DiceTV: Feds Focus on IT Security Skills

Dear Cat: I was laid off some time ago and need some insight into what’s hot in IT. Any ideas? Thanks. Brian.

Okay, Brian, one word: Security. The federal government’s becoming increasingly concerned about the vulnerability of its networks.

The Department of Defense alone has spent $100 million over six months to repair the damage from cyber attacks. The Wall Street Journal says DoD logged 360 million hacking attempts in 2008, up from 6 million in 2006.

In May, the White House released a cyberspace policy review that proposed a number of measures to bolster security, suggesting centralization of security efforts, and the creation of partnerships with the private sector and academia to coordinate its ultimate security objectives.

And, the report recommends investment in processes, technologies, and infrastructure that will help prevent security breaches and other incidents.

So: Where will the government invest? Will new jobs be created? Who’ll get them?

Well, security experts are sitting pretty. Industry observers say the demand for tech professionals skilled in information security is greater than ever, both in government and in the private sector.

At least for the foreseeable future, developing those skills looks like a very good career investment.

While IT and security used to be two separate groups, today they’re often merged on the corporate organization chart.

This means nearly every IT job now requires some level of security knowledge. Two hot areas right now: Web application security and compliance automation. Good areas to brush up on.

If you have a question for me, send it to feedback at dice.com, and put “Ask Cat” in the subject line. That’s feedback at dice.com.

Comments

17 Responses to “DiceTV: Feds Focus on IT Security Skills”

July 14, 2009 at 9:44 am, Ron Reid said:

Hi, I am a computer hardware tech wanting to expand my career.
I am very aware of the need for IT security and want to know if you can direct me to some online training and
certifications and their values.

July 16, 2009 at 1:26 am, Dice Learning said:

Ron – the CISSP is the foremost important certification for government-sponsored and sanctioned network security. Check out Dice Learning at learning.dice.com and enter keyword CISSP to review. The two authorities on network security are ISC2 and SANS. Good luck.

July 17, 2009 at 3:18 am, Malcatraz said:

I would recommend Network Security. The CCNA certification is a good start. I’m studying for this Certification. I recommend Trainsignal if you prefer computer-based training.

July 22, 2009 at 4:46 am, Dynamix said:

While I respect everyone’s input regarding IT security and the “perceived” best approach to dealing with the issues, the fact remains that it is difficult to really assess the magnitude of all cyberspace attacks, given that government and private industries tend to keep these incidents confidential in order not to alarm customers, shareholders, etc., which is the advantage that the black hat community understands and exploits to the fullest, all while government LANs and WANs are being hacked daily around the clock as we speak. Why is that, you ask? My experience in the field tells me that the motives are different, be it political, disgruntled ex-employees, etc., but one trend I’ve noticed over the years is that while companies want to protect their resources, hackers always tend to be one to ten steps ahead of the game, because they understand the basics. In other words, while everybody is trying to figure out what stupid cert to pursue, not to mention the ridiculous amount of time and MONEY all coming at your expense, hackers I’ve spoken with religiously believe this is the Achilles heel of governments and the private sector overall. Cyber and network attacks are like trafficking narcotics: it is big business in the shadows; these guys make millions of $$$ while we’re living paycheck to paycheck. The intentions of CISSP, SANS, ISC2 are all a business at the end of the day, frustrating their pursuers, with no guarantees, coupled with an enormous amount of ass kissing while looking for meaningful work that employers understand. I’ve been in the industry since 2000 with only the A+, Network+, Security+, iNet+ from CompTIA, while also attending hacker conventions in Las Vegas, all in order to understand your enemy’s frame of mind. Little do these entities know that your enemy is often not across borders but within the network itself. As far as certs, my opinion is don’t pursue them unless your employer pays for it; that way he/she understands your value in the company. Any other way is just simply a waste of money and time on your part. Stick to the basics, my friends. Befriending a black hat individual also helps.

July 22, 2009 at 5:19 am, Edtech said:

The CISSP, SANS GIAC and ISC2 certs are helpful but do not guarantee a job, not to mention the ridiculous amount of time and money invested at your expense. The reality is that these attacks are hard to determine, given that companies tend to keep these incidents confidential. You always read articles like this, companies spending millions on IT security, but you never hear how the money is actually being spent. I’ve been in the industry since 2000 with the A+, Network+, Security+, iNet+, all paid for by my employer; this is the only way it makes any sense to pursue any cert in the industry. As far as attacks go, just keep in mind that the enemy is often within the network itself. Attacks can also come from cyberspace, but the source is often closer than you think. Stick to the basics, folks: if you understand your company’s network infrastructure, patching holes, software updates, disabling unused ports and a strong enforceable security policy is all you need to be on your way to good security. The rest is just a bunch of Security Certification Hype.

July 22, 2009 at 7:20 am, Tim said:

I would recommend both the CISSP, and the SANS GIAC. The CISSP is really good for overall security, and the SANS GIAC offers a lot of more specialized security focused certifications, such as firewall, wireless, incident response, etc.

July 22, 2009 at 7:26 am, Wes said:

You might want to start with your spelling.

July 22, 2009 at 7:56 am, Jeff said:

Meh, I read the ISC2 initial cert book, for SSCP. You’re supposed to swear to at least a year of focused IT security experience to take that exam, and ten years before you can take the actual CISSP, I believe.
You’d need to be previously invested in the field to take advantage of this trend anytime soon.

