Security Field Entry Advice

Friday, June 08, 2012

Jayson Wylie


Government reports show a gap of up to fifty percent between information security needs and the people able to fill them.

This means that more and more people will attempt to enter into the information technology security field as the compensation for those who have security talent rises.

I have been in technology, if you count the eight young years of programming, for thirty-some years. I have seen what it takes to be successful, or at least productive, in the field.

Now I’m doing security work.  

I believe successful information technology professionals constantly pursue knowledge in the focus they go for and it is possible to be cross-trained.

I’ve heard many theories on how to get into security, but I would like to suggest that people better learn the systems they would like to work on and how to secure them.

Go for the technical side because that is where the necessity for talent is. 

Many people are able to write documentation for upper management to review, but they are not actually able to harden the systems. This gives those at the top a false perception of the organization's true posture.

Newcomers do not need to get security-focused certifications to be proficient.  It is actually possible to learn everything in good books - or even better, on the Internet.

Technology systems revolve around end-points, servers, networks and applications. Training is suggested as a full-time pursuit because there is always something new to learn.

There has to be an interest in and understanding of what people read.  There are other security jobs with requirements of a proficiency in writing as well.

Research the security problems and the solutions or the mitigations for them. Learn how to detect threats or weaknesses and how attacks work so you can secure a system from them.

I can’t think of any certification without a technical base that would help one keep up in a security technical interview, and that is a big determiner in landing jobs.

All certifications help with getting the interview, but once you are in the process there is a lot of conversation.

jamal elmellas I came through the technical ranks, I did the hardening, configuring etc, I'm now a consultant and deliver strategy as well as defence in depth consultancy, you know why? It pays more, a lot more. I agree, there are fewer people who really understand the technical side of security, but that's because it just doesn't pay. :(
Jayson Wylie Your statement goes along with my theory that vast amounts of money are being allocated and put to less effective usage.

I don't want to put down anyone's efforts or accomplishments in any certifications or achievements.

I would like people to start thinking correctly about security and stop the theoretical debate and paper foundation.

Security is being pushed down from the top in most cases and the O's want documentation that will serve all sorts of purposes without actually securing anything.

Since those closest to the top get paid big dollars and deliver crisp and well-worded strategy they will get compensated better.

What most people don't understand is that the "trickle down" of caring about these initiatives, let alone doing something to help the cause whether the abilities are inherent or not, leaves a big gap in the perception of posture and the actual security state of the environment.

The NSA defense in depth paper is short. Strategies incorporating a layered approach to slow down the attack can be PPT'd to top management.

What doesn't get explained as much is how to monitor and operate a much more complex environment. I think the money is put in the wrong direction but I don't know of training or certification that improves this. I endorse intensive self study and experience.

How many quality intrusion and access control analysts are out there compared to the PO's for intrusion detection appliances or systems to incorporate better security because of audit findings or policy?

Talent should be compensated and I am not unsatisfied with mine. It's all relative.

The problem is that not all management understands what security talent is unless they have a hand in the game.

These security managers surround themselves with talent of all aspects and abilities in the security field and usually have a technical background and not an EC Council CISO cert.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
