Meet the IT Security Experts

Posted by Naveen Bala at 10:17PM Sep 08, 2009


We started out as a small endeavor to reach out and get the opinions and thoughts of people in the IT security field, and the response was overwhelming: we had close to a 100% response rate. It's my pleasure to introduce them and also to thank each one of them for their time, insights and advice.

Keith Crosley: An email security evangelist/researcher, Keith is the key spokesperson for Proofpoint, the leading independent provider of email security, email archiving and data loss prevention solutions. You can follow him on his blog or on Twitter.

Misha Hanin: With 10+ years of technical experience in systems administration and network administration, Misha is an expert at managing Microsoft and Novell networks, including managing the security of those networks. He is a frequent contributor to the Network Administrator blog on ITKnowledge Exchange, ITStuff.ca and thesystemadministrator.com.

David Oxley: Specializing in malicious code analysis and digital forensics, David is currently enrolled in a Master's program in Security Informatics at Johns Hopkins. David started his virus-fighting days back in 6th grade. He was a volunteer at Malwareremoval.com fighting malware. He has a Bachelor's in Computer Science from Emory. He aspires to serve the US Government in an information security role, especially as a malware analyst, incident handler, or computer forensics expert. His blog covers news and stories from the war on cybercrime.

Darrell Jones: With past experience as Director of App Engineering Operations at Kaiser and IT Director at Guaranty Bank, Darrell has the unique ability to manage numbers, people and processes. Darrell has a Master's with a focus on IT Security. He is currently the National IT Program Portfolio Liaison at Kaiser Permanente.

Robert Newby: With 10+ years as a security consultant to blue chip, government, and security vendor clients on enterprise-level projects, Robert is currently the Principal Consultant at Symantec. His blog, "IT Security: The view from here", covers IT security in Europe.

Lawrence Pingree: Vice President of the Digital Forensics Association, member of the Open Web Application Security Project, and member of the Silicon Valley chapter of the ISSA (Information Systems Security Association), Lawrence has over 13 years of information technology and security experience. His certifications include CISSP, CCSA, CCSE, CCSI, NSA, ICE, NSS, NCSA and NCSP. He covers hot topics in IT security in Pingree on Security - Information Security Simplified.

Robert McArdle: Having worked at Symantec and currently working at Trend Micro, saying Robert is interested in security and malware would be redundant. He is a mentor for the SANS Incident Handling and Hacker Exploits Certificate (GCIH) and also for their Security Essentials Certificate (GSEC), as well as a member of the SANS Advisory Board. His current title at Trend Micro is "Senior Antivirus Specialist". He blogs at Info Security / AV / Inane Ramblings.

Sebastian Bortnik: Working as a security analyst at ESET, Sebastian's job is to conduct research in security and malware. He is an active participant in security conferences and seminars. His blog

Shakeel Ali: One of the core founders of Cipher Storm Company, Shakeel's expertise in the security industry has brought marvelous benefits to various businesses and government institutions. He currently holds industry-leading certifications including CEH, SnortCP, OSCP, CCNA and an MSc InfoSec. Shakeel is also an active and independent researcher who has been evangelizing security practices via articles and a blog at Ethical-Hacker.net. He has also assessed and measured the security of several business applications and network infrastructures for global organizations. He manages Ethical Hackers - A Security Driven Knowledge

Richard Stiennon: A veteran of the security industry and an industry analyst, Richard advises enterprises and government agencies on how to better protect their networks, and helps vendors serve those needs. He is currently writing "Surviving Cyber War", to be published in fall '09. He covers security news, events and his thoughts in Threat Chaos.

Vijay Vedanabhatla: A senior consultant in the Enterprise Risk Services practice of Deloitte & Touche, Vijay specializes in the area of Security & Privacy Services.

IT Security - Need a Degree, Certification or Background?

Posted by Naveen Bala at 10:16PM Sep 08, 2009


What do you need to become a successful IT security expert - skills, degree, certification, or background?

This is part of the "What it Takes to be Successful in IT Security" series.

Keith Crosley: You have to keep in mind I'm answering this from a marketing point of view. My role as Director of Corporate Communications at email security vendor Proofpoint is a marketing and communications role, but one where my technical background comes in very handy. I've been with Proofpoint since its relatively early days and so my job has had many different elements to it, including technical marketing aspects such as a healthy dose of product marketing and, to a lesser extent, product management type activities.

