Breaking into Security

Danielm7 (Member, Posts: 2,297)
OK, I know there have been a lot of requests on how to get into the infosec field without experience, but I have a lot of other experience, just not in a "100% security" position. I'll give some details.

I just finished (as in I haven't even gotten my final call scheduled) my BS in IT:Security at WGU. As most of you are aware, that isn't a 100% security-focused degree but an IT degree with a specialization. With that I got a pile of certs, including the Security+ and CCNA Security.

I have over 10 years in IT, I've done a lot of different things, JOAT for sure, from servers/networks to ecommerce and website work. I want to specialize, I like wearing a lot of hats but I keep ending up in these little companies where I do everything but I'd like to focus more.

All of the information security analyst type positions that I've looked at specify a number of years, usually 3+ in a security specific role. Also, for most of them they specify a CISSP as either a prereq or highly desirable. I'm not talking senior security engineer type roles either. I don't think you have to be everything they ask for, but I feel like a lot of what I know now is book/lab knowledge so it makes me reluctant.

I do have to do a total revamp of my resume and I'd like to take some time to refresh myself on the material for the certs that I do have as I don't work with a lot of that material daily now. Is it worth going for something like the SSCP? Is that around the same level as the Security+? I'd like to do the CISSP in the future but I don't know if it's wise to try to study for that for the next few months and then still be stuck with the "no security specific job experience" issue afterwards.

Any suggestions for other material that I can self study that would be appealing on my resume and make me stand out more than the other people that also don't have "100% security" experience roles? Maybe software packages, labs I can play with, etc. I'm not really looking to get into the pen testing side, but more infrastructure/general systems protection security.

Since someone will likely ask, the reason I keep pointing out the issue of not having been in a totally security-focused role before is that it has been the issue I was having a few months ago when applying and talking to recruiters. I decided to just hold off, finish school, and start the search fresh afterwards.



  • the_Grinch (Member, Posts: 4,165)
    With ten years of IT experience I'm sure you meet the requirements to get the CISSP. I'd say that your chances of getting a security position would be greatly enhanced with that designation. I've often found that my combo of certs, general IT experience, and degree was enough to get an interview for a security position. While I understand a lot of postings say "security specific years of experience" I'm pretty sure you've done a vast amount of security related functions over your time as a JOAT. Thus:

    1. Take and pass CISSP
    2. Apply for the jobs and see what happens
  • YFZblu (Member, Posts: 1,462)
    Where are you located?
  • YFZblu (Member, Posts: 1,462)
    OK, I think at this point you want to determine what type of security you're interested in. You've ruled out penetration testing; are you more of an engineering/tools person? With 10+ years of admin experience I can't imagine it would be very difficult to slip into a Security Tools / Engineering job. Competent people who have had their hands in different types of technologies are specifically valuable to security, because oftentimes security people are tasked with defending all the things.

    I personally don't think the SSCP brings value to you at this point. CISSP, IMO, would be a better decision because it's one of the few things recruiters know about security people, and they often ask for it. So it seems to be HR gold in the sense of getting contacted.
  • Danielm7 (Member, Posts: 2,297)
    Thanks for the input. I'll skip the SSCP idea for now and look more into the CISSP for the future. I'll have to dig more into the engineering/tools side; I'm pretty open right now, as my certs are semi-general for security and I don't have a pure security job now, so I'd love to get my foot in the door somehow. I've even considered looking into compliance and auditing at some point, since I used to deal with a side of that at a past job: not doing the auditing, but handling the audit teams that came in.
  • Cert Poor (Member, Posts: 240)
    I'd like to land a junior InfoSec position, and there are a lot of threads like this here. This thread is really relevant to my goals. I just rarely see Security positions opening. I anecdotally know 2-3 past co-workers who switched over into Security positions, but they're not technical people at all, so there is hope. It's possible because they just knew the right people and internally changed roles. Some of the Security positions are more access control and creating new user accounts, so nothing technical at all, but they get the benefit of a "Security Engineer" job title. Lucky. :) It also doesn't hurt IT hiring chances that these folks are fairly attractive women who are genuinely pretty nice people, just not technical.

    I hope the CCNA and CCNA:Sec will help me get a junior position, but if not, I'll play around in SysAdmin land a little bit longer.

    @Danielm7: I agree with skipping SSCP and fast tracking CISSP. The CISSP doesn't look overly technical so I kinda don't see the point of SSCP even for a beginner, let alone someone with 10+ years of IT experience. Good luck! I think CISSP will be the resume candy that HR departments will eat up.