Recent events have shown that the threat of information
security (INFOSEC) breaches is very real and frightening. In a recent
CSI/FBI survey, nine out of ten organizations reported a
breach within the past year, and many of these reported
significant financial losses as a result of these breaches.
IT practitioners need to be aware of the following topics in
order to ensure the security of their vital information:
Networks and Telecommunications; Cryptography; Access
Control; Security Architecture and Models; Applications
and Systems Development; Security Management Practices;
Operations Security; Disaster Recovery Planning/Incident
Response; Risk Management; and Law, Investigations, and
Ethics.
If you are seeking to go into the INFOSEC profession, your
goal should be to land a job where you are likely to gain
experience in one of the following areas:
- Secure Applications and Systems Development
- Implementation of Network, Telecommunications, and
Internet Security
- Cryptography and Cryptographic Applications
- Management or Administration of Security (Operations
Security, Network Security)
- Design and Implementation of Access Control Systems
- Development of Security Architectures and Policies
- Implementation of Audit and Monitoring, Performing Audit
Analysis
- Performing Risk Management, Response and Recovery
Such jobs include software or systems engineering,
programming, systems analysis, systems administration, or
database administration.
Look for a job in which some part of your primary duties is to
design or implement security. Once you have gained a few years'
experience in one of these fields, you may be ready to
begin looking for a role as a security administrator or INFOSEC
analyst.
Note, however, that if you continue to work as, say, a
programmer doing security-related work, you are in the
INFOSEC field. You do not have to have "security" in
your title to be in the INFOSEC profession.
Besides gaining experience in the field, formal education is
becoming an increasingly important component of landing a
good INFOSEC job:
- I would look into one of these graduate programs: http://www.nsa.gov/isso/programs/nietp/newspg1.htm
Here's a good article on the INFOSEC profession: http://www.INFOSECuritymag.com/2002/apr/INFOSECprofession.shtml
Finally, I highly recommend reading this Slashdot interview
with Fyodor, the creator of the very useful Nmap scanning tool:
http://interviews.slashdot.org/article.pl?sid=03/05/30/1148235&mode=thread&tid=126&tid=172&tid=95
He has a lot of good ideas for how to build up your INFOSEC
knowledge.