Rothke stimulating your career as an information security professional


Stimulating Your Career as an Information Security Professional - Presentation given by Ben Rothke at the CSI 2009 conference

1. Stimulating Your Career as an Information Security Professional
Ben Rothke, CISSP, PCI QSA
Senior Security Consultant, BT Global Services
October 28, 2009

2. About me
• Ben Rothke, CISSP, CISM, PCI QSA
• Security Consultant, BT Global Services
• In the IT sector since 1988 and information security since 1994
• Frequent writer and speaker
• Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)

3. Agenda
This session is:
• How you can start/further your career in information security
• What it takes to be a successful information security professional
This session is not:
• A comprehensive overview of the information security career space
• Feel free at any point to make a comment or ask a question
• This session is an interactive session

4. Opportunities
• Information security is among the strongest fields in the IT sector for growth and opportunity
• Significant opportunities in both government and private sectors
• Excellent long-term career prospects
• Increasing cybersecurity vulnerabilities
• Internet growth accelerating demand
• Many security professionals retiring in the next 5-10 years
• Increase in security & privacy regulations and legislation
5. Why it's a hot field
• Increasing regulatory compliance
  • Requires organizations to adopt security standards and frameworks for a long-term approach to mitigating risk
• Evolving and emerging threats and attacks
  • Continual learning of new skills and techniques
• Accountability between information security professionals and management falls on several key executives to manage growing risk exposures
• Convergence of physical and information security

6. Information Security - Where the jobs are
• Jobs in information security, including architects, analysts and administrators, are among the IT opportunities offering the most employment security in the current economy
• Skills in highest demand:
  • Forensic Analysis
  • Incident Handling and Analysis
  • Security Architecture
  • Ethical Hacking
  • Network Security
  • Security Management
• Source: Foote Partners, LLC

7. The Future
• Given the continued trend toward connected businesses and pressure for faster decisions and response, I believe that information security will continue to be both a very exciting profession and one of growing importance.
• I believe information security professionals will need to grow both by being more connected to business and strategy and by being better able to evaluate and/or recommend technical tradeoffs.
Steve Lipner, CISSP, Microsoft - Senior Director of Security Engineering Strategy

8. Current State
• Financial services companies drive the market
  • Employ the most people
  • Pay the best salaries/compensation packages
• Information security not immune to layoffs
• Products and services firms suffer as well
  • Affected by budget cuts/economic climate
• Prevailing mindset of "just enough security" and "do more with less"
• Shortage of talent in technical specialties

9. Current State
• Security vendors are laying off people
• Services firms are laying off people
  • Seemingly at much lower numbers than the general IT sector
• As of October 2009, it seems we have bottomed out
• Many companies still completely clueless when it comes to information security
  • But that does create opportunities for security professionals
10. Do you have what it takes?
• Which interview do you listen to?
• Which is the better book?
• What magazine do you prefer?

11. Career Challenges
• Defining a career path and sticking to it
• Information security advances don't keep pace with computing advances
  • New technologies, new security issues
  • Technical skills quickly antiquated
• Finding an organization with the same commitment to information security as you have to your career
  • Often the job environment may not enable that
  • Budgets often smaller than necessary
• Finding a mentor

12. Career Challenges
• Information security is still a relatively young discipline
  • Many processes being developed now
• Not a keyword business
  • Can't search for jobs/employees on "information security"
  • Many nuances and skill sets (apps, O/S, networks, etc.) and people/organizational/business skills
• Understanding critical non-information-security skills
  • Communication
  • Budgets
  • People
  • Processes
  • Industry (pharmaceutical, financial, retail, etc.)

