How to land a job in IT security

To be a security pro, decide on a specialization, then learn as much as you can through formal channels or by self-education

One of the most common questions readers ask me is how they can break into an IT security job. Normally they already have a job in IT, but they have a special interest in security and want a career in it. They are usually frustrated because, like all job seekers, they realize that without the necessary experience it's tougher to get a good-paying job doing what they would love to do.

Here's what I always reply.

First, you need to decide what to specialize in. The computer security field is huge and covers dozens of disciplines, including firewalls, IDS, SIEM, security assessment, host hardening, and patching. You can make a decent living doing almost any of these things. If you have a special affinity for any of these, it'll go a long way toward helping you enjoy your career, which usually translates into better job performance and compensation.

A personal lesson learned

Years ago, driven solely by salary potential, I took a job with a CPA firm after passing the CPA exam. As it turned out, I hated accounting and definitely did not fit into the world of suits. That year was hell. Not only was I a horrible CPA (I literally did not finish one job assigned to me), but I was a glaringly bad fit for my coworkers and the firm. I asked too many questions, didn't do enough research on my own, and generally had a miserable time.

One day the partners invited me to a meeting in the boardroom scheduled for the next morning. An invitation to meet the partners in the boardroom meant one of two things: You were in trouble, or you were going to get accolades -- and I had done nothing to deserve praise. The morning arrived, and I felt like I was waiting outside the principal's office in high school.

Just before the meeting, one of the partners asked if I could help with an emergency situation. One of the other partners had accidentally deleted a Lotus 1-2-3 spreadsheet that was needed to secure a client's $5 million bank loan. I showed up with all my tools (Norton Disk Doctor, PC Tools, and so on), recovered the file, and was cheered and celebrated. It was a defining moment. I realized I was in the wrong profession.

The next day I quit my accounting job and embarked on a career in computer security. I've barely had a bad day since.

Do I need a college degree?

Lots of readers ask me if they need a college degree to get hired in IT security, and if so, what they should get their degree in.

Not to equivocate, but some companies require degrees or give preference to candidates who have them, and some don't. In many, if not most, organizations, experience trumps a degree. This is true not only in security but in other areas as well, such as application development. Much depends on company culture.

All things being equal, of course, a college degree will help, even if it's in the liberal arts. For most hirers, a degree signals that the candidate was able to set a goal and achieve it. By the same token, an advanced degree will trump a four-year degree.

Which certs should I obtain?

Like degrees, certifications can only help you. Personally, I'm not a huge fan of the (ISC)2 Foundation certifications, although the Certified Information Systems Security Professional (CISSP) cert remains one of the most requested and respected general certifications. In my personal opinion, it suffers from a poorly designed test. Most people walk out of that test shaking their heads because it seldom maps to the expensive study materials students were told to buy. But the certification covers a wide range of security topics, and studying for it will only make you stronger.

I like any of the ISACA certifications, such as the Certified Information Systems Auditor (CISA) cert. If you're seeking a job in IT management, it can give you a leg up.

I'm also a big fan of exams from CompTIA. They are often considered basic or beginner's exams, but I guarantee you that even a hardened veteran will learn something studying for one. EC-Council certifications are fairly good. The tests sometimes need work, but the course materials and experience you'll gain from studying for these exams are valuable.

Best of all are the SANS certifications and degrees. Unfortunately, they also tend to be expensive. But if I see that someone has a SANS certification, then I know they're on top of their stuff. SANS has awesome practical training, great instructors, and great books -- on top of tons of free information you can download from the SANS website. If you're going to be in charge of particular hardware or software, it helps to hold the vendor certifications for those products, such as Microsoft's or Cisco's.

If you can't easily pick up degrees and certs, become an expert. Read everything you can about your intended field of study. Buy books, read all the online information you can find, subscribe to blogs, and try your best to hang around (at least digitally) with people who are the experts in the field. The more you learn, the stronger you'll be as a candidate.

Arm yourself to the teeth

For the actual job you're seeking, prepare like you're going to war. Go to the employer's website and learn everything you can about the company: its history, its organizational structure, its products. Learn about its biggest competitors and the industry in general. Then try your best to work a response or two into the job interview that shows you know about the company you're applying to and the industry in which it operates.

Your resume should be customized for each job you're interviewing for. The skill sets the employer is asking for should be listed at the top of your resume. Most people tend to put their most recent or best skills first, and that's OK. But it's better to put the requested skills at the top, where the hiring manager will see them first.

If you're interested in the job, make sure you tell the interviewer you really want it. I've given many jobs to candidates who seemed highly interested in the job, even if they had a little less experience or qualifications than others. Follow-up emails and letters can't hurt, but don't stalk the interviewer. If they want you, they will call.

There's no secret to obtaining your first IT security job. Make the best of what you have. And if you don't have the necessary expertise, go get it. There are millions of pages about your desired skill set waiting to be read and downloaded from the Internet. Inventory your strengths and weaknesses, improve what you can, and go get that job!

Copyright © 2014 IDG Communications, Inc.
