Problem solve Get help with specific problems with your technologies, process and projects.

Straight from the inbox: Your infosec career questions answered

Lee Kushner and Mike Murray answer this month's batch of information security career questions. Readers asked about the value of infosec certifications, information security officer training and online master's degrees.

This month, as part of their monthly Information Security Career Advisor tip series, Lee Kushner and Mike Murray of answered your questions on infosec jobs, training and career paths. Below they address the best information security certifications, the expectations of information security officer training and the value of an online master's degree in information security.

Have your own information security career questions that you'd like Lee and Mike to answer? Email us at Also, read the rest of their Information Security Career Advisor tips.

Q: I am a technical manager. Twenty-five percent of my job is managing a help desk and computer operation, and 75% of it is acting as a technical systems administration for iSeries, Domino and Websphere. I think broader security knowledge will assist me in doing my current job. It is an area that I'm genuinely interested in, but I also think it will make me more marketable.

As a result, I have been researching the area of security certifications. At work, we make fun of the radio commercials that tell you for a small fortune you can have a new career. I think there are a large number of valid security certifications, but I am concerned that it has become the flavor of the month for everybody.

Are security certifications truly valid, and will they be for the short term? Also, how does one choose a path? For example, I'm looking at studying for ITIL and COBIT and then thinking towards CISM and/or CISSP. My intent is to look at the broader picture first because I think it is more relevant to a technical manager. Is this a bad idea? Are there better approaches?

More from Lee and Mike

Want more advice on how to get the infosec job you're looking for?

Read all of Lee Kushner and Mike Murray's Information Security Career Advisor tips at
A: We often joke that our least favorite question as career coaches is: "Which certification should I get?" The reason for this is that every situation is different, and the certification should match your career goals, not the other way around.

Right now, what we hear you saying is: "I want to be in security because it's a 'hot job' and I like some of what I've done." Unfortunately, as you intuit, "security" is such a large and diverse field that becoming certified just for the sake of having a "marketable certification" is akin to getting an MD just because doctors make a lot of money. That's totally fine if you're a doctor. But if you're an engineer, the MD won't make you any more marketable (and will take a lot of time and effort to get).

Our advice: Figure out what you want to do next. Each of the certifications you mentioned (ITIL, COBIT, CISM and CISSP) are all valuable for certain job paths and not valuable for others. Attack the task by figuring out what you want to spend your days doing, then figure out what certifications people of that profession have. For example, if you decide you want to manage the company's compliance process and discover that nine out of 10 compliance managers have a COBIT foundation cert, it might make sense to pursue that.

But certifications for the sake of certifications will only lead you to being one of the people who you laugh about: someone who spends huge amounts of time and energy to end up with a piece of paper but no new career.

Q: At present, I am working on a security module for a client project with complete exposure to the Software Development Lifecycle (SDLC), which involves Kerberos, IPsec, AKA(sip) and TLS. Previously, I had the privilege to work on a board support package (BSP), which was very challenging and interesting. However, I feel I have made a mistake of accepting the security module project.

About the authors

The columnists, Lee Kushner and Mike Murray, bring with them different perspectives on career related topics. Together Lee and Mike have advised many information security professionals in various stages of their career development and are regular speakers at industry conferences on information security career-related topics.

Their blog can be found at

Lee Kushner is the President of LJ Kushner and Associates, an executive search firm that has been dedicated to the information security profession since 1999.

Mike Murray is an information security professional and career coach. Mike has held leadership positions in environments that include professional services, security product vendors, and corporate environments.
I am a bit confused and concerned on selecting the career path in network security or BSP. My interest is in software development, and I also feel bad that I have missed an opportunity to go to the U.S. Please shed some light on the path that I can select and how to move ahead in the path in this competitive world.

A: It sounds like you have started off your career the way most people do: exploring different options. Mike went to school to get a philosophy degree and then was a Unix system administrator. I started out in sports marketing (working for the Los Angeles Dodgers) before becoming a recruiter in the security space. It's normal to explore a few different paths before settling on one.

Both of the two career paths you mention (network security and software development) are incredibly challenging and valuable. They each have many opportunities (both at home and abroad) and, assuming you excel in whichever you choose, you will be able to find success in either one.

We can't tell you what to settle on. What do you enjoy? What do you work on in your spare time? Do you read security books for fun? When you're alone in your car, do you think about security problems?

Ultimately, the career that you choose needs to be your own. It needs to fit with your skill set and what you enjoy doing most. We can't tell you what those things are; as the Doctor said to Macbeth, "therein the patient must minister to himself."

Q: Do you know what type of training is offered to information security officers by their employers when they start a new job and are continuing education thereafter?

A: Every company is different and this should be something that you discover during the interview process. When interviewing for a position, ask the hiring managers about their commitment to training and professional development. Many times, a company's attitude toward this topic can help determine your decision to accept or decline an offer for employment.

That said, the one most important security trend over the past few years is that employees are increasingly being required to invest in their own career. No amount of employer-provided training can make up for you not being willing to invest time, money and energy in your own career development.

We recommend developing a career investment plan that maps to your career plan -- this includes books that you need to read, courses that you need to take, conferences you need to go to and activities you need to undertake (e.g. networking, blogging, etc.).

If you have one of those investment plans, your employer's training may fit in to it. But the employer will likely always provide less investment than you truly need.

Q: I'm doing virtualization using Hyper-v, but I still like security, which is what my master's concentration was on. Are there any certifications that have to do with security and virtualization?

A: The biggest challenge with working at the front-end of technology trends is that there are never going to be certifications that map to what you're looking for. The question that we would ask is: Why you are looking for a certification? If you have a background in security and a large amount of skill using Hyper-v, you should be able to market yourself effectively without a certification.

Certifications aren't a cure-all -- especially in this case. Not having a certification is most likely not your problem; you more likely have a personal branding/resume/interviewing problem. You need to do things to make yourself known within your industry and get your name out there. For a bit more information about that, we talked about personal branding and interviewing in previous columns.

Q: I have a BS in information systems. I have 17 years of IS experience, the last eight in information security. I am looking to get my master's in infosec. However, I need to do so via online learning. Do you have any recommendations for accredited institutions that offer MS in information security via distance learning?

A: The one thing we always say about investment in your career is this: You get what you pay for. This especially applies to graduate school. When selecting a school, it is important to think about the brand that is associated with the university. As a test, think of the first idea that comes into your mind when you learn that someone has received a degree from a specific university. While a degree from Harvard Business School (or, in security, Carnegie Mellon) might be more expensive and difficult to complete, it is quite impressive.

This leads us to the simple question that you need to ask yourself: "Why am I interested in a master's?" Your level of experience suggests that this isn't about finding a job role. And, in most cases, the reason to do a graduate degree comes down to one of two reasons: either you want the knowledge or you want the prestige.

If it's a knowledge question, you may want to make sure that the knowledge that you gain from this program is unique to the degree program itself, and worthy of both the money and time that it will take to achieve. If you determine that it isn't, you should think of other sources of gaining this knowledge: books, specialized courses (many of which are available as free downloads via iTunes and other sources), conferences, seminars, etc.

If the prestige and the access that a graduate degree conveys is what is attractive to you, we urge you to look into which universities are the most respected for information security programs and investigate those. A good way to determine the industry's effectiveness is to learn about the university's alumni and the positions that they hold. If you can locate some alumni that have had successfully achieved career goals similar to your own, you may have found the school best suited for you.

This was last published in November 2009

Dig Deeper on Information security certifications, training and jobs

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.