Rob Newby kicked off with his Seven Stages of Security Man and Andy ITGuy also posted his guidance on Why become an IT Security Professional. I often get asked on how to start a career in information security so I thought that I would chip in my €0.02 worth.
This post, though, is aimed at those looking to get involved in information security within Ireland. Ireland poses a unique challenge for companies selling information security services. Firstly, the majority of companies in Ireland are classified as SMEs; in fact 97% of Irish businesses fall into the SME sector. Under the EU definition used in Ireland, a small enterprise is one with fewer than 50 employees and an annual turnover of less than €10 million (the medium-sized band extends to 250 employees and €50 million), and it is the small end of that range that makes up most of the market.
So for someone looking to start their career in Ireland this represents a unique challenge. As in many other countries, most SMEs say they care about security but will not actually pay for it, while the larger companies tend to stick with the big consultancy firms or use in-house teams. So where do you start: try to become an evangelist for information security within a small company, or join one of the big consulting firms? That depends on what you want to achieve. In a small firm you will get better hands-on experience across many different fields, whereas with a larger firm you may end up specialising in one area.
Most people who ask me about starting in information security ask about getting involved in specific areas such as forensics, penetration testing, incident response or firewall management. The problem with a lot of those areas (incident handling, forensics, etc.) is that they are deemed the “sexy” side of security. However, they are often not the main job of a security professional. After all, if you do things right you shouldn’t have to worry about incident response or forensics as much as the person who doesn’t do things right! These areas can also involve very boring and tedious work, especially forensics, and if you make a process mistake and invalidate the case by mishandling evidence or breaking the chain of custody, you could have a very torrid time if the case ends up in court.
I often recommend that, instead of concentrating on the sexy side of security, you look at the basics and make sure you have the understanding and skills to design, architect and defend your networks properly. In most cases, if you can build on your existing networking knowledge and learn to apply those skills with security in mind, that will make a great foundation for your infosec career. The reason I say this is that if you fully understand and properly design your network, you will know where the weaknesses lie and therefore where best to deploy your defences. You will also know how everything works and can then grow your skills in the other “sexy” parts of infosec. If you are already offering technical services to clients, I suggest you become certified to the security level in those products. This gives you the advantage of remaining in your current field and earning a living from it while also expanding your knowledge and skills in security.
You can then look at other certifications once you feel more confident. Now, I am not one who gets all excited about certifications, as I believe it is someone’s ability to deliver on the technology that matters rather than being able to pass an exam. But certifications do give you some credibility, especially with those tasked with hiring consultants/contractors, as all they want is someone who fits a certain profile. I have explained more of my thoughts on certification schemes elsewhere, and I have also compiled a list of all the security-related certifications I could find.
You can then build your skill set into the management side of information security. This is where the exciting world of policy design, risk management and so on becomes the main thing. But in my opinion, having a strong technical foundation will make you a better infosec manager. At that stage you can consider seeking a CISM- or CISSP-type certification to back up your skill base. The other reason I recommend seeking certifications in the general technical areas first is that they may be a better long-term investment in your career. Who knows, you may not like the infosec world and decide it is not for you. Remember, information security can be a pretty unforgiving career choice, as the only time people care about your role is when you try to prevent them from doing something or when there is a breach. Having a good technical base will enable you to move into other areas if you decide a career in information security is not for you.
Once you feel that, yes, information security is the field for you, I suggest you think about what area of security you want to get into and why. For example, are you more of an infrastructure person who wants to get involved in firewalls, routers, etc.? Or is your preference applications, and designing and developing secure software? Or is it incident handling, forensics, pen testing and the like? Or is it more the management and policy development type of work? There are quite a lot of specialisms within infosec, so I suggest you root around and determine which one you want to get involved in.
Of course, you also need to ensure that you can make a living out of it: there is no point being an expert in cryptography if your clients do not want to use your services. And as Andy the ITGuy points out, if you think you can make a lot of money from information security you had better think again, although I do like the second comment on that post.
Finally, read as much as you can. There are numerous books on the subject and also plenty of great blogs out there where people share their knowledge and experience for free. In particular, have a look at the Security Catalyst Community. There are also lots of web resources such as the SANS Institute, in particular its reading room, and SecurityFocus.