13. Career Planning is Essential
• Information security professionals are made, not born
• Your responsibility is to effectively manage your career
  • Employer won't necessarily do it
• Those who are passionate and motivated will succeed
• Continually assess your career to determine if the current path will get you to your long-term ambitions
14. Essential skills & requirements
• Common sense
  • Practical eye for what really works and what doesn't from a procedural and technical perspective
  • Informed decisions
• Salesmanship
  • Sell security to executives and employees
  • Focus on risk, not FUD
  • Sell security controls as a method of mitigating possible financial losses associated with security breaches or information loss
• Dealing with change
  • Continually learn new skills and techniques

15. Essential skills & requirements
• Long-term thinking
  • Supports short-term requirements
  • Focus on risk management, not putting out fires
• Communication skills
  • Written and spoken skills, up and down the business
  • Senior management and others often clueless
• Conflict resolution
  • Dealing with those who see information security as an impediment
  • Create mutually acceptable security control levels without hindering business activity
  • Politics and turf wars

16. Essential skills & requirements
• Strategic thinking
  • Understanding the big picture - how each functional branch contributes to the overall mission
  • Leverage one functional area to support the security controls of others
• Team player
  • Know what you know, and what you don't know
  • Leverage the expertise of others
• Trust
  • Information security is all about trust
  • Personal integrity/reputation fundamental to advancement
  • Community is small; work on keeping a good name

17. Essential skills & requirements
• See technology as a means, not an end
  • Know technology, laws, and legislation to write/enforce good policies
  • Make informed decisions on information security controls
• Thinking out of the box
  • Understanding vulnerabilities and weaknesses
  • Policy maker who develops strategies to mitigate risk
• Leadership skills
  • Take-charge attitude
  • Vision
  • Passion for security
18. Getting started - Newcomer
• Bachelor's/master's degree - logical starting point
  • College degree is the baseline for hiring
  • Lack of a degree may be an issue
• More colleges offering infosec majors
  • Number still small, not enough graduates
  • Online programs offered by Univ. of London, Royal Holloway - MSc in Information Security, and more
• Most relevant majors
  • Computer science
  • Engineering
  • Information security

19. Core Security Curriculum
• Programming principles
  • Secure programming techniques
  • Applied cryptography
• Networking/data communications
  • Network security principles
  • Security tools
• Systems analysis and design
  • Secure systems design
• Databases
  • Secure database structures
  • Security tools for data management
• Operating systems
  • Secure configuration

20. Experienced IT Professionals
• Have IT experience? Choose an information security path based on your career goals
• Strategic/management
  • Consider ISC2 CISSP or ISACA CISM certifications
• Tactical/hands-on
  • Consider the ISC2 Systems Security Certified Practitioner (SSCP) certification
  • For those working toward or already holding Senior Network Security Engineer, Senior Security Systems Analyst or Senior Security Administrator roles
  • First step on the information security career path

21. Certifications
• Choose one or two from: CISSP, SSCP, CISM, PCI QSA, CISA, Security+, SANS GIAC, Cisco, Microsoft, RSA, Check Point, TICSA/TICSE, CEH, CCO, SCNA, GCWN, CWSP, BS7799 Lead Auditor, SCNP, CISFI, HISP, CGEIT
• At least one, especially CISSP, is a definite must
  • Certifications used as a baseline by employers and clients
• Certification is not a true indication of an information security expert
  • Hands-on, practical, real-world information security experience is ultimately best for your career
22. CISSP Certification
• Gold standard in security certification
• Offers a career differentiator, with enhanced credibility and marketability, hopefully leading to better salary, benefits, etc.
• Confirms commitment to the security profession
• Required by many prospective employers
• Accredited under ISO/IEC 17024
  • Global benchmark for the certification of personnel, ensuring knowledge and technical competency in different professions

23. Security Boot Camps
• Can't hurt
  • Any investment in your career is a good one
• Expensive
• Often cram too much into 1-2 weeks
  • Little recall 1 month later

24. Where are you today?
• Tier 1: Security newbie
  • Little relevant experience
• Tier 2: Moderate security professional
  • Professional with relevant knowledge and experience
• Tier 3: Experienced security professional
  • Security manager
  • Security architect
  • Technical specialist

25. Security newbie
• Spend the first few years mastering fundamentals
• Get involved in as many systems, apps, platforms, languages, etc. as you can
• Key technologies and areas for relevant security experience:
  • Compliance/regulatory/risk management
  • Encryption
  • Firewalls
  • Policy
  • IDS/IPS
  • Programming and scripting

