Stimulating Your Career as an
Information Security Professional
Ben Rothke CISSP, PCI QSA
Senior Security Consultant
BT Global Services
October 28, 2009
• Ben Rothke, CISSP CISM PCI QSA
• Security Consultant – BT Global Services
• In IT sector since 1988 and information security since 1994
• Frequent writer and speaker
• Author of Computer Security: 20 Things Every Employee
Should Know (McGraw-Hill)
This session is:
• How you can start/further your career in information
• What it takes to be a successful information security
This session is not:
• Comprehensive overview of the information security
• Feel free at any point to make a comment or ask a question.
• This is an interactive session.
• Information security is among strongest fields in IT sector
for growth and opportunity
• Significant opportunities in both government and private
• Excellent long-term career prospects
• Increasing cybersecurity vulnerabilities
• Internet growth accelerating demand
• Many security professionals retiring next 5-10 years
• Increase in security & privacy regulations and legislation
Why it’s a hot field
• Increasing regulatory compliance
• Requires organizations to adopt security standards and
frameworks for long-term approach to mitigating risk
• Evolving and emerging threats and attacks
• Continual learning of new skills and techniques
• Accountability for managing growing risk exposures falls on several key
executives as well as on information security professionals
• Convergence of physical and information security
Information Security - Where the jobs are
• Jobs in information security
• including architects, analysts and administrators
• among the IT opportunities offering the most
employment security in the current economy.
• Skills in highest demand
• Forensic Analysis
• Incident Handling and Analysis
• Security Architecture
• Ethical Hacking
• Network Security
• Security Management
• Source: Foote Partners, LLC - www.footepartners.com
• Given the continued trend toward connected businesses
and pressure for faster decisions and response, I believe
that information security will continue to be both a very
exciting profession and one of growing importance.
• I believe information security professionals will need to
grow both by being more connected to business and
strategy and by being better able to evaluate and/or
recommend technical tradeoffs.
Steve Lipner, CISSP
Microsoft - Senior Director of Security Engineering Strategy
• Financial services companies drive the market
• employ the most people
• pay the best salaries/compensation packages
• Information security not immune to layoffs
• Products and services firms suffer as well
• Affected by budget cuts/economic climate
• Prevailing mindset of just enough security and do more
• Short talent in technical specialties
• Security vendors are laying-off people
• Services firms are laying-off people
• Seemingly at much lower numbers than the general IT
• As of October 2009, seems like we have bottomed-out
• Many companies still completely clueless when it comes to
• But that does create opportunities for security
Do you have what it takes?
• Which interview do you listen to?
• Which is the better book?
• What magazine do you prefer?
• Defining a career path and sticking to it
• Information security advances don’t keep pace with
• New technologies, new security issues
• Technical skills quickly antiquated
• Finding organization with same commitment to information
security as you have to your career
• Often the job environment may not enable that
• Budgets often smaller than necessary
• Finding a mentor
• Information security still relatively young discipline
• Many processes being developed now
• Not a keyword business
• Can’t find jobs/employees by searching on “information security” alone
• Many nuances and skill sets (apps, O/S, networks, etc.)
and people/organizational/business skills
• Understanding critical non-information security skills
• Industry (pharmaceutical, financial, retail, etc.)
Career Planning is Essential
• Information security professionals made, not born
• Your responsibility is to effectively manage your career
• Employer won’t necessarily do it
• Those who are passionate and motivated will succeed
• Continually assess career to determine if current path will
get you to long-term ambitions
Essential skills & requirements
• Common sense
• Practical eye for what really works and what doesn’t
from a procedural and technical perspective
• Informed decisions
• Sell security to executives and employees
• Focus on risk, not FUD
• Sell security controls as method of mitigating possible
financial losses associated with security breaches or
• Dealing with change
• Continually learn new skills and techniques
• Long-term thinking
• Supports short-term requirements
• Focus on risk management, not putting out fires
• Communication skills
• Written and spoken skills, up and down the business
• Senior management and others often clueless
• Conflict resolution
• Dealing with those who see information security as
• Create mutually acceptable security control levels,
without hindering business activity
• Politics and turf wars
• Strategic thinking
• Understanding big picture - how each functional branch
contributes to overall mission
• Leverage one functional area to support security
controls of others
• Team player
• Know what you know, and what you don’t know
• Leverage expertise of others
• Information security all about trust
• Personal integrity/reputation fundamental to
• Community is small; work on keeping good name
• See technology as a means, not end
• Know technology, laws, and legislation to write/enforce
• Make informed decisions on info security controls
• Thinking out of the box
• Understanding vulnerabilities and weaknesses
• Policy maker who develops strategies to mitigate risk
• Leadership skills
• Take-charge attitude
• Passion for security
Getting started - Newcomer
• Bachelor’s/master’s - logical starting point
• College degree baseline for hiring
• Lack of degree may be issue
• More colleges offering infosec majors
• Number still small, not enough graduates
• Online programs offered by Univ. of London, Royal
Holloway - MSc in Information Security, and more
• Most relevant majors
• Computer science
• Information security
Core Security Curriculum
• Programming principles
• Secure programming techniques
• Applied cryptography
• Networking/data communications
• Network security principles
• Security tools
• Systems analysis and design
• Secure systems design
• Secure database structures
• Security tools for data management
• Operating systems
• Secure configuration
Experienced IT Professionals
• Have IT experience?
