Wednesday, April 18, 2007

Entering the IT Security field

I have answered some career-related questions in another blog, and I feel that it is good information to mirror into this blog as well.

Common mistake
Having been in the IT field for more than 15 years and teaching folks since 1993, I know quite a bit about IT, and particularly about IT security. I began my journey in that field by taking responsibility for managing one firewall. It was a good start. It gave me a lot of exposure to IT security, forced me to read in depth about various protocols and concepts, and forced me to learn UNIX. The common mistake is to start a career by taking certification classes or exams. The concept of "certification" is about certifying the skills you already have. So, my suggestion (if you really want to be a high-level professional) is to start with hands-on experience. If you want to know more about certifications, read my article published in 2002 that (some people believe) still has some value:
Find a way to get some exposure to security appliances (firewalls, proxy servers, content filters, IDS), software (basically the same, but software-based), and tools (scanners, packet capture/analysis, sniffers, etc.), and, as a must, read the literature and security-related articles that will expand your horizons. Be a volunteer, find a mentor, or at least build a small network at home and play with evaluation copies (or freeware) of various software utilities, programs and firewalls. Learn how to harden an OS or a web server. Build a Linux server and workstation. Talk to your management and express your interest in getting more exposure and responsibilities in IT security. Present it as a potential benefit to your organization.

Another suggestion is not to take short-term training classes but rather to buy multimedia-based self-training software with live instructors who present the topics you want to learn. There are many benefits (repeating, stopping, portability, rewinding, pausing, etc.). Some vendors also offer online mentoring in addition to the software. All this works fine if you have enough self-discipline. If you follow the path I suggest, the certifications will be achieved more easily and will add value to your hands-on experience. Don't forget that in the security field employers are looking for real-world experience. So, the abbreviation letters after your last name will be more powerful if you have something in your resume that highlights your hands-on skills. I would not suggest the CISSP certification at all at this stage of your career. The CISSP certification is valuable when you have substantial experience (5-7 years) in the information security field. It is mostly designed for management-level (or at least senior-level) security professionals. That certification can give you more opportunities to get a better-paying job, but only at the right time. If some folks disagree with me, I would refer them to the article above, where I describe the dentist who had just gotten certified.

If you still seriously consider CISSP as one of your choices, you can at least get more information and links about it here: (this site also has a comprehensive index of free IT security resources).
Best of luck in your career!

1 comment:

Mike Scott said...

Sounds like some really good advice. I had considered trying to get into security, and you pretty much highlighted the same path I was planning on taking.

I'm really glad you found my blog, because I hadn't been to yours before and it is a great resource. Keep those posts coming!