Outsmarting the bad guys is an age-old pursuit. In 2014, anyone with such a proclivity for keeping intruders at bay and the folks at home safe can consider the option of a lucrative career in information security. Naturally, it requires serious preparation.

Options for education and training include getting a degree in computer information systems, or for people already out of school or looking to move into the field, getting certifications like CISSP or the various Cisco options (CCNA, CCIE).

“If probed, most security professionals would likely respond that they were ‘self trained’…learning their trade through on-the-job experience combined with personal investment in research and testing,” said Alex Moss, managing partner of information security consulting firm Conventus. He emphasized experience.

“Security as a profession is still in its early stages of development and, as would be expected, lacks the traditional mechanisms/processes for career development so most are left to rely on a ground floor approach and build their career through an application of expertise, experience, and insight,” he said. Moss also recommended for newcomers, familiarizing themselves with “the core domains of security identified by ISC2.

Here are some big ideas to consider when chasing a career in information security.

Jobs gap

Someone looking for a job in security can let go of a little stress – the gap between talent and available jobs is large. “When the demand is high, the supply is lacking, there’s a skills gap, that’s the right place to be when it comes to careers,” Tejas Vashi, director, marketing and product management for Learning@Cisco said.

The U.S. Department of Labor predicts that from 2012 to 2022, the growth rate for the job of information security analyst, for example, will be 37%. For perspective, average job growth for all occupations is 11%.

Even within the government, there are set to be more cybersecurity jobs. In December 2013, The Washington Post reported that the Air Force alone will add more than 1,000 cybersecurity roles. Both the Navy and the Army plan to add cybersecurity personnel as well.

Not just engineers and analysts

Krishnamurthi also said that there’s a demand not just for engineers, but for management positions like CISOs, partly because security is such a growing concern for so many.

“Not just technology companies, but every company has a CIO or CISO, who are management folks within the organization,” he said. “It’s across the board.”

When hiring, Mark McChesney, information security officer at Kentucky Retirement Systems, looks for people with a range. “When I build a security staff now, I look for diversity. We need people with programming backgrounds, network experience, big data analysis, business knowledge,” he said.

Everything needs to be secured

Along those lines, Vashi talked about how many more areas now require security than once did. He gave an example of a city’s bus line. Public buses with sensors that track the location of the bus en route could be a major danger if that information were to be exploited. “Can you imagine hacking in and figuring out where every single city bus is in the metro area?” he said.

“Companies are only gradually understanding the threats they face, especially as they start to connect their industrial control systems to the internet,” wrote TechRepublic UK editor Steve Ranger in his recent piece, “Inside the secret digital arms race: Facing the threat of global cyberwar.

Proactive thinking

McChesney said that even with as many intelligent, hardworking security professionals as he knows around the world, and even with efforts toward educational and collaboration opportunities like conferences, etc., keeping up with new threats is still a challenge.

“Cyber criminals are probably going to stay ahead of us in many ways… I think one of the big challenges is that technology has become more and more pervasive in our business, as well as personal lives,” he said. “While I love technology, that pervasiveness creates challenges for our profession. Business users and consumers have powerful tools in which to do great things. Those technology tools can also be very dangerous if somebody does not understand all the impacts and risks associated with them.”

Sudarshan Krishnamurthi, senior product manager for security and IoT education strategy at Learning@Cisco said one of the biggest shifts happening in security is the switch from reactive to proactive thinking. Whereas security professionals would learn lessons after a breach, and fix whatever vulnerability, that way of operating is no longer good enough. There’s too much at stake. He gave an example of a manufacturing floor at Ford – that network can’t go down. Security professionals need to figure out vulnerabilities before they can be exploited and end up costing companies untold amounts of damage.

How exactly those in security outsmart the hackers is still a big question. Krishnamurthi said the Cisco cybersecurity expert certification, for one, emphasizes using data to predict breaches.

Keep learning

Like many other parts of IT, security is no exception when it comes to the need for professionals to stay abreast of changes and developments in the field. TechRepublic columnist Michael Kassner said that in his interviews with academics who teach information security, he finds they’re aware that much of what they teach is out of date. Though, he also said that people looking to get into security need to know as much about IT and computer science as possible if they want to deeply understand digital security.

One way to keep up to date is joining a local chapters of information security organizations, like ISSA, Kassner said. “Being in the trenches, the members will also know the latest threats and what to do about them,” he said.

In sum, he offered this mindset: “If the field of information security is something that interests you, make sure you are willing to devote an inordinate amount of time keeping up with the latest exploits, what works against them, and what industry experts are saying.”

Also see: