Learning Objectives
By the end of this section, you will be able to:
- Describe various career roles and responsibilities in information security
- Determine the certifications and degree programs needed to prepare for a career in information security
- Recognize organizations where information security careers are most viable
At this point, you may be wondering how to find and obtain a job in one of the roles described in the information systems security field. The answer lies not just in building academic credentials, but also in gaining a variety of certifications. Obtaining a certification diversifies and deepens your expertise. These certifications demonstrate specialized knowledge and help individuals pursue career advancement.
The globally recognized Certified Information Systems Security Professional (CISSP) certification is one example. The CISSP and similar certifications enhance your skills and provide a mark of quality on your professional profile, making you a more desirable candidate in a competitive job market.
Information security is a sizable field that presents multiple pathways for career trajectories, each with its own challenges and rewards. From roles like a security analyst and network security engineer to high-level positions such as chief information security officer (CISO), the sector offers a spectrum of career avenues. The primary functions associated with these roles range from securing network perimeters to establishing organizational security strategies. It is essential to understand that certifications provide technical proficiency, but it is the alignment of this knowledge with specific job responsibilities that completes a person’s professional portfolio.
Career Roles and Responsibilities in Information Security
With the rising complexities of information systems, there has been an increase in the number of roles that fall under the umbrella of information security. No longer is it a one-size-fits-all discipline that is solely the responsibility of an IT department. The field has morphed into a diverse landscape, offering an array of opportunities that encompass areas such as IT, business, law, and even psychology. From entry-level roles like security analysts to leadership positions such as CISOs, the profession now offers a variety of pathways for individuals with a range of interests and skills.
Overview of Information Security as a Profession
As you’ve learned, information security is the practice of safeguarding digital assets from unauthorized access, disclosure, alteration, or destruction. The scope of this profession has become both broad and deep, often encompassing multiple domains, including, but not limited to, network security, application security, endpoint security, identity management, cloud security, and even social engineering. In all these domains, the goal is still to protect an organization’s data and systems from internal and external threats, thereby supporting its broader mission and objectives. In the public sector, it may involve safeguarding critical national infrastructure or sensitive governmental data.
Link to Learning
As a cybersecurity professional, it is vitally important to stay up to date with the latest developments in cybersecurity. This field changes often as new technologies are developed and hackers develop new methods of attack. SANS provides a variety of free and paid information security resources such as courses, conferences, and newsletters.
The field of information security straddles several disciplines, and professionals may be able to integrate knowledge and techniques from a variety of sectors. While not an exhaustive list, Table 5.5 identifies some of these disciplines that intersect within the information security field.
| Discipline | Relation to Information Security |
|---|---|
| Information technology | IT forms the backbone of information security. Professionals need to be familiar with various hardware and software systems, network protocols, and security architectures. |
| Business | Understanding the strategic goals and operational nuances of an organization is key to effective security planning. It includes concepts such as business continuity and disaster recovery planning. |
| Law | Legal considerations, such as compliance with regulations like HIPAA in U.S. health care or GDPR in the European Union, are fundamental. Ignorance of legal requirements is not an excuse, and the ramifications of noncompliance can be severe. |
| Psychology | An often-overlooked aspect of information security is understanding human behavior, especially as it relates to social engineering tactics. Security awareness training, for instance, is an important element for creating a secure organization. |
| Ethics | The ethical dimensions of data management and privacy are increasingly gaining prominence, especially as society becomes more conscious of individual rights related to personal data. |
Roles and Careers in Information Security
A career in information security not only requires a good understanding of technology, but it also requires a holistic understanding of a variety of subjects that impact the security of an organization. By acknowledging this interdisciplinary nature, professionals can better position themselves for successful and impactful careers. Roles in cybersecurity fields range from those working in a security operations center to specialized positions such as cryptographers and forensic specialists, as noted in Table 5.6.
| Field | Role |
|---|---|
| Security operations center | The security analyst typically serves as an organization’s first line of defense, monitoring security alerts, analyzing anomalies, and initiating incident response protocols. Their role may also include vulnerability assessment and working with different departments to improve overall security posture. |
| Security governance and risk | Security governance and risk roles represent a merger between the duties of a security auditor and a security engineer. |
| Strategic security management | Typically, an information security manager is responsible for the day-to-day operations related to cybersecurity. This could include overseeing a team of security experts, managing security initiatives, and ensuring compliance with internal and external regulations. |
| Forensics and ethics | Forensic experts specialize in investigating and analyzing past security incidents to understand how they occurred and to recommend ways to prevent future occurrences. They are the detectives of the cyber world, piecing together clues to resolve complex security puzzles. |
Together, these roles create a robust framework for both proactive and reactive security measures, encompassing the creation of secure environments, detailed investigation of breaches, and preemptive identification of potential vulnerabilities. This consolidated specialization serves as an advanced line of defense, often working behind the scenes, that is critically important in bolstering an organization’s overall cybersecurity posture.
