Information Security Specialist: what they do and how much they earn

Information security specialist is not the easiest IT profession, but it is an in-demand one. It intimidates with its many terms and peculiar tools, yet in reality it is accessible to people without a technical background. Having studied information security, you will work with state corporations, banks, medium and large businesses, cloud services and startups. Simply put, anywhere there is a chance of being hacked.

This article explains in detail who an information security specialist is, what they do, how much they earn and how to become one. As a bonus, there is a selection of books for exploring the profession.

Who is an Information Security Specialist Now


Usually, an information security specialist means a person who can implement and maintain protection against unauthorized access: set up the network, anticipate errors and potential bugs, deploy and run the tools that monitor connections.

But there are narrower specialties within the field:

  • Pentesters are the so-called "white hat", or "ethical", hackers. They do not break into business resources illegally. Instead, they work for companies and look for vulnerabilities that developers then fix. Some work on a salary, others take part in bug bounty programs, where a business invites people to test its defences and promises a reward for the bugs found.
  • Application security specialists take part in the creation of applications and programs. Simply put, they study the architecture and the finished code and point out where there may be an error or an opening for an attack. A commonplace example is a login form that passes user input straight into an SQL query, so that an SQL injection can be sent through it.
  • Network specialists look for potential and known vulnerabilities in hardware and network systems. Simply put, they know how an attacker can get into your computer, whether it runs Windows, Linux or another system, and install the software they need. They can both find a way in and build a system that is hard to get into.

There is another way of dividing specialists:

  • Those who break in, whether into networks or programs. Their specialization is the search for errors and vulnerabilities: ethical hacking.
  • Those who build and maintain a security system. This is the meaning employers usually have in mind when they look for information security specialists.

Such a division is conditional. For example, in a small business developing mobile applications, an information security specialist will handle the entire cycle, from development to deployment. And in a large cloud corporation, you may work only with Kubernetes without touching anything else.

An information security specialist today is someone who implements a security system in a company and protects it from attempts to penetrate from outside.

Because the terminology is unsettled, job titles are somewhat confused: companies look for information security specialists, security administrators, computer network security engineers and so on, meaning the same specialist.

What do information security experts do


The main tasks of an information security specialist are to set up protection and monitoring tools, write scripts to automate processes, and from time to time conduct pentests, feeling like a hacker. They also monitor overall system performance and administer the information security tools.

Here are typical tasks of an information security specialist:

  • Examine the company's existing information security setup and find out where the obvious vulnerabilities are.
  • Look at the overall picture and work out who, in principle, might be interested in hacking the company.
  • Draw up a protection implementation program. Decide what to fix first: for example, configure access protocols, write security scripts, set up a password generation system.
  • Deal with the product: find vulnerabilities in the code and draw up a technical specification for fixing them.
  • Assess the security system by running controlled attacks against network resources.
  • Analyze the monitoring data: find out who was probing the system, in what ways and how often.
  • Add protection for particularly weak nodes.
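The "analyze the monitoring" task above is easiest to understand on real-looking data, so here is an added example (not from the article or any tool it names) of the kind of script a specialist writes: it parses sshd-style authentication log lines, counts failed logins per source address inside a one-minute window, and flags addresses that crossed a threshold, noting whether a successful login followed the burst. The log lines, hostnames and addresses are constructed for the demonstration (the addresses come from documentation ranges); the threshold and window are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style sample log (not real traffic).
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar 10 09:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 51001 ssh2
Mar 10 09:00:04 host sshd[1003]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar 10 09:00:06 host sshd[1004]: Failed password for invalid user test from 203.0.113.5 port 51003 ssh2
Mar 10 09:00:08 host sshd[1005]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar 10 09:00:09 host sshd[1006]: Accepted password for root from 203.0.113.5 port 51005 ssh2
Mar 10 09:05:00 host sshd[1007]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 10 09:30:00 host sshd[1008]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 09:31:00 host sshd[1009]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log_text, year=2024):
    """Turn log lines into (timestamp, ip, user, result) tuples.
    syslog timestamps carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failures inside any `window`.
    Also records which users a success was granted to after the burst,
    since 'many failures, then success' is the pattern of a guessed password."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [ts for ts, _, r in evs if r == "Failed"]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1  # extend the window as far as it reaches
            if j - i + 1 >= threshold:
                burst_end = fails[j]
                alerts[ip] = {
                    "failures": j - i + 1,
                    "users": sorted({u for _, u, r in evs if r == "Failed"}),
                    "success_after": [u for ts, u, r in evs if r == "Accepted" and ts >= burst_end],
                }
                break
    return alerts


def summarize(log_text=SAMPLE_LOG):
    """Convenience entry point: parse and detect in one call."""
    return detect_bruteforce(parse(log_text))


if __name__ == "__main__":
    for ip, info in summarize().items():
        print(f"{ip}: {info['failures']} failures against {info['users']}, "
              f"success afterwards for {info['success_after'] or 'nobody'}")
```

On the sample, 203.0.113.5 is flagged (five failures in seven seconds, then a successful root login) while 198.51.100.7 is not, because its two failures are 25 minutes apart. In a real environment the same logic usually lives as a correlation rule in the SIEM rather than a script, but the script is how you prototype and validate the rule first.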

On top of that, in the field of information security you can work for several years and never run into anything unknown and incomprehensible. Of course, there are no exact statistics, but usually all the vulnerabilities and hacking methods are already known.

Roughly, 80-90% of working time is spent on protection against already known hacking methods. Another 10% is something new that has not yet been written up in manuals and documentation.
Information security is not always a creative profession. Usually, on the contrary, you do not need to invent anything or reinvent the wheel. A specialist takes a ready-made checklist or instruction and implements a security system according to it, tests it, finds bugs, fixes them, and then starts a new iteration.

How to become an information security specialist


The path into the profession of information security specialist is similar to the standard one for IT: first courses or self-study, then an internship and a move into a full-time job.

Judging by the reviews of engineers on professional sites, it takes 9-12 months to get started in the profession, of which half a year is taken up by courses.

Do I need a technical background


Experience in IT and programming is not required: this is a distinct profession at the intersection of system administration, development and consulting. Of course, if you are a novice developer or engineer it will be easier, since you will not have to learn the general principles of how IT processes work. But not by much, because information security has plenty of its own subtleties and technologies in any case.

An ideal training plan in information security is a minimum of theory and a maximum of practice. It is not enough to memorize the list of popular vulnerabilities; you need to try to implement protection against them in a working product and run into the system's limitations.

Do I need English


At the start, a good command of the language is not necessary: it is enough to understand the bare minimum so as not to get lost in program interfaces and to read documentation with Google Translate.

But later the language is worth practising. High-quality literature, magazines, blogs and information security forums are mostly foreign, and good translations into Russian do not appear immediately. To stay constantly up to date, you have to turn to the source.

When choosing information security courses, pay attention to whether technical English classes are included. In such classes you will not spend time on extraneous topics such as vacations, cooking or anything else unrelated to IT. Instead, you get acquainted with the specialized vocabulary used in testing, development and reading documentation.

What you need to know to get started


The problem with many courses that train information security specialists is an emphasis on only one area of the field:

  • A lot of theory. For example, the courses say a great deal about design features and possible vulnerabilities, but there are no practical tasks. This is bad: it is important that you can immediately try to attack or defend.
  • [Two further list items are garbled in the source; only a mention of DevOps in the second survives.]

If you plan to build a career in information security, it is worth looking for courses that teach the full implementation of a security system, plus how to exploit vulnerabilities in pentests. And they must explain how to do all this legally: you need to understand the regulatory framework and the specifics of the legislation.

That is: the laws, network configuration, hacking, and protection against hacking.

Skill stack


Here is a sample list of what you need to know and be able to do to get started:

  • Set up a network stack.
  • Audit a system and analyze where it is vulnerable.
  • Attack network resources using popular methods and configure protection against such attacks.
  • Set up a monitoring system and alerting about problems.
  • Take the human factor into account when building protection.

In addition, an understanding of cryptographic and other protection methods will come in handy. You also need to understand the regulatory legal acts in the field of information security and the areas of responsibility of state bodies (FSTEC, FSB, Ministry of Defense, Central Bank).

Tool stack


Here is what you should try before applying for an internship:

  • Linux: build your own distribution, read about popular vulnerabilities in the system itself and its internal programs.
  • Windows: the ability to configure both user and server solutions is useful. Know how attacks are carried out through updates, spoofed drivers or utilities.
  • DLP: try the popular data leak protection technologies. Simply put, these are programs that can block writing to a USB flash drive or sending certain types of data to social networks or mail. For example, Sophos or McAfee DLP.
  • IDS: intrusion detection systems, which watch network traffic or hosts for signs of an attack and raise alerts.
  • SIEM: systems that collect logs and events from the whole infrastructure in one place, correlate them and surface incidents for analysts. For example, Splunk, IBM QRadar or LogRhythm.
  • Kubernetes: the container orchestration platform; in cloud companies a security specialist may work with it exclusively.

Knowledge of methodologies is also useful. Understand how DevSecOps works: a modern philosophy that lets you build protection into every stage of product development. It will come in handy if you work as an information security specialist in a product development company.

To start a career it is not necessary to know all the technologies at a professional level. It is enough to have a general idea of the system and not get lost in the settings and documentation. Roughly speaking, you need to know how things are done, not yet be able to do all of them yourself.

How much such specialists earn and how much they are in demand


According to "Habr Career", the average earnings of data protection specialists are about 125 thousand rubles. But this is the overall figure across all levels and companies. Some start at 50 thousand rubles, and there are also vacancies for managers with incomes of 300-400 thousand.

Salary growth


Here is a typical picture on job sites:

  • A novice specialist in Moscow earns about 50-60 thousand; this is an intern without work experience.
  • Junior position: there are vacancies at 60-80 thousand.
  • A full-fledged information security specialist with 1-2 years of experience: 100-150 thousand.
  • A specialist with 3-5 years of experience: 150-200 thousand.
  • Head of department: 200 thousand and above.

Demand


Demand for information security specialists is high: on HeadHunter alone, 800-900 such people are usually being sought. If you add other names for the profession, for example security administrators or computer security engineers, you get about 2,000 vacancies.

Mostly these are offers from 150 thousand in Moscow or St. Petersburg. In the regions, a specialist with 1-2 years of experience can count on 50-120 thousand.

Remote work is offered only to highly qualified specialists; for example, there are such vacancies with incomes of 250-350 thousand rubles. Mostly a security engineer works in an office.


(Image: example of a remote vacancy)

What to read on the topic


Here is a selection of literature that will help you better understand the field of information security. But it is worth reading it in parallel with courses: theory alone will not get you to intern level.


Where to study as an information security specialist


You can get structured knowledge in the "Information Security Specialist" course at Netology.

You will learn:

  • build a process for identifying vulnerabilities at all stages of development;
  • determine where to expect threats, how to minimize them and investigate the consequences of attacks;
  • study the necessary legislation so as to act within the law.


The material was prepared by Dmitry Kuzmin.
