Information security is arguably one of the hottest IT specialties, and security skills are in demand. The good...
news is that Windows Server administrators are performing more security-centric functions each day, including malware protection, user provisioning, BYOD policies, password policies, patching, backups and so on. So, what does it take to advance your career in IT security? Here are four things to focus on to build a solid security career.
1. Read, read, read. You can learn a lot about security from others who are smarter than you or have new ideas and approaches. Read websites such as SearchSecurity.com; check out books on information security at local bookstores or on Amazon.com. You can also watch security videos on YouTube and follow security thought leaders on Twitter.
2. Set up your own test lab environment. Setting up an inexpensive test lab is a useful way to put your security knowledge into practice without endangering a production environment. It's easy to do using virtual machines and free security tools such as Kali Linux. You can also use limited or trial versions of commercial products such as Nexpose and Acunetix Web Vulnerability Scanner. If you have some budget to procure more tools or even better security tools, you can always tinker with data loss prevention and next-generation firewalls.
3. Attend industry events. Learning from others at a conference or seminar can be invaluable. You often can learn more about security in a one-hour session at the RSA Conference or a TechTarget security dinner than you could in a year's worth of reading and working on your own. Seek out local ISSA, ISACA and related security groups, and attend their meetings when possible.
4. Get certified. I'm not convinced that security certifications such as the CEH, Security+, and CISSP will make you better at securing a Windows environment, but they will help you get over that hiring barrier when you're looking for a new job.
Windows admins should apply security principles to everything. Think like the bad guys about how something can be broken or hacked. Consider the cultural and political aspects of ways to better implement and manage security in your environment. Once you get to a point where you're comfortable, look for the next step.
There are a ton of options -- beyond typical security administration -- for exercising your newfound security knowledge, including:
- Security architecture
- Software development and quality assurance
- Penetration testing and security assessments
- IT auditing and compliance
- Incident response and forensics
- Security leadership
The important thing is to take the time to discover what it is that you're truly interested in, and work to improve your job and technical skills. You might have to dabble in a few different areas at work -- as an intern, after hours in a home lab or by consulting with clients. There's a serious shortage of good information security talent -- and landing a job in that field likely comes with a pay increase. All that work will pay off.