Monday, September 19, 2016

The Path to a Cybersecurity Career…

This blog originally appeared on my Medium site on April 18, 2016.

For quite a while now, I have been thinking about the lack of real-world technical training in colleges and universities. Then I see the story from CloudPassage that basically confirms what I have thought all along, at least with regard to information security: that most of the top colleges and universities DO NOT pay attention to cybersecurity in any way, allowing today’s computer science grads to receive their diploma without ever taking a class in computer / information security.

(You can read the link or check out the infographic if you choose — I am not going to rehash their study, except to say that it contributes to an alarming trend in the information security industry.)

I belong to several LinkedIn groups on information security, and one of the recurring topics is how one “breaks” into (no pun intended) the information security career path. As the article above demonstrates, the best colleges and universities will likely not help you. So the best I can do is share with you a few ideas about how I think one might be successful in information security, mainly the path I chose to get the InfoSec career that I have.

Johannes factotum (Jack of All Trades, Master of None)

For every aspect of information technology that someone interested in an IT career can learn, there is a parallel subset of information security. Gaining experience in networking, systems architecture, systems administration, database administration and storage infrastructure is a critical starting point. From there, learning physical security, regulatory compliance, and encryption becomes easier, mainly because you have a foundation to build from. Trying to tackle the complicated security controls required by the various compliance standards is nearly impossible if you don’t have a strong background in the “basics”.


Arguably, the moment you start down the IT career path, you should invest in technical certifications. CompTIA offers some excellent, vendor-agnostic certifications (thinking A+ and Network+ here), and those will help you get in the door. Once there, you can decide on some vendor-specific certs, like those from Microsoft and Cisco. After that, and after you have gained about 3–5 years of experience, you need to decide how to specialize in IT, whether it is InfoSec or some other niche specialty that you want to concentrate on. In the InfoSec world, there are a number of specialty security certifications: vendor-specific ones from Cisco, Microsoft, and others, and vendor-agnostic ones from SANS (GIAC). But the best general information security certification, and arguably the most difficult one, is the Certified Information Systems Security Professional (CISSP) from (ISC)². The CISSP is the “gold standard” of IT certs, respected by pretty much everyone in every business vertical for the skills that the certification represents. It is a bear to get (at least it was for every single person I have ever talked to about it, including myself), but it opens nearly all of the information security doors.

Constant continuing education

Information security is rapidly changing. The great part is that it is constantly evolving, providing interesting new challenges and directions. The bad part is that it is constantly evolving, providing excruciating challenges and problems. Information security types always have to keep up, through continuing education or self-study. There are great conferences available to get the latest, but they tend to be a bit spendy. Most of the higher-end certifications discussed above require you to maintain your certification through continuing professional education (CPE) credits. Keeping track of your CPEs can be a challenge in and of itself, but it is worth it, considering the alternative is to let your certification lapse. (A friend of mine let his CISSP lapse and was punished by having to retake the CISSP exam. The guy had been working InfoSec for 10+ years, and still failed it the first time when he had to retake it.)

I hope the major university programs clean up their act when it comes to information security training and education. But even if they do not, the path outlined above requires very little in the way of formal university training, and will lead you to an eventual information security position.

I am not one of those guys who believes that the sky is falling, not even close. But the InfoSec career path is a little different, and those who are trying to become a security professional often have a difficult time navigating their way through the different expectations. In the IT industry, though, the demand for these kinds of professionals is extremely high, and shows no signs of slowing any time soon.

Best of luck, and ping me if I can help!

NOTE: I am not a developer, nor do I play one on TV. While the experiences are helpful and the advice is relevant, it is more focused on a traditional IT route than on programming. Programmers and developers should concentrate on programming best practices and foundational programming security. Having experience in the “hands-on” IT world will only help a developer / programmer better understand the things they are programming for.
