Careers in Information Security:

Letter to a Student

by M. E. Kabay, PhD, CISSP Associate Professor, Information Assurance

Program Director, Master of Science in Information Assurance Norwich University, Northfield, VT 05663-1035 USA

Dear Student:

Message text written by >I am interested in the security aspect of computers and information. Can you tell me how or what road I might take to get a degree to where I can focus on the security aspect or what would be the closest thing to it?<

Many security experts begin their careers in the military by volunteering or applying for training and positions in SIGINT, INTEL, COINTEL, PSYOPS, and military police. Others take on security responsibilities as part of system and network operations or management. Some security experts come from the administrative side rather than from the technical side.

Taking a computer science degree with a specialization in information security is an excellent way to enter the field. Check the resources at Purdue University's CERIAS Project <> for extensive links to undergraduate and graduate programs with formal security components. Eastern Michigan University, Purdue, George Washington University, and George Mason University, among others, offer undergraduate degrees with specialization in INFOSEC. Even if your preferred college does not, you can usually manage to get permission for an honors thesis in security if you try hard enough and find resources within the college or the community who can help guide and evaluate your work.

In general, a computer science or management information systems degree with as many security courses as were offered plus extensive reading will help you get a job in information security when you graduate. There are so few people interested in the field that we are much in demand.

An advanced degree (e.g., MSc. and PhD) from Dr Spafford's programs at Purdue University offers the possibility of detailed study and original research, much of which you can publish in scholarly journals if you are keen on university teaching and further research. Many postgraduate students are receiving high salary offers as they complete their degrees.

It is not necessary, however, to insist on a computer security degree. One can also enter the field with a strong background in computer science and other disciplines. The obvious choices for training include (but are not limited to) programming, operating systems, data structures, quality assurance, cryptography, data communications, information systems management and all information security courses that are offered by your school or by nearby schools (find out about away terms).

Less obvious choices include

The wider your expertise the more successful you can be in INFOSEC B and indeed, in general.

In addition, you can acquire several types of certification in security and security-related fields. AtomicTangerine strongly encourages security personnel to aim for the CISSP (Certified Information Systems Security Professional) designation; see <> for more information.

Perhaps the most important elements in successful careers in the security field are a commitment to lifelong learning and an interdisciplinary, wide ranging curiosity. Security is an interesting field because it can benefit from so many different disciplines, including not only technical fields but also aspects of the human side of security.

[Original version included a list of readings and articles which has become outdated. See “Information Security Resources for Professional Development” at ]

Best wishes,


M. E. Kabay, PhD, CISSP

Get the free Network Fusion Security e-newsletter at

< >