26. Moderate Experience
• Beginnings of security leadership
• Focus on becoming:
  • Security architect
  • Security group leader
  • CISO
27. Career Paths
• Product and technology implementation
  • Implement/integrate new security products and technologies into the current infrastructure
  • Requires solid network foundation/integration skills plus an understanding of how security mechanisms work together to provide the required protection level
• Consulting
  • Help various clients with security and privacy requirements
  • Requires knowledge of vulnerability/penetration testing, current security technologies, O/S security and best practices

28. Career Paths
• Forensics
  • Investigate computer crimes and collect evidence to be used in court
  • Requires knowledge of intrusion operations/detection, hacker methodologies and techniques, a deep understanding of various O/S, use of different forensics tools and software packages, and local and international laws
• Security officer
  • Day-to-day oversight of regulations, policies and standards

29. Career Paths
• Auditor
  • Reviews systems for security problems and vulnerabilities
  • Requires understanding of the methods to be implemented for compliance with standards, laws and regulations, and how to test for these methods
• Ethical hacking
  • Help the organization take preemptive measures against malicious attacks by attacking the system itself
  • Broad/deep knowledge of O/S, hacking tools/techniques, C++, XML and Perl programming, SDLC in a large enterprise, and more

30. Career Paths
• Secure software design/code review
  • Implement/review security functionality in apps
  • Requires programming skills and an understanding of how different programming methods introduce various vulnerabilities
• Vendor - pre/post sales engineering
  • Present technical and business solutions to customers and partners with widely varying levels of technical understanding
  • Requires in-depth knowledge of how the product works and how to implement it in different environments

31. Career Paths
• Security awareness and training

32. Security jobs hot list
• CISSP certified
• CISM or CISA certified
• PCI DSS consultants
• Good security sales & pre/post technical sales people
• Penetration tester
• Forensics specialist
Source: Geoff Harris, ISSA-UK President, Director - Alderbridge
33. SANS Career Path
1. Information Security Crime Investigator/Forensics Expert
2. System, Network, and/or Web Penetration Tester
3. Forensic Analyst
4. Incident Responder
5. Security Architect
6. Malware Analyst
7. Network Security Engineer
8. Security Analyst
9. Computer Crime Investigator
10. CISO/ISO or Director of Security
11. Application Penetration Tester
12. Security Operations Center Analyst
13. Prosecutor Specializing in Information Security Crime
14. Technical Director and Deputy CISO
15. Intrusion Analyst
16. Vulnerability Researcher/Exploit Developer
17. Security Auditor
18. Security-savvy Software Developer
19. Security Maven in an Application Developer Organization
20. Disaster Recovery/Business Continuity Analyst/Manager

34. SANS Career Roadmap

35. Kushner's Questions
1. What are my long- and short-term plans?
2. What are my strengths and weaknesses?
3. What skills do I need to develop?
4. Have I acquired a new skill during the past year?
5. What are my most significant career accomplishments, and will I soon achieve another one?
6. Have I been promoted over the past three years?
7. What investments have I made in my own career?
8. Am I being impatient?
• Lee Kushner, founder and CEO, LJ Kushner and Associates - Information Security Recruitment Firm

36. The Experts Speak
• Insights from the pros
• And a contrarian view
37. Ron Baklarz
• Ensure you are well grounded in understanding technology, as you absolutely need to have credibility and trust with technical staffs.
• At some point you'll have to make a choice between technical and management paths.
  • If you choose a management path, understand that it may be a sacrifice, as it's difficult to let go of the day-to-day, hands-on satisfaction from working directly with technology.
• Know your personal goals and career aspirations. Good technologists do not necessarily make good managers and leaders.
• Be cautious in situations where someone gets promoted and you move into their old position and you also report to them.
  • What can sometimes happen is that your boss will not relinquish their hold and influence over the old (your new) position. You will be in "lame duck" status, as people will go to your boss rather than you while you are trying to get up to speed.
• Understand that the security field requires continuous learning, and you should take the approach that you are a student learning every day.
• Ensure that you continue your personal development, pursuing the premium certifications such as those from ISC2, ISACA, Microsoft and Cisco.

