Over the past several months, several readers have contacted me requesting career advice for how to start their career in the information security field. I was genuinely surprised that they were seeking my suggestions (I didn't dare tell them that the last person I gave career advice to mysteriously ended up on Easter Island, but I digress...). Each of these individuals was in a different stage of their career (one having just entered post-secondary education, one having worked 10+ years in a network administrator role, and the other a project manager responsible for security projects). Furthermore, they were all located in different areas of the world (United Kingdom, Australia, and the United States). After pondering their questions, I couldn't help but associate them with the old adage "all roads lead to Rome" — meaning that there are many different ways to reach the same outcome or destination. For those of you that cannot see where I'm going with this, let me spell it out: there are many paths to becoming an information security professional regardless of your location on your career road.
For those of you beginning your post-secondary education and keenly interested in working in security, there is no shortage of options. Your undergraduate studies could concentrate on computer/network security, computer science, or engineering. I truly believe in a well-rounded education; avoid focusing purely on technical skills. Studying other disciplines such as business, sciences, statistics, or liberal arts will provide you with invaluable "soft" skills and context that will allow you to be more effective when interacting with your future business colleagues. The security professional that develops a balanced slate of technical, communication, and business skills will be highly sought.
Check if your program offers co-op or work experience opportunities. This will allow you to experience working life (and to apply what you've learned) before graduating. An excellent education guide can be found on the SC Magazine website (towards the bottom of the main page). Unlike professions such as doctors or lawyers, which cannot easily cross country boundaries, information security (and IT as a whole) is quite universal (IT is IT regardless of your geographical location), so pursuing global opportunities is another option. Entry-level security jobs are becoming more and more common, so you won't necessarily have to pay your dues through junior network admin or junior helpdesk positions.
If you did not study much security in your undergraduate program, do not despair. The CompTIA Security+ certification is a globally recognized certificate that demonstrates to potential employers that you have a strong foundation of security concepts and knowledge. I highly recommend this certification for anyone with a technical education background that wants to take that first dabble into security.
If you are an experienced IT professional, undoubtedly you have acquired many security (or transferable) skills along the way. As a network administrator you likely have experience with patch management, server/OS hardening, implementing/monitoring network security devices, and project management. These are all skills that would serve you in good stead as a security pro. Develop a daily routine of reading various security blogs, technical/security websites (such as TechRepublic), security magazines, and Twitter feeds of respected security practitioners. Keeping a finger on the pulse of the latest in security news, technologies, risk assessment, and strategies is a great way to build your security knowledge and expertise (I'll save the specifics for a future article). Volunteer for opportunities at your company to work alongside the security team. Seek out someone from the security team and see if there would be a chance to job-shadow them or work with them on projects. Building such connections is crucial for your long-term success.
Other study opportunities can be found through educational organizations such as SANS. They offer outstanding courses in nearly all security disciplines through various delivery formats (in-person, online, one-day workshops). Determine an area of security that interests you the most. For example, if you are a developer, you could focus on secure development lifecycle classes. Application security is a hot area within security (and severely lacking in qualified individuals).
Become involved in your local security community by joining a security association; the Information Systems Audit and Control Association (ISACA) and the Information Systems Security Association (ISSA) each offer a great chance to meet local security pros and discuss pressing security issues (I mentioned both of these in my last post on knowing when to move on with your career). I cannot emphasize enough the importance of career networking. It is through your career network that you will eventually find your "ideal job." Another avenue for sharpening your security skills (if you do not have the opportunity at your current employer) would be volunteering at organizations such as religious institutions, schools, or small/midsize local businesses that cannot afford a full-time information security employee. These are relatively low-stress environments that would serve as an excellent proving ground for you to put your security skills into practice.
A terrific career resource site that I have consulted since my early university days is Information Security Leaders. The site is specifically geared to the career plights of the infosec pro and expertly run by two of the more pre-eminent career gurus in information security, Lee Kushner and Mike Murray. The two have a long track record of providing excellent career advice for those working in security. Every week they answer burning career questions. Check their website; chances are your question has already been answered!
Remember that the above is only advice. The final decision is yours and yours alone. There is more than one correct path — as security professionals are fond of saying, "It's not the destination that counts, but the journey along the way."
A special thank you to the gentlemen that contacted me requesting career advice. I hope my suggestions prove useful. Best of luck to all of you in your endeavours as information security professionals. I always enjoy discussing security topics with readers and fellow IT and security colleagues. Send any questions, comments, or future column ideas (don't be shy) to me on Twitter @domvogel or on Google+. I promise you won't end up on Easter Island.
Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.