Working in InfoSec
The realm of Information Security, or InfoSec as it is more commonly known, holds an array of possibilities for those wishing to work within its domain. Rooted in a desire to understand how things work, as well as the necessary industry standards and the field itself, InfoSec requires candidates who can demonstrate their commitment through self-sought practical experience on non-work projects and through continued education, whether in pursuit of certification or not.
Knowing the right people is a helpful advantage for those wanting to get a job in Information Security: not only mentors but also your senior colleagues in IT. Don’t be afraid to wear your career expectations on your sleeve, as the more people who are aware of your interest in working in InfoSec, the more opportunities they may open up. Turning from who to what: certifications are certainly useful, particularly for InfoSec jobs based in government agencies and large corporations that value degrees. Within these organisations, a degree could mean the difference between getting a promotion and salary increase or not, compared with a candidate coming in without one. The lesson here is to research the requirements at the place where you’re looking to become employed.
Practical experience, however, is generally more valuable to employers than academic prowess. Simply put, an employer wants to see your passion and dedication to the field through the personal projects you’ve undertaken in your own time. Those projects build your understanding of operating system architecture, hard drive construction and programming fundamentals, the knowledge that would lead you to identify a malware attack. Having some practical experience, ideally spanning over two years, makes you a more financially feasible option in a pile of job applications.
IT programs such as Computer Science, Computer Engineering and Network Engineering are good routes in for entry-level candidates. Bear in mind that employers are also looking for individuals from degree courses that furnish them with general business skills such as presenting and report writing. Non-technical skills are just as important to a security career.
Undoubtedly, though, certifications such as GREM, CREST CMRE, CISSP and GPEN are all valuable assets to tout on your resume, depending on which area of InfoSec piques your interest. InfoSec is made up of many disparate fields, so being able to home in on the area you’d like to specialise in, as the best fit for your skillset, is an important step towards working in InfoSec. To simplify, there are two options available for a career in InfoSec: the first, typically ascribed to penetration testers and the like, is the offensive team, while security analysts, forensic analysts, auditors and those with governance and compliance experience, security engineers and incident responders are classified as the defensive team.
Skills expected of those opting for offense come down to a solid and extensive knowledge of multiple operating systems, networking systems and social engineering tactics. Someone coming from a foundation in psychology, for example, would bring a strong understanding of people and the way they work, which is crucial to the role of a pen tester, whether physical or traditional. Computer science and electronic engineering skills, reverse engineering skills and a passion for researching and understanding how things work are also key for someone testing systems for vulnerabilities.
Security or SOC Analyst positions are a common route in for those wanting to bolster the security lines of defence. A good analyst role offers training on the job and opportunities for continued learning and cross-training across multiple roles. Understanding operating systems, hard drives and memory function, being analytically minded, and being able to communicate effectively and work well under intense stress and pressure at all hours of the day and night are just some of the skills needed to work on the defensive line within InfoSec. Knowledge of Windows, CentOS and Linux is expected for security engineering roles, as is scripting expertise, while knowledge of industry standards and report-writing skills are required for roles in IT Audit.