Link to Learning
The Information Security Forum is a professional organization that provides links to security research as well as forums, tools, products, services, events, and news regarding information security and risk management.
Certifications and Degree Programs for Careers in Information Security
Continuous professional development is fundamental in information security. As threats become more sophisticated and bad actors continue to refine their craft, ongoing education is necessary. Within this context, certifications and formal education programs serve dual purposes. First, they provide the foundational and advanced knowledge required to confront emerging security challenges effectively. Second, they serve as universally recognized markers of expertise, enhancing career prospects and lending credibility to skills.
The role of certifications in information security is important. A certification such as Certified Ethical Hacker (CEH) signifies proficiency in ethical hacking techniques and tools, and the ability to assess the security of computer systems by looking for vulnerabilities in a lawful and legitimate manner. CompTIA is a professional organization that specializes in certifications in IT. Security+ is an entry-level certification from CompTIA that covers foundational skills and knowledge in network security, compliance, operational security, threats and vulnerabilities, data and host security, access control, and identity management. Other certifications offer structured learning paths and are often prerequisites for specialized roles in the industry (Table 5.7). For example, Certified Information Security Manager (CISM) focuses on management and governance of information security, and Certified Information Systems Security Professional (CISSP) is an advanced certification that focuses on the knowledge and skills required to design, implement, and manage a comprehensive information security program. Certifications act as both a road map for skill acquisition and a validation of those skills, especially valuable for professionals looking to transition into higher-level positions.
| Certification | Related Jobs |
|---|---|
| CompTIA A+ | Systems administrator, help desk technician, computer repair specialist, desktop support technician, IT asset manager, field service technician |
| CompTIA Security+ | Security administrator, security analyst, incident response analyst, cybersecurity analyst |
| Cisco Certified Network Professional | Network engineer, network administrator, cloud network engineer, solutions architect, IT manager |
| EC-Council Certified Ethical Hacker | Cybercrime investigator, ethical hacker, forensic investigator, penetration tester, information security auditor, vulnerability analyst |
| Certified Information Systems Security Professional (CISSP) | Chief information security officer (CISO), incident response manager, cybersecurity engineer, risk manager, security analyst |
Formal education, such as bachelor’s and master’s degrees in cybersecurity or information security, provides a comprehensive overview of the field. These programs often cover a broader curriculum, touching on related disciplines such as business, law, and ethics, preparing students for the interdisciplinary nature of modern information security roles.
Both certifications and formal degree programs are vital in shaping a path to a successful career in information security. They equip professionals with the skills needed to adapt and thrive in a dynamic environment while simultaneously serving as benchmarks of competence for employers.
Empowering Cybersecurity Careers: Value and Impact of Professional Certifications and Related Degrees
Certifications and degrees in information security play an important role in validating a professional’s skills and competencies. While traditional degree programs offer a broad scope of knowledge, certifications are focused on skill sets and methodologies directly applicable to the job. Unlike generic evaluations or internal assessments within an organization, certifications are designed and recognized by industry experts. Obtaining a certification often requires passing rigorous exams and, in some instances, demonstrating hands-on expertise in a controlled environment. As such, certifications act as a third-party endorsement of a professional’s capabilities, lending weight to résumés and professional profiles.
Certifications
CEH certification concentrates on penetration testing and vulnerability assessments, skills immediately deployable in the workplace. Cisco’s Certified Network Professional (CCNP), which focuses on advanced networking practices, is highly sought after by employers looking to increase their talent pool. Selecting the right certifications is a foundational step for a strong and definitive career path in information security. Certifications signal to employers that a candidate possesses a level of technical insight that has been rigorously evaluated and approved by a recognized accrediting body. In an increasingly competitive job market, such validation can distinguish one individual from other professionals in the field, and in many cases, it may be a formal requirement for securing a particular role.
