How to get work in Information Security

I was browsing through job listings looking for examples of advertised jobs within information security. A number of adverts had me scratching my head. Read this one then ask yourself: What is the agency really looking for?

Are you a Security Specialist? Are you CISSP qualified or have commercial experience to that level? [agency] client require a Security Specialist (CISSP) with excellent understanding and practical use of security principles (CIA, AAA etc). As the Security Specialist you will be the lead in the design and implementation of 3rd party clients Security solutions – you will be required to have extensive experience of Solaris, AIX, Cisco devices, Networks and Microsoft Windows. As the Security Specialist you will be responsible for creating and maintaining a 2-year security technology roadmap and define projects to deliver the roadmap – therefore you must possess a strong understanding of the software development life cycle and development languages including C++, Java and .NET. Apply now for immediate consideration!!!

Taking the advert listing literally, the agency is looking for a CISSP certified person who is preferably also a certified information auditor. Someone who can design AND implement solutions. Create AND maintain a security strategy AND define the projects to fit the roadmap! Crikey – sounds to me like they are looking for a very strong tail to wag the dog. It goes on: someone who can also provide hands-on technical support AND hands-on development. If such a person exists, please contact me but don’t attach your 40 page CV, just turn up so that the rest of us can go home and have a nice cup of tea. Doubtless, said person can also fly a helicopter whilst writing custom NASLs with his teeth.

Why am I so interested? Somebody recently asked me how they might go about moving into a security role. I’m not sure there’s an easy answer because most of the professionals I speak to worked their way into their roles through having a deep interest in the subject. The same is true of my own path into my present job: I became interested in the subject whilst serving in the military, worked and paid my own way through a CISSP certification and a chance conversation at a photocopier with an IT Manager led me to applying for my first security specific role – for which I got turned down due to a lack of experience! So, I took a big chance – and so too did the organisation in question – I offered myself up as a contractor for a couple of months with the proposal being that they set me some objectives and then keep me on full time afterwards if I met them.

The rest is history, and I’ve been fortunate to have landed jobs working for and with some of the best people in the security industry. So really, I got into security through a combination of my interest, enthusiasm, skillset, luck, and talking to the right people. This blog post provides some excellent feedback to a graduate looking for his first security role: What I would recommend is steering clear of responding to job adverts such as the example above. That one sounds either like an organisation with no idea of what to look for or expect from a security professional, or an agency that’s been asked to write an advert without having any job spec to go on. Here’s another good blog entry with useful information:

Bruce Schneier makes some comment about the value of certifications on his blog here: Bruce states “When I’ve hired people to design and evaluate security systems, I’ve paid no attention to certifications. They are meaningless; I need a different set of skills and abilities.” It’s a fair point but bear in mind that security certifications helped me when I already had a toe in the door but wanted to push my whole leg through.

So, bottom line, if you’re looking for a job in security, then it’s no different from trying to get work in any other field. Don’t sit on the fence, show commitment and interest, network with people working in the profession already, and become a member of an institute such as the IISP which offers an affiliate level membership.

Let me know your thoughts on this subject because I know it’s something often debated.