There's always a pivotal moment in a person's career when they realize they need to become more proactive.
That moment came for Todd Bell in the months following the 9-11 terrorist attacks on the World Trade Center and the Pentagon and the simultaneous dotcom implosion. Bell had been making good money at several startups during the tech boom, and not long after 9-11 he found himself in a low-level job at Hewlett-Packard just to pay the bills and keep food on the table for his family.
Equipped with only an undergraduate degree in business information systems, Bell knew he needed to offer prospective employers more. In the next two years he earned a Certified Information Systems Security Professional certification from (ISC)2, as well as a Project Management Professional Certification from the Project Management Institute.
But he didn't stop there. By 2004, Bell had also completed a master's in business administration (M.B.A.) from Regis University in Denver.
“I hate to say it, but the M.B.A. opened more doors than any other qualification,” he admits. “However, with the CISSP and PMP I tripled my salary and then within a few years of getting my M.B.A. I doubled my salary again. There's no question that the M.B.A. put the CISSP and project management certifications in a different light and made me more valuable.”
Today, Bell works at California-based cybersecurity advisory company Intersec Worldwide as vice president of enterprise security, earning the top end in salary for a CISO, which is well into the six figures. He often works as a CISO for three months to a year, setting up and rebuilding teams and helping them revise their security program.
Bell's experience maps well to what analysts, vendors and officials from the certification organizations told SC Magazine about developing a career as an IT security professional. Certifications and extra courses are important – they will land you a higher-paying, hands-on security position – but nailing down that executive-level job requires taking some extra steps.
“What companies tell us they need today are multidimensional security people who can translate technology risk into business risk and speak a language that can be digested by the people who control the funding and resources for IT security,” says Bill Reynolds, a research director at Foote Partners, which publishes IT skills demand and pay benchmark research drawing from 2,700 employers. “In the past, it's been hard to justify spending on IT security. But now managers understand that a security incident can cost them market share, which is why people who can communicate the need for IT security are extremely valuable today.”
Robert Stroud, recently elected the international president of ISACA and vice president of strategy and innovation at CA Technologies, agrees with Reynolds that it takes more than security knowledge alone to be effective today.
“We need people who can look for unusual and unplanned behaviors, not just people who can technically perform monitoring,” he says. “And we also need people who understand data analytics and the business outcomes of exposures to security incidents. Security professionals today have to presume that security incidents will occur.”
That's not to say that people who simply enjoy hands-on tech work looking for career growth can't find it in the IT security industry. There's no question that there's great opportunity out there.
Cisco's “2014 Annual Security Report” estimates that as of this year the industry has a shortage of one million security workers worldwide. The shortage has resulted in companies offering excellent salaries for people with the right qualifications.
Foote Partners reports that for the six-month period from Jan. 1, 2014 to July 1, 2014, market value went up 42.9 percent for a GIAC Certified Penetration Tester, 33.3 percent for a CWNP/Certified Wireless Network Administrator (CWNA) and 25 percent for a GIAC Exploit Researcher and Advanced Penetration Tester.
“People are paying attention to workers with the right qualifications,” says Reynolds of Foote Partners. “Penetration testers, auditors and even those with wireless security skills are getting noticed.”
Meanwhile, CompTIA reports that 53 percent of IT workers would like to further develop their security skills in the next two years. And for good reason. The average salary for an information security analyst is $86,170 – and workers who combine the security training with advanced degrees or specialties in IT architecture or data analytics can easily command six-figure salaries.
Almost everyone we talked to agrees that there's a fundamental shift in how IT departments look at security.
Tom Gilheany, product manager at Learning@Cisco, says in the past, security people would focus on what he likes to call the “castle” approach. He says companies would deploy a virtual private network, firewalls, intrusion detection/protection and secure the routers and then hope for the best.
With mobile malware on the rise, along with hacking-for-profit criminal organizations and intrusions from nation states and/or potential cyber attacks by terrorists, IT organizations now have to work from a premise that it's only a matter of “when” they will be attacked as opposed to “if” they will experience a security incident.
Gilheany says Learning@Cisco has responded in two important ways. First, along with teaching students how to set up the core technology, the Cisco Certified Networking Professional (CCNP) course covers functional areas such as mobility, edge networking, threat management and application security.
“Today, hackers are looking for the weakest link and that is typically exposure to malware by mobile devices and the edge of the network,” says Danny Tomic, marketing manager, security certifications at Learning@Cisco. “Companies want a comprehensive, end-to-end approach and we are evolving the program to give students the architect's view.”
Learning@Cisco now also offers a new Cybersecurity Specialist certification as part of its specialist courses. Tomic says this course is geared for security professionals who want to work in a more proactive mode. In this course, the student looks inside a test network and the instructors launch attacks so students can see how the equipment responds under a simulated security incident.
“There's a big question today as to whether or not we are getting on top of the problem with security incidents,” Tomic says. “This new certification is for people who want to take on a first-responder role and actually work on networks that have been attacked. It's a big issue that won't go away.”
Other certification groups have responded with courses that seek to develop skills for responding to security attacks. In October, GIAC announced a new certification, the GIAC Network Forensic Analyst (GNFA), which will teach students how to analyze the network following a hacking or security incident. The GNFA certification will be released in early November and pre-registration is now available with the SANS Institute's Advanced Network Forensics and Analysis course.
D'Arcy Davis, technical director at GIAC, says that students who successfully complete the certification will have demonstrated that they are capable of collecting and filtering evidence of abnormal or malicious activity from diverse network sources such as log files and network packet captures. He says they will have shown that they are familiar with the tools and techniques they studied in the SANS course Advanced Network Forensics, and can use them to examine network-based activity and to extract and analyze the artifacts left behind by unauthorized activity or network-based attacks on an organization's intellectual property or personally identifiable information.
In another highly-technical hands-on course, Reverse-Engineering Malware: Malware Analysis Tools and Techniques, students can learn to reverse engineer malware, which is the process of understanding how the malware attacked the network following an incident. Students will not only learn how to analyze the malware, they will learn to develop code that ultimately prevents a subsequent attack.
“These are pretty high-level skills,” says Davis. “Somebody coming into this course has to have a fair amount of programming background, as well as a good foundation of security skills.”
Finding a niche
The recent overhaul of the health care system under the Affordable Care Act combined with the increased use of electronic medical records has caused a tremendous need for more experienced IT security professionals in the medical field.
In response to the growing need, (ISC)2 developed the Healthcare Information Security and Privacy Practitioner (HCISPP) certification, a course that's geared to many health care workers, including compliance officers, information security managers, medical records supervisors and risk analysts.
“This course is for anybody in the medical field who touches medical data,” says Rae Hayward, senior manager, product development at (ISC)2.
The course covers six domains: the health care industry, regulatory environment, privacy and security, information governance and risk management, information risk assessment, and third-party risk management.
“We cover the ins and outs of how medical data affects health care,” she says. “We teach people how to write appropriate policies and procedures and how to have risk analysis and assessment in place.”
With so much at stake in the job market and people's personal career growth, James Stanger, senior director, product development at CompTIA, says whichever path a security pro takes, they must understand that they are working in an increasingly complex attack surface. The threat landscape has changed dramatically in the last three to five years.
“Security workers also need to understand the cloud and how to work with BYOD and mobile devices,” he says. “But the main issue is to understand the sophistication of the hackers as well as the devices. As we automate with robotics and build smart homes, a worm or virus can attack those systems as well.”
And that's when the project management skills that Todd Bell developed become so important. Moving forward, security professionals will be expected to roll out a security program and put all the pieces together. Companies want security. And they want the whole package.