Education for Information Security Professionals

By Peter H. Gregory

Long-term success in an information security career requires a college education and a lifestyle of continuous learning, which you can obtain through a steady diet of vendor demos, webinars, short courses, and training for certifications. To stay current on breaches, attacks, vulnerabilities, tools, products, laws, and more, you also need to establish a daily habit of reading technology and security-related news and events.

Keeping up with the rapidly changing information security field entails a discipline of ongoing learning and reading.

Maximize your formal education

The single biggest long-term success factor in a networking career is the amount of formal education. Although you could be successful without a degree (Bill Gates of Microsoft is a notable example), advancing into senior positions will be more difficult.

In a competitive job market, candidates with a Bachelor’s degree are usually held in much higher standing than candidates without a degree. Among candidates with degrees, the subject of the degree and the school where it was earned matter, but far less than whether or not a candidate has a degree at all.

Early in your working career, your degree and major are highly important. Five to ten years into your career, your work experience begins to matter more than your area of study. However, even twenty years into your career, the lack of an undergraduate degree may hold you back.

Next to your formal education, a record of continuous learning is important. You need to demonstrate to prospective employers that you have a track record of learning new skills. This tells prospective employers that you’ll be willing to do whatever learning they’ll require of you in your new job. An absence of periodic training might tell a prospective employer that you aren’t interested in learning new things — a kiss of death in almost any technology job or tech company.

Engage in continuous learning

As an information security professional, your work will include daily reading on the latest events, threats, and defensive techniques. You also need to take classes on emerging technologies and skills. To be effective in your security job, you need to read and learn almost continuously.

Most information security professionals hold one of the top three certifications: CISSP, CISM, or CISA. The governing bodies for these certifications require you to complete 120 hours of learning every three years — an average of 40 hours per year. Usually a minimum number of hours is also required each year, so you can’t slack off for a couple of years and then do a big catch-up at the end of your three-year certification cycle. Instead, you need to meet this per-year minimum and watch for opportunities to earn your hours.

You might want to set up a worksheet that includes details for each learning event you attend. Your worksheet should include the following information at a minimum:

  • Date and time

  • Sponsoring organization

  • Name of the event

  • Length in hours

  • Description of completion evidence

Certification governing bodies conduct random audits, so you need evidence of each event, such as a certificate from the sponsor or an invitation confirmation plus a screenshot or two. For an in-person event, an event flyer or handout may have to do. Keep this evidence for at least three years, the length of a full certification cycle.

Most certification bodies provide a means for recording your learning hours online. You’ll want to make sure your local worksheets are in sync with the hours that you report. This may sound like overkill, but you don’t want to rely on your memory for your learning events.

Often there will be a lot of overlap between the learning you need for your job and the learning you need to move into new domains or advance to positions of greater responsibility. This is by design: The day you stop learning is the day you stop being an effective information security professional.