• Choose information security path based on career goals
• Consider ISC2 CISSP or ISACA CISM certifications
• Consider ISC2 Systems Security Certified Practitioner (SSCP)
• For those working toward, or who have already attained, Senior Network
Security Engineer, Senior Security Systems Analyst or
Senior Security Administrator roles
• First step on the information security career path
• Choose one or two from:
• CISSP, SSCP, CISM, PCI QSA, CISA, Security+, SANS GIAC,
Cisco, Microsoft, RSA, Check Point, TICSA/TICSE, CEH,
CCO, SCNA, GCWN, CWSP, BS7799 Lead Auditor, SCNP,
CISFI, HISP, CGEIT.
• At least one - especially CISSP - is a definite must
• Certifications used as baseline by employers and clients
• Certification not true indication of an information security
Hands-on, practical, real-world information security
experience ultimately best for career
• Gold standard in security certification
• Offers a career differentiator, with enhanced credibility
and marketability, hopefully leading to better salary,
• Confirms commitment to the security profession
• Required by many prospective employers
• Accredited under ISO/IEC 17024
• Global benchmark for the certification of personnel,
ensuring knowledge and technical competency in
Security Boot Camps
• Can’t hurt
• Any investment in career is good one
• Often crams too much into 1-2 weeks
• Little recall 1 month later
Where are you today?
• Tier 1: Security newbie
• Little relevant experience
• Tier 2: Moderate security professional
• Professional with relevant knowledge and experience
• Tier 3: Experienced security professional
• Security manager
• Security architect
• Technical specialist
• Spend first few years mastering fundamentals
• Get involved in as many systems, apps, platforms,
languages, etc. as you can
• Key technologies and areas
• Relevant security experience
• Compliance/regulatory/risk management
• Programming and scripting
• Beginnings of security leadership
• Focus on becoming:
• Security architect
• Security group leader
• Product and technology implementation
• Implement/integrate new security products and
technologies into current infrastructure
• Requires solid network foundation/integration skills
plus an understanding of how security mechanisms work
together to provide the required protection level
• Help various clients with security and privacy
• Requires knowledge of vulnerability/penetration
testing, current security technologies, O/S security, best
• Investigate computer crimes, collect evidence to be
used in court
• Requires knowledge of:
• Intrusion operations/detection, hacker
methodologies and techniques, deep
understanding of various O/S, use of different
forensics tools and software packages
• Local and international laws
• Security officer
• Day-to-day oversight of regulations, policies and
• Reviews systems for security problems and
• Requires understanding of the methods to be implemented
for compliance with standards, laws and regulations, and
how to test for these methods.
• Ethical hacking
• Help organization take preemptive measures against
malicious attacks by attacking the system itself
• Broad/deep knowledge of O/S, hacking
tools/techniques, C++, XML and Perl programming,
SDLC in large enterprises, more
• Secure software design/code review
• Implement/review security functionality into apps
• Requires programming skills and an understanding of how different
programming methods introduce various vulnerabilities
• Vendor – pre/post sales engineering
• Present technical and business solutions to customers
and partners with widely varying levels of technical
• Requires in-depth knowledge of how product works and
how to implement it in different environments
• Security awareness and training
Security jobs hot list
• CISSP Certified
• CISM or CISA Certified
• PCI DSS Consultants
• Good security sales & pre/post technical sales people
• Penetration tester
• Forensics specialist
Source: Geoff Harris, ISSA-UK President; Director, Alderbridge
SANS Career Path
1. Information Security Crime Investigator/Forensics Expert
2. System, Network, and/or Web Penetration Tester
3. Forensic Analyst
4. Incident Responder
5. Security Architect
6. Malware Analyst
7. Network Security Engineer
8. Security Analyst
9. Computer Crime Investigator
10. CISO/ISO or Director of Security
11. Application Penetration Tester
12. Security Operations Center Analyst
13. Prosecutor Specializing in Information Security Crime
14. Technical Director and Deputy CISO
15. Intrusion Analyst
16. Vulnerability Researcher/Exploit Developer
17. Security Auditor
18. Security-savvy Software Developer
19. Security Maven in an Application Developer
20. Disaster Recovery/Business Continuity Analyst/Manager
1. What are my long and short term plans?
2. What are my strengths and weaknesses?
3. What skills do I need to develop?
4. Have I acquired a new skill during the past year?
5. What are my most significant career accomplishments and
will I soon achieve another one?
