7 keys to a successful IT security career

Mar 21, 2019 | 9 mins

Learn these traits and realities of being an IT security professional if you want a long, successful and happy career in the field.


I’ve been in an IT career since 1987, starting as a PC troubleshooter and security consultant. Then I went on to be a trainer, network technician, network supervisor, director of networks and technology, VP of IT, principal security architect and finally evangelist. I changed companies along the way and sometimes stuck it out for over a decade with the same company. I’ve hired hundreds of people, read thousands of resumes, and fired a few dozen people. I’ve had success and luck through most of it.

Though not a career expert, I’ve been around long enough, as both an employee and a boss, to see what qualifications and traits allow a person to have a long, successful, gratifying IT security career. Here are the seven I think are most important:

1. Be a self-starter

Hiring managers have a bare minimum set of qualifications that a prospective job candidate must possess to make it to the in-person interview. Once you are sitting in that interview chair, whether you are hired comes down to a trait that you either have or you don’t, and that is whether you are a self-starter.

All hirers want to think that the person they are hiring for the position can be told what needs to be done and have it done well without a lot of handholding. If I interview someone and feel that they are not only smart and capable but will make my life easier for hiring them, I try my best to make them an employee. These prized candidates bring me a history of success, don’t blame others for failures, and can hit the ground running.

I’ve often hired people who didn’t have all the necessary skills or knowledge because I knew they could get up and running quickly, and once they had the necessary skills and knowledge would excel. Employers want to hire go-getters who, once given their orders, know how to carry out the job and don’t need to be told to get started.

2. Learn the trade and show what you know

This comes down to education or certifications. How about a little bit of both? Employers want to know that the person they hired is knowledgeable about the job and tasks they are going to do. Most employers, once past the prerequisites, want knowledge and experience, and I don’t know a single employer who is locked into only approving one type of learning.

I do think a degree or certification tells an employer something that self-study learning and experience doesn’t. A degree or cert doesn’t mean the person who obtained them is smarter in a particular subject, but it does show some propensity to goal setting, project management, and success. Those qualities aren’t hurtful.

Also, the best employees hang out with people smarter than themselves in their intended field of knowledge. It’s easier today than ever. Whatever your security field of interest is, you can join multiple groups, blogs, websites and chat rooms that have many professionals discussing related topics. Even if you don’t think they know more than you about something, there is always something to learn. You want to get smarter? Hang out with smarter people.

3. Re-invent your skills every five to ten years

This is one of the most important recommendations. Twenty-five years ago, I was great at disassembling DOS computer viruses into assembly language. Then I became a master of macro and email viruses in the 1990s. In the 2000s I learned all I could about Windows viruses. In 2010, I started to concentrate on advanced persistent threats (APTs), crimeware and Active Directory security, moving on to cloud security as cloud technologies started to take over.

The IT world completely changes about every five to ten years. So, too, should your skills. It will ensure that you are one of the go-to people on the latest trends. This can be tricky. Not all fads become long-lasting trends — like when Apple and Microsoft got into mobile devices in the 1990s. (Remember the Apple Newton and Microsoft Windows CE clamshell devices?)

The trick is in figuring out what technology is going to have staying power. My rule of thumb is that when multiple companies are spending billions on something (e.g., virtualization or cloud), then there’s a good chance the fad is going to become a long-term trend. Following this advice, you might not always be right, but you’ll be right most of the time.

Want a good emerging example that is playing out today? Quantum computing. You’ve got hundreds of companies and a dozen countries spending billions on quantum computing. Another example? Containers and microservices. Every new emerging technology brings its own security issues and challenges, and if you get ahead of the curve you can become an expert in that technology — and that expertise commands top dollar.

4. Hone your communication skills

It goes without saying that having good verbal and written communication skills makes you more valuable than someone who doesn’t have them. Warren Buffett heavily recommends it. If you’re a geek, you can still get a job if you’re a bad communicator, but your potential employer has to overlook that fact and figure out how to work around it to hire you.

I’ve written 10 books and over 1,000 magazine articles on computer security. Initially, I started writing because I was a horrible writer. I had an early employer tell me so. I still need heavy editing, and you won’t get an email from me without multiple typos, but the process of having to write has made me a better written communicator. Plus, when you write about computer security, it forces you to learn more about what you’re writing about.

5. Understand the importance of security

It’s important to understand the real role of computer security in the grand scheme of things. In our sometimes myopic view of the world, all we see is heightened risk and people ignoring our best efforts to better secure them and their data. If only all these people would listen to us more, they would be better protected.

Once you learn that computer security isn’t the primary concern of most organizations or people, you’ll be able to understand the business behind everything that you do. Look at the way we handle the vast majority of financial transactions in our lives. We pull out a credit card and insert it into the reader. That’s it. That’s all it takes. Maybe you will be required to sign something, which is a signature that no one will ever look at or contest. It’s pure security theater. Banks and nearly every financial institution accepting that card allow you to spend money using the barest of validations. For the most part it works.

There’s lots of security looking over those transactions, of course, and it’s very good. If the credit card company sees a suspicious transaction, it halts the transaction and asks for more validation. The bank is far more interested in keeping you happy and using its card than they are in catching 100 percent of the fraudulent transactions.

Understand that business exists to do business. It wants and needs computer security, but not as the number one goal. The number one goal is revenue and everything else is secondary, including computer security. In fact, business really doesn’t value computer security at all until some lesson forces consideration. The sooner you realize this fact, the better your career will be. The best IT security people recognize when they need to speak up and when they need to listen.

6. Pick your battles

You will be faced with frequent security/usability trade-offs, many times feeling that the organization gave security short shrift in the name of revenue. I can’t tell you how many times I vigorously disagreed with a business decision that I felt did not adequately account for the security risk.

Rarely did that “wrong” business decision lead to a security event. Security is not binary. It’s all about risk tradeoffs. If you believe in something, make your pitch. Then live with the business decision regardless of your beliefs. Only fight when you are absolutely ready to expend political capital (you never have as much as you think) and learn when to back down even then.

I’ve been surrounded by countless super-intelligent computer security people who tenaciously fought every fight they thought was worth fighting. No matter how smart they were, they usually fought themselves out of a job. They either got fired or quit in frustration. If you want a new job every few months, fight every battle. Otherwise, pick your battles and enjoy a longer career.

7. Enjoy what you do

You have a lot of ways to make money in computer security. My number one piece of advice is to pick a field that you really, really like. You’ll not only do better at it, but on all those days when you’re doing something boring (like paperwork, budgets or sitting in meetings) the parts you like will keep you going for the long term. People rarely get to do what they want to do (otherwise our professional football and baseball teams would be much larger), but you can pick your favorite part of the career you decide to be in for a lifetime.

I’m lucky. I’ve followed or learned these keys to a successful IT career. Sometimes I’ve learned them ahead of time and others I’ve learned through the experience of many hard lessons. If you take them to heart, I know you’ll have a long and successful career that you enjoy. Good luck.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults for companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.