How To Be a Security Babe
If you want to do IT security because it’s “hot” right now, or because you think that’s where the money is, forget it. If you truly love the field, read on.
- By Roberta Bragg
If you want to do IT security because it’s “hot” right now, or because
you think that’s where the money is, forget it. If you truly love the
field, read on.
First, let me assure you that I’m using the word “babe” in a purely gender-neutral
manner and don’t mean to imply that men can’t be security gurus. We often
use the term “babe” to refer to members of both sexes. There’s Babe Ruth,
Babe the dinosaur, Babe the pig (http://www.babeinthecity.com/),
hunter and fisher Babe Winkelman (www.winkelman.com/),
and Sonny and Cher’s immortal “I Got You Babe.” I’m also not implying
that you have to be a hottie to succeed in security. With the exception
of Scottie (my personal trainer) and a guy from some country I can’t pronounce
who wants to be my intern, no one would ever associate me with that particular
So what do I mean? Perhaps you’re one of the many who have written for
my help in “getting into security” or pursuing a security career. Perhaps
you wonder if security is an area for you. Maybe you want the big bucks.
Maybe you’re out of a job, find your engagement calendar empty, or otherwise
think it’s time to change your game plan.
You Missed the Wave, Dude
Security isn’t the answer to your shrinking paycheck:. It won’t
bring you fame and fortune; it won’t even get you an interview. If you
don’t already have deep security knowledge, you don’t have time to gain
it in order to ride the current wave. The days of success are long past
for those armed with minimal knowledge and a pre-programmed security vulnerability
scanner. The word “Security” in your title or your company’s name will
get you no instant appreciation now. The market for security goods and
services is more sophisticated than it was. To make your way, to survive,
you have to be able to do more than know a few buzzwords.
This market isn’t a Mecca for those who want to relax, either. Security
is 10 percent pure panic and 90 percent drudgery. It’s long hours with
no reward. You’ll generally only get recognition when you fail. For me,
it’s like I’m always hanging from a cliff by my fingernails and struggling
to keep up with the dual demands of rapidly changing information and rarely
changing attitudes. Sure, it’s fun to ramble about the foibles of most
infrastructure gurus and rant and rage my way through a speech on security
practices. But I can’t even talk about my greatest jobs, those where my
input or my design prevented the success of a very determined attacker.
The Four-Step Program
Are you still reading, even after my attempts at dissuasion? You
haven’t given up in despair? I don’t understand it, but OK. Since I haven’t
managed to discourage you yet, let’s talk. You say you want to be a security
babe, and you realize it’s not an easy thing. Here, in my humble opinion,
is how to fulfill that goal. Your program should include these four steps.
Need Not Apply
|If you think that hacking into Web sites,
writing and releasing malicious code or breaching security
at Fortune 500 companies, government offices, utilities
or other well-known entities is a precursor to or a guarantee
of a security career, you’re dead wrong. Doing these things
is just plain stupid. You can disrupt business, shut down
basic utilities and kill people. There’s a new hardened
attitude out there, and you may just find yourself doing
time instead of working for the company of your choice.
Step One: Narrow Your Options
Your first step should be to determine exactly what you mean by
“security.” Do you want to specialize in some technical aspect of security,
say establishing and configuring perimeter defenses such as firewalls?
Do you absolutely love decoding packets to figure out what’s happening
on the wire? Are you obsessive-compulsive about the code you write? Does
implementing technology excite you, or does the fact that your mistakes
might provide a venue for an attacker to steal credit card numbers off
your servers grab your guts? Would you rather manage or do? Does creating
policy—written words which set the goals to which IT will have to aspire—float
your boat? As you can see, there’s a wide range of careers in security.
I know security officers who have never touched a server, and system admins
who never should have.
To help you find your niche, consider attending a security conference.
You’ll meet people who already work in the field, gain some security knowledge,
and maybe make a few useful contacts. Check out the sites listed below
and the conferences and seminars they offer. They represent many different
sides of the security game. Just don’t assume you’ll see all security
careers represented at any one event, or that you’ll be accepted with
open arms when you say the words “Microsoft” and “security.”
