
So you want to be an Infosec Jedi Knight?


Congratulations! As Obi Wan would say, you've taken your first step into a larger universe. The information security industry has many needs, and having enough qualified professionals is probably the biggest one. Government and private industry are scrambling to get information security professionals in place. In a classic tale of good news/bad news, the security threats caused by the bad guys seem to portend long-term, full employment for you. As you have probably already learned, there isn't a simple road map for an Infosec career path - there are several ways to contribute, and leveraging your existing skills may be more helpful than you think.

Jobs for Hackers?

Sure, opportunities for hackers abound in corporate environments. The trend seems to favor contracting these services vs. hiring, which tends to suit both parties. The exception to this is with professional services organizations that perform ethical hacking and provide intrusion-testing services.

The reality is that good hackers understand the components of computer networks on a level that we mere mortals can only hope for. Companies are increasingly realizing that they need to go to these experts to find where the holes in their systems really are. Because of this, companies are markedly less judgmental about issues such as personal appearance, but not when it comes to illegal or unethical activities. There is still plenty of room to have fun in the boundaries between pinstripes and prison stripes.

The best way to find these jobs is by building a reputation within respected hacker circles: mailing lists, Web sites, conventions, etc. Being able to code a security utility or demonstrate an exploit of a new systems vulnerability will get you noticed. It will also weed out script kiddies who are only capable of using or slightly modifying existing code to exploit existing vulnerabilities.

I'm from the Government, and I'm here to help

The government will continue to be a large employer of security professionals. For those looking for information security work as a way to further their education and accomplish larger career goals, the Federal Cyber Service Initiative proposed by the Clinton administration includes something called the Cyber Corps. This is meant to attract bright young technologists, who would serve as federal computer warriors in exchange for computer-science scholarships. Congress has passed several bills to increase funding for cyber security, and we can expect this to accelerate post-Y2K. Those who have worked within the military on information security issues are increasingly in demand within the civilian sector as having the proper sense of urgency to deal with infosec problems.

Specialization

The key to maximizing your value is to specialize in a niche market of information security. For just about any technology you can think of, cottage industries have popped up to focus on the security aspects of that technology. If you have experience as a Sun administrator, Cisco engineer or Java programmer, leverage that knowledge and build a reputation for understanding all of the security issues within that niche. Companies will see more value in a Dr. Solaris Security or a Dr. Router Security than in people billing themselves as jacks of all trades. A person who has administered a Solaris network will not only have a strong grasp of the operating system, but will know how administrators think: what daily pressures they have, what holes they are likely to leave open, what standards they are likely to follow. Some people seek to make a clean break with the past when they make career changes, but don't throw away what you have already learned. Instead, find ways to adapt your skills into the Infosec realm.

Training & Certification

While certification is not a substitute for experience, the right combination of real world experience and acronyms on your resume can make a real difference in your asking price. Many vendors have security-related courses and some even have security-focused certification programs. However, you may need to stretch your training & certification dollars and make some hard choices. One of the most frustrating parts of paying for an expensive vendor course is how quickly the technology becomes outdated. Although very focused knowledge and specialization are critical, I would recommend using constrained training & certification dollars to get a more general certification to round out your specialized skills.

The most widely respected nonvendor certification in the information security field is the Certified Information Systems Security Professional (CISSP), from the International Information Systems Security Certification Consortium, also known as (ISC)². (ISC)² has a certification exam based upon what they call the information systems security Common Body of Knowledge, consisting of the following test areas:

  • Access Control Systems & Methodology.
  • {Computer} Operations Security.
  • Cryptography.
  • Application & Systems Development.
  • Business Continuity & Disaster Recovery Planning.
  • Telecommunications & Network Security.
  • Security Architecture & Models.
  • Physical Security.
  • Security Management Practices.
  • Law, Investigations & Ethics.

There is information on exam preparation at the (ISC)² Web site, and related educational programs. Get your technical training from real world experience, or make the vendor pay for it. Use your own dollars to get a certification that will last longer than the next revision of a product.

The training offered by CERT for incident response and general security issues is excellent as well. Most courses are held in Pittsburgh, with a few also available in Arlington, VA.

The worst thing most of you can do, no matter how smart you are, is to take some training and hang out your shingle as an Infosec expert. You need to first participate on some security-related projects, whether within your company or volunteering through the Net. Take incremental steps towards your goal, including moonlighting if allowed by your organization, because it removes much of the risk in a career transition while you are earning your stripes.

Infosec career pathing may wind up being best accomplished by leveraging your current field expertise. Augment this with the appropriate field training. Finally, add a respected certification such as CISSP to your name and you will find increased opportunities in the industry and greater personal rewards. Above all, if you want to be an Infosec Jedi Knight, the most important personal asset you can have is a sense of humor. The next few years in information security will give you ample opportunity to use it.

Jim Reavis, the founder of SecurityPortal.com, is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects. SecurityPortal.com is a Web site dedicated to providing IT professionals with comprehensive information about network security issues. Jim can be reached at jreavis@securityportal.com.

RELATED LINKS

(ISC)² web site

CERT Education and Training

Hacking your way to an IT career
Computerworld, 08/12/99

Cracking for the Man
Wired, 09/23/99

Lack of systems security skills reaching critical mass for feds
Federal Computer Week, 10/07/99

Archive of Network World on Security newsletters


Copyright, 1994-2006 Network World, Inc. All rights reserved.