38. Matt Curtin - Interhack Corporation
• This is work: train yourself to be methodical, to plan the work, and to work the plan. Aimlessly frobbing stuff or just poking around isn't going to result in something that people are willing to pay for.
• It is a profession: there are standards of ethics, behavior, presentation, baseline knowledge, etc., that need to be met. Being great at one bit, especially one technical bit, isn't a recipe for success unless standards are kept in the other areas.
• Study science: sorting out noise from signal is something that science does. There are lots of threats out there, but if you focus exclusively on that, you sound like a government spook no one believes.
  • You have to understand impact and likelihood—and no one is buying the hand-waving "ooh, more risk, or less risk" argument anymore. Quantitative analysis and skillful presentation of quantitative data are a must for anyone who is going to get beyond the entry level.
• Be not only willing, but desirous, of spending a lifetime learning. Only the naturally curious, with curiosity channeled through an analytical thought process, are going to be able to take it in the long run.
• Develop people skills, not just the entry level for any profession type, but really work at being the sort of person that people will rightly trust. Honesty, integrity, openness, and that entire sort of thing.

39. Assaf Litai, VP - Strategic Accounts - Websense
• The affinity of information security to IT is growing ever thinner, while the propensity to compliance, e-discovery and data management grows ever stronger.
• Security is becoming a business concern.
• The ability to think business, and to write and present high-level concepts coherently and succinctly, becomes ever more important.
40. Char Sample, Scientist - BBN Technologies
• Learn as much as you can about the area in which you want to focus. You will understand flaws, fixes and impacts.
• Learn generalist skills. Provides background and discipline which will serve you well.
• Question everything. The best security experts know not only how something works, but can determine how things can go wrong. Provides a unique ability to not only find a problem but to also be able to fix the problem.
• Don't become overly focused on security as the ultimate solution. Good security solutions support a business, acting to ensure that business objectives are met without any problems.
• Don't attempt to learn security through hacking. The end result can be quite myopic. Hacking rarely provides context for events. The worst-case scenarios result in experts warning of problems that customers may never face. This of course causes irreparable harm to your reputation.

41. Jennifer Bayuk, Former CISO - Bear Stearns
• Protecting your information security career requires a much deeper understanding of the information security function itself and how it is evolving.
• Be prepared for the future, which means investing time and effort in understanding data handling and classification from a business perspective and focusing on the business need for securing data.
• A business understanding of security is crucial in today's marketplace and goes a long way in making individuals valuable to their organizations.

42. Arthur Lessard, Chief of Information Security - Mattel, Inc.
• Security is a big topic, encompassing diverse areas such as architecture, compliance, operations, governance and more.
• Decide what you want to be as a security professional.
  • Recognize that a job in governance will not be a technical gig, and may be a big transition for the technically oriented.
  • CSO/CISO - not necessarily a natural infosec progression path. CSO is more about leadership and management than technical security.
• Certifications such as CISSP are almost a must these days, but certainly not a guarantee of a job, given competitive market conditions.
• Don't underestimate the value of publicizing yourself.
  • Speaking gigs, blogs, white papers, articles, etc., give you a creative opportunity for garnering recognition and providing thought leadership.

43. Jim Routh
• Conventional risk management philosophies/methodologies often include the concept of risk transfer and risk acceptance.
  • More recent innovation in risk management practice evolution discards these concepts for the principle of managed risk.
  • Those new to the industry have an opportunity to learn more innovative techniques and practices to manage risk vs. adopting risk acceptance and/or transfer.
• Another recent phenomenon is the changing threat landscape based on threat trend data. Therefore, those new to the information security field should consider investing in understanding current threat trends and the evolution of controls to mitigate these threats.
• Another area of interest to those new to the industry, for technically oriented professionals, is the evolving role of rule-based technologies (SIEM, DLP, Network Behavioral Analytic tools) applied to a large volume of data. Those professionals with an understanding of how to apply these types of tools will continue to be in high demand.