6. Have I been promoted over the past three years?
7. What investments have I made in my own career?
8. Am I being impatient?
• Lee Kushner, founder and CEO, LJ Kushner and Associates-
Information Security Recruitment Firm www.ljkushner.com
The Experts Speak
• Insights from the pros
• And a contrarian view
• Ensure you are well grounded in understanding technology as you absolutely
need to have credibility and trust with technical staffs.
• At some point you’ll have to make a choice between technical and
• If you choose a management path, understand that it may be a sacrifice as it’s difficult
to let go of the day-to-day, hands-on satisfaction from working directly with technology.
• Know your personal goals and career aspirations. Good technologists do not
necessarily make good managers and leaders.
• Be cautious in situations where someone gets promoted and you move into
their old position and you also report to them.
• What can sometimes happen is that your boss will not relinquish their hold and
influence over the old (your new) position. You will be in “lame duck” status as people
will go to your boss rather than you while you are trying to get up-to-speed.
• Understand that the security field requires continuous learning and you
should take the approach that you are a student learning every day.
• Ensure that you continue your personal development pursuing the premium
certifications such as from ISC2, ISACA, Microsoft and Cisco.
Matt Curtin - Interhack Corporation
• This is work: train yourself to be methodical, to plan the work, and to work the
plan. Aimlessly frobbing stuff or just poking around isn't going to result in
something that people are willing to pay for.
• It is a profession: there are standards of ethics, behavior, presentation, baseline
knowledge, etc., that need to be met. Being great at one bit, especially one
technical bit, isn't a recipe for success unless standards are kept in the other areas.
• Study science: sorting out noise from signal is something that science does. There
are lots of threats out there, but if you focus exclusively on that, you sound like a
government spook no one believes.
• You have to understand impact and likelihood—and no one is buying the hand-
waving "ooh, more risk, or less risk" argument anymore. Quantitative analysis and
skillful presentation of quantitative data are a must for anyone who is going to get
beyond the entry level.
• Be not only willing, but desirous, of spending a lifetime learning. Only the naturally
curious, with curiosity channeled through an analytical thought process, are going
to be able to take it in the long run.
• Develop people skills, not just the entry-level for any profession type, but really
work at being the sort of person that people will rightly trust. Honesty, integrity,
openness, and that entire sort of thing.
VP - Strategic Accounts – Websense
• The affinity of information security to IT is growing ever
thinner, while the propensity to compliance, ediscovery
and data management grows ever stronger.
• Security is becoming a business concern.
• The ability to think business, write and present high level
concepts coherently and succinctly becomes ever more
Scientist - BBN Technologies
• Learn as much as you can about the area in which you want to focus. You will
understand flaws, fixes and impacts.
• Learn generalist skills. Provides background and discipline which will serve you
• Question everything. The best security experts know not only how something
works, but can determine how things can go wrong. Provides a unique ability to
not only find a problem but to also be able to fix the problem.
• Don’t become overly focused on security as the ultimate solution. Good security
solutions support a business, acting to ensure that business objectives are met
without any problems.
• Don’t attempt to learn security through hacking. The end result can be quite
myopic. Hacking rarely provides context for events. The worst case scenarios
result in experts warning of problems that customers may never face. This of
course causes irreparable harm to your reputation.
Former CISO - Bear Stearns
• Protecting your information security career requires a
much deeper understanding of the information security
function itself and how it is evolving.
• Being prepared for the future, which means investing time
and effort in understanding data handling and classification
from a business perspective and focusing on the business
need for securing data.
• A business understanding of security is crucial in today's
marketplace and goes a long way in making individuals
valuable to their organizations.
Chief of Information Security - Mattel, Inc.
• Security is a big topic, encompassing diverse areas such as
architecture, compliance, operations, governance and more.
• Decide what you want to be as a security professional
• Recognize that a job in governance will not be a technical gig, and may be
a big transition for the technically oriented.
• CSO/CISO - Not necessarily a natural infosec progression path. CSO is
more about leadership and management than technical security.
• Certifications such as CISSP are almost a must these days; but certainly
not a guarantee of a job; given competitive market conditions.
