Sunday, April 5, 2015

Starting Information Security Career?

A lot of people ask me every now and then how to start a career in information security. These people range from young graduates to mid-level professionals and even manager-level professionals. So I thought of writing a blog post that would help the many knowledge pursuers and career changers who want to enter the rich and broad field of information security effectively. The post has been written from the perspective of service providers (joining one is the best way to learn the ins and outs of information security!).

To keep it very simple, there are two major domains in information security field:

1) Technical
2) Managerial

In the technical domain of information security, as the name suggests, almost all the work is technical. You (can) work on technical solutions and services in R&D, pre-sales, post-sales, training, or support. Each of these is explained as follows:
  • R&D: You find out how different technologies work and gain expertise on them in your test environment (to start with). Or, you develop a technology solution, service or training of your own that helps organizations meet their security goals and endeavors.
  • Pre-Sales: You face customers! You pitch them your solutions and services. The pitching can range from presentations to demos to PoCs to running pilots, from drafting an RFP to complying with its requirements via an RFP response, to designing a BoQ. The majority of selling happens here!
  • Post-Sales: Once pre-sales ends successfully -- the post-sales phase kicks in. In this phase, you implement and deploy solutions for the customer or provide services as per the defined scope and the acknowledged project plan. The major component of this phase is helping customers design, configure and implement the solution or service in the way that benefits them the most.
  • Training: Trainings can be product-based or product-independent and focused on developing a particular skill. Usually, once the solution or service has been successfully implemented -- customers want hands-on training so that their staff can handle the daily routine operations associated with the solution or service. That is one aspect of training. Training can also be provided independently to enable customer staff to perform a particular area of their job (for example, incident response, malware analysis, etc.) effectively. There are a lot of training bodies as well (EC-Council, (ISC)2, ISACA, etc.) -- delivering their trainings can be quite profitable, and a lot of solution / service providers do this and have dedicated training teams and departments.
  • Support: Support is an essential part of solution and service selling. Support ensures that business flow is continuous and that customer retention is effectively 100%. In the support phase, customers are able to get issues in the solution they have deployed or the service they are using fixed swiftly (via support engineers).
In order to be able to perform any of the above activities (or the activities associated with the phase of your interest) -- you need good technical research, knowledge-acquisition and knowledge-transfer skills. Often, technical people think they do not need to work on their soft skills -- assumptions like that are very wrong. Good soft skills are a must for any information security professional and are essential for growth!

Now, coming to the second major domain of information security; the managerial part of information security encompasses security management practices varying from policy development, risk management, compliance assurance to process optimization, standards' implementation, suggesting controls, ensuring they are implemented and reviewing their effectiveness.

The managerial domain is more focused on people and processes and is interlinked with the technical domain via the use of technology. The managerial domain aligns information security with the business goals of the organization and frequently takes ROI into account while reducing risk at the same time. ISMS standards like ISO 2700x and BCM standards like ISO 22301 / 22313 come directly under the managerial domain of information security.

My recommendation for entering information security has always been to start from the technical domain, get a feel for working in information security and then choose where you want to go. If you want to stay on the technical side, the following are some of the fields:
  • Work with security related solutions like endpoint security, vulnerability assessment, security information and event management, identity and access management, data leakage prevention, two-factor authentication, database security, web application firewalls, next generation infrastructure firewalls, IPS, IDS, advanced threat detection solutions and so on. 
  • Work with security related services like vulnerability / threat assessment, penetration testing, network design review, source code review, digital forensics, incident response, malware analysis / reverse engineering and so on.
  • Work with security-related trainings to enhance the skills of knowledge-seekers. Apart from trainings or courses offered by governing bodies -- trainings can range from integrating a secure software development lifecycle to performing black-box / white-box penetration tests to performing incident response or doing malware analysis and so on.
My other recommendation, particularly for young graduates, is to work with IT technologies first: get a good understanding of how things work, go in-depth and gain expertise in implementing them. Once that is done -- you are in a very good position to either circumvent or protect these technologies and information systems. Changing role from implementing a technology to protecting it becomes easy this way. For a technical information security professional, fast-paced research and quickly gaining knowledge of technologies are key to success, alongside good soft skills.

Starting your information security career in the technical domain helps a lot in understanding the underlying technologies, how they can be vulnerable (to attacks), and how to put the right controls in place to keep them protected effectively and efficiently. This path also makes entering the managerial domain easy -- all you need to do is study ISMS or BCM standards and develop an understanding of how to perform thorough risk management or a business impact assessment. Once you have developed a good understanding of how different standards work and how they can be implemented -- you are ready to work as a consultant for firms that want to implement an ISMS or have theirs reviewed.

The key skills generally needed to become an information security professional are as follows: 
  • Focused research 
  • Persistence and hard work
  • Communication (both oral and written)
  • People skills
The top certifications to transform your career in information security are as follows: 
  • CEH or CPTE (technical)
  • CHFI or CDFE (technical)
  • OSCP (technical)
  • CISSP (managerial)
  • ISO 27001 Lead Implementer / Auditor (managerial)
  • BCI certifications (mostly managerial) 
I hope the information presented in this post helps you in choosing information security as your career path. If you want to discuss this further -- please feel free to reach out to me at wajahatrajab[@]gmail[.]com.
