Careers: Getting and Keeping an Information Security Job
Tips for starting out, furthering your information security career
We hear two questions repeatedly at Enterprise Strategies: "How do I begin a career in information security?" and "How do I further my career in information security?"
Good questions, says the person we turned to for answers—Dow Williamson, communications director for the International Information Systems Security Certification Consortium Inc.—also known as (ISC)2. Based in Vienna, Va., (ISC)2 is a global, not-for-profit information security organization that administers the Certified Information Systems Security Professional (CISSP) and System Security Certified Practitioner (SSCP) credentials. Williamson holds a CISSP.
Both credentials indicate information security experience. Either can be acquired only after passing an exam and maintained only through continuing education.
A question we often hear: “How do I get started in information security?”
From a career path standpoint, the logical starting point for people who want to get into the information security area is a good undergraduate degree.
Which schools are known for their information security programs?
The National Security Agency has just come out with a list of 50 or so colleges that are part of its Centers of Academic Excellence in Information Assurance Education, schools that profess to have the level of expertise that you need to get started. So a good starting point is a degree from one of those institutions.
Does the NSA program offer money to students?
I believe the NSA is awarding scholarship grants to a certain very limited number of individuals who want to pursue a career in the information security world, and they can take that grant or voucher and go to one of the 50 or whatever the number is, to one of the colleges that's been [certified].
What if you’re not an undergraduate, or you’ve already graduated?
What you need to do from our standpoint is get into a professional career path orientation. They can try to follow one of two paths depending upon what they think they want to do. Either a strategist/manager career, or more of a tactician's career path. What that means from a practical perspective is, the first thing you do when you get out of college, if you think you have the technical skills, you take one of two exams: the CISSP [for strategist/managers] or the SSCP [for tacticians].
What about after graduation?
From an ISC standpoint, we would welcome you into a program we just started called the Associates of (ISC)2. You take the CISSP or SSCP, and if you pass those, it means that the college has given you the [required] technical knowledge. What the Associate program means is you don't have the requisite professional experience to [completely] pass the CISSP or SSCP.
However, once you're an Associate, and sign the (ISC)2 Code of Ethics, you become part of the ISC’s specialized [online] forums, peer networking, and other information we have available.
What’s the required professional experience to gain credentials?
For the CISSP, designed to be the more mid-to-high-level management certification, with a big-picture, strategic understanding of information security issues, it’s four years. For the SSCP—the tactician or system administrator track, if you will—it’s one year of professional experience.
Then, after you acquire the necessary experience and get an endorsement from someone else who already holds the credential, you can be awarded the full CISSP or SSCP credential, and you can continue on in that career path.
So you’ve gone from getting out of college to going on in the career path that you choose.
What if you’re making a career change?
We can point people to resources and make recommendations on the other materials that might be appropriate to build their knowledge foundation.
In addition to that, in conjunction with our partners, (ISC)2 also conducts training at about 40 locations around the U.S., and even more around the world, so people have the opportunity to go to what we call review seminars, either one or two weeks long, to give you an overview of the high-level things you might see on the CISSP or SSCP exam. It's not meant to teach the exam, more to convey these are the kinds of things you'll see on the exam, and to convey the kinds of things you should have been studying over the last couple of years in preparation for the exam.
Does the SSCP also require previous information security experience?
It's meant for system administrators, network administrators, security administrators—more of the hands-on, tactical or technical aspects of the career field. In the case of the CISSP, there are 10 different domains or areas or topics that encompass the CISSP credential. In the case of SSCP, there are seven domains, and they're more technically focused and narrowed in on the security and network administration.
That's why there's only one year of experience required before you can gain the SSCP credential, and in terms of the actual exam, there are 150 questions, versus 250 for the CISSP. So it's a slightly different track to credentialing the information security professional.
So current IT folks who want to move into security need to get relevant information security experience to take the exams?
Yes, or take academic classes from one of the 50 universities. Capella University offers a nice online masters in information security as well.
I really think you need to start with an academic foundation as much as possible. Then there's really no substitute for actual experience, and that’s why we require four years [for CISSP] or one year [for SSCP] of experience, because you can gain book knowledge, but there's really no substitute for hands-on experience.
Talk about the continuing education component.
The information in this business changes so quickly, so a continuing part of our certification is continuing education. Once you get the certification, [it’s] part of your requirements to maintain that credential. [It] requires people over a three-year period to do certain things to keep their knowledge up to date.
There’s also a peer network. It’s a great way to keep you up to date and continue in this profession.
NSA Centers of Excellence: http://www.nsa.gov/ia/academia/caeiae.cfm
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.