I enjoy teaching. This, in part, led me to join the EC-Council and contribute to their CCISO program. It also explains why I dedicate significant time to volunteering with the ISSA. My role as Director of Academic Affairs for the Metro Atlanta ISSA leads to many interesting conversations about career advice and professional development with our student members. One of those conversations from this week is worth sharing.


Student Question: “I am reaching out to gather information regarding beginning a career in IT security – with no experience. If possible, would you please outline a best path of certification/education as well as entry level employment opportunities, training seminars, etc. I am looking for a 1-year road map to employment in the IT security field.”

My response: Honestly, no direct path exists.

A successful career in information security requires a strong information technology background. If this is missing, you should spend some time learning how IT works in an enterprise environment and how it contributes to a successful business. Next, you must identify what you enjoy about information security. Many people start careers in this industry because of the great income potential, but find themselves dissatisfied because the work is hard and often unforgiving. The income quickly loses its luster if you do not enjoy what you are doing. Focusing on the area of information security that you enjoy the most is critical for long-term success.

You should also know whether you aspire to lead an information security program, lead a particular area within a program, or just do good work as an individual contributor. Different levels of leadership require different competencies and experience. The answer will help identify additional non-technical training that you may need to investigate. I highly recommend project management training, if not certification, if you are going down any leadership path.

Ultimately, the aspiring security practitioner must learn to understand the following ideas to support a successful career:

- What does the business that you are supporting really do?
- How, in terms of business processes, does the business do it?
- What threats, risks, or events could disrupt the processes that support what the business does?
- What controls do you put in place, or manage, to limit the potential impact of those threats, risks, or events?

Developing an understanding of each point will require experience in a variety of roles and organizations. Information security is similar to the practice of medicine in that many component parts and activities work together to support an overarching goal. In medicine, the goal is the health and wellness of the individual. In information security, the goal is effective risk management (not compliance). Understanding how everything works together takes time, but it is worth the effort for long-term success.

Final thoughts:

- Find opportunities to work as an intern and gain experience while you are still in school.
- Consider working for experience, not for income at the beginning of your career. Every opportunity to learn is a good opportunity.
- Pick the industry certifications, educational programs and available information that will help you learn everything possible about your concentration once you determine what you enjoy most.
- Find good mentors. You should work with an experienced mentor with an IT or security background. You should also work with an experienced mentor with a business background who can provide non-technical guidance.

What do you think? Did I miss any advice that would help an aspiring information security practitioner enter this industry and have a successful career?

Read more posts by Keyaan on LinkedIn.