Thursday, July 18, 2013

a breakout of breaking in (to infosec)

Someone asked me recently how to "break in" to Information Security from another IT field. Thinking my response might be useful to others, I'm sharing it here.

Note: a colleague corrected me on the number of years you need in the industry for the cert...thank you!

*****
Hi Dave,

Thanks for contacting me and I hope you're well. Here's some information on how to break into Infosec. 

I got lucky, I got into Infosec when it was a new thing, but now it's a pretty competitive field. The most important thing is to have a certification, because the US Government has decided that's how to tell if someone knows what they're talking about, and the rest of the country has followed suit. 

There's more than one certification, but the one that has the most prestige (currently and for the last 15 years) is the CISSP, administered by ISC2. You can find out a lot of information on their website (https://isc2.org) but here are the basics:

  • Along with the certification is the expectation that you have worked in the field of Infosec for five years (in two of the "domains", listed below). If you have not worked in the field for five years, you can still be awarded the certification as an "Associate". It's the same as the full certification, and when you've been in the industry for five years, you're a full member without having to do anything else. You can also possibly get a year "off" this requirement if you have (for example) a degree in Infosec or another related certification.
  • The certification period is for three years, after which, if you've fulfilled certain requirements, you will be recertified. If you have not fulfilled the requirements, you will have to retake the certification test. You don't want to have to do this.
    • Each year you have to pay an $85 annual maintenance fee. Currently, they're letting people defer the fee until the recertification period, meaning that you can choose to pay three years' worth of fees all at once (with a small discount). Some companies will allow you to claim the fee as an expense.
    • During the recertification period you also have to earn Continuing Professional Education points, or CPEs. You need to earn 120 every three years and at least 20 per year (i.e. you can't earn them all in the last year). This is to prove you're staying on top of the industry. Earning CPEs is really easy; you typically get one for every hour you spend doing something related to the industry (aside from actually working). So if you attend online classes and webinars, go to conferences, write articles on Infosec, read/review books, and so on, you'll have no problem. I'm usually drowning in CPEs. 
  • It's not necessary, but it's a really good idea to take some sort of training for the CISSP exam. This could consist of buying one of those thick books with the CD in the back, or you could take live or computer based training. This can vary in price, but as an example, what ISC2 charges for their Live Online Seminar series is $2,495. In comparison, their official textbook is $79.95. 
  • ISC2 does have, for free, a webinar series to give you information on what you need to know for the exam. You can sign up for this at https://www.isc2.org/cissppreview/Default.aspx.
  • The current price for the CISSP exam is $599, and they give you six hours to take it in (I don't test well, and I needed about four). You can take it online, which wasn't an option when I took it, or you can take it at a test center. Typically if you take a training course, the course offers an opportunity to take the exam at the end, and I would definitely recommend doing this if you took a class. Otherwise it's more convenient just to schedule the test online and take it in the comfort of your home. 
  • The exam is 250 multiple-choice questions. 25 of the questions are experimental questions which are not graded (they're always changing the content of the test). A score of 700 will give a passing grade; however, you are not told what your score was when the test is graded, just whether you passed or failed.
  • The content of the exam involves knowledge of ten "domains" of expertise:
    • Access control
    • Telecommunications and network security
    • Information security governance and risk management
    • Software development security
    • Cryptography
    • Security architecture and design
    • Operations security
    • Business continuity and disaster recovery planning
    • Legal, regulations, investigations and compliance
    • Physical (environmental) security
  • Once you pass the exam, you must find another CISSP holder in good standing to endorse you. This should be someone who knows you well in a professional capacity. 
  • There is a "junior" version of the CISSP, the SSCP, but there's no sense in getting it - you're much better off with the CISSP.
Having a CISSP will automatically open a lot of doors, because without it, most employers won't even talk to you about Infosec jobs. If you can demonstrate that your CISSP plus a knowledge of good coding practices makes you more valuable than someone who (for example) has been working in Infosec longer but doesn't have as diverse a background, you'll be in good shape.

In Infosec, you will never make BAD money. I had issues finding work in the Hampton Roads area, but that was because I didn't have a lot of gov/mil experience, and that's what that particular area demanded. The NY/NJ corridor has a lot of opportunities in the private sector. 

Once you've decided to definitely go for getting your certification, I have some useful employment contacts. My employer is great and I really love working for them. They won't pay any of your certification-related fees, though, which is typical of smaller gov/mil contractors. A lot of private sector companies will pay those fees. 

Please let me know if you have any questions about any of this. I'll be happy to help out however I can.