So, you want to know how to get into IT Security?
We’ve heard about it and seen the predictions in hundreds of articles. Countless blogs, websites, & white papers have mentioned that “Cybersecurity” will have a shortage of qualified applicants that will grow steadily over the next 4 years. While these numbers vary wildly on the estimated amount of total jobs that may go unfulfilled (I’ve personally seen anywhere from 500,000 to 3.5 million vacancies as the listed number,) one thing remains consistent throughout all of these projections and estimates. Opportunity has-a-come-a-knocking!
As an experienced professional who transitioned into IT Security as an analyst (and currently holds the position of IT Security Architect,) here are some of my observations and tips for getting into IT Security.
As someone who had several years of experience before moving into IT Security, here are a few tips and observations I’ve made
Understand the full impact of the roles and skills you have used and leveraged over your career.
More often than not, as one gains more experience, insight, and awareness, workers are able to understand where they “fit” within business processes and information technology. Many times, when looking back over a position you may have held in the past, you may realize that you were exposed to various technologies and skills that are security related. Stress, frustration, excitement and the pressure of learning your position can sometimes cause one to miss these overlapping functions that you perform day-to-day. Those functions may have been roles or assignments (task) that support your transition into Security.
Have you ever worked on endpoints and were tasked with hardening the Operating System? Were you responsible for removing low-level commodity-based malware (toolbar’s, pup’s, adware?) Were you server side and responsible for creating group policies that may have lowered the risk of vulnerabilities being exposed by internal users. Performing access control administration, and provisioning permissions to objects, files or folders? Many experience professionals moving into IT Security may have already had task or multiple task in which the purpose of the activity was to reduce and mitigate risk as it relates to people, processes, and technologies.
Reviewing your resume, and the task you performed in previous positions, may shine light on your exposure to Security; and you may be surprised at just how much you have been exposed to. However, one must understand the basics about what is expected from security before they could hope to successfully map out all previous task to roles that may have had some “security flavor.”
Get Security+ (Or other entry level certifications).
Over the years my understanding of how important certifications are as an aid to your career has varied. As someone who carries multiple certifications, I can say that I have seen the return on that investment, even though it may not have been monetarily. Your understanding of process can improve by understanding the frameworks, theories, and concepts that the certification process can help develop in your methodologies & practice. I believe that certifications play a role in developing well-rounded professionals. In my observation, experience and mentorship easily come in as the 1st and 2nd most crucial factor to the growth and development of individuals. So, I preference this by saying that getting Experience and “Mentorship” in Security will do more for you (as it relates to gaining valuable insight that could help and organization.) than anyone 1 certification.
With that being said, Security+ is recommended if you are moving into IT Security. I strongly suggest that this certification is earned before entering the field. I don’t know how many times I’ve worked with someone who has stated that they were studying to get a certification just to watch them get hired and see that it never was really something they could make the investment in. When you obtain the Security+ you show that you have invested at least 20-40 hours into learning about Security at a fundamental level. While the Security+ will never be mistaken as the world class indicator of someone’s security prowess, it does separate you from the pack, and give you a knowledge and skill advantage over those whom don't have experience & mentors. If you and another candidate are identical besides the certification, it could put you over as the hired analyst. Also, as was mentioned earlier, it can help you fill in gaps with task and functions you performed in the past, increasing your chance that you can highlight your security related exposure in a standardized security language, learned from Security+. Confidentiality, Integrity, and Availability anyone??
Do some reading!
Yeah, this one is a real shocker, right? Reading, that fundamental thing that brings so much success, vision, and creativity to those who partake. There are many whitepapers and best practices out there that you can began to get familiar with so that you are not starting at a disadvantage. NIST Special Publication 800-61 (For Incident Handling), CIS top 20 Critical Controls, and your choice for Risk frameworks. By understanding the industry standards and guidelines within security, one can already start to “tinge” the light at which one observes things. It takes a while before you see things from a security perspective. Transitioning from an Enterprise Engineer to an IT Security Analyst, I was appalled at how little I was aware of “staunchly regulated, and control based security” and how it was missing from my day to day awareness. While I was an Enterprise Engineer that performed security related functions, I did not see at the time what I had been addressing from a security perspective framework point of view.
I believe looking at things from the eye of someone who is thinking “how will this ‘change’ impact the risk or exposure of our organization?” is someone that will go a long way to being able to protect that organization. By becoming familiar with the standards, frameworks, objectives, goals, and strategies of IT Security, you will quickly be someone who becomes familiar with the themes and patterns of what makes for good security. Also, don’t forget to stay up to date by subscribing and bookmarking sites that would keep you in the loop about the latest technology, exploits, trends, and methods of protection.
Network - Network - Network
Networking will probably provide you the biggest bang for your buck over the long haul. Staying connected with the people and companies that are looking for some of the talents and skills you are accumulating is a sure-fire way to increase your rate of opportunity. This is a high yield dividend stock. Your returns will be there in many ways, but they will be consistent and pay out over time. Attending functions, webinars, & conferences are a good way to get face to face and hear from other pros and vendors about trends they are seeing within the field. Getting some business cards and rubbing some elbows may be the break that gets you into the field of your dreams, so while you don’t have to go crazy and attend 50 conferences a year — 1-2 may provide enough ROI to be worth your TIME.
There are various other strategies, tactics, and ways to get into security, so doing the above isn’t guaranteed to get you in or keep you out. However, I believe that the foundation that the items above provide are well worth consideration and adoption if you are interested in switching career paths or hoping to join IT Security sector after leaving school.
Do you have other strategies or opinions for getting into IT Security? Please feel free to leave feedback and tips!
Until Next Time!
~TechJacks
Leave A Reply