Planning a Career Ladder in Information Security

Sandeep, a mid-level IT professional working as a systems administrator in a tough labor market, finds himself stuck in his current position. Ed recommends a double dose of infosec certification to help ease his woes and propel him higher up the career ladder. His prescription: an entry-level cert like Security+, GSEC, or SSCP, followed by one or more of the CISSP, CISM, and C|EH certifications.

Dear Sandeep:

Based on your educational background and number of years of experience, I would put you at the mid-career phase: no longer just starting out, but not senior enough to have advanced to heavier responsibilities and the bigger pay to go with it. Given that you do have some substantial experience, even though you’re interested in a move from systems administration into a more security-focused role, I don’t think that means you need to start over in terms of responsibilities or pay. It’s highly likely that you have at least some security experience: it’s hard to administer systems nowadays in the absence of security. And in fact, managing and administering systems almost always includes a security component if not an outright security focus.

My advice to you is to stay on in your current position while pursuing a typical security certification ladder that I will happily explain. First, you’ll want to get your feet wet with an entry-level credential, like the CompTIA Security+, SANS GSEC, or the ISC-squared SSCP. This will probably take you three to nine months to work your way through, depending on how much free time you are willing to allocate to study and exam preparation, and whether or not you pass your chosen exam on the first try.

Your next credential could and probably should be one of the following:

  1. CISSP — if you’re interested in working in security policy, security management, and so forth.
  2. CISM — if you’re interested in managing security as a full-time, workaday position.
  3. C|EH or other EC-Council security certifications — if you’d prefer to specialize in ethical hacking, penetration testing, and so forth.

Once you gain more experience in the field, and your interests begin to make themselves known, you can start mixing and matching information security training and certification to help you develop the collection of skills and knowledge you need.

Your second, more senior security certification will not only add to your employability, it should probably help open doors for you to transition into a more focused and full-time security role. Expect to spend one to two years prepping for and getting past the exam of your choice. Once you’ve earned that level of certification, you can think about looking for another job in the security field, and probably see a nice increase in pay and responsibility at the same time.
