For my first article, I thought it would be appropriate to provide some advice on what it takes to be an Information Assurance Professional. I am doing this for a couple of reasons. First, as a new manager at my job, I find myself frequently mentoring up-and-coming IA professionals or those who want to join our ranks. Second, as the father of a toddler who loves playing with anything electronic (especially if it lights up and makes sounds), I wanted to write an open letter to my son Jack in case he wants to follow in his dad's footsteps and I'm too old to remember it all (it's OK to laugh now).
The first piece of advice I would like to dispense is to remember that you don't know everything and you never will. Sure, you may have a degree or two attached to your name along with a certification (or several). However, we are in a field which is ever-changing and becoming more and more diverse. I almost feel sorry for the recruiters who are trying to figure out what IA is, never mind trying to find a person with the exact skill sets for the position their bosses require. For example, five years ago, I had never heard the term CND (Computer Network Defense) Analyst until I got offered a job as one. Anyway, my point is that you need to adopt an attitude of continuous learning throughout your career. New technologies and threats will always be emerging; adapt to them or face unemployment as an IA professional. In addition, you need to network and seek out fellow IA professionals who specialize in fields other than your own. For example, the computer forensics guy that you met at a seminar might come in handy if you ever need to do an investigation.
The second piece of advice is to maintain your certifications continuously, not at the last minute. I have had friends whom I had to help get their CPEs in the last few weeks before their certifications ran out. Believe me, it is not a pretty picture. In addition, if you have to rush to get CPEs at the last moment, you will probably not get anything out of the courses or learning opportunities that you are taking to get them. That is why I believe that ISC2 has now set a minimum number of CPEs to be earned every year. Besides, it can be your valid reason to convince your boss to send you to Black Hat or DefCon.
It is my contention that in a few years, the CISSP by itself will be a dime a dozen, especially with some government agencies requiring all of their IA employees and contractors to have a certification. My long-range advice would be to obtain further certifications or concentrations such as the ISSMP. That way, potential employers or clients know that you stand out, plus you have more in-depth knowledge and experience in certain fields within the IA realm. However, you should keep in mind that you should only get the certifications that you think you can maintain in the long run. Do not forget that every certification comes with CPEs or similar requirements.
The third piece of advice is that you need to maintain your security clearances if you have them. Often, I have been to job fairs where they issue you a badge based on your clearance level. Sometimes, I have approached a table at a job fair with the wrong-colored badge and they are already waving me off because they are only looking for those with TS/SCI clearances. They don't care if you had the clearance last week. Employers want people they can put on site immediately for their clients. Now, I am going to bring up a related topic that many of you will not like. However, it is necessary. You must remember to conduct yourself appropriately in whatever you do, especially if your activity leaves a paper trail. Remember, the security investigators will try to find out about every marriage, divorce, job, hobby, arrest, etc., which may influence the decisions of the agencies that grant security clearances. So if you have time to make a decision, just keep in mind how it looks on paper or how you are going to have to explain it to your Security Manager.
Finally, learn to have fun and enjoy what you do. Enjoy the journey!