• Don’t underestimate the value of publicizing yourself
• Speaking gigs, blogs, white papers, articles, etc., give you a creative
opportunity for garnering recognition and providing thought leadership.
• Conventional risk management philosophies/methodologies often include the
concept of risk transfer and risk acceptance.
• More recent innovation in risk management practice evolution discards
these concepts for the principle of managed risk.
• Those new to the industry have an opportunity to learn more innovative
techniques and practices to manage risk vs. adopting risk acceptance and/or
• Another recent phenomenon is the changing threat landscape based on threat
trend data. Therefore, those new to the information security field should
consider investing in understanding current threat trends and the evolution of
controls to mitigate these threats.
• Another area of interest to those new to the industry for technically oriented
professionals is the evolving role of rule based technologies (SIEM, DLP,
Network Behavioral Analytic tools) applied to a large volume of data. Those
professionals with understanding of how to apply these types of tools will
continue to be in high demand.
CSO-in-Residence, Echelon One
• Technologies change fast, processes change faster.
• Learn about the latter if you want to keep up.
Geoff Harris - Director – Alderbridge, UK
• Planning and developing your information security career
• Identify where you want to be in 5 years
• Target your next step in line with your goal and write your CV with
• Home study projects, write/present papers, research/student projects
• Seek mentoring programs
• Demonstrate your passion
• Be proactive
• Join industry associations to network with your peers
• Raise your profile - speaking, volunteering
• Don’t just focus on your day to day agenda within a job - look at the
• Don’t be afraid to move on after 2-3 years
• Work towards additional qualifications and certifications
Joe Bernik - former CISO of LaSalle Bank
• Expose yourself to a broad range of technologies. A good Infosec pro should have an
understanding of all aspects of computing.
• Seek work with a government agency or not for profit.
• These jobs often don’t pay as much as the private sector but the barriers to entry are not as
high and the experience they provide can be extremely valuable.
• Keep your skills sharp by maintaining a home lab. Nothing beats hands on
experience and as you work your way up it’s always good to have that experience.
• Stay involved in the infosec community. It’s full of bright and motivated individuals.
• Remember that nothing is ever as easy as it seems and that the same problems tend
to resurface over and over again.
• Learn to translate technology risk to business risk. The business representatives may
not share your zeal for pure security.
• Form a network of colleagues and friends that share your interests
• Keep a couple of case studies or war stories fresh in your mind. People need to hear
tangible examples of what can go wrong.
• Stay on the right side of the law and don’t fraternize with those who do not
• Don’t be too critical of others; remember it is much easier to find a problem than to
Joe Krull - Senior Manager - Accenture
• Looking to enter the security field? Do your homework to see what’s involved. Amount of
knowledge required to be successful is daunting and as security is ever-changing, the need to
stay current is not for the lazy. Once you make the commitment to a security career, you’ll
need to devote a lot of effort to reading and collaborating with your security peers.
• If you’re still in school (or thinking about going back), look for curricula that introduce
• Don’t specialize too heavily in one area of security. Security generalists are always in great
demand and are much more flexible to fill open roles.
• It’s great to be an expert in a demand area such as biometrics or wireless security, but not at the expense
of knowing how all of the key pieces of security fit together.
• Get certified ASAP. Certifications are the basic ticket to entry for security and underscore
that you are serious about this complex career track.
• Focus on widely recognized certifications such as CISSP/CISA/CISM and ignore some of the certifications
that have not reached critical mass. Vendor certifications are good, but do not replace the need for
• Develop people and communications skills. Even the smartest security technologists are
overlooked when they can’t explain their work in simple terms or struggle to collaborate with
• Learn the business you are working in as you’ll need to contribute to the success of your
organization and your understanding of things like shareholder value, profit margins, supplier
diversity and cash flow.
Director - Global Information Security - major advertising company
• General progression in the industry in the past has been through the technical
ranks to gain base experience in security technologies and implementation.
• Along the way earn certifications and understand where you want to go in the
industry (Technical or Management).
• Many companies state that they are looking for security management which is no
more than glorified technical staff unfortunately. They are looking for cheaper
technical labor in the mask of looking for security management.
• Understand your industry, you can specialize and in some cases some industries
specifically require experience in their areas before you can get a job there.
Especially in management.
• Join industry associations to improve your skill set and network. Understand where
industry skill needs are, forensics, vulnerability management, IAM, etc.
• Be prepared to work long hours and many hours.
SVP - Information Security and Risk - HSBC
• It’s not a job – it’s an adventure
• You need to have drive and you must have a passion for this.
• While certification is great, more important than CISSP is learning
the technical skills and getting real experience.
