
Despite the high popularity of the profession and the abundance of openly available information resources and materials, the market suffers from a shortage of qualified personnel, especially those engaged in practical information security.
This article covers the demand for information security specialists and the specific requirements and skills expected of them.
Statistics
According to statistics from one of the HR agencies, information security specialists were offered on average 21% more at the end of 2015 than in January 2015. This indicates that even in a crisis qualified specialists are in demand; moreover, the market feels their shortage.
Indeed, the topic of information security has become more urgent than ever: attacks on the banking sector (SWIFT, correspondent accounts) are growing in damage and frequency, the number of targeted attacks (Advanced Persistent Threat, APT) is increasing, etc.
Even companies that already employ information security specialists need a qualified assessment of the maturity of their protection systems, perimeter security, web applications and other infrastructure elements. The growing number of companies launching bug bounty programs is indicative, with payouts ranging from $100 to $20,000 per vulnerability.
Jobs
Based on data from job-posting websites, the average salary of information security specialists with 1-3 years of experience is 40,000-70,000 rubles. These are entry-level (junior) specialists with little experience, which is clearly visible in the professional requirements and duties (here and below, "average" figures are presented):
Duties:
- Administration of Cisco ASA and Kerio Connect firewalls;
- Administering the anti-virus protection server, monitoring the status of clients, removing viruses, fine-tuning protection;
- Finding vulnerabilities with specialized software and remediating them;
- Monitoring the release of updates for operating systems, software and network equipment;
- Configuration and monitoring of switching equipment;
- Writing scripts to optimize security systems management;
- Access infrastructure management;
- Periodic analysis of logs.
Requirements:
- At least 1 year of experience administering Windows OS;
- Basic knowledge of Linux OS (at least 1 year), confident command-line work;
- Basic knowledge of networking: IP addressing, static routing, the ISO/OSI and TCP models;
- Active Directory administration experience: configuring group policies (GPO), managing user rights;
- Experience configuring Windows-based systems for protection against unauthorized access;
- Experience configuring anti-virus systems;
- Experience in developing complex iptables firewall configurations;
- Ability to configure Apache2, nginx, Auditd, MySQL, PostgreSQL, Rsyslog.
As can be seen from the description, this is more a system administrator with a security focus than a “pure” security engineer. It is hard to single out anything specific in the skills. Companies of any profile look for such candidates, so it is hard to single out one sector.
Specialists with 3-6 years of experience are already at the middle level. More skills and experience are required, but the salary level is much higher. These specialists, as a rule, have a good technical background (system administration, vulnerability research) and know the applications, techniques and methodology well. They can be divided into two directions: attack and defense. Generalists at this level (pentester + information security specialist) practically do not exist (or that is already senior level). The average salary range is 70,000-100,000 rubles.
Information protection specialist:
Duties:
- Setup and management of security subsystems;
- Security incident management;
- Configuration and monitoring of switching equipment;
- Writing scripts to optimize security systems management;
- Access infrastructure management;
- Analysis of log files and event logs;
- Participation in maintenance of the IT infrastructure of the Customer: ensuring information security and protection of personal data;
- Monitoring and control of the functioning of information security equipment;
- Maintenance, administration and ensuring the smooth operation of special means of information protection;
- Changing the settings of secure inter-network communication tools when signs of an attack on computer systems are detected;
- Monitoring anomalous activity of internal users of computer systems;
- Analysis of information security incidents and their solution;
- Conducting audits, preparation of organizational and administrative documentation and reports on information security.
Requirements:
- Higher education (IT, information security);
- Knowledge of the principles of construction and operation of networks and protocols of the TCP / IP stack;
- Knowledge of the ISO / OSI model;
- Understanding of computer and network security principles, web application security;
- Knowledge of how security products work (corporate antivirus, WAF, intrusion detection systems, etc.);
- Administrator-level knowledge of Windows and Linux;
- Automation experience (bash, perl, python);
- Experience in security analysis;
- Professional knowledge of core software used in the employer's infrastructure (from corporate antiviruses to DLP / IDS / IPS / SIEM, etc.).
