ITKE member frankAZ posed this question:
I am new to the information
security field and need some help with a class assignment. If anyone could take the time to answer any or all of the following three questions, it would be greatly appreciated.
- What is happening today in the field of Information security?
- What is the greatest challenge facing a security specialist?
- What advice would you give to someone who is embarking on an information security career?
ITKE member GrayHat replied:
In my opinion, I find that malware is happening. Hackers and viruses are also making headlines. It is also worth noting that information theft and insider threats are on the rise; in fact, 70% of security incidents occur from inside an organization. Lack of security awareness and lack of security policies are also making headlines today. With this in mind, I believe that the greatest challenge a security professional will face is keeping one step ahead of the attacker. Because an attacker only needs to find a single vulnerability to cause damage, today's security practitioner needs to ensure that their tools and applications are protected. Therefore, my advice to those just starting out would be to get experience. Seek out a formal qualification, start out slow, and build on what you know.
ITKE member CheckSix replied:
I find the field is receiving a lot of attention due to some high profile incidents, SOX and because hackers and spammers are beginning to work together in an effort to increase their profit. I also find that companies typically do not want to spend their time or resources on mitigating threats, unless they have been exploited or can see one coming. Because of this, I believe the most difficult thing about being a security specialist today is creating a solid business case for security recommendations, and getting organizations to involve security from the start. With that said, I would advise those starting out to be prepared and put your time in. Volunteer for everything; Get to know everyone -- the security guards, risk management team, facilities managers, programming staff -- Everyone!!! Study for exams and certifications, the CISSP alone has ten domains to choose from. If you want to pursue this cert., I suggest you become an expert in two of these domains, and expose yourself to the others. Most, importantly, have fun through it all, and don't sweat the detours.
ITKE member atomas replied:
In my opinion, there is only one answer to these questions; it all depends on you. If you go into information security and don't know where your interest lies, I'm afraid you might get lost. Ask yourself -- What attracted you to this field? Governance? Firewalls? Forensics? Pen testing? Audits? Disaster recovery planning? Cryptography? Law? Standards? Because, in today's infosec field, you can't just say to yourself: "I think today I want to be a security specialist."
ITKE member ronboviscous replied:
In addition to achieving a formal certification, expose yourself to as much as you can. Join a local security group, attend security seminars, and subscribe to several newsletters and forums (like this one). Little by little, you'll pick up industry hot spots, best practices, terminology, etc…
ITKE member Whitecap replied:
If you want to know what's happening today, you should realize that the information security field is not just about technology, it's about people and protecting information wherever it is while still being able to share that information with clients, partners and customers. As far as challenges are concerned, I find that the greatest obstacle the security practitioner must overcome is getting the buy-in from senior management, though, factors such as SOX and other regulations have made this easier. For those starting out, I recommend that you work towards a reputable certification/qualification, e.g., CISSP (there are many others.) Contact others in the industry, like ISSA, who have mentoring programs for new entrants.
ITKE member ITDefPat1 replied:
If you want to learn what's happening in today's infosec world, there are numerous Web sites, like SearchSecurity.com, sans.org, Bruce Schneier's blog, out there that will help you find what you need. Many of them have RSS feeds and e-mail newsletters, which you can subscribe to. Now that we've covered what's happening, here's my advice to those starting out in the business:
Attend conferences that offer training, like SANS, MISTI or CSI. SANS offers an intro to infosec program, either way, think broad…
If you want to focus on the technology side, get vendor/tech certified, such as Cisco and several others. CWSA's Wireless cert is another good one.
Get professionally certified. Certs include: SSCP, CISSP and some Cisco as well. Most are not technology-focused or vendor specific, they are broad, general, and (not introductory). IMO, the CISSP is the ultimate certification.
At any point, participate. Join groups like ISSA and ISACA. Publish and present (MISTI and CSI both call for papers and their conferences).
Note: this is more than "starting out" advice; start at the first step and continue along a similar route. To find out more about certifications and the sort, visit SearchSecurity.com's tip section, they have some good tips!
ITKE member richl01 replied:
IMO, what is happening is compliance. New regulations are making companies examine, and spend money on security; something they should have been doing all along. In my experience, I have found that the greatest challenge a security practitioner will face is how to deal with the user. Determining how the user will circumvent your security practices, before they actually do, can be a challenge. I also find that keeping the users that don't care about security, compliant with the programs will be an issue the security pro will see. Also, making sure the user can securely do their work and it job properly, will also be a challenge.
On a final note, my advice to those embarking on a new infosec career would be to start out achieving a certification from a specific area, like network security or compliance regulations. Then, after you've mastered that sector, look for others that are similar to build a foundation.
This was first published in April 2006