How to be a good Information Security Professional?

Hello Guys,

What are the essential skills a good Information Security Professional must have?

I know that one must know about Penetration Testing and Compliance/Auditing. What else should I focus on?

Do I need to know more about COBIT, ITIL, ISO 27001, Risk Management, and Business Continuity Planning to start with? Or about Information Systems from Oracle and SAP?

My plan in the near future is to start with Security+ and aim for the CISA/CISSP/CISM after 1 to 2 years.

Your replies will be much appreciated!

Thanks!

Comments

  • paul78 Member Posts: 3,016
    It largely depends on what area of information security that you wish to pursue. And the skillset required will vary just as greatly.

    Penetration testing for example may hold little value to someone that focuses on risk management. And even with penetration testing, the skillset will depend on whether the individual is focused on perimeter network testing or application testing. Although, having a general knowledge of internal networks, systems, and applications will greatly benefit the individual.

    An infosec professional supporting secure SDLC with application defense will probably not need network defense skills. Physical security also requires a whole different set of skills. Etc...

    The essential skills also vary based on whether you want to pursue a technical or management role.

    As a fairly senior infosec manager, I am required to have knowledge of privacy regulation specific to the financial services industry as well as various privacy laws in the US and Europe. I also am required to have broad knowledge of ISO 27000 controls and the security operations functions that support those controls. Other aspects of my job also require secure SDLC, application defense, vendor due diligence, customer contract compliance and negotiations, and various ancillary stuff like incident management protocols, BCP/DR, etc.

    In my experience, having a wide range of technical experience versus specialization tends to lead to a stronger information security professional.
  • UnixGuy Mod Posts: 4,570
    @Paul78: Very nice information. Do you see it as a good field to be in? I'm thinking of making the move to Information Security (not possible this year).

    What are the pros and cons of your field as an InfoSec manager?

    I'm thinking in the long term, whether to move to Infosec management, or to keep moving to a senior position with system administration/design...something to think about :)
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • JDMurray Admin Posts: 13,093
    Information Security contains many diverse fields of learning and skills ranging from very technical to very "soft." If you work for a small company, you may be performing a lot of diverse InfoSec duties. If you work for a large company, you will likely be compartmentalized into a position requiring fewer specialized skills, but with deeper knowledge and experience required.

    Knowing the essential skills a good Information Security Professional must have therefore depends on what you want to do in InfoSec.
  • rwmidl Member Posts: 807
    This is a little bit of a different take, but to me being a good InfoSec Professional is being able to look at what the "requested" security requirements are (ex: DISA STIGs) and then be able to determine what the "real world" impact would be to your environment. Ex: if the requirement specifically forbids any remote desktop access to a server, but you have no local access to it, how can implementing that change be beneficial? Sure, you are meeting the "requested" security plan, but there very well could be a downside to implementing that.
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
  • paul78 Member Posts: 3,016
    UnixGuy wrote: »
    ....Do you see it as a good field to be in? ....
    What are the pros and cons of your field as an InfoSec manager?
    Thanks. Glad you found my comments useful.

    I do think it's a good field to be in. Generally speaking, I expect that as more economies and commercial enterprises go digital across the world, digital crime will continue to rise, not diminish. Criminals will go where the money is.

    As for pros vs. cons regarding InfoSec management - I suppose it depends what you consider a pro/con ;) I imagine that how the company is organized also makes a big difference in the job/role.

    I prefer infosec management because I like being in the mix of things. I touch all IT and non-IT functions because infosec intersects with those functions. One aspect that I prefer is reduced staff management responsibilities. In general, I need to be more detail-oriented on technical and legal matters than on staff management. Most of my peers have to focus on organizational and staffing matters. Most of my challenges revolve around influencing and explaining risks to other groups. Also, InfoSec budget justification tends to be a lot more difficult to quantify since it is primarily about risk reduction and preventative measures.

