Your career in information security

How to start your career in information security? Is “hacking” essential? Do you need technical skills? We talk about careers in information security.

TL;DR

  • Forget Hollywood-style hacking in information security.
  • Decide which InfoSec domain is the most interesting for you (technology, organization, humans).
  • Don’t forget soft skills, English, and basic knowledge of scripting.

InfoSec isn’t about Hollywood-style “hacking”

People who are new to the broad topic of “information security” may know Hollywood-style “hacking”: A hoodie-wearing guy sits in front of dozens of monitors, the room is dark, data is flowing everywhere, and he types commands at the speed of light. The other extreme is the nerdy cryptography expert who breaks codes by looking at them.

In reality, you won’t find this “hacking” in information security. InfoSec people wear suits or business casual, depending on their company and job. Most InfoSec people aren’t “hardcore coders” who know every programming language. They are normal people specialized in securing information. Forget the Hollywood action, and start with a solid foundation.

A solid foundation

The first step on your road to becoming an information security expert may be a bachelor’s degree. Companies may require other qualifications, of course. You don’t need a Computer Science degree in any case. Let’s look at the three basic domains of information security: technology, processes/organization, and humans.

Technology

Technology (the “hackers”) is 33% of InfoSec. However, technology differs: “Traditional” information technology (IT) focuses on securing IT components as found in office environments. Then, there is operational technology (OT), focusing on OT components like industrial control systems in production and manufacturing environments. IT and OT differ in many aspects. For instance, OT components may conduct time-critical operations. Availability of OT components has the highest priority while confidentiality isn’t important. OT components may consist of special hardware, developed for a specific purpose, and may run special operating systems that can’t be updated easily.

OT networks may be isolated from the internet. In recent times, OT networks have become more and more connected, and operators are becoming aware of security aspects in their networks. OT security professionals who understand the special implications of industrial networks are required.

Starting your InfoSec career with an emphasis on technology may require a STEM degree (science, technology, engineering, and mathematics). No, you don’t need a Bachelor of Science in Computer Science. Security companies may recruit people with a degree in mathematics or engineering. Universities may offer special study programs in information security.

Examples of InfoSec job titles with an emphasis on technology are forensics experts, incident responders, vulnerability assessors, penetration testers, code auditors, threat analysts, security engineers, security consultants, security architects, security analysts, and security administrators.

Processes and organization

Processes and organization are another crucial aspect of information security. Technology on its own isn’t sufficient to secure anything. A company needs guidelines, policies, and processes. Someone has to define rules for humans and technology. How to react in case of security incidents? How to store backups? What are acceptance criteria for new software? How to manage vulnerabilities? These are typical questions of information security management, needed to govern information security in companies.

A career in information security management may not require a Bachelor of Science in Computer Science. For instance, a degree in business information systems may be suitable. Universities may offer special study programs in information security management.

Examples of job titles in information security management are (chief) information security officers, security specialists, security software developers, security managers, security directors, and security auditors.

Humans

Finally, we, the humans, exist. Companies need to raise awareness for information security since technology and processes/organization can never achieve 100% security. We as humans can bypass technical security measures, or ignore defined rules. Human error also exists. It’s even worse: Many social engineering techniques work without technology being involved. Someone must address humans.

Starting a career in information security awareness may not be easy. Many companies focus on technology and processes/organization when it comes to information security. However, more and more companies realize full-time employees in InfoSec awareness are required. These professionals must understand how humans “work,” and need a decent amount of well-developed soft skills. InfoSec awareness may not require STEM degrees.

Examples of job titles in information security awareness are (chief) security awareness officer, cyber security awareness and training specialist, and information security awareness manager.

What you can do in general

You may decide later if you are uncertain about your InfoSec career path. To get an idea of the “real” day-to-day business, you can intern at companies, or work as a student employee. Make use of these possibilities to gain experience.

Keep in mind getting a degree in something doesn’t imply that you get your hands on the latest technology, or findings. Studying is about learning the basics.

We recommend learning at least one scripting language and basic Linux commands. “Learn” means you understand concepts of the language and can automate basic tasks without copying code from the internet. Python is universally usable, and easy to understand if you know programming languages.

Soft skills are crucial. InfoSec folks aren’t hoodie people but social creatures. Make use of any possibility to improve your soft skills.

Learn and improve your English if you aren’t a native speaker. Communicating in English may be required on a daily basis.

Get specialized

After getting a solid foundation for your chosen career path, you may specialize in your domain by getting a Master’s degree. Some universities offer study programs focused on information security management; others offer programs focused on security in industrial or automotive environments.

We don’t recommend a general Master’s degree in Computer Science after getting a Bachelor’s degree in Computer Science since it is broad-ranging and not focused on information security. Use specialized study programs to gain experience, and focus on information security. Companies may offer financial support to get a Master’s degree.

Keep in mind academic degrees aren’t always necessary to reach your favorite job position. People with several years of relevant job experience may get the same jobs.

Get certified

A giant market of InfoSec certifications exists. Some people consider certificates to be useless. We think certificates matching your career path may help you attain relevant knowledge and may even boost your career.

We recommend going for vendor-independent certifications. CompTIA’s certifications in cyber security (Network+, Security+, CySA+, CASP+, PenTest+) may be a good starting point.

You may need to renew your certificates after some time. For us, this makes sense since a decade-old certificate without any related work experience isn’t meaningful. Keep in mind getting certified doesn’t imply using the latest tools or trying out the “newest hacks.” Getting certified is about learning basics to reach a defined level of qualification that is comparable.

Build a (social) network

Social skills are crucial. Another important part is your social network (no, we don’t think of Facebook here). Attend well-known security conferences and workshops. Use these opportunities to get in touch with other security professionals to share ideas and knowledge.

You can be an active part of these events. Look for “call for papers” and apply to give a talk. Help organize these events.

Summary

If you don’t know your ultimate dream job in information security, intern at companies, learn scripting languages, and improve your soft skills. Gain work experience as a student employee, read job postings, and understand what companies need.

Choose an InfoSec topic for your thesis. Get vendor-independent, known certificates to specialize and demonstrate your knowledge.

We republished this article in September 2021.