There's a shortage of IT professionals; there's an even greater shortage of IT security professionals. Organisations are paying good money to find the right talent to protect their valuable IT assets, and that's motivating IT professionals more broadly to either skill up or move outright into the security space. But just because you have the technical know-how doesn't mean you'll be an effective security professional. So what makes a good IT security professional? Let's find out.
Stephen McCombie is the senior practice manager for RSA Advanced Cyber Defence (ACD) in Asia-Pacific. He has 30 years of security industry experience and is an adjunct lecturer in Cybercrime at Charles Sturt University. At RSA Conference 2016 in Singapore, he spoke about the qualities that an effective IT security professional should possess.
"You have to be interested in security as a profession," he told Lifehacker Australia. "The problem is there's a lot of IT people out there who are fantastic at being IT people and running systems; but that's not security.
"Security is about dealing with actual breaches and problems that are caused, to understand the impact you're having in your security job around that; it's not just an operational job."
Technical skills are important when it comes to an IT security role but you need to have the right mindset as well.
"In the past, we used to have teams of network security guys who would run firewalls and they were just IT people; they weren't really IT security people at all and they just ran a device," McCombie said. "They had no appreciation of the effectiveness of what they were doing. Every security person needs to have that understanding of what they're trying to achieve for their organisations."
McCombie observed that IT professionals approach security incidents by focusing on systems rather than zooming out and thinking about the situation holistically. For example, they need to think about whether a single incident is a symptom of a broader attack that is coming in from multiple entry points.
"That's the more advanced thinking around investigating and understanding what's going on that seems to be lacking," McCombie said.
While he recognised many IT professionals found their way into the industry through their own research and little formal education, McCombie believes there is value in going back to school or doing training courses if they want to work in IT security.
"As much as I can understand a lot of IT people that go into security did their own research, there are a lot of fundamentals that people need to fill in the gaps for," he said. "An IT person might have good technical skills but may not necessarily understand things like investigation techniques and how you scope an incident. That is one of the great challenges we see in organisations. They have good technical people with good security knowledge but they don't necessarily have the methodology to be more effective.
"Ultimately education can't make a security person, but they can make a security person better."
Spandas Lui travelled to Singapore as a guest of RSA.