Where Are You Going?

While hiking in the hills near our mountain cabin one day, I realized that I was looking down at each step. The terrain was unlevel, full of brush, rocks, critter holes, and other obstacles. In a moment of realization, I stopped and looked out in front of me. I realized that, for several minutes, I was not looking at where my walking was taking me.

Our jobs and our careers are like a hike on uneven ground. We make small and large decisions, interact with people, often only in the moment, without pausing to look up to see where these daily activities are taking our careers. When working only in the moment, we are surrendering control of our careers to others and to chance, rather than taking the reins and going where we want.

Like walking or hiking, it’s essential to make good in the moment decisions, but we must occasionally stop to see where our steps are taking us, and change direction when needed.

Also, remember to stop and enjoy the view.

Career advice: how to begin a security career

Today a colleague from Melbourne wrote me and said,

Hi Peter,

Greetings from Melbourne, Australia.

It was refreshing to read your site esp your Christian perspective on the profession.

I’m after some career guidance if you don’t mind –
I have a Business Analyst background and am currently working in IT consulting for a company that specialises in custom app development and systems integration. I have taken a keen interest in Info Security and will sit the CISSP exam at the end of this year with the intention to certify as an ISC2 associate (until such time as I possess the relevant experience to be a CISSP)…

In terms of specialising in the Information Security field are there any particular areas where demand will be highest? (application, network,governance etc.) Also, what blend of technical/personal abilities will the profession require of its practitioners going forward… any insight you can provide will be much appreciated. Thank you.

Cheers,

(name)

* * * * * * *

Hi (name),

Thank you for your message and your kind comments.

If you were in the U.S., I could give you more precise perspective on what’s in demand.  But I have an idea.

I suggest you find a local chapter of ISSA and/or ISACA (the ‘owner’ of the CISA and CISM certifications) and sign up.  This will give you many networking opportunities to meet and know others in the information security profession.  Through your contacts and communications with local members, you should soon get a good idea of what’s in demand.

But I stress this: the best people in information security are those who already have technology experience, and begin to build expertise on the risks in that technology.  So I see you are in an app dev and integration firm.  I’ll presume that this is a field where you have good expertise.  So what I would suggest is that you begin to build your security experience by beginning to understand the risks around “safe coding” principles and the processes to ensure that the entire SDLC (systems development life cycle) includes procedures to ensure that the proper measures are taken to ensure that changes to software do not introduce vulnerabilities at any level.  So if s/w dev is your thing, you might pick up a copy of Michael Howard’s book, Writing Secure Code (or something close to that – a huge best seller).

For me, my career was in computer operations, systems administration, software engineering, and network engineering.  Then, it became my job to secure systems and networks, so I began to read all I could and made systems and networks secure.  Then, I branched out from there to better understand other sources of risk, like unauthorized intruders and secure coding.

So my advice is, begin to build security expertise in the area of technology where you are most familiar, and branch out from there.  Networking with others will help to broaden your knowledge about risk overall.

Hope this helps,

Peter