Guardians of The Gate

What you need to know to land a job and keep your skills fresh in the IT security field.

Name: Jonathan Taylor

Title: Enterprise security engineer

Company: Sutter Health, Sacramento, Calif., a nonprofit services organization for 25 affiliate hospitals in Northern California

30-second resume: Taylor has worked in IT since 1994. After graduating from Brigham Young University in Provo, Utah, he joined a value-added reseller. While moonlighting as a Windows NT Server instructor at MTI College of Business and Technology in Sacramento, a fellow teacher told him about an opening at Sutter Health. He joined the company in 1997, first working on a project to roll out a Windows NT platform throughout the company's health care affiliates. Taylor switched to IT security in early 2000.

Skills boost: On-the-job training is the best way to learn, says Taylor. "There's very little training for information security," he says. "And even if there was, it's such a vast field that it would be difficult to get what you need for your particular industry or job."

Still, Taylor has found some courses that help him keep current. His most recent training came from Foundstone Inc., a security services firm in Mission Viejo, Calif. At its Web hacking course, he learned about common Web site vulnerabilities that hackers exploit - vulnerabilities that existed within Sutter Health's public site.

"It was a great big eye-opener," he says.

Other resources that Taylor uses to learn about potential security risks are newsgroups and Web sites devoted to IT security. He says there's a helpful bug list on the Web site of San Mateo, Calif.-based SecurityFocus.

Taylor says the mechanics of his job haven't changed since the events of Sept. 11; what's different is the interest that company executives now have in security. "When we would see patterns of risk before 9/11, people were apt to dismiss it," says Taylor. "Now when we say we have a concern, people's eyes go wide open."

- Johnson is a contributing writer in Seattle.


  • Keeping unauthorized people out of systems is the primary task for a security professional, so become skilled at performing risk assessments and working with firewalls, access controls, authentication software, digital certificates, network management security tools and intrusion-detection systems.
  • Networking fundamentals are a must, so brush up on TCP/IP. Count on employers asking about your experience with Cisco Systems Inc. products. They will also expect you to know how to administer common server operating systems such as Solaris, Windows NT and 2000, and Linux.
  • Bonus tip: If you have been through the firestorm of a disaster recovery effort or have designed and implemented a security system, you'll be in demand.


  • Certifications: The Certified Information Systems Security Professional (CISSP) certification is administered by the Dunedin, Fla.-based arm of the International Information Systems Security Certification Consortium Inc. It runs five-day boot camps to prepare people for the CISSP test.
  • Bonus pay? Not likely; the payback for certification is more often a job rather than a salary boost. Some employers list "certification strongly preferred" in job postings; others require one or more certifications. Without them, your resume could be tossed.


There are security job openings all over, including one for a manager of security and disaster recovery with a five- to seven-year track record, a CISSP certification, and experience with virtual private networks, encryption and intrusion-detection software. Location: Augusta, Ga. Salary: Up to $75,000.

  • A financial services firm seeks a data security administrator with systems administration, firewall, intrusion-detection and programming skills. Location: Dallas. Salary: Up to $70,000.
  • Hot industry: With the federal government beginning well-funded cybersecurity projects, the job market in the government sector is hot, particularly in the Washington area.

SOURCES: Nick Doty, editorial director at Inc. in Minneapolis; Thomas Woods, principal at Magee Resource Group in Shreveport, La.; Julie Larson, vice president of information security, risk assessment, awareness and compliance at Comerica Inc. in Detroit.

Special Report

The Security Action Plan


Copyright © 2002 IDG Communications, Inc.
