Little help with career path

Disas_main

Hello, I hope that this is the right place to ask my quesiton. I'm 16 years old high school student. Firstly I learn electronics in school(I'm in some kind of proffesional school, I'm not form USA when I end high school my diploma will be like from college + high school). So I want to enter in the security industry would electronics help me to find a job or to learn something easier? Secondly I didn't choose exacly what position I want to take I really love low level stuff I had watched intro x86, intermediate x86 and life of binaries made by OpenSecurity traning and I want to start writing exploit and RE malwares. But I'm not sure what certification I must get to enter this field, what expireince I must have and what degree I should get software engineering or CS? I will be very grateful if somebody with more experince tham me give me some hints.

MacGuffin

Disas_main wrote: »

what degree I should get software engineering or CS?

When I went to college the concept of "software engineering" was forming. The closest I could get to that was computer engineering with some software engineering electives. What I did learn in college was the distinction between computer science and computer engineering. Programs in the engineering college were focused on teaching people how to build things. There were courses on sciences of course, physics, chemistry, calculus, were all required. Also there were requirements on the social sciences, every student had to take something like psychology, history, foreign languages, and so on. The core of the engineering programs were on the engineering process, economics, statistics/probability, and such. In the computer engineering program the required courses included databases, operating systems, electronics, data structures, and of course programming. The new software engineering programs don't deviate much from what I took in computer engineering, the primary difference is that the focus is more on software (obviously) than on the hardware.

Computer science programs are typically out of the liberal arts college, there the focus is more on theory. Being a liberal arts program also means a giving students a wider base of knowledge, students will take more courses outside of their major than in engineering. That means there will likely be requirements for a foreign language, history, and generally more social sciences than what is required of an engineering program.

I've found that many employers do not make a distinction between software engineering and computer science degrees when hiring. What is important to them is that you have a degree in a field related to the job and that the course you took have prepared you for the job they are trying to fill. I've found it is possible for a student majoring in software engineering to take just about the same coursework as a student majoring in computer science. The biggest difference will be in the first and second years of the program. The engineering students will be taking "Introduction to Engineering" while the computer science students will be taking "Speech Writing".

I don't want to rip into computer science too much, I've met some very successful software developers that took computer science in college. I just remember what a recruiter for a big software company told me, they preferred engineering students to computer science students. They were willing to teach interns and employees whatever language they were using, that was easy and didn't take much time. What was harder and took time was teaching people good design practices. Every engineering student had to know how to program, it may have been Fortran or Pascal at that time but they had to know at least one programming language to graduate. Computer science students also knew how to program but unless they sought out courses on engineering they might not have learned good design.

I'd say take engineering if you want a job writing software, it will look better on a resumé and will better prepare you for the work you want. The courses on low level programming and computer security should be available to you as electives regardless of either major, but some of the engineering courses may only be available to engineering students.

Disas_main

Hello MacGuffin thank you for your response. I will stick witn engineering then. Also could you (or anyone else) recommend me some certifications or what should be my first job in the IT industry (my end goal is malware analyst).

JDMurray

If your end goal is Malware Analysis (a la the GIAC GREM certification) then I would suggest your first goal should be learning programming (Intel x86 assembly and C) followed by operating system security and forensics (GIAC CGFA, GCWN, and GCUX) and finally network intrusion analysis (GIAC GCIA). Also, don't pass up any opportunity to learn Malware analysis appliances like Bromium and FireEye along the way too. That will all certainly make you well-rounded and valuable as a Malware Analyst.

Disas_main

JDMurray wrote: »

If your end goal is Malware Analysis (a la the GIAC GREM certification) then I would suggest your first goal should be learning programming (Intel x86 assembly and C) followed by operating system security and forensics (GIAC CGFA, GCWN, and GCUX) and finally network intrusion analysis (GIAC GCIA). Also, don't pass up any opportunity to learn Malware analysis appliances like Bromium and FireEye along the way too. That will all certainly make you well-rounded and valuable as a Malware Analyst.

So basicly I need to know from everything alot + computer engineer degree. Isn't this too much for $100,000 maximum salary?

JDMurray

You need to throw in years and years of experience and proven success at your profession to get a six-figure salary.

Disas_main

JDMurray wrote: »

You need to throw in years and years of experience and proven success at your profession to get a six-figure salary.

