7 Things Every Security Professional Should Know

4. Monitor security industry budgets and salary trends

Security professionals can learn a great deal from the way companies spend their money on IT. By tracking spending, budget behaviour and pay-scale trends we gain a clearer understanding of where the security industry is heading. The past year wasn’t good for the job market due to cost-cutting measures and lay-offs across all industries. However, in the UK for example, as per itjobwatch, the trend for security jobs is improving: the average salary has increased by 10% since 2008. The skills that give a CV the best selling potential in the market are ISO27001, CISSP, Government, PCI DSS and so on.

5. Don’t be limited to just reading

To be a successful security professional one needs not only technical know-how but also hands-on experience. Nowadays companies insist on hands-on experience in firewall management, IPS/IDS configuration and penetration testing. If your company can afford to send you for hands-on training, speak to your manager and get some training in network security, Linux administration, Windows security, etc. However, if training budgets are tight and the chances of new training look slim, the best approach is to speak to someone in the telecoms team or the operations security team. Book an hour-long meeting based on their availability and discuss the basics, common scenarios, settings and configurations, and risk mitigation.

6. Blogging is serious business

Something I learned quite late, but which has been a motivational factor for me every day since, is blogging. I personally recommend that every security professional start a blog and express their ideas freely. This is a free world and we have freedom of expression. Blogging is also an ideal way of marketing yourself on the internet.

7. Don’t be afraid of starting a business

There are many people out there who might disagree with this statement, especially while a recession is going on, but I stand by it. If you don’t start something now you may never take up the challenge of starting something of your own. To start something you need to do your own market research to find out the gaps in the market and whether you have something unique to sell. Even if it isn’t unique, don’t be afraid to try. Every business takes some time to reap benefits, but you must not give up at the very first stumbling block. The more hard work you put in, the better the results. For a security professional there are a number of opportunities, such as starting your own security consultancy, developing your own security product, or running information security blogs or websites. The list can go on and on, and it’s up to you to decide which of your skills can be put to worthwhile use in your business.

-Anupam Cherubal on behalf of My Infosec Job team.

PS: This article was previously called “What Could Have Been Done Differently in 2009?”. Since the content is good but got buried because of the “2009”, I just gave it a facelift and brought it back to life! 🙂



Comments (17)


  1. Job Portal says:

    Can I simply just say what a relief to uncover someone who genuinely understands what they’re discussing over the internet. You actually realize how to bring an issue to light and make it important. More people need to check this out and understand this side of your story. It’s surprising you are not more popular because you certainly possess the gift.

  2. KK says:

    Excellent Article for InfoSec Guys

  3. […] would like to share with you: Got myself a job in 3 days (using some of my tricks listed here and here), found a neat flat to live close to the beach (which we’re really looking fwd), got married […]

  4. […] two other posts that I recommend. They are from the blog My Information Security Job: 7 Things Every Security Professional Should Know and How to Start Your Information Security […]

  5. A few more items I would add to your list:

    1. Learn to listen
    This is a very important part of your point about “Learn to communicate effectively”. By listening you’ll be able to understand the business needs and balance those against the security needs.

    2. Understand that information security is more than IT security
    Safeguards, for protecting information, can be administrative, physical, or logical (i.e. APL). This relates to two important points: a) not all the information you’re trying to protect is in electronic systems, and b) holes in your administrative or physical safeguards can easily negate all the efforts you’ve put into the logical safeguards (i.e. your IT security systems).

    3. Be able to answer the question “why” or “so what”
    This relates back to my first point above … if you know the business needs you’ll be able to easily explain why you’re recommending a particular safeguard. If you recommend something that has nothing to do with a real life threat/vulnerability then you’ll get the “so what” question.

    4. The answer to “maybe” has to be risk based
    It is always the business managers that get to say “no” or “maybe” or “yes” not the technical staff. Businesses can “accept risk” as well as “mitigate” it! The technical job is to help the business with a threat risk assessment (threats, vulnerabilities, likelihoods, impacts, risks, recommended safeguards, costs of implementation). Then the “enterprise risk management” steps in and decides how to “handle” that risk: ignore (not recommended), accept (cost of doing business), transfer (buy insurance against the risk), avoid (get out of that business or avoid that activity), transform (turn it around, if the world gives you lemons make lemonade).

    Take the time to see the big picture, IT isn’t there for its own sake, there is a business out there that you’re supporting, learn everything you can about that business and how you can help to drive its success!!!

  6. […] I faced when transitioning from a technical security career to a managerial one is that the skill sets involved are VERY different, especially if you are to become an Information Security professional (as […]

  7. […] two other posts that I recommend, from the blog My Information Security Job. They are 7 Things Every Security Professional Should Know and How to Start Your Information Security Career? […]

  8. […] list article is by Adriano on My Information Security Job. It lists the 7 “things a security person should do”. Starting with communicating, […]

  9. […] posts: The 10 Coolest Information Security Careers; How to Start Your Information Security Career?; 7 Things Every Security Professional Should Know; Information Security Career Tips by a Guru: Interview with Peter H. Gregory; Interview with InfoSec […]

  10. Christopher Wren says:

    Hi there… I have to agree with you, and you also have to tailor the content to your audience. There is nothing more annoying than reading a self-appointed SME regurgitating the same old theories and thought processes that are on every other blog.

    For a blog to be essential to an InfoSec practitioner it has to expand their marketability, either through the additional understanding of the subject or through the additional InfoSec opportunities that come your way.

    If you are looking at revenue streams from your blog or getting other writing opportunities, then you are becoming a blogger for a living and not an InfoSec practitioner. This is still a valid career move, just not a career move within InfoSec.

  11. In response to Chris’ point on blogging. I don’t see it as a career booster however it does give you occasion to think more thoroughly about some of the issues we security professionals have to deal with. There is a different thought process required when you seek to broadcast or publicize your thoughts regarding a certain subject. It is similar to teaching. I teach college level security courses and it keeps me on my toes and my edges sharp. I have to always take a step back and present the bigger, more complete picture in my classes whereas at work, I may be more focused on a specific security concern or project.

  12. […] 6. Blogging is serious business 7. Don’t be afraid of starting a business Read the full article here. Once you’ve homed in on these skills, check out the 10 coolest Information Security Careers. […]

  13. […] 6. Blogging is serious business 7. Don’t be afraid of starting a business Read the full article here. Source: My Information Security […]

  14. Christopher Wren says:

    What does the blog bring to your career?

    You also have to be very careful with information and the content of your blog as it may pigeon hole you and have a knock-on effect to the opportunities that come your way.

    If I look at the style and content of your writing, it appears to be written from the view point of IT Security and not Information Security.

    There is very little that touches risk, compliance, governance, assurance or the wider discipline of Information Security or Information Assurance.

  15. Social comments and analytics for this post…

    This post was mentioned on Twitter by B4BStrategies: 7 things security professionals should know, go to https://www.myinfosecjob.com/2010/01/7-things-every-security-professional-should-know

  16. […] posts: What Could Have Been Done Differently in 2009?; Interview with InfoSec Industry Insider – Part 2; How To Answer Tough Interview […]

  17. Girish says:

    It was a nice read. Generates good vibes to start a new year. Looking forward to the 10 valuable pieces of advice.