Interview: Anatomy of an IT Security Career
Veteran IT security specialist, J. Wolfgang Goerlich, gives advice on breaking into the information security field, in demand skills, emerging industry trends and more.
You've heard that information security is a hot field -- and it is. But how do you break into the IT security industry if you don't have a ton of experience?
Sometimes, the best way to learn is to talk with someone who's been around the block a few times. We asked J. Wolfgang Goerlich, a 19-year IT and cyber security veteran, for some of the insights and lessons he's learned throughout his career. Goerlich, currently an executive with a security firm in the Detroit, MI area, shared with us a bit about his career path, how he got his first "real" job, some industry trends he sees brewing, and what advice he'd give to the next generation of information security professionals.
Here's what he had to say:
ITCareerFinder: Tell us a bit about yourself and your professional background.
Goerlich: My career has straddled the lines of software development, IT operations, and IT security. I started in the field early, right out of high school, building and securing a hospital's computer systems. In college, I started an IT company in order to grow my friends’ technical talents. Later, as the VP of an IT company and then as the technology manager of a financial firm, I built training programs and managed workflow to accelerate the careers of my team.
With an eye towards helping people get involved with IT security, I launched the open source project named SimWitty under the slogan "Develop People, Develop Security." I have co-founded several groups in [my local] area, including MiSec and OWASP Detroit, and I organize workshops and conferences under the BSides Detroit banner. All in all, I am reasonably active in the community and I enjoy seeing people’s careers and talents develop.
How did you get your start in IT and, specifically, in information security?
Like many of my generation, I watched WarGames and Hackers and became interested in the computer hacker scene. I joined discussions on Bulletin Board Systems and began reading everything I could about computer security. Much of what I read focused on gaining root access or sysadmin permissions. In other words: A lot of people were spending a lot of effort to gain full access to systems illicitly.
Around the same time, I was assisting a nurse in standing up a hospital’s first Electronic Medical Records (EMR) system. Shortly after the EMR went live, the nurse left, and the hospital offered me the position of their sole IT and information security person. I had but one question: Could I have root and sysadmin access? The answer was yes. I took the job, and have been building and securing IT ever since.
The lesson I took away from the situation: If you want something, ask for it.
What's your current role and primary job responsibilities?
I am currently the Vice President of Consulting with an IT security and ethical hacking firm named VioPoint. Perhaps my most enjoyable responsibility is recruiting, developing, and retaining talented professionals. Strategically, I analyze the marketplace and our clients to determine what areas we should focus on. Tactically, I am responsible for managing the consulting team, client projects, and ongoing client programs. I also spend a couple days each week as a virtual Chief Information Security Officer (CISO) for our smaller clientele. All in all, the job is challenging and it exposes me to many gifted people in a variety of organizations and industries.
What advice can you offer to young professionals and career-changers looking to begin or advance an IT security career?
The four factors a hiring manager looks at are who you are, who you know, what you know, and what you can do. My advice is to take on activities that grow two or more of these areas at the same time. Find ways to turn class projects into workable open source prototypes that demonstrate what you can do. If you are taking on a certification exam, partner with others in your studies or pair the training with a side project. Attend the local security group meetings like ISSA, ISACA, OWASP, etc., to network with people in the area while learning new skills. You can achieve the same value by volunteering at IT and cyber security conferences, along with getting the opportunity to meet the speakers and experts. Finally, in everything you do, find ways to reinforce and communicate your personality and your values.
The objective is to increase the odds of meeting the people who you can ask for a job. You also increase the odds of them saying yes, as they will be familiar with who you are and what you can do.
What are the toughest parts about the information security profession?
The toughest aspect of IT security, today, is creatively using the resources we do have to secure our systems from numerous threats, both automated and advanced, that aim to steal our intellectual property and disrupt our business. When I started out, I was responsible for two servers and a few dozen desktop computers. Today, the typical IT security professional is responsible for several thousand networked devices, with tens to hundreds of different hardware and software configurations. There is never enough time to learn all the intricacies of the platform, nor enough time to practice all the offensive and defensive techniques. Moreover, due to budget constraints, IT security teams rarely have the capital to purchase the latest and greatest security tools. Turning limited resources and tight deadlines into creative constraints in order to win another day, this is the toughest part.
Within the broad security field, which specific skills and job roles do you predict will be in high demand in the future?
Our devices and platforms are expanding. New growth areas such as mobile, Internet-enabled devices, and so on will be in high demand. People who can secure highly scalable systems like cloud computing and big data will be hotly sought after. Finally, skills that enable professionals to tackle more systems, such as automation and tool development, will grow [as well].
The ability to effectively communicate never goes out of style. Today’s and tomorrow’s information security professional will be interacting with people at all levels of the organization. Moreover, as much of the work will be done by others in IT operations and software development, professionals will need to be able to influence and educate their peers on how to build and develop secure systems. Over the long term, people skills (a.k.a. soft skills) can make or break your IT career.
Bottom-line takeaways: Don't be afraid to ask for what you want, so long as you're polite and professional. Continously grow your professional network via local and online industry groups. Become a lifelong learner. Recognize opportunities in unlikely places. Advance your skills in hot IT domains such as mobile, big data and cloud computing. And learn how to talk to people; IT security pros who can communicate effectively, especially with people outside of the IT organization, will always have an advantage.
You may also like