As for being an "expert," I'm certainly perceived as something of an expert since I am relatively visible in my work as a spokesperson for Proofpoint. I am regularly quoted in technical, trade and business press on various topics related to IT security, email security and related technology issues. But when I make those statements, there are oftentimes a lot of other smart people (whether engineers, product managers, industry analysts) behind me informing those opinions!

In terms of my own background, I have a B.S. in Mechanical Engineering and also did several semesters of graduate studies in English Literature. Overall, my specialty is really communicating about technical topics, whether those are press releases, product collateral, audio or video media, social media, etc.

Before joining Proofpoint, I certainly wasn't an IT security professional. My own background has been primarily in technical communications or marketing communications roles in high-tech startups. While there are many excellent marketers in high-tech without technical backgrounds, I do feel that having some sort of technical credentials and education is extremely helpful.

In addition to being a communicator, I'm a technologist. Having programming, web development, and other technical skills has been crucial to my success in many different sectors (I've had a pretty varied career that has included scientific software, consumer entertainment, semiconductors, enterprise software, etc.). I think it's important for marketers to understand the technologies that are at the core of their businesses. To me, those skills are always transferable, regardless of the specific industry focus of your current company.

Misha: I think it's important to have the right skills and background, but maybe most important, to want to be an EXPERT :).

David Oxley: While certifications and degrees are very helpful in the industry, there is no replacement for raw skill and hands-on abilities. Knowledge of a range of operating systems and technologies, a good understanding of the current threat landscape and events in the infosec world, and the ability to show hands-on knowledge are far more crucial to being competitive.

In addition, building relationships with others in the industry will always give you a leg up, if only through getting to know people who know security better (or differently) than you do.

Darrell Jones: Degrees are useful to initially begin one's career, but experience is the key success factor for any IT professional. Until you have experienced an attempted or successful systems penetration, the complexities of the role are truly not understood. Obtaining a strong background in systems engineering and administration is key. Until you understand how items such as Active Directory, DMZs, and storage work and are managed, you will not be any more effective than a firewall log watcher.

Robert Newby: You need to be able to think logically and to understand how IT 'fits together'. It's basically a matter of experience, and a certain amount of intelligence. Certification does not make an expert, it proves you have reached a certain level, and is a useful benchmark in getting jobs, nothing more.

Lawrence Pingree: First, look at everything with the question: "How can this be broken, thwarted or hacked?" I feel it is important to have a good background in network and systems as an administrator in both. I personally believe that a person must have worked for a small company where they must wear multiple hats in their IT department so that they have experience in the roles they will be responsible for making policy for as a security person. It also has the added effect of educating a person in multiple technologies in a fast paced environment.

Robert McArdle: More than anything else you need to have a passion for security, as opposed to simply IT in general. In security you are constantly trying to keep one step ahead of the current attacks, and that means keeping up with blogs, papers, tools, etc. on a regular basis - something that's hard to do if your heart is not 100% in it. For those who do enjoy security, however, the rewards far outweigh the downsides.

In terms of skills, etc., a couple of key areas spring to mind. People who do really well in security tend to have a naturally curious nature; the type of people who really enjoy puzzle solving. A computer science degree with a strong grounding in networks is definitely a good start. After that there are some excellent professional courses which are definitely worth a look such as CEH, CISSP and the excellent courses offered by SANS.

As a starting point I would also recommend subscribing to some security blogs. Start with only a small amount, and then gradually add more (and remove others) as you go along, otherwise the amount of posts will be a bit overwhelming. Some useful security blogs are Bruce Schneier's, eWeek, SecurityWatch and the blogs of the antivirus vendors.

Sebastian Bortnik: I'll answer in two parts.

To be a security expert it is necessary to study ... a lot. And it is also necessary to practice and be persistent in learning. As with other technology-related topics, the scenario is changing and new things appear every day.

Obviously, a degree or certification will be an added value to the job search and to be assisted in the training. But knowledge on the subject, along with experience, will always be the key skills to become a security expert.

Now, to become a SUCCESSFUL security expert, it will depend on what success is for each one, and the social and labor environment in which each one operates.

Shakeel Ali: Generally speaking, a core security background is always needed on top of a degree or certifications. This is because IT Security is much more technical and covers almost every part of IT systems. However, getting certification and other relevant qualifications can add value and prove your skill level to the employer.

Richard Stiennon: Of course a degree and certification are nice to have but the most important aspect for a career in security is hands on experience. So, look for opportunities with smaller consulting groups doing security assessments. Look at those that do post-event forensics. You could also join a security product vendor in a role as a researcher or in customer support. Look at MSSPs (Managed Security Service Providers) for a fast ramp up as they see all the problems every day.
If you are currently employed as an IT person see if you can transition to the security team within your current employer.

Vijay Vedanabhatla: Skills: should have worked in at least the domains of risk management, access controls, network security & infrastructure/application security.
Degree: Does not matter. But a math background would be helpful to understand risk assessments. Functional background is helpful too.
Certification: I am not a big advocate of certifications but the market demands CISSP or equivalent.
Background: does not matter.

IT Security - Technical or Management

Posted by Naveen Bala at 10:16PM Sep 08, 2009


Is IT security becoming a more technical position or becoming more management-oriented, like planning, assessment, compliance etc.?

This is part of the "What it Takes to be Successful in IT Security" series.

Keith Crosley: Well, there are definitely changes on both fronts. As security threats proliferate and become more diverse, there are new specialty areas opening up. For example, one might specialize in email versus web security. But really, you only see that level of specialization in larger organizations. In a lot of IT organizations, IT security is just one of many hats worn by an IT manager or director.

As regulatory compliance becomes more important and affects a larger number of organizations (I'm thinking here of things like US state encryption laws, data protection regulations and guidelines, which are really proliferating) there are more and more IT security roles that are management oriented. Keep in mind, however, that roles like CSO (Chief Security Officer) and CISO (Chief Information Security Officer) are still relatively uncommon compared to the number of CIO roles out there (not to mention the more rare Chief Compliance Officer, Chief Privacy Officer, etc.)!

But overall, I would say that security is a clear growth area inside of IT.

Misha: Of course, it should combine all of the mentioned, maybe less management-oriented.

David Oxley: I think it's going in both directions. As management and the compliance side of things becomes more and more important, people with a deeper knowledge of the technologies involved are that much more important.

Darrell Jones: It is becoming more management oriented. With federally mandated rules such as HIPAA or SOX, there has been extensive review and action to shore up the security of organizations' systems and data. Today, penetration tests are commonplace. Therefore, a security professional is more in a consulting/managerial role because of all the specialization in the security field. In the past, security leaders started off their careers in technical roles, but all the positions including the hands-on technical roles are becoming more consultative.

Robert Newby: It depends on which route you take. I have been technical support, sales engineer, product manager, architect and now a consultant - I started off technical and realised I wanted to do more on the management side, so worked my way towards it. You tend to move into more management orientated jobs with experience and length of time served in a company. I've moved companies and contracted, so never got into senior management positions, but my work is very much management orientated.

Lawrence Pingree: IT security will always be solution oriented, so it is important to understand solutions when trying to secure environments. Compliance is only a portion of the security job and of course good security supports compliance activities; however, security is NOT compliance. Security is about risk reduction; compliance is the lowest bar to achieve, and it is important that security practitioners set the bar higher. This way you will be in compliance even if laws/regulations get tougher. Focus on risk reduction.

Robert McArdle: It really depends, to be honest. I think it is about finding the balance between the two. Some security roles will be very technical, others quite management-orientated, and a lot more will fall in the middle ground. The security industry is quite broad in its scope, including everything from reverse engineers, penetration testers, system security engineers, QA, consultants, managers and a whole lot more.

Whether you find yourself leaning more towards the technical side or the management side there will certainly be roles that suit your focus, so it is best to concentrate on the areas that most interest you.

Sebastian Bortnik: IT security is becoming increasingly a matter of management. For proper management of information security in an organization, it is necessary to supplement the technology with process management, human resources, training and other non-technical factors.

However, this doesn't mean that there aren't issues or jobs for more technical skills.

But definitely, the CISO (Chief Information Security Officer) role needs management knowledge.

Shakeel Ali: Due to the vertical growth in new and advanced technology, it is quite acceptable that many companies require more technical expertise than just management. Although, for higher-level positions such as Chief Information Officer or Chief Technical Officer, it is quite often that both skills are necessary to run the organization. Thus, IT Security has become a mixture of technical and management areas.

Richard Stiennon: It is splitting. On the one hand researchers and product developers are facing a continuous change in the technology of attacks as well as defenses. On the other hand regulatory compliance is pushing a huge boom in the managerial side.

Vijay Vedanabhatla: It is becoming more business specific. There are numerous tools/methodologies that help you in identifying vulnerabilities. But how do these relate to the specific business? This will be the question moving forward. Moreover, during these crunch times, it's all about ROI.



The Burning Issues in IT Security

Posted by Naveen Bala at 10:13PM Sep 08, 2009


What do you think will be the burning issues in IT Security in the next 2 - 5 years and what skills do you need to handle such a job?