Each certification level, whether entry-level or advanced, typically builds on the last, creating a pathway for continuous skill acquisition and career progression. This is particularly significant in information security. By regularly updating and expanding your certification portfolio, you are not just meeting the requirements of your current role, but also preparing yourself for the more complex challenges that lie ahead in higher-level positions.
For example, suppose you are an IT professional with experience in data analysis, and you are interested in transitioning into a threat intelligence analyst role. In this case, CompTIA Cybersecurity Analyst (CySA+) would be a strategic certification to pursue. The CySA+ specializes in behavioral analytics to identify cybersecurity threats, a skill often required for threat intelligence analysis. For more senior roles, such as information security manager or CISO, the CISSP is considered a gold standard. The CISSP provides a comprehensive overview of information security and may be a requirement for high-level security roles within large organizations.
Aligning certifications with career goals can deliver tangible benefits, enabling individuals to tailor their professional development to meet the expectations of future roles. It is worth investing the time to research and select the certifications that offer the most direct path toward a desired career trajectory in the field of information security.
Degree Programs
Earning certifications in cybersecurity-related fields can help with obtaining employment with many employers. However, degree programs complement the certification stack and demonstrate to potential employers that you can perform tasks both in an academic and in a technical manner. Additionally, many employers seek individuals who possess a degree in higher education for higher level roles in an organization such as chief information officer or CISO. For example, in their analysis of employer hiring behaviors, one study found that several employers favored those who possessed a degree accompanied by certifications over those with certifications alone (Figure 5.16).21
Degrees in cyber-related fields include the following:
- Undergraduate programs: Bachelor in cybersecurity. Many institutions offer a bachelor’s degree in a cybersecurity-related discipline. Several of these programs incorporate general networking, ethical hacking, penetration testing, programming in various languages (such as Python, C#, and C++), and network defense. Additionally, these programs often have specializations or “tracks” that allow students to specialize in a particular area of cybersecurity. According to the U.S. Bureau of Statistics, the number of jobs related to cybersecurity to be added by the year 2033 could be more than 59,000.22 Many of these positions require a minimum of a bachelor’s degree coupled with certifications to be considered for employment.
- Graduate programs: Master in cybersecurity. Those holding this credential are often sought after by enterprise organizations looking to hire senior-level managers to oversee teams in a cybersecurity environment. Those enrolled in these programs acquire industry-recognized skills along with skills in leadership and management. The curriculum in these programs is normally designed to expose learners to practical skills that can be immediately applied upon graduation.
Combining Certifications and Degrees
Combining both certifications and formal education provides the benefits of a formal degree coupled with industry-recognized skill sets. Formal education helps to provide a broad theoretical understanding of the field along with the soft skills sought after by the industry. Moreover, the depth of knowledge gained during the formal education process helps to reinforce the concepts of practical application by supplying a broad understanding of the field.
The act of acquiring both industry-recognized certifications and formal educational qualifications in cybersecurity demonstrates more than mere skill acquisition; it reflects a commitment to mastering the complexities of the field. Each of these educational pathways offers benefits. Certifications such as Security+, CISSP, or CISM are tailored to validate a specific set of skills and are often updated more frequently than traditional academic curricula. They provide practical, firsthand experience and are excellent at helping to build immediate competency in specialized areas. Certifications also offer quicker routes to career advancement by serving as easily recognizable benchmarks for employers.
Organizations for Information Security Careers
A fulfilling career in the cybersecurity domain depends not only on skill and qualifications, but also on the organization one joins. Organizations provide context in which professionals apply their expertise to real-world challenges, influencing both job satisfaction and career path. Therefore, selecting the right workplace becomes an important decision, affecting not just individual career growth, but also the broader mission of enhancing digital trust in society.
Corporate Sector
The corporate sector is the most expansive area for information security professionals, encompassing technology companies, financial institutions, health-care providers, and e-commerce businesses. Each of these subsectors demands specialized knowledge and skill sets, from safeguarding intellectual property to ensuring customer data privacy.
