Keith Crosley: You have to keep in mind I'm answering this from a marketing point of view. My role as Director of Corporate Communications at email security vendor Proofpoint is a marketing and communications role, but one where my technical background comes in very handy. I've been with Proofpoint since its relatively early days and so my job has had many different elements to it, including technical marketing aspects such as a healthy dose of product marketing and, to a lesser extent, product management type activities.
As for being an "expert," I'm certainly perceived as something of an expert since I am relatively visible in my work as a spokesperson for Proofpoint. I am regularly quoted in technical, trade and business press on various topics related to IT security, email security and related technology issues. But when I make those statements, there are oftentimes a lot of other smart people (whether engineers, product managers, industry analysts) behind me informing those opinions!
In terms of my own background, I have a B.S. in Mechanical Engineering and also did several semesters of graduate studies in English Literature. Overall, my specialty is really communicating about technical topics, whether those are press releases, product collateral, audio or video media, social media, etc.
Before joining Proofpoint, I certainly wasn't an IT security professional. My own background has been primarily in technical communications or marketing communications roles in high-tech startups. While there are many excellent marketers in high-tech without technical backgrounds, I do feel that having some sort of technical credentials and education is extremely helpful.
In addition to being a communicator, I'm a technologist. Having programming, web development, and other technical skills has been crucial to my success in many different sectors (I've had a pretty varied career that has included scientific software, consumer entertainment, semiconductors, enterprise software, etc.). I think it's important for marketers to understand the technologies that are at the core of their businesses. To me, those skills are always transferable, regardless of the specific industry focus of your current company.
Misha: I think it's important to have the right skills and background, but maybe most important, wanting to be an EXPERT :).
David Oxley: While certifications and degrees are very helpful in the industry, there is no replacement for raw skill and hands-on abilities. Knowledge of a range of operating systems and technologies, a good understanding of the current threat landscape and events in the infosec world, and the ability to show hands-on knowledge are far more crucial to being competitive.
In addition, building relationships with others in the industry will always give you a leg up, if only through getting to know people who know security better (or differently) than you do.
Darrell Jones: Degrees are useful to initially begin one's career, but experience is the key success factor for any IT professional. Until you have experienced an attempted or successful systems penetration, the complexities of the role are truly not understood. Obtaining a strong background in systems engineering and administration is key. Until you understand how items such as Active Directory, DMZs, and storage work and are managed, you will not be any more effective than a firewall log watcher.
Robert Newby: You need to be able to think logically and to understand how IT 'fits together'. It's basically a matter of experience, and a certain amount of intelligence. Certification does not make an expert; it proves you have reached a certain level, and is a useful benchmark in getting jobs, nothing more.
Lawrence Pingree: First, look at everything with the question: "How can this be broken, thwarted or hacked?" I feel it is important to have a good background in network and systems as an administrator in both. I personally believe that a person must have worked for a small company where they must wear multiple hats in their IT department so that they have experience in the roles they will be responsible for making policy for as a security person. It also has the added effect of educating a person in multiple technologies in a fast-paced environment.
Robert McArdle: More than anything else you need to have a passion for security, as opposed to simply IT in general. In security you are constantly trying to keep one step ahead of the current attacks, and that means keeping up with blogs, papers, tools etc. on a regular basis - something that's hard to do if your heart is not 100% in it. For those who do enjoy security, however, the rewards far outweigh the downsides.
In terms of skills etc., a couple of key areas spring to mind. People who do really well in security tend to have a naturally curious nature; the type of people who really enjoy puzzle solving. A computer science degree with a strong grounding in networks is definitely a good start. After that there are some excellent professional courses which are definitely worth a look, such as CEH, CISSP and the excellent courses offered by SANS.
As a starting point I would also recommend subscribing to some security blogs. Start with only a small number, and then gradually add more (and remove others) as you go along; otherwise the number of posts will be a bit overwhelming. Some useful security blogs are Bruce Schneier's, eWeek, SecurityWatch and the blogs of the antivirus vendors.
To be a security expert it is necessary to study ... a lot. And it is also necessary to practice and be persistent in learning. As with other technology-related topics, the scenario is changing and new things appear every day.
Obviously, a degree or certification will be an added value to the job search and to be assisted in the training. But knowledge on the subject, along with experience, will always be the key skills to become a security expert.
Now, to become a SUCCESSFUL security expert, it will depend on what success is for each person, and the social and labor environment in which each one operates.
Shakeel Ali: Generally speaking, a core security background is always needed on top of a degree or certifications. This is because IT Security is much more technical and covers almost every part of IT systems. However, getting certification and other relevant qualifications can add value and prove your skill level to the employer.
Richard Stiennon: Of course a degree and certification are nice to have, but the most important aspect for a career in security is hands-on experience. So, look for opportunities with smaller consulting groups doing security assessments. Look at those that do post-event forensics. You could also join a security product vendor in a role as a researcher or in customer support. Look at MSSPs (Managed Security Service Providers) for a fast ramp-up, as they see all the problems every day. If you are currently employed as an IT person, see if you can transition to the security team within your current employer.
Vijay Vedanabhatla: Skills: should have worked in at least the domains of risk management, access controls, network security & infrastructure/application security. Degree: does not matter. But a math background would be helpful to understand risk assessments. Functional background is helpful too. Certification: I am not a big advocate of certifications, but the market demands CISSP or equivalent. Background: does not matter.