has experience in databases, client/desktop support, networking system administration, computer maintenance and programming. These are the key areas that a security engineer must draw from when designing and configuring enterprise-level networks.
In addition to the concrete technological skills, the ideal network security engineer must possess some soft skills, as well. Customer service skills, problem-solving skills and the ability to think clearly, reason through tough situations, deal with management, communicate clearly and write well are things that make the difference between a “smart” but unsuccessful engineer and a successful one.
Once IT professionals have made the choice to become the all-knowing, all-seeing Superbeing known as the network security engineer, they have made a choice that will drive everything they learn and do from that moment forward. Playing with every new security tool known to man, reading security articles and books, learning everything from protocol analysis and packet structure to firewall and router configurations, and keeping up with the latest vulnerabilities and security strategies — these are just some of the new hobbies the IT security wannabe will have to take up.
Typical IT security job titles and roles, in addition to the coveted title of network security engineer, are security specialist/technician, security analyst and security auditor. Additionally, depending on how the organization is structured, security roles might be broken down further by department or function. Titles such as application security specialist or infrastructure security technician aren’t at all uncommon. Keep this in mind: Even in the bigger organizations that have dozens of IT people working for them, functions, titles and roles can get a bit fuzzy, and they usually are tailored to the needs of the organization.
Also keep in mind that our discussion mainly revolves around enterprise-level security job roles. In the smaller organizations that might have only a limited IT staff or even the “one-person-IT shops,” the client support specialist, systems administrator and network security engineer might all be the same person, in addition to being the receptionist or facilities manager. With that in mind, here’s a brief description of the various levels of IT security professionals, what their duties might encompass and some of the qualifications they should have.
A security specialist or technician is typically the entry-level or junior position in the IT security field. These people usually are just starting out in the security arena, possibly coming from the help desk or mid-level support tiers such as junior-level systems administration. Their duties typically include managing only certain specialized aspects of security such as maintaining the antivirus and security patch servers or reviewing the firewall logs. They might be responsible for applying security measures to servers after system administrators have built them, but before they are connected to the network. Additionally, they assist the engineers in the day-to-day security tasks. This is a learning position, and as such, it does not require an extensive set of credentials — a good working knowledge of operating systems, computer repair and a solid foundation in networking are important to the junior security professional. Other technical skills such as database or programming skills are a plus. As far as education goes, an associate degree in a general computer- or technology-related field is probably sufficient but not necessarily required. IT professional certifications that would be helpful are CompTIA’s A+, Network+ and Security+. Having a SANS GSEC certification would put them ahead of the power curve at this stage of their career.
At the mid- or experienced professional level, we can assume security specialists or technicians would already need to have been in the security field for possibly two or more years, or at the very least they would be experienced, midlevel professionals in another closely related field such as systems administration or software development/engineering. At this level, the position will require them to be more involved with the day-to-day security tasks, as well as to lead security implementation projects such as installing and configuring a new firewall array or conducting vulnerability assessments on the enterprise infrastructure. They also can lead small teams of other security technicians.
These midlevel security specialists should require little supervision and could accomplish most tasks alone. They also assist the security engineers as needed, and they should already know basic security principles and terminology such as those tested by the Security+ exam. At this level, they might have some college or a four-year degree in a computer-related field. They should at least have or be working toward vendor-neutral certifications such as the SCNP or ISC2’s SSCP, or a more technically-focused security certification such as the SANS GCFW, GCWN and GCUX. They also might have more vendor-specific certifications such as the MCSE: Security or Red Hat. Representative job titles might be security specialist, analyst, senior technician, etc.
Finally, at the top of the heap, so to speak, we have the network security engineer. This is usually the most senior, technically and professionally demanding level a security professional can reach. IT professionals making it to this level probably have five or more years in the security field. At this level, they might be leading other security professionals in the organization, they might be in charge of the security division or they might be on the chief information officer’s staff.
They’ll likely be responsible for security design and architecture, strategic planning, and maybe even the testing and evaluation of new products. As senior-level security professionals, they might be expected to advise the CIO or CISO on all information security issues that affect the organization. They also might be expected to work compliance and regulatory issues for upper manage