The Expert's View with Hord Tipton

5 Tips for Job Seekers

Ethics, Continuous Learning Top The List.

As we look back on the national month of cybersecurity awareness, it's important for all of us to remember that security education - whether among IT professionals, consumers, or our young people - is an ongoing effort that doesn't end with October. As I said in my previous blog, security education is particularly important for the young, and the onus is on the entire industry to help bring awareness to our schools and other children's groups. The sooner that an individual learns good security, the more successful they can be as they join a professional world that is increasingly reliant on the cyber world.

With this in mind, I turn my attention to the aspiring security pro - those young people who feel they may want to build their careers around data protection and defense. As organizations become more and more reliant on technology to run their day-to-day operations - and as attackers become more proficient and highly motivated to damage or steal valuable data - there is a greater need for highly qualified professionals than the industry has ever seen. In fact, it is projected that this industry will need more than twice as many professionals in the next two years as before, which makes this a wonderful area of opportunity for a young professional looking for a steadfast, recession-proof career field.

Because of my work with (ISC)², I am often asked what tips I can offer for a new professional just entering the field of security. Here are five of the strongest tips I can provide:

  1. Understand the ethics of what you do. In computer security, it can be easy to slide into a hacker mentality - you might be tempted to access data or networks just because you can. However, the cornerstone of being a security professional is to know the boundaries of what is ethical and unethical behavior. For instance, as a security practitioner you must know the difference between criminal hacking and performing a contractual security penetration test for an external client, and realize that if you fail to handle data in the manner that is expected, you can experience serious legal and criminal consequences.
  2. Never stop learning. Once you've finished your formal education and joined the working world, your security training should never stop. Security is a field that changes every day - both the threats and the defenses are constantly shifting. Seek out the means to educate yourself on all aspects of both threats and defenses, not only through formal programs, but also through constant reading, contact with other professionals and hands-on practice. A security professional who isn't always learning will soon become extinct.
  3. Be versatile. The IT security field may seem a narrow one at first glance, but as you dig deeper, you will find that there is a huge amount of opportunity to learn specialized skills and practices. Whether it is learning about application security, network security, or any of a hundred other topic areas, you'll find that there's room to get to know very specific areas of security and even become a specialist yourself. Be open to digging deeply into a specific security area.
  4. Always keep your work in the context of the organization you are supporting. As technology professionals, we're often distracted by the 'cool' technologies and threats that we find interesting at a technical level. But your job as a security professional is to protect the critical data that your organization needs to support its mission and its customers or users. As you are learning the technical aspects of your job, be sure to also spend some time learning about the day-to-day mission of the organization you work in. Whether you're in business, government, or any other pursuit, your priorities as a security professional should match the priorities of the organization you work for.
  5. You learn the most by doing. Security, perhaps even more than most other pursuits, is a "hands-on" profession. What you've learned in a classroom or in a certification program is not useful until you've applied it to real environments and real problems in your own organization. In some cases, you may find that what you've learned in the classroom is only the beginning - you will need to tweak and adapt those concepts to fit your own systems and data protection strategies. Pros need to test their systems, learn to efficiently use off-the-shelf technology and be creative in their development of defenses. The best security professionals are those who take what they've been taught and apply it to real-world systems, then adapt it to fit the threats and risks faced in their own specific environment.

The world of security is changing rapidly. If you're just starting out, you should learn to accept that change, embrace it, and make it work for you and your organization. You have an exciting career ahead of you - and it will only get more exciting as the threats and technologies evolve.

Tipton is the Executive Director for (ISC)², the largest not-for-profit membership body of certified information security professionals worldwide, with over 80,000 members in more than 135 countries.

About the Author

Hord Tipton

Tipton is the executive director for (ISC)², the global leader in educating and certifying information security professionals throughout their careers. Tipton previously served as president and chief executive officer of Ironman Technologies, where his clients included IBM, Perot Systems, EDS, Booz Allen Hamilton, ESRI, and Symantec. Before founding his own business, he served for five years as Chief Information Officer for the U.S. Department of the Interior.
