Getting Started with a Career in Cybersecurity

So, I just finished reading an article, linked on Twitter, that offered some sound advice for anyone wanting to start a career in Cybersecurity. Article: Getting a Career in Cybersecurity

My advice to young folks wanting a good career is to focus on IT certification and programming skills first. That’s because there are many more jobs available to IT folk, and they are often more easily accessible than cybersecurity jobs. Remember, a career in cybersecurity means you’re capable of everything a traditional IT person is capable of, and more. You’re defending against IT and programming mistakes and using all of your IT skills to push back the bad guys.

So a start in IT will get you some experience and money, and you can grow from that into cybersecurity.

The author does provide some motivating stats about the growth of the career field and potential for higher than average salary.

By 2019, the worldwide need for cybersecurity professionals is expected to reach 6 million jobs — but companies will likely be able to only find 4.5 million people able to do the work.

That means there is the potential of 1.5 million jobs — high paying jobs at that — that can go to anyone with the qualifications. Burning Glass, a job posting site, reports that they had 50,000 postings for candidates with CISSP (Certified Information Systems Security Professional) certification.

The one issue I have with the article, though, is that the author failed to explain WHY there is currently a shortage. This shortage exists because the CISSP certification (and other similar certifications) requires a set minimum number of years working in InfoSec, which must be reviewed and approved by the certification’s governing body.

The Certification That Inspires Utmost Confidence
If you plan to build a career in information security – one of today’s most visible professions – and if you have at least five full years of experience in information security, then the CISSP® credential should be your next career goal.

The CISSP was the first credential in the field of information security, accredited by the ANSI (American National Standards Institute) to ISO (International Standards Organization) Standard 17024:2003. CISSP certification is not only an objective measure of excellence, but a globally recognized standard of achievement.

For your CISSP credential, your professional experience has to be in two or more of these 10 (ISC)² CISSP domains:

  • Access Control
  • Application Development Security
  • Business Continuity and Disaster Recovery Planning
  • Cryptography
  • Information Security Governance and Risk Management
  • Legal, Regulations, Investigations and Compliance
  • Operations Security
  • Physical (Environmental) Security
  • Security Architecture and Design
  • Telecommunications and Network Security

Do you have the proper experience for your CISSP® credential?
You must have a minimum of five years of direct full-time security work experience in two or more of these 10 domains of the (ISC)² CISSP CBK®:

  • Access Control
    Concepts, terms of subjects and objects, implementation of authentication techniques
  • Application Security
    Security and controls of the systems development process, life cycle, application controls, change controls, data warehousing, data mining, knowledge-based systems, program interfaces, and concepts used to ensure data and application integrity, security, and availability
  • Business Continuity and Disaster Recovery Planning
    Preservation of the business in the face of major disruptions to normal business operations
  • Cryptography
    Business and security requirements for cryptography, principles of certificates and key management, secure protocols
  • Information Security and Risk Management
    Identification of an organization’s information assets and the development, documentation, and implementation of policies, standards, procedures and guidelines that ensure confidentiality, integrity, and availability
  • Legal, Regulations, Compliance and Investigations
    Computer crime laws and regulations, the investigative measures and techniques which can be used to determine if a crime has been committed, methods to gather evidence if it has, as well as the ethical issues and code of conduct for the security professional
  • Operations Security
    Identify the controls over hardware, media, and the operators with access privileges to any of these resources
  • Physical (Environmental) Security
    Threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information
  • Security Architecture and Design
    Concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability
  • Telecommunications and Network Security
    Structures, transmission methods, transport formats, and security measures used to provide integrity, availability, authentication, and confidentiality for transmissions over private and public communications networks and media

Note that if certain circumstances apply and with appropriate documentation, candidates are eligible to waive one year of professional experience:

  • One-year waiver of the professional experience requirement based on a candidate’s education
    Candidates can substitute a maximum of one year of the direct full-time security professional work experience described above if they have a four-year college degree OR an Advanced Degree in information security from a U.S. National Center of Academic Excellence in Information Security (CAEIAE) or regional equivalent.
    OR
  • One-year waiver of the professional experience requirement for holding an additional credential on the (ISC)² approved list

Valid experience includes information systems security-related work performed as a practitioner, auditor, consultant, investigator or instructor, that requires Information Security knowledge and involves the direct application of that knowledge. The five years of experience must be the equivalent of actual full-time Information Security work (not just Information Security responsibilities for a five-year period); this requirement is cumulative, however, and may have been accrued over a much longer period of time.

Simply “kicking off” a career in InfoSec is not easily done, and this should have been elaborated on more within the article.

Another issue not mentioned by the author is the need for an InfoSec candidate to have a diverse IT background. In other words, they need a solid foundation of knowledge across many areas of IT to better understand how the puzzle pieces fit together: how networks work, the role(s) a sysadmin assumes, how firewalls and DMZs work. While lacking this foundation does not absolutely disqualify a candidate, having it more than makes up for the time and effort spent learning and building it. It will also lead to better pay potential.