July 22, 2009 at 7:59 am, Jeff said:

Not that there’s anything particularly difficult or technical in that SSCP book, mind you. It’s all about forming committees and other political schlock.

July 22, 2009 at 8:37 am, dbrassle said:

Ron,

Over the past few years, I’ve spent a considerable amount of time and money on information security (aka information assurance in government circles) education and training. Here’s my two cents…

Despite the hype of articles like this, information security is still a relatively small field and you need to set your expectations accordingly. There are few jobs and fewer still that don’t require a lot of practical experience. If you are seeking a government job, they often require years of experience working with government standards, while private companies want years of security experience in a HIPAA / SOX / GLB etc. environment. In my experience, entry-level job postings are virtually non-existent.

I would never discourage anyone from expanding their personal knowledge through education and training, but be aware that CISSP, GIAC, Master’s degrees etc. are not sure-fire tickets to a rewarding job. In today’s environment you will need persistence (and probably a large dose of luck) along with education and training to break into the field.

The security skills that the government and industry are looking for involve an understanding of how people and processes (not just technology) are used to reduce an organization’s risk. Studying information security means you will spend much time understanding things like security frameworks, for example. People that have spent time in “info security” jobs at small organizations are sometimes surprised that their technical experience is a (very) small part of understanding information assurance, and that their tech experience doesn’t count for much when looking at most InfoSec jobs.

If you look at the CISSP, note the time requirement: you need years of experience in information security to receive a CISSP. ISC2 has another cert for those that haven’t met the time requirement, but I don’t see many (any?) job postings that mention the lower-level certs.

Vendor certs like CCNA / MCSE etc. can help you get a job, but these certs are very narrowly focused on a small subset of technical skills. If you were to seek an InfoSec job, these certs aren’t likely to help much.

Best of luck everyone!

July 22, 2009 at 8:41 am, dbrassle said:

Despite the hype of articles like this, information security is still a relatively small field and you need to set your expectations accordingly. There are few jobs and fewer still that don’t require a lot of practical experience. If you are seeking a government job, they often require years of experience working with government standards, while private companies want years of security experience in a HIPAA / SOX / GLB etc. environment.

I would never discourage anyone from expanding their personal knowledge through education and training, but be aware that CISSP, GIAC, Master’s degrees etc. are not sure-fire tickets to a rewarding job. In today’s environment you will need persistence (and probably a large dose of luck) along with education and training to break into the field.

July 22, 2009 at 8:46 am, dbrassle said:

In addition, the security skills that the government and industry are looking for involve an understanding of how people and processes (not just technology) are used to reduce an organization’s risk. Studying information security means you will spend much time understanding things like security frameworks, for example. People that have spent time in “info security” jobs at small organizations are sometimes surprised that their technical experience is a (very) small part of understanding information assurance.

As others note here, CISSP has a time requirement: you need years of experience in information security to receive a CISSP. Vendor certs like CCNA / MCSE etc. can help you get a tech job, but these certs are very narrowly focused on a small subset of technical skills. If you were to seek an InfoSec job, these certs aren’t likely to help much.

July 22, 2009 at 9:53 am, kjonthom said:

So what certs do you think would be helpful, dbrassle?

July 22, 2009 at 10:28 am, ddeleau said:

As a fed contractor working on some of the largest firewalls, on one of the largest enterprise networks, I can say that certs ain’t all that. WAN experience and Juniper/Cisco command line experience are what got me in. Looking ahead, I see more focus on DNSSEC than the FWSM itself. Focus on troubleshooting for email, DNS and routing: skills that are always in demand.

July 22, 2009 at 10:28 am, dbrassle said:

The SANS GIAC and ISC2 certs are helpful; my intent was not to diminish them, just letting people know that if they are spending their own dollars, that ROI is difficult to figure. Once you’re in the field of InfoSec, certs and (perhaps) formal education have value. The problem is getting into an information security job so that you can get real experience. If I were to do it over again, I’d probably focus on GIAC or the Associate of ISC2 program in an attempt to gain entry to the InfoSec / IA field. Once you gain entry, the CISSP is the best thing to have (IMO, but search and I think you’ll find more jobs looking for CISSP), but again, you need some years of experience to sit for the CISSP. Formal education (Master’s degree) I wouldn’t do unless I was already in InfoSec and my employer paid for it — not enough potential bang for the buck, IMO.

July 23, 2009 at 1:15 am, Karen said:

As a Business Analyst, albeit an unemployed one, I’ve noticed that security is becoming one of the non-functional requirement project areas.

Given the spaghetti code of legacy systems, it isn’t easy to address technically. However, before you even begin to address it technically, it has to be understood and addressed at the business level. So the question becomes, what tools do businesses, analysts and project managers use to address security? Comments?

July 24, 2009 at 7:09 am, Mary said:

I have been unemployed for a month and am just receiving a bachelor’s in IT with a concentration in forensics. I don’t have any certifications yet, and unfortunately don’t have any IT experience. My previous employment history is mostly administrative work and some tutoring in software applications and programming in COBOL. My question is: how do I get a job in the IT field with little experience and no certifications?
