Recent events have shown that the threat of information security (INFOSEC) breaches is very real and frightening. In a recent CSI/FBI survey, nine out of ten organizations reported a breach within the past year, and many of these reported significant financial losses as a result of these breaches.

IT practitioners need to be aware of the following topics in order to ensure the security of their vital information: Networks and Telecommunications, Cryptography, Access Control, Security Architecture and Models, Applications and Systems Development, Security Management Practices, Operations Security, Disaster Recovery Planning/Incident Response, Risk Management, and Law, Investigations, and Ethics.

If you are seeking to go into the INFOSEC profession, your goal should be to land a job where you are likely to gain experience in one of the following areas:

  • Secure Applications and Systems Development
  • Implementation of Network, Telecommunications, and Internet Security
  • Cryptography and Cryptographic Applications
  • Management or Administration of Security (Operations Security, Network Security)
  • Design and Implementation of Access Control Systems
  • Development of Security Architectures and Policies
  • Implementation of Audit and Monitoring, Performing Audit Analysis
  • Performing Risk Management, Response and Recovery

Such jobs include software or systems engineering, programming, systems analysis, systems administration, or database administration.

Look for a job in which some part of your primary duties is to design or implement security. Once you have gained a few years' experience in one of these fields, then perhaps you are ready to begin looking for a role as a security administrator or INFOSEC analyst.

Note, however, that if you continue to work as, say, a programmer doing security-related work, you are in the INFOSEC field. You do not have to have "security" in your title to be in the INFOSEC profession.

Besides gaining experience in the field, formal education is getting to be an increasingly important component to landing a good INFOSEC job:

  • I would look into one of these graduate programs:
  • For certification in the field (I am a CISSP), look into the following:

    CISSP Certification:

    SANS GIAC certification and training:

Here's a good article on the INFOSEC profession:

Finally, I highly recommend reading this Slashdot interview with Fyodor, the creator of the very useful Nmap scanning tool:
He has a lot of good ideas for how to build up your INFOSEC knowledge.