Pentester:
Duties:
- Testing information media and software products of the company;
- Testing information systems for fault tolerance;
- Instrumental analysis of information systems;
- Identification of current threats according to the OWASP TOP 10 classification, development of compensatory measures;
- Penetration testing;
- Security analysis of source codes of software products.
Requirements:
- Experience in identifying system vulnerabilities;
- Experience with Burp Suite, Hydra;
- Experience with sqlmap, OpenVAS, Metasploit Framework, Fortify, AppScan;
- Experience with Acunetix, w3af, XSpider, MaxPatrol, Nmap;
- Knowledge of the principles of construction and operation of web applications;
- Knowledge of typical threats and vulnerabilities of web applications listed in OWASP Top 10;
- Manual and automated testing skills for web application security;
- Experience in penetration testing;
- Experience in auditing IT and IS systems.
The requirements for such specialists are more specific and focused on a particular area, including the methodologies and the type of software used. E-commerce companies, the financial sector, integrators, large / distributed retail companies, etc. are looking for such specialists.
Specialists with experience from 5-6 years are senior. As a rule, this is a leadership position: head of the security analysis department; head of information security management; analyst; a major salesperson at an information security vendor; a narrowly specialized pentester. The salary level is from 120,000 to 200,000 rubles.
There are very few people in this category, and, as a rule, they are “widely known” in the industry. These are experts who are well versed in the subject area and, as a rule, have expert qualifications in a narrow specialization. Experience speaking at conferences or other public activity is welcome: it means the candidate follows the trends and receives timely evaluation from the professional community.
The requirements here include the following:
- Higher education in information security / IT;
- Availability of certificates;
- Availability of publications and articles in the subject area;
- Public speaking experience;
- Knowledge of basic techniques, classifications and international practices (OSSTMM, OWASP, WASC, NIST SP800-115, etc.);
- Skills to identify IS threats based on information about vulnerabilities (classification of threats, making recommendations on how to eliminate vulnerabilities and minimize business risks);
- Knowledge of the regulatory framework for information protection: laws and other regulatory legal acts of the Russian Federation governing the protection of restricted-access information (not constituting a state secret), the guidelines of the FSTEC and the FSB, including the protection of bank secrecy, automated process control systems and commercial secrets; knowledge of STO BR IBBS, PCI DSS, ISO 27xxx;
- English;
- Leadership, ability to achieve goals, initiative, activity, self-organization skills, responsibility;
- The ability to program in one or more scripting languages;
- Expert knowledge of core software (IBM QRadar, Splunk Enterprise, Imperva DAM, MaxPatrol, Symantec Critical System Protection, Tufin, Gigamon Networks, Cisco ASA, etc.);
- Expert knowledge of highly specialized systems (for example, SCADA / ERP / SS7 / Hardware);
- Experience in developing your own tools / utilities / methods;
- Experience in the development of technical and analytical documentation;
- Experience in conducting statistical studies;
- Experience investigating security incidents, collecting evidence, forensics;
- Experience in large security analysis projects or information security audits.
The requirements above are given in an averaged version for such specialists. The applicant's professional skills are, as a rule, already known, and such people are “hunted” not for a specific task but for a whole stage or level of the company's activity. Specialists of this kind are in demand in the financial sector, IT integrators, information security vendors and large IT companies.
The top of the pyramid (lead): experts with 10 years of experience. This category includes CTO, CISO, system architect, team lead. The salary level is from 200,000. As a rule, these are well-known people in the information security industry, with extensive experience and connections.
Requirements / skills: here employers usually look at completed projects and line of activity. For skills, they may request a complete list from previous positions (which is usually extensive by this stage), or simply state the required result of the work. For these positions, employers no longer look at knowledge but at achievements.
Such specialists are required by large integrators, information security vendors, the largest technology companies, the financial sector, and the public sector.
Summing up
Information security is becoming a priority for market participants. Providing such protection by automated means alone is almost impossible. The demand for information security specialists is growing at the same rate as information technologies themselves are developing.
The problem of education and subsequent employment comes down to the perennial loop “there is no work, because there is no experience, because there is no work ...”, a phrase you can read in circles endlessly. It is generally accepted that a diploma in itself does not give priority. By the time of graduation, most of the knowledge is no longer valued.
The quickest and most successful way out is self-education.