Future Technology
Meta’s AI
After the release of ChatGPT from Open AI, several tech companies rushed to develop their own models to compete. For example, Google developed Bard (now known as Gemini), Tesla is working on their own models under xAI to try to generate a platform that outperforms GPT, and Microsoft implemented Copilot, which is another large language model (LLM) that was deployed in November 2023. Another contender in this field is Meta, who released the second iteration of their open-source LLM called Llama 2 in 2023. Their model is optimized for lower resource usage and can be deployed in a number of environments, ranging from academia to the commercial sector. One other important feature of the Llama 2 model is its ability to be trained and adapted to complete different tasks. Meta has partnered with Microsoft for Llama 2 to provide global access to their AI technology to encourage users to innovate by building on their model, which can in turn benefit businesses around the world.
Government, Public Sector, and Nonprofit Think Tanks
In the government and public sector, certified information security professionals contribute significantly to the safeguarding of national interests and public welfare. Holding certifications not only validates a professional’s skills, but also reinforces the level of trust and credibility in governmental operations. For example, certified professionals can be instrumental in developing secure electoral systems, safeguarding public health records, and ensuring the confidentiality of sensitive diplomatic communications. By doing so, they facilitate an environment of digital trust that is important to maintain the public’s confidence in governmental systems and operations. Professionals in this area are often employed by government agencies such as the Department of Defense or the Department of Justice.
The nonprofit sector and think tanks also help to shape the landscape of information security. These organizations primarily focus on research, advocacy, and public awareness, often working to address the cybersecurity needs of vulnerable populations or to shape public policy. They apply their specialized knowledge to developing solutions or frameworks that advance the cause of digital trust. Certified professionals may be seen as holders of digital trust, advocating for responsible and secure use of technology. Some of these types of entities include:
- Cybersecurity research organizations: Nonprofits such as the Electronic Frontier Foundation (EFF) or the Center for Internet Security (CIS) often conduct groundbreaking research on cyber threats, security technologies, and ethical computing practices. Their work may result in white papers, open-source tools, or policy recommendations.
- Educational institutions: Think tanks and educational nonprofits aim to raise cybersecurity awareness and literacy. They may offer training programs, certifications, or collaborate with academic institutions to promote cybersecurity as an essential part of the curriculum.
Freelance and Consultancy
The freelance and consultancy sector is suitable for those who prefer project-based or contractual work, often serving clients across the same sectors. It offers flexibility but demands a versatile skill set and an entrepreneurial mindset. In any of these sectors, certifications serve as a testament to an individual’s skills and as a basis for advancing digital trust. A certified professional lends credibility to an organization’s cybersecurity posture, thereby facilitating trust.
Link to Learning
There are many opportunities available to those interested in freelancing or performing consulting work in cybersecurity. Some of these resources include online courses, industry forums, and professional networks. Read this article about becoming a cybersecurity consultant from Springboard for some suggestions on getting started.
Importance of Continuous Learning and Adaptability
Cybersecurity is a rapidly changing field with evolving threats and vulnerabilities that demand constant vigilance. Herein lies the importance of continuous learning and adaptability. The ongoing process of acquiring new knowledge and skills, particularly to keep pace with evolving cybersecurity threats and technologies, is called continuous learning. The ability to change or be changed to fit new circumstances is called adaptability, which is a critical trait for cybersecurity professionals facing a dynamic threat landscape. Cyber threats mutate and adapt, and so must professionals in the field.
Technologies such as cloud computing and generative AI bring novel challenges, such as data breaches and AI-powered attacks. These evolving risks highlight the importance of adaptability and continuous learning in cybersecurity. Staying informed and flexible enables professionals to effectively safeguard digital trust across all sectors. Additionally, the ability to pivot and evolve your skill set in response to new types of cybersecurity risks is invaluable. It is this combination of continuous learning and adaptability that enables an information security professional to remain effective.
Link to Learning
As more nations adopt AI, there encounter both benefits and risks. On one hand, AI can be leveraged to read x-rays, and chat with a person in real time, or complete mundane tasks. On the other hand, AI can also be used to ramp up social engineering attacks such as phishing, spam, and other malicious applications that threaten security.
Footnotes
- 21Jim Marquardson and Ahmed Elnoshokaty, "Skills, Certifications, or Degrees: What Companies Demand for Entry-level Cybersecurity Jobs," Information Systems Education Journal 18, no. 1 (2020): 22–28.
- 22Bureau of Labor Statistics, “Information Security Analysts,” Occupational Outlook Handbook, U.S. Department of Labor, last modified August 29, 2024, https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm