October 2006 - Bobby Rogers
IT security has become the “next big thing” in the job market — more IT professionals, regardless of background and experience, have been rushing to get into this field. Many people want the coolness and prestige that comes with being “Firewall Guy” or the girl who stops hackers in their tracks with some quick, deft keyboarding in the critical pinch. Unfortunately, many are finding out that the world of network security is not as glamorous as TV and films might portray.
Successful IT security people work long, tiring hours, often with no reward other than knowing that if everything is going right, and the network is secure, no one notices. Unsuccessful ones, on the other hand, find that in the event of a security breach, everyone usually notices because of data theft, denial of service attacks, viruses, potential downtime and other unpleasant things.
Additionally, successful network security professionals are not often the most well-liked individuals in the organization because they have the heavy responsibility of being the “bad cop,” enforcing security policy when everyone would like to be playing computer games, downloading illegal music and playing fantasy football. In the event of a serious security breach, unsuccessful ones are liked even less.
Achieving that pinnacle of becoming a network security engineer is not an easy road to success, either. Most people who are successful have many years of experience in a wide variety of IT fields, all of which definitely are useful as an IT security professional. Having experience in only database design, for example, can be very useful if you are tasked with only securing databases, but unfortunately, it won’t help you configure the company firewall.
In this respect, generalists are usually more successful than specialists — a good security engineer has experience in databases, client/desktop support, networking, system administration, computer maintenance and programming. These are the key areas that a security engineer must draw from when designing and configuring enterprise-level networks.
In addition to the concrete technological skills, the ideal network security engineer must possess some soft skills, as well. Customer service skills, problem-solving skills, and the ability to think clearly and reason through tough situations, deal with management, communicate clearly and write well are the things that make the difference between a “smart” but unsuccessful engineer and a successful one.
Once IT professionals have made the choice to become the all-knowing, all-seeing Superbeing known as the network security engineer, they have made a choice that will drive everything they learn and do from that moment forward. Playing with every new security tool known to man, reading security articles and books, learning everything from protocol analysis and packet structure to firewall and router configurations, and keeping up with the latest vulnerabilities and security strategies — these are just some of the new hobbies the IT security wannabe will have to take up.
Typical IT security job titles and roles, in addition to the coveted title of network security engineer, are security specialist/technician, security analyst and security auditor. Additionally, depending on how the organization is structured, security roles might be broken down further by department or function. Titles such as application security specialist or infrastructure security technician aren’t at all uncommon. Keep this in mind: Even in the bigger organizations that have dozens of IT people working for them, functions, titles and roles can get a bit fuzzy, and they usually are tailored to the needs of the organization.
Also keep in mind that our discussion mainly revolves around enterprise-level security job roles. In the smaller organizations that might have only a limited IT staff or even the “one-person-IT shops,” the client support specialist, systems administrator and network security engineer might all be the same person, in addition to being the receptionist or facilities manager. With that in mind, here’s a brief description of the various levels of IT security professionals, what their duties might encompass and some of the qualifications they should have.
A security specialist or technician is typically the entry-level or junior position in the IT security field. These people usually are just starting out in the security arena, possibly coming from the help desk or mid-level support tiers such as junior-level systems administration. Their duties typically include managing only certain specialized aspects of security such as maintaining the antivirus and security patch servers or reviewing the firewall logs. They might be responsible for applying security measures to servers after system administrators have built them, but before they are connected to the network. Additionally, they assist the engineers in the day-to-day security tasks. This is a learning position, and as such, it does not require an extensive set of credentials — a good working knowledge of operating systems, computer repair and a solid foundation in networking are important to the junior security professional. Other technical skills such as database or programming skills are a plus. As far as education goes, an associate degree in a general computer- or technology-related field is probably sufficient but not necessarily required. IT professional certifications that would be helpful are CompTIA’s A+, Network+ and Security+. Having a SANS GSEC certification would put them ahead of the power curve at this stage of their career.
