
Getting into Information Assurance Careers June 2, 2015

Posted by Chris Mark in Uncategorized.

I have had a number of folks email me asking about becoming an InfoSec worker, so I am writing this post to (hopefully) help those who are interested.  In 2001, I landed in InfoSec by pure luck and I have never looked back.  It is an amazing field and a great career path.  First, some marketing.  According to the InfoSec Institute, the average CISSP salary in 2014 is over $100,000 per year.  In 2013 there were 209,000 job postings for CyberSecurity jobs, and it is estimated that in 2015 there are 40,000 more jobs than people to take them.  In short, it is a very high demand field.

InfoSec?  CyberSecurity? Information Assurance?  WHAT?

It is even confusing to me sometimes.  At a high level I use the term Information Assurance because it encompasses all of the elements of protecting data.  This includes data security (protecting data), CyberSecurity (protecting the systems and infrastructure), Privacy (appropriate use of information), Compliance (ensuring your company complies with relevant regulations) and Risk Management (evaluating the security risk of your organization).  While this short post does not allow for a more comprehensive overview, these are the generic ‘pillars’ that we consider.

What types of Jobs are Out There?

Generally, an infosec pro will either work ‘in house’ for an organization or as a consultant.  Working ‘in house’ can entail working as a Security Analyst, where you may be responsible for reviewing logs, alerts, and supporting configurations.  As you move up you can take roles such as Chief Information Security Officer (CISO) or Chief Security Officer.  These are the folks responsible for the overall security of the organization’s information assets.

As a consultant you will be paid to go ‘onsite’ with clients and provide services such as auditing or assessing against a standard.  In addition, you may be asked to support clients by evaluating firewall configurations, writing security policies, assessing against an ISO standard or providing security architecture support.  The list goes on.  The key things to remember are that 1) consultants travel a LOT (upwards of 50%) and 2) you get paid very well compared to internal folks.

Do I need a Degree? 

The answer is a qualified ‘No’.  Depending upon what specifically you want to do, a degree may be required or at least helpful.  Generally, the very technical specialties such as digital forensics, application programming, or penetration testing often require a degree, or are at least easier to get into if you have one.  In the other fields (network architecture, compliance, etc.) certifications are typically sufficient to get into the field.  Remember that as a consultant, “soft skills” such as writing and speaking are as important as being able to read a firewall configuration.

What Certifications Do I Need??

While there is debate over the usefulness of the certification, the Certified Information Systems Security Professional or CISSP is considered the de facto certification required to get into the infosec field.  Those without sufficient experience to sit for the CISSP can sit for the more junior SSCP certification until they gain the appropriate experience.  ISACA’s Certified Information Systems Auditor or CISA is also a very valuable and respected certification.  Finally, SANS has some great certifications (GIAC) and SANS even has degree programs!  Last but not least, people can look at Certified Ethical Hacker (CEH) or, for those who like privacy work, the Certified Information Privacy Professional (CIPP).  While these ‘industry certs’ are necessary to get a job, they are not worth anything without a basic understanding of networking and system administration, at a minimum.  For those brand new in the field and starting out, I recommend that you get some networking certs such as Cisco’s CCNA and CCDA, basic Microsoft system admin certs such as Microsoft Certified Professional (MCP), and CompTIA’s Security+ cert.  Keep in mind these are baseline certs.  You will build up experience and want to expand on your knowledge.

How Long Does it Take to Get Certified?

That depends.  It can take a dedicated person anywhere from 6 months, start to finish, to get the basic certs, or well over 2 years.  It all depends upon your starting knowledge and how much effort you are willing to put into the study.

What Can I Expect to Make Starting Out?

Like everything, that depends.  Statistically, the median salary for a CISSP is about $100K per year.  The top 10% make over $138K and the bottom 10% make $50K.  Truth be told, with a CISSP or even an SSCP, a starting salary of $50K per year is not out of the question.  As a new consultant you can still expect to be over $60K per year, and with a couple of years of experience with large clients and a reputation for good work, hitting $100K is not unheard of.  Compared to the median personal income in the US of about $32K per year, InfoSec pros are very well paid.

What is the typical Day Like?

I can only speak as a professional consultant.  Typically consultants work from home.  You need to be able to get to a major airport to travel, and you are on the road up to 50% of the time.  For those of us who like being consultants, the travel is great.  In fact, I get ‘itchy feet’ when I am home too long.  Typically, you will be scheduled to travel to a client’s site.  You will show up, do your onsite portion, then fly home to write the reports, etc.  At home you work on ‘big boys/big girls’ rules.  Nobody is watching you or harassing you.  You are well paid and professional, and expected to get your work done.  As a new consultant you will ‘2nd seat’ with a more senior consultant who will show you the ropes and handle the client issues.  Miscommunication, missing info, etc. can create a sometimes tense environment.  This is not unexpected.  I have often said that if you are sensitive about being yelled at, called names, or fired, being an infosec consultant is not for you!  Ask anyone in InfoSec and they will all tell you they have been fired from a client at least once, probably made someone cry, and been cursed at and called names.  It is just the business and nothing personal.  Thin skin doesn’t work well.

What Other Skills are Needed?

Specifically, to be a consultant I believe you need to have the following skills:

- project management skills
- speaking/writing skills
- “customer facing skills”, i.e. communication
- time management skills
- ability/desire to work independently

Some are more important than others and some can be learned.

OK..I am certified…now where do I get a job?!

Start at Monster.com and Dice.com.  Set up a LinkedIn account and start looking!  It will not take long to find work, and then you are on your way.

For those who are super smart and motivated, you can even get into credit card security!  Check out the PCISecurityStandards.org website and see about becoming a PCIP or QSA!


1. 1,000,000 InfoSec Job Openings in 2016! | Global Security, Privacy, & Risk Management - May 10, 2016

[…] Last year I wrote a blog post about how to get into the InfoSec career field.  Two things that many people may want to know off the bat: 1) a college degree is NOT required (although often very helpful) and 2) the pay is VERY good (basic supply and demand).  In my experience most people could probably get into the field with anywhere from 9-18 months of self-study.  You can get in quicker if you attend a course.  For more information, please read my blog post: Getting into Information Assurance Careers. […]
