Over the last few years, IT security has become one of the top choices for IT professionals and those looking to move into IT. So what is the best way to become one of the much-envied chief information security officers (CISO) or join the league of sought-after hacker-combatants? Gary Flood investigates.

As the market for technology jobs improves - and it is, according to a March study on improving employment figures by the Recruitment and Employment Confederation and KPMG, which said the UK IT sector was leading the way in terms of payroll increases - one sector is coming into prominence: security.

A glance at any news website, or increasingly the TV news, confirms information security is a growing issue in society, too, brought into notorious prominence by the way the British taxman lost the personal data of half the families in the country in 2007.

As calls for ‘panic buttons’ on Facebook mount and surveys find one in four British schoolkids have tried hacking into their mates’ profiles on the same social networking site (according to a March report from IT security experts Tufin Technologies in conjunction with Cumbria Constabulary), security has become trendy.

It's also perhaps finally something UK organisations have to invest money in. As of the start of April, organisations found by the UK data privacy watchdog, the Information Commissioner's Office, to have failed to properly safeguard their processes will be liable to fines of up to £500,000.

If you needed any more incentive to get into security as an IT professional, then how about this: a CISO, or chief information security officer, the IT leader in a company whose sole job is managing the way security gets done, is not what you’d call a bad job: ‘The average CISO at a FTSE 250 company could expect to be on a salary of around a quarter of a million pounds a year,’ says Simon Humber, MD of information risk management recruitment specialists Acumin.

‘After the CIO post, the CISO role is one of the key managerial roles in a company, and we see this as a great job market.’ His company’s most recent salary index, meanwhile, shows the base-rate salary for information security and risk managers working in large organisations has risen by £5,000 to £50,000.

Becoming a CISO isn’t the only end-point in the IT security market; the more technically minded will probably find themselves more comfortable performing hardcore anti-hacker combat in the jungles of the corporate network. But if you are an IT expert looking to advance your career in the less technical and more professional end of the field - or are a manager trying to support such a move - what are your options?

Looking at career paths

There is a lot of debate in the field as to what the best specific qualification might be at the top end, but in general a combination of a good introductory Masters course, a clutch of industry and vendor-specific certifications from the major suppliers, culminating in at least one, possibly more, of the various experience-based qualifications seems to be the best route (see box), whether you want to move into the managerial or technical side of IT security.

But what you might get in terms of letters after your name and deep knowledge of best practice in information security procedures is, it seems, going to be only half the battle in landing that highly paid, high-status C-level job.

‘In some ways the best qualification for such a business management role would be an MBA,’ says Neil O’Connor, Principal Consultant at independent IT security consultancy Activity IM. ‘Being a CISO is more about people, budgets, business strategy and proactive leadership of the technology function. You have to be a good translator and communicator. In fact, the ability to write a decent report is paramount to a consultancy like ours, as our output is so often a document a business person has to be able to read.’

Others, such as IT security expert Paul Maloney, Managing Director of Technology Management and Consultancy, agree that the ability to translate between the two worlds of business and technology is key to reaching CISO status, but Paul also finds that it’s ‘hard to see if the technical experience with MBA or technical experience with CISSP [Certified Information Systems Security Professional] is the best combination.’

Paul himself started in general IT, and then took the opportunity of a 2005 redundancy to self-study to advance his career in security, choosing the CISSP qualification as well as Prince2 and business continuity skills. ‘The process of getting the qualification was quite tough, but it was great to be forced to learn things you didn’t know you needed to know, like my coursework on encryption algorithms; I’ll probably never have to calculate one myself, but now I do know how to talk to someone who does and I could follow it. CISSP also makes you do CPD, so I have attended conferences I wouldn’t have gone to otherwise. It makes you look outside your own specialty and get the wider view.’

What certification?

However, anyone looking to get certifications in security soon realises there are many bodies vying for your and your employer’s attention. One widely recognised security qualification is the CISM, Certified Information Systems Manager, available from ISACA, a global non-profit association of IT governance, security and assurance professionals. (ISACA is also well known for its older IT auditor qualification, the CISA, Certified Information Systems Auditor, plus an IT governance qualification, CGEIT.) CISM came on the market in 2002 and is now held by 12,500-plus security professionals worldwide.

Then there is (ISC)², established in 1989, with some 68,000 certified members from more than 138 countries to whom it delivers lifelong career support with programmes of certification, advanced education and member services. More than 3,500 of these are in the UK.

