The Information Security market is forecast to burgeon from $75b in 2015 to $170b in 2020. With one million current job openings, what does it take to succeed in this industry? Although this advice will not apply to everyone and is not exhaustive, here are some ideas:
Breadth and depth. For most, it is useful to have a broad overview of a range of InfoSec issues, as well as deep knowledge of specific areas. The core foundation underlying InfoSec is technical – there is no escaping a level of technical knowledge. A broad security overview helps in understanding relationships between elements and how parts fit into the whole. Becoming an expert in a specific area requires depth – you need to drill down, like going down a mine shaft and shining light on deeply hidden complexities. At times you may need to continue descending down the mineshaft until you reach bare silicon. Enlightenment deep down can yield valuable gems. Once you have deep understanding of an area, you perhaps proceed laterally, connecting to other deep technical areas. Many who enter the industry in technical roles relish the challenge of the deep-dive into complexity. InfoSec professionals should hone their skills in flitting between the broad and the deep.
Speaking and writing. Everyone can speak and write properly, can’t they? Unfortunately, not. To advance in any industry you need to be able to communicate your ideas well. Whether writing an email, a whitepaper, or soliciting help from colleagues during a scrum meeting, it is essential that you are skilled in persuading others to your viewpoint. Many InfoSec practitioners, taciturn in nature, need to advocate their viewpoints more assertively. Improving speaking and writing skills should be a life-long quest. We spend such a lot of time speaking and writing, it is worth investing time and energy to improve.
Continual learning and adapting. InfoSec is an industry that changes more frequently than new messages arrive on your smartphone. Every day new technologies, new vulnerabilities, new exploits and new counter-measures are unveiled. To thrive and succeed, you need to assiduously keep abreast of changes. Many roles require hours studying new developments every week. To keep up to date, I listen to InfoSec podcasts (such as this one) during the daily commute, monitor my Twitter List, and scan or read a large number of articles each week. Refine your own methods of keeping up to date with developments and figuring out the implications of changes for you.
Innovation and creativity. Writing code is basically solving problems. In getting software to work as designed, a developer constantly needs to solve programming problems. This is good groundwork for developing a creative, innovative mind-set. From time-to-time seemingly insurmountable obstacles block the way, and one needs to be particularly creative or restate the objective in order to examine issues from a new angle. There is no shortage of problems to fix in InfoSec – the scope and rewards for innovative solutions is enormous. Those who innovate do well.
Multi-tasking and time management. Success in any field requires a significant energy and time commitment. Multi-threading, task-switching, multi-purposing, and jettisoning time-wasting activities are essential techniques and well covered in this post by Troy Hunt.
Certification. Whether you like it or not, certification is important in InfoSec. To expand one’s breadth of understanding, most practitioners should aim to achieve at least CISSP certification where the syllabus represents a vast floodplain rather than a mineshaft. CISSP is useful for filling out the blanks, the security domains in which you have not yet been exposed to in your career.
Exercise and fun. Most of us in InfoSec spend a great deal of our working day sitting down in front of a screen. This sedentary workday is about as unhealthy as hacking the FSB from a Chernobyl café. A challenging physical exercise programme should be built into your weekly routine to counter-balance the hours of inertia. It is also important to enjoy the fun that tech provides. It can be stimulating understanding new technologies, learning the workings of new threats and developing or implementing countermeasures.
The information security industry has a bright future and opportunities abound. Whether you are new to InfoSec or an adroit practitioner, the beginning of 2016 is a good time to set objectives and get on track for success.