This is part of the "What it Takes to be Successful in IT Security" series.

Keith Crosley: There's no single security issue that will dominate, I think. Rather, I believe that IT security will be more central to everyday decisions about technology use and deployment. IT roles, in general, will require candidates to be more cognizant of security risks that come with any enterprise technology. IT staff will also need to be more familiar with the compliance landscape - e.g., what regulations, especially around data privacy and protection, does your organization have to comply with and how will you meet those requirements?

David Oxley: I don't think the situation will be all that different in 2-5 years. Compliance, data breaches, and the emerging threat of cyberwarfare will continue to wreak havoc, as will XSS attacks, exploits, etc. People with strong backgrounds in networking, web languages, Linux and Windows system programming, malware reverse-engineering, forensics, and specialized skills in foreign languages, financial industries, and the like will certainly stay busy.

Darrell Jones: I believe that in 2 to 5 years, storage of company data in SaaS or cloud systems will be the most pressing security issue. Organizations that have moved their data into one or both of these systems will desire, or require, proof of data integrity. Penetration testing and social engineering testing will be skills needed by customers to ensure that their systems providers are fulfilling the security needs of their customers.

Robert Newby: People. Security is always about people, and the mistakes they make, maliciously or benignly. Management skills will be what are needed. Technical skills can only go so far, and they are becoming commoditised. Management is something which everyone thinks they can do, but few people can do effectively or well.

Lawrence Pingree: Data leak protection will be the most implemented technology, and a convergence in the security industry occurring now will lead to technology integrations that don't exist today, such as the integration of compliance into and the compliance tools will then select the appropriate compliance/audit policies to enforce.

Robert McArdle: This is the million dollar question, and the person who can answer it will be a wealthy person indeed! For me it is clear that in our daily lives more and more of the things we use every day will move onto the web (or "into the cloud" if you prefer buzzwords), and as a result the web will need to be more and more accessible on the move. This will lead to more mobile devices, and stripped down laptops in regular use.

More importantly, the current trend of everything we do being online can only increase - we already use the web for email, office applications, hosting pictures, games and social networking. As more and more applications move to the cloud our reliance on the operating system will become less and less; we are already seeing a lot of netbooks running Linux variants, for example.

As such, understanding how to secure a highly mobile userbase using multiple device types to connect to your network, quite often remotely, will be key. Another critical area will be to understand all of the attacks that criminals can use to target resources on the web, and how to protect against them.

Of course I could be completely wrong - but here's hoping that's not the case :)

Sebastian Bortnik: In the next few years IT security will be a more important issue to organizations. It is time to understand the information security problem, in every company, as a process, as a management matter. In the next years, it will be important to implement security solutions, in different layers, and to mix technical and non-technical controls.

Compliance will be a big thing in this matter too. Certifications like ISO 27000, SOX or PCI are becoming compulsory in a lot of markets and companies.

So, people who can face this scenario, and develop complex solutions to the information, will be valued.

You can have compliance experience, and be an auditor. Or you can have exploiting experience to be a pen tester. IT Security is a big thing with a lot of job opportunities.

Shakeel Ali: A recent rise in cloud and grid computing has put new challenges on IT security professionals to conform with industry standards, regulations and compliance. Due to their level of complexity, it may require extra skills in understanding the inner workings of distributed systems and platforms. Similarly, the fast adoption of RFID technology by several commercial and government institutions will make a challenging future for IT security professionals.

Richard Stiennon: The security industry is easy to understand. The threats will continue to rise, and the investment to counter them will also continue. Learn how to use investigative tools, Palantir, Analyst's Notebook, etc. Get networked. IT security is going to become somewhat militarized, so get thinking in a defensive mode.

Vijay Vedanabhatla: Targeted attacks on individuals & businesses. Be it social networks or disgruntled employees, information will be available more easily for malicious purposes. The next generation of hackers will have the focus of stealing money or identity rather than just being geeky!

IT Security & the Down Economy - What to do?

Posted by Naveen Bala at 10:12PM Sep 08, 2009


What advice do you have for people who may have lost their jobs due to the bad economy?

This is part of the "What it Takes to be Successful in IT Security" series.

(Chart: Jobs Trendline Comparison for 2008/2009 - IT Security Job Trendline, generated by OdinJobs - IT Jobs and Technology Job Search Engine)

Keith Crosley: This is sort of an aside, but I just completed some research where we found that the increasing number of layoffs is definitely having a negative impact on companies' IT security readiness. About half of large US companies told us that increasing numbers of IT staff have negatively impacted their ability to protect confidential, proprietary or sensitive information in the past 12 months!