I know and I really enjoy solving programming challenges, and setting up my own server. I have a lot of fails with the second one mainly because of the equipment, but I'm really intrested in both so I think that I will be able to work in the IT industry. But those salaries aren't avaliable in my country, actually here no body hire malware analyst.

docrice

Malware and similar threats are all the rage in the infosec industry at the moment so the niche is gaining more acceptance. Assuming demand for this area rises, then remote work is a possibility. This industry changes fast and often though, so by the time your skill set is at a level where you can contribute, the range of problems to solve may be more diverse. You'll need to factor this in when looking at your career.

Ultimately, everything stems from foundations so as long as your basic principles are solid, then you can pivot and adapt to the ever-shifting industry landscape.

JDMurray

Disas_main wrote: »

But those salaries aren't available in my country, actually here no body hire Malware analyst.

Malware analysis is an excellent profession for remote work. Many professional Malware labs have analysts all over the world. Many organizations would prefer to send Malware samples elsewhere rather than have them analyzed on their own networks (if possible).

MacGuffin

Disas_main wrote: »

Hello MacGuffin thank you for your response. I will stick witn engineering then.

Slow down there, don't pick a degree program just because some guy you never met posted something on the internet. Talk to some advisors at the colleges you are thinking of attending, see what they think. Look at the programs and see if the required courses are topics that you think interest you and something you think you can handle.

Disas_main wrote: »

Also could you (or anyone else) recommend me some certifications or what should be my first job in the IT industry (my end goal is malware analyst).

All certifications I've seen expire in three years, if you are going to get into a four year college program there will be plenty of time before you have to worry about getting certifications. I'd think that starting out there really isn't a wrong certification to get, any IT certification will look good to employers and allow you to see what works for you in studying and taking the exams. I'd think that CompTIA and Microsoft certifications would be a good place to start.

As for a first job in IT I'd suggest taking just about anything you can get. I'm thinking that you'd probably want to find some work while you are in school. Something part time while in school and/or something during breaks. The primary goal in the first job is showing future employers that you can show up to work. Get work in computers if you can but flipping burgers and sweeping floors will do fine too. Customer service work of any kind will mean developing skills in gathering important details and dealing with people, skills that will be just as important as your ability to write code.

As others have pointed out in this thread you are going to need to have years of experience before someone will trust you to be a malware analyst. There are so many fields that would be a good place to start that it's difficult to nail down any one where you should put your focus. You will need to see what jobs are out there and who is willing to take a chance on you.

Chance opportunities are funny things. I remember meeting a programmer that had a degree in mechanical engineering. He showed a willingness to take on some code work to help out and people like what he did, so now he's writing code. I've met engineers that had degrees in physics, again they took that on at one point and kept with it. I say this to demonstrate two things. Where you plan to go may not be where you end up, priorities in life change in time. Also, there's a lot of different ways to get to where you want to go. People will recognize skills and want to put them to good use. Find something you like to do and let people see how well you can do it, there is a good chance they will let you do more of it.

Disas_main

Well I can only thank you all (especially thanks to MacGuffin) I decide to take it slower. Now I'm in vacantion from school, so I will pick some open source project and contribute, because I haven't write code from a lot time(maybe 2 mouths). The summer I will work with my ISP(I will help the network administartor). Also as I said I learn electronics and by the end of next year I will work for company so I will have little exp with electronics too. I hope that one day I will have enough skills to work as malware analyst. Wish greate life to everybody.

LionelTeo

Disas_main wrote: »

Hello, I hope that this is the right place to ask my quesiton. I'm 16 years old high school student. Firstly I learn electronics in school(I'm in some kind of proffesional school, I'm not form USA when I end high school my diploma will be like from college + high school). So I want to enter in the security industry would electronics help me to find a job or to learn something easier? Secondly I didn't choose exacly what position I want to take I really love low level stuff I had watched intro x86, intermediate x86 and life of binaries made by OpenSecurity traning and I want to start writing exploit and RE malwares. But I'm not sure what certification I must get to enter this field, what expireince I must have and what degree I should get software engineering or CS? I will be very grateful if somebody with more experince tham me give me some hints.

Hi Disas,

In order to break interest to IT Security, you must express interest to your prospective interviewer, you are right on the path to show passion in writing exploit and RE malwares. To do so, as you had understand, you cannot rely on purely degree or certifications or experience to break into IT Security, you would best require all three. Although from my personal route in life, I did not had a degree until now and had been jumping salaries from 40 to 80% between jobs.

