In this article, we discuss the steps you should take to start and build a successful career in information security.

1. Work out if it’s right for you

You can enter the field from school, college, from another tech discipline or, with enough planning, persistence and personal development, from an unrelated discipline. But before you start the journey, you need to make sure it’s a good fit. You’ll need passion to make a success of it, so don’t just follow the paycheck. While there isn’t a formula, common character traits of successful information security practitioners include being analytical, persistent, curious and perceptive. They like solving problems and have an engineering mindset: they revel in details, want to know how things work and enjoy the challenge of fixing them when they break. Soft skills become more important as your career develops. But because threats and breaches often impact different areas of an organization, you must be a good communicator – able to talk in business not just technical language – and an active and positive team player. You’ll also need to work out-of-hours on self-development since the threat landscape and response tools change so often that it’s difficult to commit enough time during the workday to keep on top of the latest information.

2. Narrow down your options

The days of the “security expert,” who knows about everything, are over. The focus is now on niche specialists. These days, you can specialize in areas such as web application security, forensics, compliance/risk management, auditing, network security and identity management. You’ll find a good list of roles here. Choosing a specialty won’t stop you from moving to another later in your career, but in the early days, it’s best to pick an area that has a buoyant job market and that serves as a cornerstone for future career development. Search current hot topics and find out what commentators and practitioners are tipping as future market trends. No one can predict what will happen for sure, but it will help shape your career plan. Remember, there are employment opportunities in the private and public sectors. Although many of the roles and skills are the same, the characteristics of each are different. Some people intuitively don’t want to work for the government, while others see it as a high-profile employer and a relatively safe long-term career option. As for the private sector, you might get more variety, but working for an information security service provider also means you quickly tire of airport lounges. Each option has ups and downs, and not every path will suit everyone.

3. Self-development can get you a long way fast

To defend something from attack, you need a good grasp of how it works. To understand or prevent network intrusions or attacks, you need to understand network architecture, and to help address system compromises, you need to understand system architecture and programming basics. So before you wade too deeply into security matters, make sure you know the technology. Beyond the huge number of sites with free resources, including from Infosec, there are specialist information security books and conferences such as the big annual events like Black Hat, DEF CON and RSA, and a host of smaller, local events that are often free and a great networking opportunity. Social media – Reddit, Stackexchange or the many groups on Twitter and Facebook – has endless tips and guides, and lets you keep track of hot topics and job opportunities.

Get practical experience applying what you learn

Information security is a good example of a career where experience counts for more than formal education. Every job, even entry-level, asks for some experience as a prerequisite for an interview, so get as much of it as you can. Many practitioners have their own lab setup. Aside from adding to your IT knowledge as you build and maintain it, a lab means you can exercise different security scenarios without bringing someone’s system down. It used to be expensive to buy the software and hardware and energy-hungry to operate, but now you can hire most things from cloud-based suppliers. Hackathons, capture-the-flag exercises or hacker playgrounds are a good way to try out your skills for real. Once you’re a step further on, you can find software bugs for vendors and earn in the process.

4. Getting certified deepens your knowledge and opens more doors

For some people, self-development is enough to get their career going, but others will want to add formal training and certifications. Most employers value experience, critical thinking, self-learning and motivation more than certifications, but large corporations or government bodies are different. If you’re aiming to get hired in that sector, you need to consider it. If you’ve got a degree in a computer science subject from a credible institution, that’s a big help, but otherwise or in addition to that there’s a range of organizations offering certifications recognized industry-wide. CompTIA, (ISC)², ISACA, EC-Council and GIAC are the most popular, as well as vendor-specific certification bodies like Cisco and Microsoft. Other popular entry-level certifications are Security+, offered by CompTIA, and the Certified Ethical Hacker, offered by EC Council. DoD-approved certifications can also help open the door to working in the sizeable defense market.

5. Work hard at getting that first job

Chances are your first information security job won’t come quickly or easily. With any luck, your social media networking will get you a foot on the ladder. Otherwise, you’ll be in the same cycle as every other job hunter: search, apply, repeat. On the upside, there are lots of information security job opportunities, so the process shouldn’t be too onerous. Just be prepared to persevere and be patient. Some employers offer internships which, with little or no salary, aren’t a great option. However, they can be beneficial if you view them as an opportunity to get through the door of an attractive employer. If that’s you, then commit to making a success of it quickly and getting onto the proper payroll fast.

Create a resume that will get attention

Your resume is most likely to be the first thing a potential employer sees, so take time to get it right. There’s a lot of resources available to help, but the main things to remember when you are at the early stages of your career and have little, if any, employment to leverage are:

Experience needs to be front and center. The areas we described above are all relevant, so describe them in detail. Tailor your resume to the job ad; don’t just send the same one to each potential employer (as most applicants do). Read the job ad properly (most people don’t do that either) and provide examples of how you meet the characteristics and skills they’re looking for. Keep it short. Most recruiters will only scan a resume to see if it ticks their boxes. Faced with a pile of resumes to get through, they’re most likely to throw out the long ones straight away.

If you get a positive rejection — they like your resume but you don’t have enough of the right experience — ask for a referral to a company that might be a better fit. You might be lucky and get a few tips. Once you’ve written your resume, contact a few recruiters. They know what skills clients are buying, and some will give you good advice on the measure of your resume against market demand.

At the interview

It’s sadly common for candidates to inflate their credentials, so expect to be challenged at the interview. Employers have been burnt too many times to take things at face value. The selection process often involves facing off against an expert and might include practical tests, so brush up beforehand. A good knowledge of the current threat landscape and high-profile attacks, particularly how they apply to the employer’s business, shows you’re thinking about the business implications and not just the technical ones.

6. Take full advantage of your first job

The priority is to work hard and deliver what’s asked of you, but you should be mindful of the career development benefits too. Develop your soft skills and learn to speak in a language that the general corporate worker understands. This will be important as you move into other information security roles: auditing, for example, where you must communicate with a lot of different stakeholders. Take advantage of any training that’s offered and ask to attend conferences — funded, of course, by the employer. Find a mentor, someone that’s been around the security block and can give you invaluable career guidance but also some help on technical challenges. And as you develop, become a coach to others that are just joining the organization. Push to get involved in the big, high-profile projects and don’t shy away from the challenges. Finally, move on at the right time. At the early stages of your career, that’s usually easy to figure out: it’s when you’ve stopped learning.

7. Don’t stop when you’ve just started

Building a successful career in information security is a long-term commitment. Self-learning doesn’t stop and, since you’ll face more responsibility and greater challenges, it takes on even more importance. Rather than use social media or conferences to soak up knowledge, you can gradually move towards becoming a contributor. Running your own blog or publishing software tools to help other practitioners are ways of establishing your credentials and getting a reputation that will help you move forward to even better jobs

Sources

Cybersecurity Jobs Report 2018-2021, Cybersecurity Ventures Information Security Analyst Salary, Payscale DEF CON 26, InfoSec Resources Bug Bounty List, Bugcrowd Government, CompTIA