44. David Mortman, CSO-in-Residence - Echelon One
• Technologies change fast, processes change faster.
• Learn about the latter if you want to keep up.
45. Geoff Harris - Director - Alderbridge, UK
• Planning and developing your information security career
  • Identify where you want to be in 5 years
  • Target your next step in line with your goal and write your CV with that focus
  • Home study projects, write/present papers, research/student projects
  • Seek mentoring programs
• Demonstrate your passion
  • Be proactive
  • Join industry associations to network with your peers
  • Raise your profile - speaking, volunteering
  • Don't just focus on your day-to-day agenda within a job - look at the bigger picture
• Don't be afraid to move on after 2-3 years
• Work towards additional qualifications and certifications

46. Joe Bernik - former CISO of LaSalle Bank
• Expose yourself to a broad range of technologies. A good infosec pro should have an understanding of all aspects of computing.
• Seek work with a government agency or not-for-profit.
  • These jobs often don't pay as much as the private sector, but the barriers to entry are not as high and the experience they provide can be extremely valuable.
• Keep your skills sharp by maintaining a home lab. Nothing beats hands-on experience, and as you work your way up it's always good to have that experience.
• Stay involved in the infosec community. It's full of bright and motivated individuals.
• Remember that nothing is ever as easy as it seems and that the same problems tend to resurface over and over again.
• Learn to translate technology risk to business risk. The business representatives may not share your zeal for pure security.
• Form a network of colleagues and friends that share your interests.
• Keep a couple of case studies or war stories fresh in your mind. People need to hear tangible examples of what can go wrong.
• Stay on the right side of the law and don't fraternize with those who do not.
• Don't be too critical of others; remember it is much easier to find a problem than to fix it.

47. Joe Krull - Senior Manager - Accenture
• Looking to enter the security field? Do your homework to see what's involved. The amount of knowledge required to be successful is daunting, and as security is ever-changing, the need to stay current is not for the lazy. Once you make the commitment to a security career, you'll need to devote a lot of effort to reading and collaborating with your security peers.
• If you're still in school (or thinking about going back), look for curricula that introduce security concepts.
• Don't specialize too heavily in one area of security. Security generalists are always in great demand and are much more flexible to fill open roles.
  • It's great to be an expert in a demand area such as biometrics or wireless security, but not at the expense of knowing how all of the key pieces of security fit together.
• Get certified ASAP. Certifications are the basic ticket to entry for security and underscore that you are serious about this complex career track.
  • Focus on widely recognized certifications such as CISSP/CISA/CISM and ignore some of the certifications that have not reached critical mass. Vendor certifications are good, but do not replace the need for industry certifications.
• Develop people and communications skills. Even the smartest security technologists are overlooked when they can't explain their work in simple terms or struggle to collaborate with non-technical people.
• Learn the business you are working in, as you'll need to contribute to the success of your organization and your understanding of things like shareholder value, profit margins, supplier diversity and cash flow.

48. Jim Huddleston, Director - Global Information Security - major advertising company
• General progression in the industry in the past has been through the technical ranks to gain base experience in security technologies and implementation.
• Along the way, earn certifications and understand where you want to go in the industry (technical or management).
• Many companies state that they are looking for security management which is no more than glorified technical staff, unfortunately. They are looking for cheaper technical labor in the mask of looking for security management.
• Understand your industry; you can specialize, and in some cases some industries specifically require experience in their areas before you can get a job there, especially in management.
• Join industry associations to improve your skill set and network. Understand where industry skill needs are: forensics, vulnerability management, IAM, etc.
• Be prepared to work long hours and many hours.

49. Mitch Zahler, SVP - Information Security and Risk - HSBC
• It's not a job – it's an adventure
• You need to have drive and you must have a passion for this.
• While certification is great, more important than CISSP is learning the technical skills and getting real experience.
• Always be open to always learning new things.
• Think outside the box, because that is how hackers think.
• Get a mentor.
• Read a lot, from different angles. Don't rely on just one viewpoint.
• Anyone who has knee-jerk reactions will not be an effective security professional – be quick, but methodical.
• Security is not an easy field to enter. Be persistent and creative. Differentiate yourself.
50. Danny Harris
• Read voraciously. Stay on top of what's happening in the security world.
• Take advantage of all of the information freely available on the net.
• Understand TCP/IP - ports, protocols, how things work.
• Try to understand business. Learn to speak the language of the business people you interface with. They understand business-speak, not techno-security-speak.
• Learn to communicate effectively, both in writing and speaking. If you can communicate effectively, you can do almost anything.
• Be passionate about what you do. If you are passionate about security, others will sense that passion and become energized about it.