Step Two: Get Naked
Second, take a long look at yourself. Carefully review your background,
successes and failures, dreams and reality. As they say in the weight-loss
biz, stand in front of the mirror naked and take a good, long look. A
clear understanding of your abilities, aptitudes and experience is the
starting point. Having a clear goal will help you identify the path to
take. Does something in your background fit your idea of this long-term
goal? If your experience lies in networking or systems administration,
you have a good foundation to build upon. Writing solid code and understanding
good coding practices is paramount to many security careers. If you don’t
have either of these skill sets, why are you reading this article? Seriously,
while many security jobs don’t require you to code or to configure systems,
they do require you to have knowledge in these areas. Get some. If you’re
struggling in IT because of a lack of ability to do a job for which you
were trained, what makes you believe that you can enter the security arena
without any experience or education at all?
Now the good news—maybe: If you stop and think about it, much of what
you do in IT is security-related. Most systems administrators spend a
fair amount of time granting or preventing resource access. Security is,
in large part, about exercising controls in order to protect resources.
If, however, you get your chuckles from making complex systems work, or
writing elegant code, or getting the best performance or throughput, or
the most “bang for the buck,” then security may not be a wise choice for
On the other hand, if you feel that someone’s always looking over your
shoulder; if you have multiple online personalities; change out your hard
drive when you go online; subscribe to multiple security newsletters (and
actually read and follow their advice); have been to Defcon or a CSI conference;
downloaded all the NSA guidelines; know who Stephen Northcutt, Bruce Schneier,
Mudge and cDc are; purchased the SANS checklists; and have www.microsoft.com/security
as your default home page, you probably have the necessary makeup for
the security field.
Do Certifications Fit In?
Can a security certification serve as a validation
of expertise? That depends. No certification is your
ticket to a job, but two security certifications have
been around for some time and are well respected in
some portions of the community.
CISSP—The International Information Systems
Security Certification Consortium (isc2.org)
produces the Certified Information Systems Security
Professional (CISSP) certification. Long heralded as
the security certification, this vendor-neutral,
broad-based certification gets you big-time recognition
with many long-term security pros. Be prepared to take
a four-and-a-half hour, 250-question proctored exam
and spend time studying any of the 10 tested knowledge
areas in which you’re weak. Visit www.certcities.com/editorial/exams/story.asp?
EditorialsID=25 for a review of the certification.
Note that a new change means they’ll be requiring proof
of experience in the field. This is a smart move that
may just keep the CISSP as the premium security certification.
(ISC)2 now also offers another exam with a more technical
orientation, the Systems Security Certified Practitioner.
The cert hasn’t been out long enough to gauge how valuable
it may become.
CISA—The Information Systems Audit and Control
Association controls the Certified Information Systems
Auditor (CISA) certification. Unless you’re an auditor,
or work for one, this cert may not make much sense.
It’s a cert the IT auditors take, not one that folks
take to become IT auditors.
Step Three: Get Trained
Now that you know where you are and what you want to do, determine
what you need to do to get there. Each security opportunity may require
a different skill set, a different level of education. Where not long
ago there were no “security degrees” and only a smattering of certifications,
both formal education and a plethora of certification programs now exist.
The opportunities for education have multiplied like hack attacks on a
new IIS server.
Are formal education programs the way to go? Remember: Security as a
career has gone through its first two phases. In the first one, a need
evolved as the natural result of the mainframe culture. Many people got
trained on the job, some were trained by the military, and others were
gifted with deep talent and mathematical education. Few had formal training
in computer security, per se. In the second phase, a large demand meant
even inexperienced people could earn money peddling security advice, and
many self-proclaimed hackers—the guys with the experience—were able to
cut their hair and morph into security consultants.
Now we’re in stage three. There’s still a large demand, but buyers are
more knowledgeable. To get hired, you need some proof of expertise. If
you don’t have experience, do you have certification or education? Employers
today are certification-shy, and bad experiences with paper MCSEs have
contributed to this. Several very good education alternatives exist, and
you should start at www.nsa.gov/isso/programs/nietp/newspg1.htm.
