Let me preface this as saying I’m not an expert. I have had the benefit of meeting some very smart key individuals who have helped me along the way. I feel that because I received help in the form of advice and teachings that it is my responsibility to pass this knowledge down. With that now being said let’s get started.
Before you make a decision on a career path in security know that there are different avenues of security, which are vastly different. The different roles of security will require different skillsets and perform different tasks regularly. This list will not entail every security positions available but I can list a few which areas.
Information Security Consultant is a popular position and extremely common. Info Sec Consultants will work with their organization or clients to achieve a strong position in regards to compliance. An Info Sec position is a less technical position. Traditionally Info Sec members should have IT experience and understand the system their auditing. However, today it is very common for Info Sec professionals to have little to no IT experience and learn the particular framework, which their clients or organizations are trying to strive to achieve. These frameworks are usually based on NIST CSF or ISO 27001. This position will spend a large majority of time working in Policy/Procedure documentation. Additionally, creating Policy/Process documentation or working with an organization to improve their documentation is something Info Sec individuals will do consistently. To succeed at this position you must have strong reading comprehension skills, excellent writing skills and an eye for detail. Info Sec positions will vary with regards to the IT skills required but overall from my experience the Info Sec crowd is much different from the engineering team. The InfoSec crowd will focus on creating/reviewing and updating the policies/procedure documentation for organizations. Organizational policies/procedures will need to align and match the compliance/legal requirements of the specific regulatory compliance standards such as PCI, FISMA or HIPAA/Hitrust. The InfoSec team will also need to review implementations of the technical controls which will require advanced IT knowledge to truly assess the organizations security posture.
To obtain employment in the field of Information Security it is important to have a strong background in advanced writing and reading comprehension. I’d say a Bachelors degree is more important for a career in Information Security as having the experience of advanced writing will be extremely important. I’d also suggest learning about the basics of networking, access control
The Security Engineer is a different path for security professionals. As a Security Engineer you will need a strong technical background in IT. As a Security engineer you will be expected to understand at a minimum the basics of networking, server administration, access controls, web services and secure communication protocols. Additionally, skills such as programming, and report writing will be extremely helpful. Security Engineers will have a less predictable day to day as the tasks they face can be drastically different. A Security Engineer can review vulnerability scans or parse through logs of different equipment as examples of things performed regularly. Security Engineering roles often have different responsibilities including implementing projects, automating tasks, responding to alerts/threats and working with the compliance folk. A security engineer will work to remediate, and increase the security posture of an organization. As excitement goes the Security Engineer will face a different set of challenges, which can be exciting at times.
To become a security engineer I’d suggest one of two routes. The first route would be to obtain a computer science degree and have a strong foundation in programming. Expect to be forced to learn IT and spend extra free time on learning how the infrastructure works. The reverse is also true; my route to security came from working in IT. Starting in IT and learning different aspects such as networking, servers, applications and access controls can lead to a promising security career. As any security engineer will tell you this job does not end once you’re off the clock. Security engineers who thrive in this business will tell you that spending your free time reading about new threats, and learning new skills will be a regularly occurrence. IT/Security advances very quickly and it doesn’t take long to become obsolete.
A career in Security can be extremely rewarding and profitable. However, it can be extremely challenging and difficult which is why it is profitable. The Security industry requires constant self-study and continuing education. In Security you can truly advance as far as your capability and determination will take you.