Q&A: How to Get and Keep a Security Job

Focus on social networking, ongoing analysis of today’s most-needed information security skills, and a diverse training regimen.

Want to get or keep a job in information security? If so, keep your focus on social networking, a diverse training regimen, and maintaining the security skills most demanded by today’s information security job market.

So says Aaron Bayles, co-author of “InfoSec Career Hacking: Sell Your Skillz, Not Your Soul.” To learn more, Security Strategies spoke with Bayles, who, as a senior security consultant with Sentigy Inc. in Houston, regularly conducts penetration testing, vulnerability assessment, and risk assessments for enterprise networks.

How did the book come about?

My basic IT background was building home PCs, setting up home networks, as well as playing around on the Internet in the ’90s, and with BBSes in the ’80s—modems and all that—and I thought, it would be really neat if there was something to help people who are just starting out.

So when starting out, how do people get information security jobs?

It really depends on where they’re coming from. Obviously your basic experience is critical on this, and it doesn’t have to be a proper, professional work environment. That’s something a lot of people don’t think about. … You can do volunteer work, or even just home research, if you have your standard [non-information security] 8-to-5 day job. Or if you’re in school and work on this at night. The fact that you’re doing this primary research really helps. …

Also, seek others out. You have to do the groundwork yourself here. Depending upon where you are, say a major metropolitan area, there might be 2600 groups, or Defcon groups, or local chapters of InfraGard, with the FBI. There are groups out there where you can meet people of like mind.

So as in any field, social networking is especially important?

Social networking is one of the first things you have to do … because those are people who can help vouch for you. … It doesn’t matter if you’ve been working at Burger King for two years, because at night you’re here helping discover vulnerabilities … or learning about database security. You need to find the people who can help you get those skills. That’s the first thing, is to find and meet those people. Then, talk to them … and learn. …

Then look at the jobs around you. Are you willing to relocate? Are you willing to go where a job is? It might not be in your city, or home state, or even your country. … I made a tremendous jump when I was a systems administrator here at a university in Texas, to go to Washington D.C., because it was a hotbed of activity … and it still is.

A lot of security professionals also seem to come from a military background.

A tremendous number [do]. That was one of the largest employee bases I found in D.C.—people who had done [military service] and … come out with a lot of these skills intact. Either they were doing information security in their jobs; or physical security, like for data centers; or security audits, based on clearance levels.

One of the [book’s] co-authors, Chris Hurley, mentions that … military service is always an option. It might not be for everyone, obviously, but if you’re to the point to where you don’t have any inroads, and if you’re interested in military discipline … the military is a great way to get a security background.

So what you’re saying is people can get the skills they need without necessarily landing an information security job first?

Right, and those are the people I’m writing the book for: people who don’t have much in the way of marketable skills, or professional information security experience … and who want to make that leap to where they get paid for writing secure code every day, or securing an enterprise network, … or even, if you’re into it, writing [security] policies and procedures.

Policy and procedure-writing jobs don’t get discussed as much as more technical jobs.

Well, if you have a head for regulations and policies and procedures, there’s a huge need for that right now. … And it’s also good for people who might not be the most technically skilled. …

Because, yes, you always hear about penetration testing, and wireless scanning … but any mature security program has to rely on policies and procedures and processes. Without those, all the technology won’t make you secure, and people who have good writing skills, who can understand the gap between where you are now and where you need to be—called a gap analysis—those are tremendously important skills.

What about going to school to get information security skills?

A lot of the people I’ve worked with have their four-year degrees in computer security … and some of the sharper people I’ve known have a general degree in business or [even] geology. But the only really focused [information security] programs I’ve seen are at the Master’s level, for information assurance. Norwich University up in Vermont has a pretty popular information assurance program. George Mason University, around D.C., has one as well.

How’s the outlook for information security jobs?

The outlook is definitely [better] than in other IT-specific fields. Back in the so-called dot-bomb, of course, IT was just a runaway trend, and since then a lot of companies have been hesitant to spend more money on IT. …

But research by IDC and Gartner [says] of all IT disciplines, information security is the only one projected to grow over the next five years. … But regardless, there’s much less work you have to do now than five or 10 years ago to set up an enterprise environment, or even a small office or home network. So people are not going to be spending as much as they were 5 or 10 years ago, because the infrastructure is more in place.

[That said,] I have definitely seen information security is a very growing field. I’m seeing more job postings for information security engineers or analysts … and IT auditors are definitely on the upswing because of regulatory issues.

Should people who want to transition to information security pay for training?

With education, if you can get your employer to pay for it, all the better. … Some classes are obviously very expensive and are out of reach without your employer. … That being said, there’s a lot you can do on your own without these really expensive training classes—though I’m not saying there isn’t value in those. …

Now if your employer doesn’t want to pay for it fully, look for ways to work it out with them. Maybe don’t have them pay hotel and airfare, but the entrance fee to the conference. … There are always ways to lower the cost of training, and a lot of employers are willing to work with you. Flexibility is always a key word.

How often should people train?

You always need to ensure your skill sets are as current as you can afford—and not just in money, but time. I spend a lot of time on forums, newsgroups, talking with people in the IT security field, and I go home and play around on my home network, and download tools to run against my home network and test beds. So there’s always a lot of time you have to spend to be in step with the information security community.

What’s your one best tip for potential information security professionals?

To get out there and get active. Look for people you may be able to form a connection with, either in person or online. Say, "Look, I’ve got common interests with you, or I share a friend, or family, or a co-worker."

A lot of times people say it’s who you know, and I wouldn’t say it’s just that, but a lot of times, a big part of it is social networking. So if you can get ahead with that, you’ll find there are a lot fewer problems down the road.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.