There is a clear need today for experienced information systems security professionals, and increasing numbers of IT professionals are rushing into to fill the gap.
While there are not enough candidates for information security staff openings today, there may be a surplus in the not too distant future. Based on employment trends, as well as research completed by Capella University in developing a security specialization within its master of science in information technology degree program, the most competitive men and women in the security field will base their career strategies on three pillars of success: security certification, degree education and experience.
Organizations want employees and consultants to offer proof of their mastery of information security concepts and practices. This is where certification comes in. Employers also want to be assured that the security expert has strong communications skills, understands business processes and has been exposed to best practices in project management, which a degree education would help ensure. Finally, management wants security professionals who have demonstrated accomplishments in the workplace to assure themselves the applicant functions effectively as a member of a technical team and has workplace skills that lead to results. This is where relevant experience verified by credible references comes into the picture.
No one starts out with all three career pillars solidly in place. Instead look at them as career-enhancing goals – the stronger each pillar is the more you will be highly valued by a prospective employer or client. And with the uncertainties in long-term employment, those with certification, degree education, and experience have a strong base for consulting and short- and long-term project work to fall back on.
Certification
Understanding operating systems, networks and the internet are essential for moving into a career in information systems security. To help you gain this knowledge, research and evaluate the following introductory certifications: CompTIA Network+ and i-Net+, Cisco CCNA and CCNP, Microsoft MCSA and MCSE, and Novell CNA and CNE. If you are interested in Linux, research the CompTIA Linux+, LPI Levels 1 and 2, and the extensive offerings by Red Hat. Earn a combination of these certifications and you will have laid a foundation for what will come later in security.
In terms of security certifications, a successful strategy will be for you to earn both vendor-neutral and vendor-specific certification. Vendor-neutral certification demonstrates your breadth and flexibility. Vendor-specific certification demonstrates your depth of product understanding and expertise. Organizations maintaining respected vendor-neutral security certifications today include CompTIA, (ISC)², SANS, ASIS, ISACA, CIW, and TruSecure, among others. The 'Gold Standard' in management-level security certifications is (ISC)²'s Certified Information Systems Security Professional (CISSP) with its rigorous exam, Code of Ethics and experience requirements. The major hardware, software and security products suppliers offer vendor-specific certifications.
Education
A successful career in information systems security requires the ability to work with management at all levels. You will also be working with many different types of people from other departments and disciplines. If you set your sights on being a consultant, you will work with clients who demand more than technical competence. Written and verbal communications skills and a comprehensive educational experience are going to help ensure you are comfortable, confident and successful in all of these interactions.
Furthermore, as a specialist in security, you will need to understand the psychology of attackers and hackers as well as the motivators required to change people's perceptions of security. You will need to understand business processes and how IT supports these processes in terms of improving both productivity and security. You will be asked to remain current on federal and state regulations for information confidentiality. There are ethical issues surrounding security that you must not only understand, but also factor into your work. You will be responsible for planning and implementing projects. A well-rounded educational experience can assist you in all these areas.
Today many educational institutions have set up programs specifically designed to meet the needs of working adults. To reduce time and cost for the learner, an expanding number of educational institutions are accepting certifications for academic credit when combined with professional experience. If you already have an associate's degree and certifications, you may be closer to a bachelor of science degree than you thought.
If you have a bachelor's degree and certification such as a CISSP, even a master of science degree in IT may be as close as 12 months away. A masters-level specialization will set you apart and potentially open up top positions to you – chief security officer, director of security or consultant.
Presently, IT professionals with a master's degree make over $25,000 more per year than those with an associate's degree or IT trade school education (Source: Information Week 2003 salary survey). It is imperative to note that any university you select should be regionally accredited from reputable accrediting bodies such as the NCA or SACS.
Experience
If you have not had any experience in information systems security, look for ways of moving into network administration with some emphasis on security. Obtaining networking certifications will improve your worth to potential employers. Once you have some practical experience, begin studying for foundation-level security certification. If you are a student or in a different field, put your foot in the door by developing a list of credible references. Volunteer at non-profit organizations or help small businesses with their security needs.
Networking with teachers, fellow students and those holding security certifications is a proven strategy. Additionally, there are magazines and a number of Web sites devoted to security. These, along with security organizations such as the Information Systems Security Association (ISSA), can help you remain current and stimulate ideas. Even during tough times there are opportunities to gain experience. You have to be prepared to dig in and be creative and persistent in finding them.
As you pursue your long-term career goals it will be important to remember that the three pillars of success -- certification, education, and experience -- build your credibility and attractiveness to potential employers and clients. Employers and projects come and go. The pillars you've built for yourself can stand forever.
Jack Krichen is faculty director of the School of Technology at Capella University in Minneapolis. Capella University is a fully accredited online educational institution offering bachelor's completion, master's, and doctorate degrees.
