what are the career opportunities in security?
DESCRIPTION
NYU POLY Women's Cyber Security Conference - What are the career opportunities in security?
TRANSCRIPT
WHAT ARE THE CAREER OPPORTUNITIES IN SECURITY?
And, how do I get there?
WHAT WILL WE TALK ABOUT?
• About me and my career path
• Industry history
• Why enter security
• Job types
• Workforce entry pro-tips
ABOUT ME
Shyama is the Vice President of Information Security for Live Nation Entertainment, the world’s leading producer and promoter of live entertainment and the parent company of Ticketmaster and the House of Blues.
Shyama joined Live Nation in December 2013 as a business security leader, implementing and maturing the Information Security and Compliance program for Ticketmaster. Prior to joining Live Nation, she was the Sr. Director of Software Security Engineering for CBS and NASDAQ, using her penetration testing roots to design and implement holistic security programs.
Shyama Rose is a regular keynote and Information Security industry speaker. She is the author of several Center for Internet Security benchmarks and lectured at New York University’s “Application Security” course.
HOW I GOT INTO SECURITY
Passion
You have to LOVE this field! But, don’t forget to follow the $.
Curiosity
• 1994 – started hacking the interwebs
• 1994 – 1999 – reverse engineering, hacking
• 1999 – 2005 – college, grad school
• 2005 – 2010 – hacking machines, researching
  • That one time I pretended I was a dude
• 2010 – now – hacking people, i.e., management
Drive
Defined my own career
Sought continuing knowledge
Self promotion
MY TITLES
Researcher / Penetration Tester
Security Project Manager
Director, Software Security Engineering
Sr. Director, Software Security Engineering
VP, Information Security
2005 2008 2010 2011 2013
THE INFORMATION SECURITY WORK FORCE
INFORMATION SECURITY HISTORY
This field is NEW(ish)
WHY ENTER INFORMATION SECURITY?
PROS
Entering the world of cyber security has A LOT of benefits! These are just a few...
Tangibles
• Growing and stable profession
• Workforce shortages persist
• High salaries
• Mission critical roles
Intangibles
• A consistent and evolving challenge
• Define your own career
• Geographic leniency
• Be the hit of the party: “I’m a hacker!”
SECURITY SALARIES
The Skinny
Information Security salaries trend toward the high-end of the technology field. This is due to a shortage of qualified professionals paired with high industry demand.
* Averages vary by geographic location
[Chart: Salary by job title, axis from $0 to $160,000. Titles shown: VP, Information Security; Software Security Manager; Information Security Manager; Sr. Information Security Analyst; Information Security Analyst; Sr. Security Administrator; Security Administrator]
WOMEN REPRESENT ONLY 11% OF THE INFORMATION SECURITY PROFESSION. - ISC2
DIFFERENTIATORS
Use your gender as an advantage
Pay no mind to the Twitter/Defcon/Blackhat/Conference noise about women
• You stand out more when you’re successful
• Communication skills
• Broader understanding of the security field
• Security policy formation
• Leadership skills
• Business management skills
Oh yeah, and...
• Technically brilliant
SOUGHT-AFTER SKILLS
Oh, hey, job security!
Hard Skills
• Software/Application Security
• Threat intelligence
• Forensics
• Tool knowledge
• Program management
Soft Skills
• Bridge the gap between business and technology
• Gain knowledge quickly
• Detail oriented problem solvers
• Risk takers
Technical AND managerial
The SWEET SPOT
Risk Taker?
Job SECTORS
IPO’d
Distribution of Security Professionals Across Industries
PROs
• Steady demand for professionals
• Predictable career advancement and compensation
• Can pave your own way, carve out your own profession
• Excellent benefits
CONs
• Can become monotonous and repetitive
• Security is not core to the business
• You can be a cog in the wheel
Healthcare
Insurance
Telecomm
Entertainment & Media
Banking
Information Technology
NOT IPO’d
Who’s who
• Security Products
  • Bluebox
  • Veracode
  • Threatgrid, etc...
• Security Consulting
  • IOActive
  • Leviathan Security Group
  • Gotham Digital Science, etc...
• Technology startups
  • Hello, San Fran
PROs
• Bleeding edge technology
• Lots of travel and experience
• Forefront of security industry
• Going public = $$$
• Security is valued
CONs
• Long hours
• Burnout
• Low compensation (at times)
• Occasionally high risk
• Bottom line driven
GOVERNMENT
Is it a secret?
