Working as an IT Security Professional
The influx of infamous worms like Sobig, Blaster and Welchia has brought the information security field lots of new interest and attention. Working as an information security professional offers lots of interesting opportunities, but also requires significant dedication and focus. That’s because security is as much a matter of process and routine as it is a matter of learning and applying specific concepts, practices, principles and policies.
At last count, nearly 40 vendor-neutral and nearly 30 vendor-specific information security credentials were available. There are numerous entry- and intermediate-level credentials, with a range of specializations from computer forensics to security management to government-focused security and more. Given the vast array of choices, how can a savvy professional pick those most likely to boost his career?
Making the right selection depends on answering a few key questions, which will enhance your ability to pick and choose:
- How well is the credential recognized in the marketplace?
- How well known is the sponsoring organization?
- How good is the technical content of the credential itself?
- How often does the credential get mentioned in the trade press? In job postings or classified ads?
- How much time, effort and expense is involved?
For vendor-specific credentials, you’ll want to answer the foregoing questions, tempered by these additional items:
- Are the vendor’s equipment and products used at your current job? At a job you’re interested in? In general? (This corresponds to some rough measure of market share.)
- Can you get access to the vendor’s equipment or products for practice?
The only credentials worth pursuing nowadays are those that don’t cost too terribly much (at least, not when compared with their income-boosting potential) and those that will make a difference in your current or next job.
For vendor-neutral credentials, this means that the CompTIA Security+, the SANS GIAC Security Essentials Certification (GSEC) and, to a lesser extent, the TruSecure ICSA Computer Security Associate (TICSA) and Security Certified Professional (SCP) certifications are most worthy of consideration at the entry level. The same is true for the (ISC)²’s Certified Information Systems Security Professional (CISSP), ISACA’s Certified Information Security Manager (CISM) and intermediate-level SANS GIAC certifications on the next step up the information security certification ladder. After that, more homework is needed to deal with more specialized and more senior vendor-neutral credentials.
For vendor-specific credentials, market share tells much of the story without requiring consideration of workplace specifics. This works for me as I write this column, but I urge you to factor in your own circumstances and future goals as you determine how what you read here relates to you. Purely from a market-share perspective, Cisco, Check Point and Symantec are all noteworthy, but other vendor-specific certifications may weigh into your plans depending on what’s in use in your current (or next) job.
The elements of routine and maintenance can’t be overstated for current or would-be information security professionals, either. A large part of the job consists of staying informed about what’s happening, security-wise, in the broader world, and maintaining and monitoring the state of security for the systems and networks for which one is responsible.
From the first perspective—let’s call it a “current events” view—this means reading security advisories and alerts, keeping up with updates, patches and fixes for the operating systems and applications in use, and keeping an ear to the ground for breaking news and events of security import. Far better that you should learn about threats and vulnerabilities by reading about somebody else’s heartaches early on than by falling prey to such things at any point along the way.
From the second perspective—let’s call this the “walking the beat” view—it means monitoring logs from key systems and security infrastructure elements, keeping up with new hardware and software introductions, running regular security scans of your systems and networks, and working through occasional security audits as well.
A ton of responsibility rests on those who work in security. But for those who can handle the constant activity and learning and cope with the occasional pressures of “incident handling” (a polite euphemism for what happens when you come under attack or discover evidence that a successful attack has already occurred), working in information security can be rewarding in many ways, personally, professionally and sometimes even financially. With demand for infosec pros on the rise, it’s worth pondering for IT professionals of all stripes.
Ed Tittel is president of LANwrights Inc. and is contributing editor for Certification Magazine. E-mail Ed with your questions and comments at firstname.lastname@example.org.