At the mid- or experienced professional level, we can assume security specialists or technicians would already have been in the security field for two or more years, or at the very least they would be experienced, midlevel professionals in another closely related field such as systems administration or software development/engineering. At this level, the position will require them to be more involved with the day-to-day security tasks, as well as to lead security implementation projects such as installing and configuring a new firewall array or conducting vulnerability assessments on the enterprise infrastructure. They also can lead small teams of other security technicians.
These midlevel security specialists should require little supervision and could accomplish most tasks alone. They also assist the security engineers as needed, and they should already know basic security principles and terminology such as those tested by the Security+ exam. At this level, they might have some college or a four-year degree in a computer-related field. They should at least have or be working toward vendor-neutral certifications such as the SCNP or ISC2’s SSCP, or a more technically focused security certification such as the SANS GCFW, GCWN and GCUX. They also might have more vendor-specific certifications such as the MCSE: Security or Red Hat. Representative job titles might be security specialist, analyst, senior technician, etc.
Finally, at the top of the heap, so to speak, we have the network security engineer. This is usually the most senior, technically and professionally demanding level a security professional can reach. IT professionals making it to this level probably have five or more years in the security field. At this level, they might be leading other security professionals in the organization, they might be in charge of the security division or they might be on the chief information officer’s staff.
They’ll likely be responsible for security design and architecture, strategic planning, and maybe even the testing and evaluation of new products. As senior-level security professionals, they might be expected to advise the CIO or CISO on all information security issues that affect the organization. They also might be expected to work compliance and regulatory issues for upper management. In terms of education, a bachelor’s degree is probably a minimum requirement for a network security engineer job — a master’s degree in information assurance is probably preferred. Certifications typically earned at this level include the CISSP, CISA and even the SANS GSE.
After achieving the higher-level title, there are also some functional areas in security in which a network security engineer might specialize. They might frequently lead special teams, focusing on incident response, forensics investigations or penetration testing, depending on the business area in which the organization is involved. They also might be contracted out as consultants to other companies in those areas, if their company is in the consulting business.
Incident response is a growing niche in the security field that involves the organized reaction a company has to any unplanned event that degrades the security or performance of the network infrastructure. These unplanned events could be natural disasters or other contingencies. Traditionally and more likely, though, they are hack attacks, data loss, or computer abuse and criminal activity. Being a qualified incident-response team member or leader requires the level of knowledge and experience found at the network security engineer level.
A sub-specialization to incident response is the field of computer forensics — experienced network security engineers often are trained to investigate electronic crime and abuse for the purposes of gathering facts and evidence to support an administrative action or criminal prosecution. This field requires a vast amount of technical knowledge and experience from all facets of computer security, as well as knowledge of the law, evidentiary procedures and technical writing.
Network security professionals at the engineer level should at least be security generalists — they should be well-versed in all the different facets of their profession — but they can also specialize in a particular area such as firewalls or even a particular vendor’s security product line. For instance, there are security engineers who specialize primarily in infrastructure products such as those made by Cisco, and they are experts in Cisco PIX firewall and VPN devices, wireless security and remote-access products. Other vendor-specific specializations include the Microsoft product line, which likely means possessing the MCSE: Security certification. At that level, they would be experts in the security design of Windows-based Active Directory infrastructures, and they might have in-depth knowledge of securing Windows architectures and Microsoft’s ISA Server product. Not to be left out, there are also network security engineers who deal with and specialize exclusively in Linux-based architectures, frequently possessing the more advanced Red Hat, Novell SuSE, or SAIR/GNU certifications.
So you’ve decided to take the road that leads to becoming a cool network security engineer. You want to get all the high pay and respect that comes with the job, and you’re willing to do what it takes to get there. You have a sort of road map to guide you, so now you’ll know which turns to make and when. It can be a bumpy road sometimes, but the destination is definitely worth the trip.