
Saturday, April 11, 2015

Think twice before pursuing a career in information security...

...not because it's a bad idea. But a little planning and introspection will go a long way toward charting a course that you'll be happy with.

Over the past few years I’ve had the opportunity to do a fair amount of recruiting and hiring, with a focus on engagement and retention over the long term. One of the great things about the job is to see people find the right role fit and really take off.

Broadly speaking, Information Security is a great field to be in. By nature of the work, it offers many of the things that drive employee engagement: job challenge, variety, and opportunities for advancement. But some of these roles can also be high pressure and require long hours. Stakeholders can be difficult at times, and the most sensitive roles by definition offer limited opportunities for visibility and recognition. Stress and burnout are common risks.

Recognizing and addressing these issues is a key role of management. But staff, especially new staff, should be aware of these potential pitfalls when charting their career in information security. 

If you decide you want to work in Information Security, check out these guides as they point you toward the technical skills you will need. But also be intentional about where and how you want to work. It will make all the difference in the world.

If you have a role that leverages your strengths, you'll feel energized by the challenge, even if it's high pressure and high stress. Likewise, any role that consistently requires traits and skills where you don't perform well will be draining and can potentially burn you out.

Nearly identical roles in two different organizations may need very different things from the person they hire. It depends on a number of factors including the maturity of the organization, the culture of the team, the industry they support, and the threat environment they face.

The best candidate for a specific job is the person whose strengths and interests align with the needs of that function, and whose attitudes, habits, knowledge and skills qualify them for the role.

Below is a high level overview of the kinds of roles that will exist in an effective security organization. It may not be representative of a specific company, or include everything that a security program does. But these elements will be present, and the level of emphasis for each category will depend on the needs of the organization:

Business Information Security Officer (BISO) - This role (not necessarily a title) is a stakeholder-facing representative of the security organization. They ensure that the capabilities of the security organization are integrated within the business. It can also include assessments of internal security projects and external vendors. Information classification, risk assessments, and prioritization of security technology deployments via an information security roadmap can also be included. This is the “sales force” of information security. BISOs learn about business goals, match capabilities to business needs, translate security requirements into business terms, win buy-in, and keep the program moving. Typically this role is more interpersonal than technical.

Security Operations - These are the request-driven functions that involve repeatable processes such as Identity and Access Management, break/fix support and exception management for user-facing security tools such as endpoint protection, device control, or data loss prevention. Firewall/VPN management can also be a Security Operations function. Some requests are simple, others can be complex. The work is process driven, and there's consistent customer interaction. It's a mix of interpersonal and technical, but once you master the learning curve, the work can become routine. From a delivery perspective, the work is measurable, and this makes it a good area for driving process improvement. Many of these responsibilities are also prone to offshoring, which means that retained roles within the organization are often specialized or involve inspection and oversight of offshore resources. Organizations that like to create a 'pipeline' of talent can bring candidates into Security Operations due to the (relatively) short learning curve, and then advance the high-aptitude team members that excel.

Governance, Risk and Compliance - GRC analysts help define the policies and standards that ensure internal compliance and external regulatory requirements are met. They assess the current control environment and identify missing capabilities, evaluating the risk to the organization posed by those gaps, enabling senior business leadership to decide which risks to accept and which need to be addressed. These roles are often less technical, although a background in IT Operations is very helpful. 

Cyber defense - On the surface, these are considered the “fun” roles of infosec, such as threat management, vulnerability management, penetration testing, forensic investigations and incident response. All are technical, and sometimes high stress. Long hours are common. Depending on how the roles are structured, processes can also become very routine. Except at the management level, these functions can have less direct end-user contact than BISO or GRC. Skills aside, not everyone has the temperament to really dig in on these kinds of roles and thrive over the long haul. Some organizations mix GRC, Cyber and BISO work within the same role so that the work isn't repetitive. But generally speaking, the larger the organization, the more specialized the responsibility.

Security Engineering and Architecture - In a "plan, build, run" IT model, this function does the plan and build. It can also include application security, data sanitization and other highly technical functions. This team evaluates the limitations of existing capabilities and prepares the case for adding new functionality. Once a solution is chosen, they properly size it for the environment and start the process of integrating these capabilities. They also interface with peers across the rest of IT, vendors and professional services organizations to integrate these solutions. Project management discipline is important here, along with defining and adhering to technical standards. As with cyber defense, these roles are highly technical. Depending on how the work is structured, it can have less contact with business stakeholders than most of the other roles.

Is this everything a security organization does? No - there's a lot more that could be said about Privacy, Disaster Recovery, or other domains of information security. But as a general rule, at minimum, effective organizations contain these functions. 

In Managing Oneself, Peter Drucker opens with these four questions:

  • What are my strengths?
  • How do I perform?
  • Where do I belong?
  • What is my contribution?

The more you know about what drives and enables you to make the biggest contribution to an organization, the better prepared you will be to target the right roles for you. 

Two caveats:
  • Sometimes you'll have strengths that aren't needed at the entry level, but they become critical at higher levels of the organization. Be patient, work hard and grow. In basketball they say "let the game come to you." It's true in InfoSec too. In a healthy organization, talent is a magnet for new work.
  • What if you're not sure which functional area is best for you? You may want to work in a smaller organization, or one that defines security boundaries per region. This gives you the best opportunity to sample multiple responsibilities. Another option is to network within the organization, and volunteer for cross-team projects. Explore within the organization, but don’t job-hop unless you have a good rationale for it.
With this in mind, do all the homework in advance that you can to chart the course that’s best for you. Use LinkedIn, job postings and other details to map out organizations that you're interested in. There you’ll find your best chance for success.


Best of luck!

Sunday, January 04, 2009

Security career snapshot - January 2, 2009

Now that the holiday break has ended and everyone is heading back to work, it seems like a good time for information security professionals at every level to take stock of available opportunities and chart a course for the new year.

Is it safer to stay put, or move?

While there's an abundance of forecasts available that predict where 2009 is headed, most are discouraging, few will turn out to be correct, and there doesn’t seem to be a method for sorting between the good and bad estimates that’s any more trustworthy than the estimates themselves.

Instead, I'd argue that it makes more sense to take a second look at the current role, the financial health of the organization, external opportunities, and the stability of the regional and national economy ... and plan according to current actualities.

To cut through that uncertainty, I spent some time over the break going through online job postings to compile a snapshot of security jobs that are currently open and available. I looked at job titles, years of experience required, expected regulatory / compliance background, certifications, and the most active hiring locations. This snapshot won’t show hiring trends for 2009, but my hope is that it’ll at least make a decent starting point for figuring out where the holes in the resume are, and which types of work assignments today may open doors for the next role.

I started with a query of security jobs using an aggregator site, and randomly selected a subset of 200 for analysis. I downloaded each full post directly from the offering website and parsed them locally using some scripts. Below are some of the high points. The margin of error on the survey should be plus or minus 7%. If you want a detailed look at the approach, or the data itself, just drop me a line.
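The approach in the paragraph above, as an added example that is not the author's own scripts: a small Python script over a handful of constructed (not real) sample postings that classifies each title, normalizes the varied phrasings of an experience requirement ("1 to 4 years", "2 or more", "4-6 years") to a minimum number of years, tallies certification, regulatory and state keywords, and computes the worst-case sampling margin of error for a sample of n postings. The posting format, keyword lists and regular expressions are assumptions made for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample postings (not real data), one string per posting; the title
# is assumed to be the first sentence and the location the trailing "City, ST".
SAMPLE_POSTINGS = [
    "Security Engineer. 5+ years of experience. CISSP required. FISMA and NIST 800-53. Reston, VA",
    "Information Security Analyst. 2 or more years in IT security. CISSP or CISM highly desirable. SOX 404, PCI DSS. Dallas, TX",
    "Security Administrator. 1 to 4 years experience with firewalls and VPN. Security+ preferred. Baltimore, MD",
    "Information Security Manager. 10 or more years. CISM, CISA. HIPAA, GLBA. New York, NY",
    "Senior Security Consultant. 4-6 years. GIAC GCIH. ISO 27001. Washington, DC",
    "Security Architect. Minimum of 8 years. CISSP-ISSAP. PCI DSS. San Jose, CA",
]

# Keyword lists are assumptions; extend them to match the postings you collect.
TITLE_KEYWORDS = ["engineer", "analyst", "administrator", "manager", "consultant", "architect", "director"]
CERT_KEYWORDS = ["CISSP", "CISM", "CISA", "GIAC", "Security+", "CCNA", "CCSP", "CCNP", "MCSE", "Network+"]
REGULATORY_KEYWORDS = {
    "FISMA": r"\bFISMA\b",
    "ISO 17799/27001/27002": r"\bISO\s*(?:/IEC\s*)?(?:17799|2700[12])\b",
    "SOX 404": r"\bSOX\b|Sarbanes",
    "PCI DSS": r"\bPCI\b",
    "HIPAA": r"\bHIPAA\b",
    "GLBA": r"\bGLBA\b|Gramm",
}

# Each pattern maps one phrasing of an experience requirement to its minimum;
# ranges ("1 to 4", "4-6") are reduced to their lower bound. Order matters:
# the bare "N years" fallback must come last.
YEARS_PATTERNS = [
    re.compile(r"(\d+)\s*\+\s*years?", re.I),                      # "5+ years"
    re.compile(r"(\d+)\s+or\s+more", re.I),                        # "2 or more years"
    re.compile(r"(\d+)\s*(?:to|-)\s*\d+\s*years?", re.I),          # "1 to 4 years", "4-6 years"
    re.compile(r"(?:minimum\s+of|at\s+least)\s+(\d+)\s+years?", re.I),  # "minimum of 8 years"
    re.compile(r"(\d+)\s+years?", re.I),                           # "5 years experience"
]
STATE_RE = re.compile(r",\s*([A-Z]{2})\s*$")


def classify_title(text):
    """Return the first role keyword found in the posting's title sentence, or 'other'."""
    head = text.split(".", 1)[0].lower()
    for kw in TITLE_KEYWORDS:
        if kw in head:
            return kw
    return "other"


def min_years(text):
    """Normalize the experience requirement to a minimum number of years; None if absent."""
    for pattern in YEARS_PATTERNS:
        m = pattern.search(text)
        if m:
            return int(m.group(1))
    return None


def certifications(text):
    """Certifications named in the posting, matched as whole tokens (so CISSP-ISSAP counts as CISSP)."""
    return [c for c in CERT_KEYWORDS
            if re.search(r"(?<![A-Za-z])" + re.escape(c) + r"(?![A-Za-z])", text)]


def regulations(text):
    """Regulatory / governance frameworks named in the posting."""
    return [name for name, pat in REGULATORY_KEYWORDS.items() if re.search(pat, text, re.I)]


def state(text):
    """Two-letter state code from a trailing 'City, ST', or None."""
    m = STATE_RE.search(text.strip())
    return m.group(1) if m else None


def margin_of_error(n, z=1.96):
    """Worst-case (p = 0.5) margin of error, in percent, for a simple random sample of n postings."""
    return round(100 * z * math.sqrt(0.25 / n), 1)


def summarize(postings):
    """Build the same kind of tallies the survey reports: titles, median years, certs, regs, states."""
    n = len(postings)
    titles = Counter(classify_title(p) for p in postings)
    years = sorted(y for y in (min_years(p) for p in postings) if y is not None)
    certs = Counter(c for p in postings for c in certifications(p))
    regs = Counter(r for p in postings for r in regulations(p))
    states = Counter(s for s in (state(p) for p in postings) if s)
    return {
        "n": n,
        "titles": {k: (v, round(100 * v / n, 1)) for k, v in titles.items()},
        "median_years": years[len(years) // 2] if years else None,  # upper-middle value for even counts
        "with_cert": sum(1 for p in postings if certifications(p)),
        "certs": dict(certs),
        "regulations": dict(regs),
        "states": dict(states),
        "margin_of_error_pct": margin_of_error(n),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_POSTINGS).items():
        print(f"{key}: {value}")
```

The normalization in `min_years` is the part worth copying: the lower bound of a range is taken as the minimum, and the bare "N years" pattern runs last so that it does not swallow the upper bound of "1 to 4 years". With a real sample, check the unmatched postings by hand; any phrasing the patterns miss is simply dropped from the experience tally, which biases the median.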

Here’s what I found:

Most common job titles
A bit less than half of all security job openings are for the role of engineer, analyst, or administrator. Manager jobs appear less than 5% of the time, and director level only 1%.

Without more information it's tough to be definitive, but the numbers could imply a couple of things: first, that security organizations may be flattening right now as managers hire more staff; and second, that “individual contributor” roles may have more mobility across organizations than leadership positions. It’s also possible that management roles are filled through other means (internal candidates, etc.) more frequently than staff positions are.

Position title    Number of postings    Percent
Engineer          45                    22.5%
Analyst           30                    15.0%
Administrator     14                     7.0%
Manager            9                     4.5%
Consultant         9                     4.5%
Architect          5                     2.5%
Director           2                     1.0%


Years of experience expected for each role
Across all positions, five years was the median level of experience required. Only 30% of positions expected two or fewer years of prior relevant work history. One interesting fact was that out of 41 postings with a specific requirement, that requirement was described 21 different ways (e.g. 1 to 4 years, 2 or more, 4-6 years, etc.) It seems the industry has generally standardized on which certifications and skills are expected, but not the level of experience associated with those skills that represent appropriate minimum requirements.

Years of experience required    Number of job postings
0 to 1                           3
2 or more                       10
3 or more                        3
4 or more                        2
5 or more                       12
6 or more                        3
7 or more                        2
8 or more                        1
9 or more                        1
10 or more                       5


Most common regulatory / compliance keywords
Not every posting specifically cited regulatory requirements or security framework experience. But for those that did, the following are the most commonly listed:

Regulatory or governance requirement                                          Number of postings
Federal Information Security Management Act (FISMA)                           14
Code of practice for information security management (ISO 17799/27001/27002)  12
Sarbanes-Oxley (SOX 404)                                                      12
Payment Card Industry Data Security Standard (PCI DSS)                        12
Health Insurance Portability and Accountability Act (HIPAA)                    7
Gramm-Leach-Bliley Act (GLBA)                                                  3


Most common certifications
As of early 2009, candidates with a security certification have an edge over non-certified candidates, but certification is not usually a make-or-break requirement. Less than half (47%) of all security job postings examined listed a certification at all; around 20% described certification as "required" or "highly desirable."

CISSP is the most commonly listed credential, although it often is provided as one of several examples e.g. “Professional security certification such as CISSP, CISM, GIAC, CCNA, CCSP, CCNP, MCSE, Security+, Network+.”

Security Certification (n=94)                                  Number of postings    Percent
Certified Information Systems Security Professional (CISSP)    48                    52.7%
Other (Cisco, etc.)                                            12                    13.2%
Certified Information Security Manager (CISM)                  11                    12.1%
Certified Information Systems Auditor (CISA)                   10                    11.0%
SANS Global Information Assurance Certification (GIAC)         10                    11.0%


Most active hiring locations
Finally, the top ten states (and Washington D.C.) listed by frequency of job posting:

State              Number of postings (n=200)
California         32
Virginia           32
Maryland           24
Washington D.C.    17
Texas              11
Massachusetts      11
New York            8
New Jersey          6
Illinois            6
Pennsylvania        4


So if you're a Security Engineer with a CISSP and five or more years experience in your current role, with a strong background in FISMA, SOX and ISO 17799 who lives in the Washington D.C. area ... relax ... even in the midst of this economic mess, it looks like the world is still beating a path to your door. For the rest of us, though, we probably have some work to do.

Best of luck to everyone trying to improve their skills and find the right organizational fit in 2009. I hope this was helpful; if you have questions about specific skills, opportunities or regions not listed in this overview that you haven't been able to ferret out using the job search engines - let me know and I'll help if I can.