Perhaps this could also be entitled: How to specialize and carve a niche for yourself while becoming a subject matter expert (SME).
If you’re just getting started or thinking about jumping into Information Security as a career, you may not know where to begin. From my experience, a lot of professionals get started by conducting security assessments, whether it’s FISMA SA&As (formerly C&As) within the government realm, or Security Impact Assessments as Jr. Analysts.
SANS has put together a great list of the Top 20 Coolest Jobs in Information Security that provides a ‘How to be Successful’ blurb for each role. Below is the list; however, I’ve struck out the roles that I don’t agree with:
1. Information Security Crime Investigator/Forensics Expert
2. System, Network, and/or Web Penetration Tester
3. ~~Forensic Analyst~~ (this can be lumped into #1)
4. Incident Responder
5. Security Architect
6. Malware Analyst
7. Network Security Engineer
8. Security Analyst
9. ~~Computer Crime Investigator~~ (again this can be lumped into #1)
10. ~~CISO/ISO or Director of Security~~ (this doesn’t happen until you’ve already shown your expertise…usually)
11. Application Penetration Tester
12. ~~Security Operations Center Analyst~~ (this is more of a hybrid of #7/#8 and only applies if you’re in a SOC)
13. ~~Prosecutor Specializing in Information Security Crime~~
14. ~~Technical Director and Deputy CISO~~
15. ~~Intrusion Analyst~~ (see #4)
16. Vulnerability Researcher/Exploit Developer
17. ~~Security Auditor~~ (being an auditor does not require specialization, generally speaking)
18. ~~Security-savvy Software Developer~~
19. ~~Security Maven in an Application Developer Organization~~
20. ~~Disaster Recovery/Business Continuity Analyst/Manager~~ (related to #4)
Don’t get me wrong, SANS’s list is great and extremely helpful; however, I view it as a bit too high level. If you really want to get into the weeds and go deeper in security, I suggest following these few principles:
- Learn a new technology, whether it’s firewalls, intrusion detection, or log analysis. If you’re stuck in an analyst position and are looking for a way to carve that niche, knowing Cisco routing and firewall configuration principles will definitely help with transitioning over to a position as a Network Security Engineer (#7 on the list).
- Don’t be afraid to ask your project manager for added responsibility, or to volunteer for it. Showing that you are eager to contribute will increase your value to the team or company, making you more indispensable than, say, poor Billy, who only does what he’s done a million times before and is essentially a paper pusher with no drive.
- Contribute to the security community. Showing that you know your stuff and are willing to share it with others will help you make a good name for yourself. Perhaps start off by tutoring your coworkers, or, when there’s a company training event, volunteer to conduct a training workshop for the company.
- Lastly, being a lifelong student is key. Learning something new on a regular basis is what keeps our minds sharp. If you are constantly learning and practicing, you will only get better and your knowledge base will only continue to grow. This can only help your career. When hiring someone, I take a look at what they’ve done and what they’re currently doing. I’m not satisfied with a snapshot in time. I want a dynamic candidate, not someone who is stagnant and happy just doing their job.
With all this being said, remember to choose what interests you and what excites you. Don’t be satisfied with the status quo - get out there and challenge yourself!