Information security is a multi-disciplinary profession. You have to be good with technology and the issues surrounding data confidentiality, integrity, availability, access, authenticity, risk management and security classification. You have to understand people and company culture. Above all, you have to think like a bad guy.
Information security specialists need to take on the mindset of a hacker – someone who wants to break into a company’s system to steal data, or corrupt the system with malware or infect it with a virus. They have to be able to identify a system’s vulnerabilities. As Will Kruse, a software security consultant with Dulles, Va.-based Cigital, says: "You have to think like an attacker. You have to think about things like, ‘How can a system fail? How can it break?’"
Information security continues to take on a greater importance as the black market for e-commerce data has grown. In addition, companies now face a slew of regulations to comply with, while financial fraud has become an area of greater concern. Because of these factors, investments in security aren’t likely to subside, even in the midst of an economic downturn. Certainly, the federal government is doing its part to keep the sector healthy. As part of the economic stimulus package signed into law in 2009, about $99 million of a $524 million capital investment fund will be available to the U.S. Department of State to carry out responsibilities under the Comprehensive National Cybersecurity Initiative, a highly classified effort aimed at bolstering the ability of the government to detect, respond and mitigate cyber threats. And that is just one example.
"The opportunities for someone coming out of college are huge right now," says Kruse. "There is an opportunity to get your hands dirty with a lot of real-world problems."Kruse says companies are putting a lot of effort into recruiting "young folks," adding, "We need young, enthusiastic blood."
Roles and Career Paths
But, make no mistake, you need skills, too. On a high level, many organizations now employ an information security officer to craft its security policies and guidelines. Depending on the vertical industry, this person also ensures the company is complying with the numerous government regulations that have emerged in recent years. Someone looking to work on this level needs to be intimately familiar with such regulations as the Health Insurance Portability & Accountability Act (HIPAA), the Gramm-Leach Bliley Act, the Sarbanes-Oxley Act, security breach notification laws or the Family Education Rights and Policy Act.
Like many IT jobs, the security profession can be sliced into many forms. A newly emerging role is that of the database security analyst, according to Noel Yuhanna, a Forrester Research security analyst. Oftentimes, adherence to an organizationÂ¿s security policies falls on the database administrator’s shoulders, though the actual enforcement tends to be last their to-do list. Now, database security experts are working alongside DBAs to ensure enforcement. Such professionals not only need to have security expertise but a familiarity with Oracle, SQL Server or IBMÂ¿s database software. They also need to know about application stacks, along with firewalls and networks
There are other more narrowly defined security jobs. A security manager, who typically has seven to 10 years of IT work experience in all aspects of business planning, systems analysis and application development, is involved in the development and delivery of IT security standards, best practices, architecture and systems to make sure data is secured across the enterprise, according to Gartner’s 2008 IT market compensation study.
A security analyst generally has about four to six years experience of combined IT and security work with exposure to system analysis, application development, database design and administration. He or she develops and manages security for more than one IT area – such as data, systems, the network or the Web. These professionals also prepare status reports on security matters to develop risk scenarios and possible responses. The network security specialist, who has about three to five years of combined IT and security experience, assists in the development and implementation of security policies, procedures for the network.
Certain colleges and universities are providing master’s degrees or Ph.Ds for people who want to approach IT security on a different level. For example, someone with a financial background can focus on financial forensics to investigate and prevent financial fraud. Such a person needs the ability to analyze financial data. Insurance companies, says one industry observer, "are desperate for these people."
Skills and Qualities
- Ability to understand law and regulatory policies
- Comfortable working with multiple departments