In terms of people who are seeking jobs in today's environment, I'd definitely encourage them to use social media and social networking as ways of connecting with opportunities. Things like Facebook, Twitter, LinkedIn, etc. really have critical mass now and they make it much easier to "network" than in years past. Proactively let people know what you are looking for and what unique value you can bring and enlist your network of contacts to help find things that might be a match.
My other tip applies at any time -- not just in a recession -- as a hiring manager, one thing that constantly amazes me is when interviewees don't express any enthusiasm for the job. When you get to the interview (and I know that it's harder to get to that point right now than it's been at other times), if you're really interested in the job, make sure the hiring manager(s) know it. Often, that's the thing that sets one candidate head-and-shoulders above the rest. Enthusiasm wins.

Misha: Keep going in everyday knowledge / skills improvement.

David Oxley: Get connected! Join professional IT security groups, attend conferences, network with other professionals...the number of ways to do so is ever-increasing. Subscribe to blogs and stay abreast of recent happenings in the infosec world. Consider investing a bit in yourself in terms of books and software if you're really willing to put in the time and effort to learn the material.

Darrell Jones: Expand your search beyond your immediate skill/responsibility sets. Flexibility in ability and attitude are keys to success in a down economy. Additionally, do not look at a demotion in responsibility as altogether bad. It could provide additional opportunities to learn new skills or even spend more time in your personal life. The last piece of advice I would provide is to remember that nothing lasts forever. Things will change.

Robert Newby: Use the time you have wisely, talk to everyone you can about jobs, but don't compromise on what you want. This downturn won't last forever, and when we come out the other side, you don't want to be in a job you hate, having to look for another position.

Lawrence Pingree: Personal marketing, blogging, writing books and writing whitepapers is essential for you to become "known" in your industry. Think about it, why is Michael Moore popular? Why is Barack Obama well known? Mostly because they are good speakers and they do it often.

(Chart: IT Security Median Salary, generated by OdinJobs - IT Jobs and Technology Job Search Engine)

Robert McArdle: A lot of people are going through some very difficult times at the moment, in every country in the world and in every industry, but the IT security industry has actually survived better than most - even when compared to other IT sectors. Most modern successful businesses now realise that securing their companies' networks and information is of critical importance in the world they find themselves in, and as a result security spending is one of the very last things to be cut from a budget.

For people who have lost their jobs but are interested in security, now is a good time to look at upskilling themselves. I've already mentioned some excellent courses, but these can cost quite a bit of money; however, the investment can certainly be worth it. There are loads of free/cheap resources available to introduce people to this industry - all of the blogs mentioned above and excellent books like the CISSP handbook and the Hacking Exposed series, and there are lots of good books on specific areas such as systems hardening and reverse engineering. Make sure to put any skills you pick up to the test. For example, take a Windows machine and learn how to harden it, or create a virtual machine, set up a lab, and carry out your own pen tests. Learning security skills really improves the more hands-on an approach you take.

This downturn can't last forever (I hope), and having a good solid base of skills will definitely help when job markets pick back up.

Sebastian Bortnik: I'm not qualified for giving advice in this matter. These kinds of problems in the economy, and the crisis, are too difficult. Also, I have the luck to be employed and I have no experience in these environments.

But, to give an answer, I think it could be a good tip to be flexible. If you lost your job, you could take advantage of new technologies to look for a job: the internet, work from home (and for other cities or countries), social networks (like LinkedIn) and those kinds of things can be an opportunity.

Shakeel Ali: The recession period of 2008-2009 has left many of us unhappy. But trying to get another job is not that hard if proper skills and commercial experience are in your hand. Improving your skills and getting job-specific certifications are considered more useful to get better placement. However, many employers prefer to have multiple sets of skills (technical+management) to get the job done. On the other hand, from an economic crisis perspective, it is worth noticing from various media and conservative market research reports that the need for information security professionals will increase during 2009-2012. This may happen because of an active role of various government and commercial organizations in taking e-security more diligently.

Richard Stiennon: No time like a downturn to switch your career direction. Get networking and I must say get writing. Start a blog on your uphill battle to switch careers. Post every day. Share what you are learning. People will find you!

Vijay Vedanabhatla: It's a good time to re-look at your priorities in life. There are many ways of getting food to the table. Choose the one that has been your hobby or passion. You might be surprised.