10 Tips For Breaking into the Infosec Field
August 1, 2016 | Certifications and Training
By Kevin Beaver, IANS Faculty
There’s a saying that “experience is something you don’t get until just after you need it," and I cannot imagine a field of work in which this applies more than information security. Hardly a day has passed in my 27 years working in the field where I have not learned something new.
I don’t envy newcomers to information security given how complex the field has become. There are technical elements of security that you have to learn about, but that’s the easy part – most of this can be learned in school or through self-study. Everything from computer and network architectures to the TCP/IP family of protocols to software development – each of these areas contributes, in some way, to the field of information security. I cannot imagine being where I am today without having known the fundamentals of all of these areas.
You have to be careful to look beyond the “bits and bytes.” What’s not taught in school, outside of basic security management best practices, are the things that matter most: people and processes. The following lessons are what I consider the top things not taught in school (whether in an information security specialty or another area of focus) and, therefore, need to be on the radar of anyone wishing to get started in, and ultimately succeed in, this field:
1. It’s not about IT
Every business exists for one reason and one reason only: to acquire and keep customers. It’s all about sales. IT and security certainly complement those functions and can create a competitive advantage, but the business does not revolve around them.
2. Security policies aren’t the be-all and end-all
You could spend years putting written policies in place that define how things are supposed to be done in the organization, yet, minute after minute and day after day, people continually violate those policies. They do this because their desire for gain is greater than the perceived risk of getting caught. Other common oversights include people not even being aware of the policies, or the lack of technical controls to actually enforce them. A strong security awareness program, backed by enforcement, is therefore critical.
3. Compliance drives everything
As much as some managers want to claim that they are spending money on security because it’s the right thing to do, the driving force behind security is compliance. In other words, businesses are doing it because they’re being forced to. It pays to understand the fundamentals and the politics associated with compliance regulations.
4. Business executives and lawyers may have already made up their minds about security
For the reasons mentioned previously, many business leaders already have their minds made up regarding security. In fact, you will often get pushback to the point where you’ll question why an information security function even exists within the organization. Oftentimes, policies effectively do not apply to this group either, whether by explicit mandate or because IT and security staff are afraid to enforce them. Learning to manage these relationships and communicate effectively with these individuals is a critical component of the information security profession.
5. It’s not about what you know
This is not unique to information security, but it’s often taken for granted. Much of information security is about who you know and who knows you. Politics know no boundaries, especially when it comes to spending money or implementing security controls that get in the way of doing business. Learn how to play the game.
6. Soft skills are where you should focus your efforts
Many people are so busy putting out fires and chasing down this or that technical rabbit hole that they often forget to focus on bettering themselves. Information security professionals who not only understand the underlying technical issues but can also communicate effectively to their peers and management are very hard to come by. Furthermore, these people really stand out in a positive way and tend to rise to the top.
7. Goal management and time management are critical
Time is the most precious asset for information security professionals, yet it’s often squandered by those who get caught in the weeds, majoring in minors. This is often brought about by a lack of vision/goals. In many cases, when goals are in place, they are not properly managed. You should document your goals, outline specific steps in order to achieve them and hold yourself accountable with specific deadlines.
8. Research studies and statistics say it all
We keep making the same mistakes and it all revolves around information security basics that continue to be ignored. The fundamental principles of information security have been around for decades. The book “Security, Accuracy, and Privacy in Computer Systems” by James Martin is a great example, as it covers most of the fundamentals that businesses struggle with today. It was written in 1973. The ongoing research uncovers the same core findings, such as weak passwords, gullible users and missing software patches year after year, yet many people keep hoping for something different. You cannot secure what you don’t acknowledge.
9. You can’t do it all by yourself
Along the lines of several items mentioned above, information security requires numerous people and roles to be involved to make it all work. From HR, to operations, to the helpdesk, to the Board of Directors, you absolutely have to team up with, lean on and learn from others in the organization who can help carry the information security torch and get things done.
10. Credibility is the cornerstone of your career
Information security is often viewed as that function of business that continually tells everyone “No, you can't do that.” Rather than being a dictator, though, you have to figure out how you can become a person of value to help your subordinates, your peers and your executives get what they want, while, at the same time, you are able to reasonably secure your network environment. Build relationships, do what’s necessary to keep them going and never be seen as a hindrance.
I strongly believe that success in information security is all about understanding the inner workings of human beings. Unless and until these areas are properly addressed, there are no college degrees or security controls in the world that will keep things in check.