An information security career: What does it take?

Getting that first information security career break is still elusive for many Indian IT pros. KK Mookhey details essentials for an infosec career break.

The field of information security is exciting, challenging and very dynamic. For a young IT professional it offers a wide array of opportunities to grow. In this article, I'll try to explore some of the avenues that an aspirant can consider, as well as the background skills and training required to excel in this field.

For a fresher
As in any other field, your challenges are greater as a fresher when it comes to an information security career. But the beauty of information security is that it offers you numerous options to conduct independent research. If you can demonstrate to a potential employer that you have done some original research, scripted tools or utilities, written a blog on the subject, or completed freelance projects, your chances of landing a job increase dramatically.

As an employer, I receive dozens of resumes every day, and what makes the special ones stand out is the spark of passion and self-motivation that is evident from the work a person has done, even though he may not have received any remuneration for it. For example, I hired a guy simply because he demonstrated immense passion for the field and listed solving the Rubik's Cube as one of his hobbies.

For someone starting out in this field, it is advisable to keep your mind open, and not restrict yourself to any specific domain. But as you go ahead, you can either become a generalist information security expert, or specialize in the following:

1. Computer forensics – Learn forensic investigation tools and techniques to investigate cyber crimes and financial crimes.

2. IT security auditor – Focus on auditing capabilities. As part of this, you must explore platforms like mainframes, SAP, and core banking platforms as your areas of expertise.

3. Application security specialist – Specialize in areas like secure coding, security testing tools and techniques, secure design of web applications, and threat modeling.

4. Compliance specialist – Focus on helping organizations comply with standards and regulations such as ISO 27001, PCI DSS, HIPAA, FDA and Sarbanes-Oxley.

5. Security solutions architect – Specialize in secure network architecture, security solutions procurement and deployment, and hardening of infrastructure.

6. Security trainer – Focus on spreading knowledge about information security and creating awareness at all levels.

7. Cyber law expert – Combine knowledge of the Indian IT Act 2008 with IT knowledge and forensics know-how.

Information security careers for mid-level IT professionals
A mid-level IT professional such as a systems administrator or network administrator who wants to make the jump into information security can do so by getting himself properly trained or certified. Typical job opportunities exist as security administrators, security auditors, and even as security consultants.

Certifications that an IT professional may go in for include the CISA (Certified Information Systems Auditor) and the CISSP (Certified Information Systems Security Professional). In case you don't meet the requirements for either of these certifications, you can go in for training that covers subjects such as ISO 27001, business continuity, and ethical hacking. Your target should be either the role of a Chief Information Security Officer (CISO) or that of a senior security consultant.

Senior professionals and information security careers
The information security industry offers career opportunities for all levels of professionals. As an experienced IT professional, you could look at acquiring a bunch of certifications such as the CISA or the CISSP along with PMP (Project Management Professional) and ABCP/CBCP (Business Continuity Planning). Your past experience and knowledge in IT can help you get a quick launch into the role of a CISO or a senior security consultant.

This also brings me to the point where I'd like to discuss some of the skills or traits I like to see in security professionals. So in addition to strong communication skills and analytical abilities, the following are key success criteria:

1. High level of passion - Security changes on an almost daily basis – there are new tools, attack vectors, and vulnerabilities being discovered almost hourly. A security professional can remain ahead of the game only by constantly updating himself, and this requires a high amount of passion for the field.

2. Creativity - Be it a penetration test or developing an automated way to carry out a particular activity, a high level of creativity is a must in every aspect of a security professional's job. Thinking out of the box is an almost daily activity for a security professional.

3. A never-say-die attitude - Security issues are typically complex, and often there are no easy solutions. Quite often, the situations are also very high-pressure – the client's been hacked, or someone inside has leaked critical internal data, or systems have to be hardened before going live. A seasoned security professional knows that there is a solution on the other side of every problem, and is willing to be as resourceful as it takes to find the right one.

4. Grasp of a wide range of subjects - Security is not just about policies and procedures, or buffer overflows, or SQL injection. Most security issues stem from, and can be resolved by, human intervention. A security professional should not only be well-versed in a wide range of technologies, but should also be reasonably acquainted with the basics of psychology, economics, finance, and physical security.

About the author: K K Mookhey is the founder and principal consultant of NII Consulting, which provides services in IT audits, risk management, compliance and computer forensics.