I am wondering how someone with my background and experience might most effectively transition to the field of information security. For the past four years, I have been -- and, thankfully, still am -- employed in the public sector as an Oracle Certified Professional Application Developer (Oracle Developer 6i) working within a strictly client/server context. During the course of that employment, I had the opportunity to author and implement application and menu security by: defining and configuring database roles; writing and incorporating a rather involved security-dedicated PL/SQL library; and employing light encryption/decryption to conceal references to passwords.
Having recently become aware of the competitive landscape that is taking shape in the IT field, in particular the growing trend toward the commoditization and offshore outsourcing of computer programming and application development functions, I have decided that trying to maintain my competitive position as a programmer/application developer over the long term would likely be a losing proposition.
However, I have also decided that I would very much like to continue working within the IT field; hence, my interest in transitioning to information security. Specifically, I am wondering about the following:
1. Although I consider myself to be a strong Oracle professional with respect to both front and back-end development, for all intents and purposes that skill set itself, along with some data modeling experience, pretty much defines the outer limits of my information technology expertise -- let alone my experience with security. Additionally, I lack a formal computer science or engineering background. In your opinion, is it practical for someone of my skill level and experience to aspire to specialize in information security?
2. What resources would you recommend (e.g., books, magazines, Web sites) that you believe could help someone like myself gain a general knowledge of the information security field, as well as of the specializations within information security?
3. Do there exist certifications that could help me segue into the information security field? Although I am intrigued by (ISC)2's vendor-neutral CISSP certification, I am concerned that the security experience I have is not sufficient to fulfill their applicant requirements for taking the exam.
Thanks for your kind words, and for your questions, which I'll do my best to answer in the paragraphs that follow.
1. Is it practical or reasonable for somebody with your background to pursue infosec?
That depends on your interest level and how much work you're willing to do to really dig into this field. I suggest you do some reading and studying as well as start working in the technology, and take an entry-level cert seriously enough to decide this for yourself. Can you do this? Absolutely! Should you do this? Only you can decide if curiosity turns to genuine engagement and a willingness to work long and hard in this field.
2. Resources! Wow, what a question. Certainly this very Web site isn't a bad place to start. Also visit my two-part story at www.informit.com entitled "The Computer Security Bookshelf" (pick "Articles" from the pull-down menu, then enter "Tittel security bookshelf" in the search text window). Also see our great collection of security URLs. This combination of points of departure will provide you with more resources than you can access in a lifetime!
3. The CISSP certification is a good place to wind up, but meeting its work experience requirements -- three years of direct, relevant hands-on infosec experience if you hold a college degree from an accredited institution or four years otherwise -- means you couldn't really qualify for it immediately anyway. (However, it's possible your security programming experience might actually redound to your benefit here.) My advice is to try to start working in and around infosec as much as possible right away, while working your way through one or more of these more introductory certifications. (You can avoid overlap, however, as you see fit, so that both Security+ and TICSA are probably overkill):
>> Intermediate, pre-CISSP certs: SANS intermediate-level stuff for firewalls, IDS, incident handling, Windows, Unix, etc.
Once you get through those, get some experience, do a LOT of reading and studying, and you'll be ready for the CISSP.
For more info on this topic, please visit these SearchSecurity.com resources:
- On-demand webcast: Security certifications -- What's hot, what's not
- IT Career Expert Tip: Leveraging recruiters
- Best Web Links: Infosec training, careers and events
This was first published in August 2003