- Exploitation Analyst
- Offensive Strategist
- Vulnerability Analyst
PROs
• Job Security
• Forefront of cyber security
• Wide range of job types to choose
• Good resume fodder
CONs
• Additional personal scrutiny
• Lower compensation
• Overly process/hierarchy oriented
The JOBS
TITLES
What you’ll find on career sites
• Security Researcher
• System/Network/App Penetration Tester
• Security Architect
• Forensics Analyst/Expert
• CISO/VP, Information Security
• Security Program Manager
• Incident Responder
• Malware Analyst
• Network Security Engineer
• Security Analyst
• Security Operations Analyst
• Intrusion Analyst
• Security Auditor
* Highlighted items are in high-demand
LEADERS AND DOERS
Which one are you?
Generally speaking, security professionals fall into two categories
LEADERS DOERS
• Security Consultant/Researcher
• Executive – SVP/VP
• Security Architect
• Project or Operations Manager
• Analyst
• Auditor/Compliance
• Security Engineer
• Security Systems Administrator
• Network Administrator
• Consultants
Attackers and Defenders
SECURITY RESEARCHER/PEN TESTER
Responsibilities
• Help improve resilience to cyber threats
• Simulate real world attacks
• Proactively test an org’s ability to detect, react, and adapt to attacks
• Provide remediation strategies
• Provide training
Professional skills
• “Blackhat” style hacking techniques
• BA/BS computer science
• Experience conducting penetration tests
• Experience with disassemblers/decompilers/debuggers
• Experience developing custom scripts/tools
• Strong technical writing skills
VP, InfoSec/DEPUTY CISO
Responsibilities
• Security policies, procedures and practices
• Oversee patch management, software security and incident response functions
• Develop security awareness and communications strategies
• Develop and execute strategic plans
• Provide executive briefings
Professional skills
• Be a change agent
• Maintain credibility with senior executives
• Understand, develop and utilize relationships
• Understand broader security
SECURITY ARCHITECT
Responsibilities
• Plan delivery of solutions
• Determine security requirements by evaluating business strategies
• Monitor and ensure compliance
• Provide consistent and repeatable security architecture guidance
• Serve as lead technical expert
• Conduct studies of new technologies and provide security guidance
Professional skills
• Application, infrastructure, data and network security
• Experience leading security architecture efforts
• Expertise in mitigating and addressing threat vectors
• Interpersonal skills
• Translate security concepts into business requirements
SECURITY ANALYST
Responsibilities
• Monitor and advise on security issues
• Coordinate security projects
• Conduct audits and provide remediation plans
• Logfile review and analysis
• Prioritize remediation
Professional skills
• Strong technical skills
• Knowledge of compliance and privacy standards
• Knowledge of information security standards (ISO, HIPAA, PCI)
• Experience working in a team-oriented environment
• Good verbal and communication skills
Workforce entry PROTIPS
GET A FOOT IN THE DOOR
Position yourself for success
• Meet recruiters, not all of them suck. NYC/NJ based:
  • Lee Kushner www.ljkushner.com
  • Alta Associates
• Go where the opportunity is
  • Seattle, SF, NYC, London...
• PUT YOURSELF OUT THERE
  • Research, present, join social media
• Build a network of peers, professionals and contacts
• Meet consultants, they know where the jobs are
• Go to events, conferences, meetups, etc.
  • In NYC: NYSEC, OWASP, FSISAC
  • Conferences: Blackhat, Defcon, bSides, Countermeasure, etc.
• Certifications, do we care about those?
EVALUATING THE JOB
Just because you get an offer, doesn’t mean it is good!
• Does it meet your requirements?
• Do you care about the company’s mission?
• Does the position speak to your strengths?
• What is the quality of life?
• What are the values of your leadership, boss and peers?
• Do you have the same core mission?
LOCKING DOWN THE JOB
You don’t get what you don’t ask for
• Ask for what you are worth
• An interview is two-sided, interview your interviewer
• Set very clear expectations before accepting an offer
• Don’t undersell yourself
  • ...or OVERsell!
• Have confidence that you have the skills, or can get them
AFTER YOU GET THE JOB
Keep working it
• Excel in your current position
• Publicize your accomplishments
  • With peers, industry and network
• Nurture your connections and network
• Keep a pulse on the job market, and keep looking
  • No really!
KILL IT LADIES!