One of the most common questions readers ask me is how they can break into an IT security job. Normally they already have a job in IT, but they have a special interest in security and want a career in it. They are usually frustrated because, like any job seekers, they realize that without the necessary experience it's tougher to get a good paying job doing what they would love to do.
Here's what I always reply.
[ Find out how to block the viruses, worms, and other malware that threaten your business with hands-on advice from InfoWorld's expert contributors. Download the PDF today! | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
First, you need to decide what to specialize in. The computer security field is huge and covers dozens of disciplines, including firewalls, IDS, SIEM, security assessment, host hardening, and patching. You can make a decent living doing almost any of these things. If you have a special affinity for any of these, it'll go a long way toward helping you enjoy your career, which usually translates into better job performance and compensation.
A personal lesson learned
Years ago, driven solely by salary potential, I took a job with a CPA firm after passing the CPA exam. As it turned out, I hated accounting and definitely did not fit into the world of suits. That year was hell. Not only was I a horrible CPA (I literally did not finish one job assigned to me), but I was a glaringly bad fit for my coworkers and the firm. I asked too many questions, didn't do enough research on my own, and generally had a miserable time.
One day the partners invited me to a meeting in the boardroom scheduled for the next morning. An invitation to meet the partners in the boardroom meant one of two things: You were in trouble, or you were going to get accolades -- and I had done nothing to deserve praise. The morning arrived, and I felt like I was waiting outside the principal's office in high school.
Just before the meeting, one of the partners asked if I could help with an emergency situation. One of the other partners had accidentally deleted a Lotus 1-2-3 spreadsheet that was needed to secure a client's $5 million bank loan. I showed up with all my tools (Norton Disk Doctor, PC Tools, and so on), recovered the file, and was cheered and celebrated. It was a defining moment. I realized I was in the wrong profession.
The next day I quit my accounting job and embarked on a career in computer security. I've barely had a bad day since.
Do I need a college degree?
Lots of readers ask me if they need a college degree to get hired in IT security, and if so, what they should get their degree in.
Not to equivocate, but some companies require degrees or give preference to candidates who have them, and some don't. In many if not most organizations, experience trumps a degree. This is true not only in security, but in other areas as well, such as application development. Much depends on company culture.
All things being equal, of course, a college degree will help, even if it's in the liberal arts. For most hirers, a degree signals that the candidate was able to set a goal and achieve it. By the same token, an advanced degree will trump a four-year degree.