Among the offerings on the National INFOSEC Education & Training Program
Web site are the 36 universities designated “Centers of Excellence in
Information Assurance Education” by the National Security Agency. Take
a look at these programs; you’ll find that not one of them is a short-term
answer to your goals. Most are traditional four-year undergraduate programs,
or master’s and doctorate programs. Some of the more well-known of these
Be sure to check out the new Federal Cyber Service: Scholarship for Service
programs if you’re studying information security in college. U.S. citizens
can get two years of their information security education paid for in
return for two years of government information security work. Pay attention
to the qualifications: Not every program—nor every candidate—qualifies.
You must be enrolled in an info sec curriculum in one of several qualifying
colleges before you can apply. Several of the programs referenced above
participate in the program. Your best source of information is their Web
And don’t forget that good old practice of studying on your own or with
your buds. I don’t have to tell you that many of your peers in IT run
extensive home test networks. If you’re thinking of hitting the consultant
career path, this is essential. It’s my belief that you can earn the equivalent
of a master’s degree if you’re willing to invest in a subscription to
MSDN and TechNet, cobble together a few boxes in your basement and spend
hours and hours with them. Note that it’s my belief: I know of no college
that will give you credit for your wee-hour explorations of PKI, IPSec,
kerberos, group policy or other security-related items.
Many vendors have certifications, too. If you work extensively with their
products or wish to, these certs, listed in Table 1, may help. Experience
is more important, but studying for certification isn’t a bad way to develop
well-rounded product knowledge
|Table 1. Certifications
Offered by Security Vendors
Step Four: Market Research
Research the job market. IT security employment is currently suffering
a softening of the market. Visit IT recruiter L.J. Kusner (www.ljkushner.com/)
to get the skinny on where they think it’s headed; if you’re qualified,
post a resume.
Visit popular headhunter sites and do a search on information security.
At Career Builder (www.headhunter.net)
I found more than 3,000 jobs from the keywords “information security.”
Granted, a lot of jobs didn’t fit my definition of info sec, but many
did. Poring over the possibilities might just reveal some ideas you hadn’t
considered. How about being a senior fraud examiner, security manager,
risk management-security and regulatory manager, security engineer, IT
auditor, security engineering specialist, IT risk management specialist,
policy maintenance senior specialist, acquisition security specialist,
network security integrator, chief information privacy officer, security
analyst, security system installer, director of IT security, or HIPAA
information security officer? Job listing sites are an excellent way to
learn about the various security job categories and required experience
level. You may be startled to learn that many pay less than a good network
Graze through popular security product sites. Many of them have employment
sections. Working for a security consulting firm or product company can
boost your career. A word to the wise: Research the financial stability
of these companies before you join. Many security startups got their funding
during the high-tech expansion wars, when the word “Internet” was synonymous
with “Cha-ching!” and adding the word “security” was a double guarantee.
Many of these companies are just treading water now; make your own inquiries
before diving in.
Think outside the box. Did you notice the acronym “HIPAA” in the job
list above? It stands for Health Insurance Portability and Accountability Act
of 1996. Some of the regulations of this act mean radical changes in the
way hospitals, doctor offices, insurance companies and anyone who handles
patient information must do their job. While many institutions have a
strategy in place, others are still trying to understand what they need
to do. In either case, there will be a continued demand for IT security
people in the health care industry.
If You’re Still Interested…
By now you should have an idea that being a security babe is not donning
a 10-year-old’s T-shirt or doing the rock star strut across a stage. There’s
no surgical security implant or Viagra for the brain. You’ve found there’s
a crying need for those who know IT security, but no money to pay them;
hordes of security babe wannabes; and an immature industry where even
the definition of “security professional” is undecided. If somehow you’ve
made it to this point, you probably still want to pursue the dream, so
go for it. I’ve got you, babe, or am I mumbling through my fingers?