When talking to people about starting or making the transition to a career in security, I'm often asked how to "break into" the industry. It's a great question -- without any easy answers. Almost every candidate I've spoken to has a different story about how they got their start. That said, there have been some traditional entry points into the field, such as the military, audit, IT administration and engineering. The good news is that as our profession matures, other avenues open.
Hit the books
As few as five years ago it wasn't considered necessary to have a college degree to build a successful career in information security. The demand for security professionals was high enough that degrees weren't considered a hard requirement as long as candidates had experience. In the post dot-com boom era this has changed. In a survey of ten clients that I worked with in 2005, eight out of ten listed a four-year degree as a minimum requirement. This is difficult for a lot of industry veterans without degrees, who find themselves hitting glass ceilings when searching for new opportunities.
The good news is that more higher learning institutions and universities are offering degree programs in infosec, and some help their students set up internships. According to Krizi Trivisani, CSO of George Washington University, GWU has partnerships with companies that provide paid internships to GWU students. Through these internships students get practical experience and real-world exposure. As a result, the majority of GWU graduates are hired by the companies they intern with, creating a win-win situation for everybody.
Just do it
For those already working in IT, the best way to make a transition into security is by doing it. Nearly every sysadmin and network engineer is involved with security on some level. The same is true for application developers and software engineers. With the high market demand for application security specialists, anyone who takes it upon themselves to learn secure software engineering practices, vulnerability identification and remediation will be virtually guaranteed a job in security. The key to making this type of transition is learning and understanding security issues and finding a way to apply that knowledge.
I recently spoke with a candidate who took it upon herself to become her company's resident security subject matter expert. Despite the demands of her daily system administrator job, she used her position at the keyboard to learn everything she could about security and then applied the knowledge to her company's environment. Once she had a good handle on the situation, she put together a proposal describing the ways her company could improve its security posture by leveraging existing resources. Her manager was impressed by her work and presented the report to his boss. As a result she was promoted and given a small budget to carry out the recommendations that she proposed.
Another way to get valuable exposure is by volunteering to get involved with security-related projects with your employer. As security continues to integrate with other areas of IT as well as the business itself, there are more opportunities to be part of a cross-functional project team. This type of role provides a great way to understand how all of the pieces of the puzzle fit together. It's an even better way to make personal connections with people who will be able to act as mentors and help you further your goals. And if there are no internal options available where you work, don't despair. There's no shortage of need for dedicated volunteers in the world. Disaster relief, church groups, international aid, child welfare, public education and conservationism are just a few areas worth considering. It may take some effort and creativity to follow this path, but that's what security is about anyway: going the extra mile and finding new ways to solve tough problems.
When it comes to breaking into security, certifications represent a bit of a Catch-22. The organizations that develop and maintain security certifications are excellent resources for those who want to deepen their understanding and involvement with security. Many offer technical training that is unparalleled in depth and focus. Other certifications focus on the "big picture" perspective critical to understanding how security interrelates with the business it supports as well as with other technology disciplines. However, almost all have minimum experience requirements that can be a hurdle to those who want to break in or make a transition. The fact is, there is no work-around for this, and for good reason. Minimum experience requirements ensure that those seeking certifications have demonstrated a proper level of commitment and personal investment in the field. These requirements are one of the ways that certification organizations maintain standards of credibility.
So, it goes back to what we've already touched on. If you want to get into security you have to find ways to get involved and pay your dues. Formal education aside, hands-on experience gained in the trenches is invaluable. This is true regardless of whether you're pursuing an operational or management track. A solid education and a foundation in systems administration, engineering and/or development are part of the "apprenticeship" that every security professional goes through.
About the author
Jeff Combs has been with Alta Associates since 1999. Jeff has a depth of experience recruiting information security and IT risk management professionals at all levels for corporate clients, professional services firms and security vendors.