tiero - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Where are all the entry-level security positions hiding?

Entry-level security jobs can be hard to come by, but the industry still needs more talent. Expert Mike O. Villegas discusses how to break into the security industry.

Breaking into the security industry can often be difficult because the staffing shortage is really with senior positions. What are some ways people who are interested in security as a career can get started? Are there specific entry-level security positions I should look at?

Breaking into the field of information security is a recurring question from recent computer science and technology graduates. Having worked in information security, IT risk management, IT governance, professional services and systems auditing for over 35 years, I cannot think of a more rewarding profession. It's true that most staffing shortages are for senior level positions. Entry-level security employees have a difficult time finding work that will allow them to obtain the experience required to improve their proficiency.

There are three areas to focus on in the beginning of a security career, and they all require resolve, passion, patience and hard work. They also require becoming active in a network of information security professionals. These areas are education and certifications, participation in professional groups and mastering at least one specific security topic.

Computer science degree-holders are good candidates for entry-level security jobs. Some universities now have undergraduate and graduate programs in information security. These degrees are impressive and prove the applicant has a good foundation and aptitude for information security. Entry-level workers can attain certifications such as the CISA, CISSP, Security+, among others that open further opportunities. Most certifications require three to five years of experience; however, if an entry-level candidate has taken the exam and successfully passed it, it sends the employer a clear signal of the candidate's serious intention to grow into the position.

Entry-level security candidates should become involved in professional organizations such as ISACA, ISSA and OWASP. They should volunteer to help in monthly meetings, conferences and seminars sponsored by that organization. Volunteer opportunities include manning the registration table, being a proctor for conference sessions, reaching out to members and working with experienced chapter members on special projects that might include research and whitepaper development. The purpose is to become visible and, more importantly, remembered. Network with experienced working professionals so that if an entry-level position becomes available, they will remember the candidates desire to learn.

Information security professionals apply protection measures on multiple disparate environments. They know enough to deploy such measures for identification, authentication and authorization of users to IT resources and data. They may not be experts in the IT platform or system being protected but they are knowledgeable enough to deploy security and controls. However, the information security field has morphed into numerous specialties that are evolving into fields of their own. These include specialties in computer forensics, penetration testing, encryption, network security, security monitoring, incident event handling, Web security, secure coding, malware detection and reengineering and many others.

The entry-level security candidate should be well-versed in the information security common body of knowledge, but should strive to be a master of at least one specialty. Once identified, the entry-level candidate can then target industries and companies where he can hone those skills. If he expresses the desire to develop a specialty and can demonstrate a more than general knowledge, the employer may be more motivated to hire him.

The demand is clearly for skilled experienced information security professionals but employers should consider and budget for entry-level security staff. If mentored by experienced staff, the benefits would be better coverage with a larger staff. Entry-level security staff can perform less technical functions that would allow those more experienced to focus on more complex challenges. Professional firms can also leverage the cost of an engagement in the same approach and price the overall engagement with a more attractive blended rate and better margin.

Entry-level security staff should not be disillusioned on finding work. Seek proper education and certifications, become involved in information security professional organizations and find your niche. You will find this profession challenging, rewarding and exciting. Until information security is developed into a do-everything chip, there is plenty of work for all those that seek it.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Learn more about the CCSP certification

Find out the best way to prepare for ITPM certification

Learn what to look for when hiring a CISO

This was last published in January 2016

Dig Deeper on Information security certifications, training and jobs