Its main certification is the CISSP (Certified Information Systems Security Professional), though it also offers other security certifications, for example the SSCP, the Systems Security Certified Practitioner. To get to CISSP status, applicants must be endorsed by an existing (ISC)² member and have accumulated prerequisite years of experience in one or more of the security disciplines or domains covered by an (ISC)² credential. Once these requirements have been confirmed, applicants must pass the exam for the desired credential and adhere to the (ISC)² Code of Ethics.

The IISP, the Institute for Information Security Professionals, was set up five years ago by a combination of industry, academics and the UK government in an attempt to build the first ‘competence-based’ skills framework for information security. You become an M.Inst.ISP (or Member of the Institute of Information Security Professionals): no exams are sat and there are only 240 of them in the world so far, 95 per cent in the UK, but this body claims government backing for its definition of which 35 core skills are relevant for security.

Overload?

Despite (or because of) its current popularity, security is in danger of overheating as a profession, worry some commentators. ‘I see security following the same general pattern as IT did itself 30 years ago - starting very buoyant then everyone came in,’ warns Vernon Poole, Head of Business Consultancy at IT assurance, security and forensic service provider Sapphire. ‘At the moment there’s a premium in being in security but will there be another glut?’

‘Yes this is a “hot area” - just look at the HMRC issue,’ agrees Fred Piper, Director of External Relations for the Information Security Group of Royal Holloway College. ‘Now I read about encryption in The Sun newspaper. Is it a good area for employment? There is definite interest from employers but also increasing competition for those well-paid jobs, too. When we started we were the only university in the world offering such a course, now there are 20 to 30 in the UK alone. The market isn’t saturated yet, but you need to differentiate yourself.’

To do that you need to choose your career and training path carefully, suggests Mark Gerhard, CEO and CTO of Jagex Games Studio, a UK games company best known as the company behind RuneScape, a global multiplayer online computer game. ‘When the MCSE started, people could go out and get £35k jobs at once with it, then soon there were 100,000 holders and it got devalued. So a qualification in itself is not enough - you have to stay as up to date with the market and the technology as you can to continue to be relevant.’

Right personality

There is also, frankly, the issue of personality. It takes a certain sort of person to be good at this stuff. ‘Security people can end up being a bit like policemen - a bit suspicious of everyone. We tend to be the ones sitting with our backs to the wall in the restaurant so we can watch who’s coming in,’ jokes John Colley, who looks after European strategic development issues for (ISC)² and, as a former CISO himself (Head of Risk Services at Barclays and Group Head of Information Security at the Royal Bank of Scotland Group, among other such roles), should know what he’s talking about.

Paul Maloney agrees. ‘You can spot the security guy in the coffee shop as he’s the one who takes his laptop to the toilet and then wraps the strap around his table leg. We’re also terrible people to go to the airport with, as we know why and what the screening people are doing - and also when they are doing it wrong.’

Neil O’Connor describes the perfect security consultant as follows: ‘They are professional, articulate, knowledgeable and interested. They also have to want to contribute and make new directions, not just follow a routine. If you go home at night and study networks and live and breathe it, go into penetration testing. If you are more into the core principles, go into the more people and policy-oriented side. But whichever route you take, there is a great future.’

What is the ‘ideal’ path into security?

So you’ve just graduated or are trying to get into IT. You may then be fortunate enough to be given a chance to learn the ropes by an employer such as a major financial institution, but more likely you’ll have to carry on training.

A good first stop on your career in IT security would be getting the Security+, a very popular entry-level qualification from CompTIA, which is recognised by Microsoft, among others.

Then you will want to gain a Masters degree, either part-time or sponsored by a company. The one at Royal Holloway is the grandaddy of them all, being the first ever such course in the world (1992), and it still has a very high reputation, but many UK universities now offer equivalent courses, such as the new specialist Masters degree starting this autumn at City University, London, in Resilience, Assurance, and Risk Management for Computer-Based Systems.

As a next step you probably need to get some vendor qualifications, but be careful that they don’t limit you to being knowledgeable about just one product set. Then you will probably face a T-junction: either you become a technical security guy or a managerial one. On the much more technical ‘hacker’ side of IT security, penetration testing, the most relevant qualifications are the CREST (Council of Registered Ethical Security Testers) and UK Government CHECK schemes, the latter administered by GCHQ. If management is more your thing, you would want to get something like the CISSP or even an MBA.

There is also a school of thought that information security practitioners will end up licensed to practise in the same way doctors or accountants are. Indications of this include developments such as the IISP gaining more acceptance and US Senate Bill 773, the proposed Cybersecurity Act, which among its proposals has a wide-ranging call for a professional IT security licence for anyone working with ‘federally relevant’ computer systems - which, some people argue, could mean all of IT.