In regards to degree, since your from an electronics path, you may do really want to consider information security management or related degree that could gear into into the right areas. In regards to certifications and career path, the easier way is to gain a foothold in IT Security is either breaking into Security Operation Center, asking for internal transfer, or move from networking to IT Security.

In either of this way, you would need all three, experience, degree and certification.

Moving on to the fastest way, trying to break into Security Operation Center, its a booming industry after with how much Security Operation Center is being setting up by companies over the world. Since its a shift job, the amount of headcount required is generally more as compare to a small security department with 3-4 people.

The best path to probably gaining this foothold, is to undertake a relevant degree program, and while doing so, to pick up on certifications that SOC jobs look for. And GCIA is the most commonly certifications on the list for SOC requirement.

In regards to IT Certification, IT Security is so huge, so you would not want to spend your time to deviate too much from your studies, while hardening or router security are welcome, these skills would not be used eventually when you move on to forensics, so you have to carefully plan your path or else you may actually even deviate your career as well that people would find it hard to consider you into the forensic path in the future.

Now, let me move on to SOC and why SOC had the best path to start as oppose to helpdesk / sysadmin. The first thing would be its actually difficult to fill up a SOC candidate, especially on big SOC headcount requirement they would often have to turn to looking at secondary candidate, that is where you would come in. Lack of experience, but related degree and powerful certification. And I would tell you that on average of 10 resumes, only 3 are applicable to a SOC environment. We even had a guy with lots of windows certification, and windows experience, but we would not take him as it is non-SOC related. So that is how strict the requirement can be despite the lack of headcount.

That is an advantage, because its easy to gear yourself into that requirement, but its a tough path ahead. At minimum level, you should try to pick up CEH; but CEH requires two years of experience, which is probably the most horrible requirement for entry level. Fortunately the two years can waived to a course, but I don't suggest to even spend your pocket money on this, it isn't really worth it since this certificate can be self study, unless money is not a requirement to you.

GCIH, which is the upgraded version of CEH, is obtainable via self study as well, please see my response for list of books here. http://www.techexams.net/forums/sans-institute-giac-certifications/100210-giac-certifications.html
The reason for GCIH is that its a solid foundation for IT Security Knowledge in technical. Overview of all attacks with incident response; although GCIH is a tough, this is actually the minimum level.

GCIA as covered, is the most highly sought after certification for SOC. Packet analysis at hex and binary level is a very rare skill, and thus obtaining this would means that you would guarantee almost a good chance in a SOC environment. With GCIH and GCIA, together with a degree, you would stand out among all candidate. Because you had two additional certification to prove your worth and interest in IT Security. Although without experience, you would be presenting yourself easy as a candidate who is possible to be train up due to your willingness to learn, enabling to easily break into the IT Security Environment.

Moving forward down the career line, you can start taking up GCFA, along with GCIH and GCIA, once again, its the easiest to break into the forensic path, to aim for a SOC integrated into forensic. From there, you can start to slowly to transit from SOC to fully forensics and then into malware researcher.

While all these course seems expensive, luckily though, once you are house in a good company, they are willing to send you for these courses so it ease your burden in self studying or going for courses.

And 100,000 is not the maximum salary for an IT Security Technical path. You can possible hit 150k to 200k for very high end technically specialise roles. You can always move up to lead role or technical manager, eventually, they would find ways to keep you. There even companies like secure ideas where CEO himself is very technical specialise, doing penetration testing and running the business while earning beyond that.

In a nutshell, for your consideration
Related Degree
- GCIH, GCIA, GCFA, then move to GREM in the future
or
- GCIH, GPEN, GWAPT, then move to OSCP, OCSE, GXPN in the future

MacGuffin

Disas_main wrote: »

Well I can only thank you all (especially thanks to MacGuffin) I decide to take it slower. Now I'm in vacantion from school, so I will pick some open source project and contribute, because I haven't write code from a lot time(maybe 2 mouths). The summer I will work with my ISP(I will help the network administartor). Also as I said I learn electronics and by the end of next year I will work for company so I will have little exp with electronics too. I hope that one day I will have enough skills to work as malware analyst. Wish greate life to everybody.

I didn't catch where you are from, perhaps english is not your first language, perhaps your grammar and spelling isn't this bad when not making rushed posts on the internet. If you want to go far in life then I'd suggest working on your spelling. It seems that every job posting I've seen spells out that the applicant "must have good verbal and written skills" or something to that effect. I thought that was a given but perhaps such skills are becoming a rarity.

I'm reminded of an old joke:
Q: "What's worse? Ignorance or apathy?"
A: "I don't know and I don't care."

Poor spelling means either you don't know enough to spell correctly or you don't care enough, neither will look good to employers. I know this is an informal forum here but bad habits in life tend to creep into bad habits in work.

Contributing to open source is a good idea, that's something I should do myself. People will want to see examples of your work. Work at an ISP sounds great, see if you can get some malware countermeasure experience there. I suspect they have all kinds of firewalls, e-mail filters, and so on that you could play with.

I heard a very simple piece of advice on how to get ahead, get to work before your boss and don't leave until your boss does. The first and last thing that your manager should see at work is you working. If you remember anything I gave you then it should be this, be early and stay late.

Disas_main

LionelTeo, your answer was pretty deep, thank you. My plan is to start working at full time job when I get 18 years old.
MacGuffin, I'm from Bulgaria(Balkan Peninsula). Yes, English isn't my first language this summer my perents promise me that they will give me money for english course(my currect level is B2 I want to get C1 and them C2). I know that my English isn't the best, but our schools are so bad that I had to study English from internet, this is the main reason why my grammar is bad, but I know a lot of words so it will be easy to learn it. I can guarantee that I will remember it because the presons who replayed to my thread are the only people who give me some hint for my career path.

LionelTeo

I heard a very simple piece of advice on how to get ahead, get to work before your boss and don't leave until your boss does. The first and last thing that your manager should see at work is you working. If you remember anything I gave you then it should be this, be early and stay late.

This sounds like an old fashion type of company culture. Of course if this is currently within your company culture, then this could be the only approach. There is plenty of great advice out there, one of them is from Hong Kong richest guy regarding about splitting money into 5 parts, but in a summary.

i) Split summary into 5 parts. Monthly Allowance, Future House, Books, Treats and Small Vacation
A few notables
Treats - treat influential people when you are poor, especially the people that will help you in your life. Including your boss, you do not have to have treat every month; but rather, do it according to occasion. Notably festive season, this also help to lighten the stressful environments work.
Books - As cheaper as 50 dollar can upgrade yourself easily. There is so many books on Amazon to buy and read. Regardless of your line, simply read, upgrade yourself, and you can easily impress people you meet along the way, hand in hand with the above point, you should be able to grow and expand your network easily. Soon everyone you are in good terms with before, will be looking out for you, and soon, its possible to get your salary double. (I tripped mine since the start of my career)
Vacation - to save up for a small getway, can be a nearby island or resort that is relatively cheap to relax yourself.

On top of this with Warren Buffer advice, especially on honesty being a gift and don't expect it for cheap people, following these will empowered you to climb through ranks easily.

Remembered to consider giving 1% of your salary out of goodwill to charity organization, there is always people who require assistance more than us.

http://e27.co/li-ka-shing-teaches-buy-car-house-5-years/

NovaHax

Disas_main wrote: »

So basicly I need to know from everything alot + computer engineer degree. Isn't this too much for $100,000 maximum salary?

Who told you that malware analysis and reverse engineering caps off at 100k? Its actually quite common to make over 100k in the security industry.

Disas_main

According to SANS, but as I said those values aren't for my country.

philz1982

Disas_main wrote: »

Hello, I hope that this is the right place to ask my quesiton. I'm 16 years old high school student. Firstly I learn electronics in school(I'm in some kind of proffesional school, I'm not form USA when I end high school my diploma will be like from college + high school). So I want to enter in the security industry would electronics help me to find a job or to learn something easier? Secondly I didn't choose exacly what position I want to take I really love low level stuff I had watched intro x86, intermediate x86 and life of binaries made by OpenSecurity traning and I want to start writing exploit and RE malwares. But I'm not sure what certification I must get to enter this field, what expireince I must have and what degree I should get software engineering or CS? I will be very grateful if somebody with more experince tham me give me some hints.

Have you called some of the companies that do what you want and asked if you can shadow their workers for a day? Some will say no and some will say yes. This will help you decide once you see the job(s) first hand. Plus it will help you build contacts that may be beneficial in the future.

Disas_main

philz1982 wrote: »

Have you called some of the companies that do what you want and asked if you can shadow their workers for a day? Some will say no and some will say yes. This will help you decide once you see the job(s) first hand. Plus it will help you build contacts that may be beneficial in the future.

As I said earlier, in my country this professions (actually all professions in security field) aren't very popular. But I will give a try to some companies.