
Planning a Career Ladder in Information Security

Sandeep, a mid-level IT professional working as a systems administrator in a tough labor market, finds himself stuck in his current position. Ed recommends a double dose of infosec certification to help ease his woes, and propel him higher up the career ladder. His prescription: an entry-level cert like Security+, GSEC, or SSCP, followed by one or more of CISSP, CISM, and C|EH certifications.

Dear Sandeep:

Based on your educational background and number of years of experience, I would put you at the mid-career phase: no longer just starting out, but not senior enough to have advanced to heavier responsibilities and the bigger pay to go with it. Given that you do have some substantial experience, even though you're interested in a move from systems administration into a more security-focused role, I don't think that means you need to start over in terms of responsibilities or pay. It's highly likely that you have at least some security experience: it's hard to administer systems nowadays in the absence of security. And in fact, managing and administering systems almost always includes a security component if not an outright security focus.

My advice to you is to stay on in your current position while pursuing a typical security certification ladder that I will happily explain. First, you'll want to get your feet wet with an entry-level credential, like the CompTIA Security+, SANS GSEC, or the (ISC)² SSCP. This will probably take you three to nine months to work your way through, depending on how much free time you are willing to allocate to study and exam preparation, and whether or not you pass your chosen exam on the first try.

Your next credential could and probably should be one of the following:

  1. CISSP -- if you're interested in working in security policy, security management, and so forth.
  2. CISM -- if you're interested in managing security as a full-time, workaday position.
  3. C|EH or other EC-Council security certifications -- if you'd prefer to specialize in ethical hacking, penetration testing, and so forth.

Once you gain more experience in the field, and your interests begin to make themselves known, you can start mixing and matching information security training and certification to help you develop the collection of skills and knowledge you need.

Your second, more senior security certification will not only add to your employability, it should probably help open doors for you to transition into a more focused and full-time security role. Expect to spend one to two years prepping for and getting past the exam of your choice. Once you've earned that level of certification, you can think about looking for another job in the security field, and probably see a nice increase in pay and responsibility at the same time.

If you're willing to invest some time and effort, and some modest expense, in helping to advance your professional skills and knowledge, you should be able to realize some benefits from those investments of energy, money, and effort. Best of luck with your career and certification planning and preparation. Thanks again for posting to our survey. I hope you find this information useful and worthwhile.

Ed Tittel

Ed is a 30-year-plus veteran of the computing industry, who has worked as a programmer, a technical manager, a classroom instructor, a network consultant and a technical evangelist for companies that include Burroughs, Schlumberger, Novell, IBM/Tivoli and NetQoS. He has written for numerous publications, including Tom's IT Pro, and is the author of more than 140 computing books on information security, web markup languages and development tools, and Windows operating systems.