In particular, the CISSP certification offered by ISC2 has essentially become table stakes for higher-level positions, while CRISC from ISACA is essential for risk management, he says. In other cases, such as reaching higher than an entry-level job working with firewalls, it would be a good idea to get a vendor certification from Cisco or Juniper.
Meanwhile, in software development, becoming an SSDLC certified practitioner will prove your chops in application security, Bellanger says.
• Know what you're getting into
There is a downside to the security profession, however, in the form of stress and burn-out. "At security conferences in the U.S., a major topic is depression, and it's starting to be talked about in the field," Martin-Vegue says. "If you feel you can't deal with the work stress and burn-out, [pursuing a security career] might not be the best idea."
The reason for this phenomenon, observers say, is the attitude of many companies toward the security function. That is, if a breach occurs, it's assumed that someone in security didn't do their job. In the case of a highly public breach, "it's very disruptive, both for customers and the people who work there," Martin-Vegue says. "People get fired, the stock price takes a hit, you lose public trust. If you're the guy behind the keyboard, assessing security controls for the year leading up to that, it's really serious."
In addition to always being on the hot seat, the security function is often perceived as being separate from the business, Bellanger says. The business doesn't always appreciate the delays caused by placing security controls around an initiative, and yet, if something goes wrong, security is blamed. "It can be a very lonely, siloed position," he says.
This situation is bound to change over the long term, he says, as security becomes a full part of the business development cycle. "When security is fully embedded and in synch with the business, you'll have a lot less stress on the security team," he says. "The business needs to realize it's going to get hacked at some point. Right now, there's a lack of understanding that pushes it to find someone to blame."
Still, Combs says, "a security career requires you to have strong chops in various areas." With continuously changing technology, evolving threats, new regulations and the constant fight for security budget, "you never reach that point where your work is done." In the ISC2 survey, even though more than three-quarters of respondents said they are satisfied with their current position, the industry experienced a staff turnover rate of almost 20% last year, the highest rate of churn (ISC)2 has ever recorded.
• Follow your passion, not the money