51. Chris Ekonomidis
• Learn as much as possible while building a knowledge resource network (people, sites, books, etc.) that you can leverage throughout your career.
• Manage the efforts used to secure assets and understand the implications of a security lapse.
• Become an expert on where you want your career to go.
  • If becoming a CISO, broad is better than deep.
  • If starting a pen testing business, focus on technology and app security. Windows vs. Linux/Unix vs. mainframe.
• Don't be afraid to ask for help.
  • Many people have been in the same position and are more than willing to point you in the right direction (resources, industry meetings, etc.).

52. Steve Orrin, Director of Security Solutions - Intel Corp.
• Diversify - don't get pigeonholed into one area. Get training on various areas of security and on multiple threat vectors. This will help you to respond to new threats, maintain your value to the organization as priorities change, and evolve as the technologies and architecture change.
• Attend conferences – RSA, BlackHat/Defcon, CSI, etc. – and attend the sessions and networking events. A lot of what security professionals do is bounce ideas and concepts off each other, compare best practices, and overall keep fresh on what is happening in security.
• Learn business speak – be able to translate security concepts and objectives into language that can be digested by the folks that hold the funding and resources, business people.
• Learn developer speak – be able to translate security concepts and threats into language that developers and development managers can understand and incorporate into their development process.
• Think outside the box and have an open mind – be open to new ideas and concepts and don't accept the status quo or current solutions you are fed as the only answers to the security challenge you are facing. That's how you move from tactical to strategic roles.

53. Mark Lobel, Principal - Advisory Services - PricewaterhouseCoopers
• Know the company and understand its business model
  • So you can talk about how security supports the business objectives
• Communicate what value you bring and how you can add value from your experience into the new role
  • Make sure you identify and communicate that value
  • I know firewalls, so I can understand the impact, helping the company define and implement third-party connections.
• Think about whether you can fit in the company
  • Be honest with yourself to know your strengths, weaknesses and working style.
  • Process consulting / business requirements gathering - need good communication skills and the ability to collaborate.
  • Application security testing / security coding and development - strong tech skills, but like to work alone for periods of time.

54. Marcus Ranum
• It's a great career if you enjoy being constantly defeated.
• When I got into information security, there were still a lot of undefined areas in the field.
  • So I found I could be valuable by learning/thinking/defining an area and then teaching people.
• In general, if you want to show how useful you can be, in any area of life, that's a good strategy: find an interesting problem, solve it, and explain your solution to others.
  • That's the right way to learn, establish credibility, and move your field forward.
• Right now, information security is about to become dominated by lawyers, standards weenies, and auditors.
• It is much easier and cheaper to not do something stupid than it is to do it safely.
55. Recently laid off
Quotes from security professionals recently laid off and looking for work:
• All I can say right now is that staying hands-on is pretty good, but there is a career ceiling there, and going beyond that makes getting a job a bit more difficult.
• There are jobs, but I don't want to have to relocate.
• It seems that the jobs are going to cheap H1B applicants.
• Where are these so-called CISO jobs?
See also: CSO Undercover: A Painful Lack of Security Jobs

56. For More Information
• Decoding the Information Security Profession
• Information Security Hiring Resource Center
• Hiring Guide to the Information Security Profession
• 2008 Global Information Security Workforce Study
• 20 Coolest Jobs in Information Security
• Foote Partners Q3 IT Skills & Certifications Pay Index

57. For More Information
• Women and Cyber Security: Gendered Tasks and (In)equitable Outcomes
• Deciphering Information Security Job Titles, Roles and Responsibilities
  • While dated (report is from 2003), still good information
• Careers in Information Security: Letter to a Student
• Information Security Leaders

58. Conclusions
• Thousands of corporate networks and tens of billions of lines of code are waiting to be secured, and organizations are struggling to find security professionals to help them cope.
• Your ability to succeed in information security will be determined by your raw talent, combined with your ability to define a career path and stick to it.
• Once the recession is over, there will be more than enough work out there for all of us.

59. Contact info / Q&A
Ben Rothke, CISSP, PCI QSA
Senior Security Consultant, BT Professional Services