Friends:

As a consultant I have seen a wide variety of people who consider themselves security practitioners, from the firewall installer to the chief security officer. I have observed that there are two categories of security folks: technical and governance. There are a great many security technicians out there, and on average they are compensated up to a certain point that becomes a sort of "ceiling," past which very few attain. Then there are those who practice security from a business perspective but have a very good understanding of the technology issues. These are the practitioners who usually inhabit the upper management or very senior consultant roles.

Information security is much more than technology - it is the implementation of security principles and fundamentals as they pertain to the particular circumstance. IT governance is the key, the practice of which sets the security practitioner apart from his or her peers, which many (but not all) times equates to greater compensation. In almost every circumstance, the economic buyer at a corporation (the person who signs the check, or the person who makes the decisions - like the CIO/CTO) will better relate to the governance practitioner. The CIO usually could not care less what security product is used or how a Unix server is locked down; he or she cares that company assets are well protected through the use of sound policies and procedures that encompass the entire business without prohibiting productivity.

First and foremost, you must decide which side you want to be on, and if you want both, you need a plan to get there. If you've had primarily security technology experience (e.g., firewalls, IDS, pen testing, etc.) but want to branch out into the governance side, begin to understand the company's business model and the role that IT governance plays in the enhancement to the bottom line and the smooth continuity of business. Information security is a natural part of that process.
Access the right resources to begin your study. Here are some outstanding non-technical resources I have used and continue to use. Remember, not all resources you use to improve your security knowledge are security related.

- IT Governance Institute (www.itgovernance.org) - especially COBiT
- Information Systems Audit and Control Association (ISACA) (www.isaca.org)
- CIO.com (www.cio.com) - a great insight into the business leader's issues

I also recommend these resources for constant study materials:

- SecurityFocus (www.securityfocus.com) - naturally ;->
- @Stake (www.atstake.com) - especially reading the security news every day
- NIST Computer Security Resource Center (csrc.nist.gov)
- and too many more to list...

And one last thing: if it is at all possible, become a consultant. You simply cannot beat the depth and wide range of experience you will gain from working in many different environments. If it is your desire, expand your horizons and try to at least experience something new every once in a while. Book smarts can never be a substitute for hands-on experience.

If you'd like to discuss this more, feel free to e-mail me off-list.

Florindo

-----Original Message-----
From: Sharon Joyner [mailto:smarie99at_private]
Sent: Thursday, April 26, 2001 11:29 AM
To: SECURITYJOBSat_private
Subject: Re: Network Security

On Wed, 25 April 2001, Charles England wrote:

> I have been trying to change my career focus from Jack of all Trades
> in a high paced service environment to network security. Despite
> banging on many doors I have up to this point come up empty.

I have been having a similar problem with my job hunt. I've been what my company calls an "Information Security Analyst" for about 6 years and have worked on mainframe, client-server, network and web security administration and projects for all that time. I can honestly say that I'm very good at my job.
I understand the operating systems and applications that run on them and can secure them, even when one system doesn't want to talk the same security language as another. I have a global view of the systems and how they work together, but also understand the details of how they work individually.

We have a systems group that is responsible for building our network and database servers, so I haven't had the hands-on experience of building a server from scratch. I have configured security and worked with systems folks on the system design to make sure security issues were handled correctly. I have the responsibility for securing the systems after the servers are up and running. Could I build and maintain a server - sure, I could, it's not rocket science - have I actually done it, no.

This one gap in my experience has made it almost impossible to find a company who will allow that I have the knowledge they need and grant me an interview. For most companies "Security Administration" has come to mean build the server, keep it running AND administer security all at once. When HR people or IT managers find that I haven't built my share of servers, that's it for me. I'm out of the running.

That's my sad story, but I see it as a bigger problem in the security industry, because, to be honest, I haven't always been impressed with the ability of the systems people to deal with security issues. In my experience, most of them aren't trained in basic security and control issues and sometimes they aren't even interested. Their focus is to keep the system up and running and security usually takes a back seat.

As far as certification goes, my CISSP certification has gotten me a couple of phone interviews, but that's as far as it's gone. As far as what certifications are important, get an MCSE and you'll probably get hired, though you sure won't know any more about security.

My 2 cents.

Sharon Joyner
smarie99at_private
This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 20:36:25 PDT