Career Security Specialist

We are now preparing for the second part of the hacker tournament. Anticipating possible questions from journalists and people far from IB, I want to tell you in advance why the output will be far from hackers, and what the career of a security specialist looks like.

Beginner today, roughly speaking, can shift pieces of paper and walk around the perimeter with radio equipment, make plans for Disaster Recovery, and directly deal with fixing holes in the software . There are a lot of specializations. It all depends on the specific organization: its size, the types of information being protected, the technologies used, and so on. It is clear that the most interesting work where real security is necessary, and not fictitious (paper), there is a high level of automation.
')
Let's see where they come from and how such experts come out.

Education

Of course, in order to become an information security specialist, you need to have a technical education. Best of all - a specialty in which there is the word "automation", "security", "programming" or "mathematics". Several years ago, graduates of such universities as MEPI, Moscow Engineering and Technical University, Moscow State University and Moscow Institute of Physics and Technology were highly valued. In recent years, quite a few regional universities have been added with approximately similar training programs.

English is very important, especially technical. The sooner you started teaching him, the better. If you graduated from college, but do not speak English fluently, you should sign up for good courses.

Even in education for different specializations, it is important to “download” cryptography (a very good basic course is on the Curser) and mathematics in general, to understand the hardware used in the company (most often talking about telephony, cameras, etc.), it’s very good to understand the network architecture in theory and know the features of all hardware in practice, have experience in system administration of both MS and * nix, plus at least some server experience with HP and IBM. All this is learned in courses, seminars for students from large companies, they are most often free, for example, CROC regularly conducts training for students in different areas, information is available here . A number of things, like the ability to work with a soldering iron - this is a purely domestic practice. By the way, you will not need a soldering iron, but the understanding of iron at a low level is very even.

Another important part of the work of a safety officer is some kind of sociality. The fact is that security measures almost always somehow slow down the work of a company's processes, and people have to explain why this is necessary. To defend every decision, conduct trainings, prove the correctness of the leadership, and so on. Another aspect is the already mentioned work with social engineering , which simply necessarily requires at least a basic knowledge of psychology.

First job

At the exit from the university, the future security hero is either not needed by anyone (as a whole) or is perceived as an excellent intern for large businesses. The reason is that everything in the work depends on the specific environment and specific threats. That is, you can only learn in practice in the company where growth is expected.

From here three conclusions:

• It’s good to count on a multi-year career in one place.
• The sooner you start to get acquainted with the future company - the better. Optimally - to practice directly in it.
• It is important to generally develop personal qualities such as systems thinking and responsibility - they will be useful in all conditions.

A mentor-mentor is very important - most likely, a senior specialist or manager who will introduce everything to the course, talk about practical features and explain what rakes were before. Without it, you are doomed to re-walking on them.

Further, in general, there are two frequent options: first - you are slowly growing in the same company. The second - you fill a bunch of cones in the first place of work, and already being beaten up, but experienced, cynical and watchful, you start working for a bigger salary in another place.

Lifestyle and prospects

Quite a frequent question from students - "who to download: a sysadmin or bezopasnik"? For experienced people, this comparison causes a smile: this is how to compare warm to soft. At first, earnings are about the same. A safety officer has more chances for a successful management career, but also more responsibility: early gray hair, cardiovascular diseases and other consequences of constant stress are professional risks. The sysadmin, of course, is also worried, but in the event of his failure, the matter is limited to the carwash and recovery from backup.

"Bleed out" bezopasnik gets more, because, again, closer to making decisions (and risks) of the company. In big business, the rules in this area are simple - the more risks you have, the greater the income.

The work of an information security specialist often leaves an imprint on lifestyle. First, the profession is not taken to advertise. A few of your friends, web designers, system administrators, sales managers, or-what-there-may still be much higher in the company's hierarchy — and in fact work in safety. Actually, I know a few people on Habré, who have a completely different position written in their profile than in reality.

Secondly, travel restrictions are sometimes encountered. I will not go into details here, but if it is short, in terms of a career in a number of state-owned companies, it is better to learn English at home, rather than regularly go to other countries to practice. Since experience in specialized state structures and services is highly valued, it is better to think about this in advance.

As a rule, people in uniform or with a similar past dominate the key positions in the IS services in the corporate environment (in companies with a long history). This is your world, your values, the criteria of happiness and truth.

Border specialties

When developing a business (in young structures), very often a security guard grows either from a system administrator, or from someone from the development, for example, a project manager. It's just that at some point it becomes clear that you need a person who will take on a number of responsibilities - and someone gets it easier and simpler. Less often, a security guard is obtained from a financial analyst (or something like that) or a lawyer (by the way, this is one of the few humanitarian professions from which you can go to information security).

A risk management specialist can grow from an established information security specialist (this is already finance), in practice a paranoid who shows where and what needs to be reserved, plus how to recover in which situations. This happens in big business, and in Russia now Disaster Recovery is just beginning to gain popularity. The reverse process is also possible, when you first need to close the risks of the technical infrastructure, and only then this process will turn into ensuring security more broadly.

Keeping fit

Every day, you need to devote about an hour to education: this is the only chance to remain generally prepared for what is happening with technology. It is necessary to constantly read the specifics on the known situations of hacking, to master new systems - and at the same time to think all the time as an attacker outside. It was for such training that the Cyber ​​Readiness Challenge simulator was created: created by Symantec information security specialists with extensive experience, the corporation’s simulated network contains specific details for many large networks.

The difficulty is that to be ready for anything is simply impossible. If 15 years ago it was really possible to know all the features of its technical environment, without exception, now hackers of the attacking group (for example, competitors or, more often, scammers) will by default be more prepared with specific technologies. This means that you either need to have on your staff virtuoso specialists with narrow specializations, or to know them so that in case of problems you can have the opportunity to consult with them quickly or engage them to solve a problem.

Of course, in the form you need to support not only yourself, but also your department, as well as all people in the company in general. Here are two simple principles - audit checks and training alerts.

At last

Of course, a certain collective image is described above, which can be radically different from what is in your company. Everyone has their own needs and their own historical principles, so the approach to security can be very different.

Since there is an acute shortage of people with experience in the field, we regularly conduct various training events. As I have already said, the nearest major is the CRC tournament (the organizers are Symantec and we, KROK). Come to participate if you want to maximize your knowledge.

This tournament will help not only to give knowledge to the participants, but also receive traditional publicity in the media (here are reports from the past, for example). We expect an effect that will be significantly useful for the sphere.