    I suspect that, like most job functions, the actual responsibilities will vary. I prefer line-of-business infosec management over enterprise generic roles.
  • spicy ahi Member Posts: 413
    This is a great question, and as someone who's been in the business of security for a short period of time (less than 2 years) I continually ask myself this question. I have to agree with Paul that it really depends on where you fall in the infosec spectrum. I in particular fall in the IA spectrum, and my duties involve compliance with DoD directives as well as (in my case) any Navy and base policies. I also delve into the mitigation effort, running HBSS and iRetina scans to search for security deficiencies as well as patching these deficiencies. Much of my work is reactionary, and I don't have the opportunity to get into active pentesting as it's not my lane (the CND folks handle that fun stuff). I'd say my work is 80% paper handling and 20% tech work (and I use the term tech work loosely).

    One thing I'd advise you, when you do get into the business, is don't be surprised if you suddenly take on more and more work with no additional compensation. When I started, I was hired originally to do just the mitigation scanning and patching. Then it grew and I was designated the IAO and that's how I took on the compliance duties. They're also now discussing whether or not to hand me the reins for the physical security management and I've heard rumors that they want to send me to some training classes to do software evaluation to do security testing of programs created in our base lab. I'd complain about earning more money, but I figure the best thing at this point is to get this stuff under my belt and then harp about the money when I know I have good bullets on my resume that will support my demands. Or if need be, will help me find an opportunity that will compensate me appropriately.

    Oh, and another thing: be prepared to be disliked by everyone. Someone else can explain that part if you don't get it.
    Spicy :cool: Mentor the future! Be a CyberPatriot!
  • paul78 Member Posts: 3,016
    spicy ahi wrote: »
    Oh, and another thing is be prepared to be disliked by everyone.
    How coincidental that you mentioned it... As I was reading through your post, the first thing that went through my head was "I bet spicy isn't very popular".

    @unixguy - I did fail to mention that particular side effect. While folks will respect a good infosec manager, at most organizations, infosec teams are not likely to win too many popularity contests. At my job, I usually socialize with the attorneys.
  • UnixGuy Mod Posts: 4,570
    paul78 wrote: »
    ....
    I do think its a good field to be in. Generally speaking, I expect that as more economies and commercial enterprises go digital across the world, ....
    ...
    I suspect like more job functions, the actual responsibilities will vary. I prefer line-of-business infosec management over enterprise generic roles.

    I agree with you; I think we will be seeing more of 'aligning business with IT' and protecting sensitive information in the future.

    I just sometimes worry that working in a hard-core technical sysadmin position for years might go to waste. Isn't it better if one starts out as an IT auditor? I would like to leverage my technical knowledge and use it in a more effective manner rather than just forgetting all the technical skills...if you know what I mean.

  • paul78 Member Posts: 3,016
    I think it depends on the role. I believe that to truly be effective in infosec, you really need to come from a strong technical background. Most of that deep sysadmin, netadmin, or software engineering knowledge translates to understanding the threats and risk posture of the organization that you are chartered to protect.

    I personally come from a software engineering background developing system and network tools. But I also have experience with system and network engineering. There is very little that the IT teams (especially dev teams) can try to babble their way through about weaknesses in their security controls.
  • spicy ahi Member Posts: 413
    paul78 wrote: »
    How coincidental that you mentioned it... As I was reading through your post, the first thing that went through me head was "I bet spicy isn't very popular".

    It's all true! Whenever folks see me coming, they automatically think, "Oh crap. Is there some new training AGAIN?" or "Damnit, not more patching." My personal favorite, from someone high up, was "What new crap did big Navy make up that we have to follow now?" I don't particularly relish it, but I know that one of my counterparts in another department gets absolute JOY out of ruining his people's day.
  • UnixGuy Mod Posts: 4,570
    @Paul78: I get your point. Thanks for the great response!

  • dmoore44 Member Posts: 646
    spicy ahi wrote: »
    ...but I know that one of my counterparts in another department gets absolute JOY out of ruining his people's day.

    BWAHAHAHAHA! That made my day.
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow