Securing a Security Career

Date:   Tuesday , January 31, 2006

Even as security professionals go about tightening the insecure nuts and bolts of the organization’s networks, they cannot act after a worm or a hacker has got it right. They have to be pro-actively ahead in this race within the hairpin bend. This is what separates the effective security specialist from the spectators. “To be a good security professional one needs to know that security is not only a major technical problem but is a big business problem,” advises Srinivasa Vaduguru, Senior QA Manager, McAfee India.

People Involved
Information security specialists are broadly divided into two–those involved with product development and services; and those involved with managing the information infrastructure. Product and services specialists are involved in various areas:
1. Programmers are those who build the secure software, deal with threat modeling and code review.
2. Testing specialists do functionality tests from a security perspective.
3. Research specialists indulge in threat detection, analysis and development.
4. Consultants do all the above procedures.

What Counts?
An engineering degree is definitely an advantage to enter into the security arena, however any kind of computer software or hardware background is fine to begin one’s career. After you earn the degree, research to know where you want to head in the security space in terms of employment. It is better to find a good pure play security company, preferably a product company and a role.

The Tools to make it Here
There are very few institutes in India offering courses in Information Security (Among the IITs, IIT Chennai offers a course in Cryptography and System Security at the M.Tech level); hence it is better to go for certifications especially those needing continuity of education requirements.

Certifications are broadly of two types: vendor based and broad based. Vendor certifications come from Microsoft, Cisco, Check Point among others. These help you acquire knowledge of how to build and manage networks. The CCSP (Cisco Certified Security Professional) is a good professional level recognition for designing and implementing Cisco networks in a secure way. The MCSE (Microsoft Certified Systems Engineer) is a certification for the Microsoft servers and networks. Red Hat certified security specialist is a certification for the Red Hat Linux.

There are two broad-based certifications:
1) For beginners:
a) Security Plus from CompTIA (Computer Technologies Industries Association) - is a foundation level course for IT professionals with 2 years experience.
b) Certified Ethical Hacker is for people who want to be penetration testers.

2) Advanced:
a) CISSP (Certified Information Systems SecurityProfessional) - from the (ISC)2 (Inter-national Information Systems Security Certification Consortium) is almost a benchmark certification.
b) CISA (Certified Information Systems Auditor) is for people who want to develop career in auditing.

“Hyper-specialization in areas like data forensics does have its disadvantages if there is a lack of demand later on. It should be an added feather in the cap and not the only feather in the cap,” advises Gokul Janga, GM, Aventail India.

Technical skills required of security aspirants are that they must be very good in googling, networking (solid foundation in networking protocols) and how operating systems internals work. General skills required is the ability to understand and appreciate the big picture of the systems, prioritizing security risks, understand the risk trends and mitigation plans. A strong ethical practice is called for. For social networking purposes, aspiring security professionals can take part in forums initiated by Nasscom and other industry bodies.

The Market Offerings
McAfee, CA, Symantec, Cisco, Aventail are the big names in the security space in India. Major service providers like IBM, Infosys and others have specializations in this area. Banking and finance; defense, telecom and mobile are the top verticals. Hot market trends in the information security field are tilted towards intrusion prevention; mobile-wireless and seamless secure access to enterprise systems.

Well, what do these companies, sectors and developments mean to you in monetary terms? The salaries in the security space at any level are at a premium of 10-20 percent compared with what other IT professionals get. A beginner will easily get between Rs. 3.5 Lakhs per annum depending on various factors. This being a premium segment, the compensation appreciation per annum based on performance is 25-30 percent upon your initial salary. Consultancy services pay you higher because you are on your own. Systems administrators, programmers, testers, team managers and security officers’ get salaries in the ascending order. “Attrition rate in the security industry in India is 15-20 percent, because the market is very attractive. People feel they have to constantly move to make the best use of the opportunity. This is wrong because careers are made on being with companies for considerably long to enable to take on greater responsibility,” underlines Janga.

Sore Points
“A prime glitch of being a security specialist is that unlike other IT streams a security professional has no way of postponing addressing problems to another day,” avers Janga.

The Future
According to a study by the IDC India would need 77,000 security professionals by 2008. This portends well for a career in this field. “The opportunities in the security arena are unlimited. If we get people, now we would love to get more people. Personally it is quite cool to be here with the security arena being different and having a history of just 15 years,” proclaims Vaduguru confidently.