• Always be open to learning new things.
• Think outside the box because that is how hackers think
• Get a mentor
• Read a lot, from different angles. Don’t rely on just one viewpoint.
• Anyone who has knee jerk reactions will not be an effective security
professional – be quick, but methodical.
• Security is not an easy field to enter. Be persistent and creative.
• Read voraciously. Stay on top of what's happening in the
• Take advantage of all of the information freely available on the
• Understand TCP/IP - ports, protocols, how things work.
• Try to understand business. Learn to speak the language of the
business people you interface with. They understand business-
speak not techno-security-speak.
• Learn to communicate effectively, both in writing and speaking.
If you can communicate effectively, you can do almost anything.
• Be passionate about what you do. If you are passionate about
security, others will sense that passion and become energized
• Learn as much as possible while building a knowledge resource
network (people, sites, books, etc.) that you can leverage
throughout your career.
• Manage the efforts used to secure assets and understand the
implications of a security lapse.
• Become an expert on where you want your career to go.
• If becoming a CISO, broad is better than deep.
• If starting a pen testing business, focus on technology and app
security. Windows vs. Linux/Unix vs. mainframe.
• Don't be afraid to ask for help.
• Many people have been in the same position and are more
than willing to point you in the right direction (resources,
industry meetings, etc.)
Director of Security Solutions - Intel Corp.
• Diversify - don’t get pigeonholed into one area. Get training on various areas of security
and on multiple threat vectors. This will help you to respond to new threats, maintain
your value to the organization as priorities change and evolve as the technologies and
• Attend conferences – RSA, BlackHat/Defcon, CSI, etc. and attend the sessions and
networking events. A lot of what security professionals do is bounce ideas and concepts
off each other, compare best practices, and overall keep fresh on what is happening in
• Learn business speak – Be able to translate security concepts and objectives into
language that can be digested by the folks that hold the funding and resources, business
• Learn developer speak - Be able to translate security concepts and threats into language
that developers and development managers can understand and incorporate into their
• Think outside the box and have an open mind – Be open to new ideas and concepts and
don’t accept the status quo or current solutions you are fed as the only answers to the
security challenge you are facing. That’s how you move from tactical to strategic roles.
Principal - Advisory Services – PricewaterhouseCoopers
• Know the company and understand its business model
• So you can talk about how security supports the business objectives
• Communicate what value you bring and how can you add value from
your experience into the new role
• Make sure you identify and communicate that value
• I know firewalls, so I can understand the impact, helping the company define
and implement third-party connections.
• Think about if you can fit in the company
• Be honest with yourself to know your strengths, weaknesses and working
• Process consulting / business requirements gathering - need good
communication skills and the ability to collaborate.
• Application security testing / security coding and development - strong tech
skills but like to work alone for periods of time.
• It’s a great career if you enjoy being constantly defeated.
• When I got into information security, there were still a lot of
undefined areas in the field.
• So I found I could be valuable by learning/thinking/defining an area
and then teaching people.
• In general, if you want to show how useful you can be, in any area
of life, that's a good strategy: find an interesting problem, solve it,
and explain your solution to others.
• That’s the right way to learn, establish credibility, and move your field
• Right now, information security is about to become dominated by
lawyers, standards weenies, and auditors.
• It is much easier and cheaper to not do something stupid than it is
to do it safely.
Quotes from security professionals recently laid off and looking for work
• All I can say right now is that staying hands-on is pretty good but
there is a career ceiling there, and going beyond that makes getting
a job a bit more difficult.
• There are jobs, but I don’t want to have to relocate.
• It seems that the jobs are going to cheap H1B applicants.
• Where are these so-called CISO jobs?
• CSO Undercover: A Painful Lack of Security Jobs
For More Information
Decoding the Information Security Profession
Information Security Hiring Resource Center
Hiring Guide to the Information Security Profession
2008 Global Information Security Workforce Study
20 Coolest Jobs in Information Security
Foote Partners Q3 IT Skills & Certifications Pay Index
• Women and Cyber Security: Gendered Tasks and
• Deciphering Information Security Job Titles, Roles and
• While dated (report is from 2003), still good information
• Careers in Information Security: Letter to a Student
• Information Security Leaders
• Thousands of corporate networks and tens of billions of
lines of code are waiting to be secured, and organizations are
struggling to find security professionals to help them cope.
• Your ability to succeed in information security will be
determined by your raw talent, combined with your ability
to define a career path and stick to it.
• Once recession is over, there will be more than enough
work out there for all of us.
Contact info / QA
Ben Rothke, CISSP PCI QSA
Senior Security Consultant
BT Professional Services