Is Cyber Security only a senior role?

vtrader

In my search to find out what is needed to be for a cyber security job I search the job sites. So far all the job listings makes the position of cyber security a experienced position. They all state 5-10 years experience, CISSP, Masters for some, and a bunch of other experiences.
Are there no entry level jobs in cyber security?
Can't I even be the tea boy in a cyber security team?

cyberguypr

I'm going to quote a good explanation Slowhand provided on another thread.

Slowhand wrote: »

"Entry-level security" is kind of an oxymoron within IT. Generally, IT security is considered a second or third-tier world from entry-level anything. Most companies hiring for security consultants, security admins, or anything else regarding security want to see several years worth of experience in non-security-specific jobs, like being a sysadmin or network engineer for a while. It's for this same reason why CompTIA recommends you have at least A+ and Network+ level experience before attempting the Security+ cert, and that (ISC)2 requires some pretty heavy prerequisites for the CISSP cert.

My suggestion, focus on finding some general IT work first, spend a few years doing that, then transition yourself towards specializing in security so you have a little bit more experience and clout to back up any other certs you get. Unfortunately, this is a case of "you can't run before you learn to walk", and there's no getting around the need for prior field experience before you can really be taken seriously as a security specialist.

I see Infosec as being a doctor, a lawyer, a structural engineer, or something similar, you have to spend some serious time preparing towards the ultimate goal, and when you do, you are still going to be a rookie.

There are some situations where you may get lucky an land some sort of apprentice role, but those are extremely rare. Most companies are looking for the most cost effective way to invest in talent, and that usually means people with the right skill set and experience.

I know a guy who own a small security outfit. He gets kids fresh out of college, only hires locally (small-ish town), pays them peanuts, teaches them the wonders of security assessment, penetration testing, forensics, incident response, etc. They learn, do the job a year or two, and then move on. He has a steady pipeline. At the end of the day everyone is happy and get what they want.

Are there zero-experience Infosec positions out there? Of course! Are they scarce? Extremely.

Mitechniq

The concept behind this is, you must have a good fundamental knowledge and experience on what you are trying to secure.

RHEL

It is rare, just like an "entry level" sysadmin role; however, it does exist. My company just hired on two new infosec analysts with extremely limited experience for mid 50's. Pretty great starting salary for a new grad in upstate NY.

Danielm7

As someone who recently went from sysadmin work to a security position I 100% agree with the above posters. My job isn't even a Sr level yet and within the first week I had to sit down with a few CCIEs who went over the whole network at an above CCNA level viewpoint and expected you to follow it all. Then sat with the systems team who went deep into AD, Exchange, DNS, etc, and again, expected you to know it all. You generally don't pick all that sort of stuff up in school without a fair bit of working experience.

the_Grinch

As other's have stated, some entry-level positions do exist, but they're rare. I wouldn't say all security positions are senior level, merely they require a decent amount of skill that would probably be around level two in another position. If I want you to secure my servers then I want to know that you've have the experience dealing with the OS my servers use. Know how to configure them properly and how to test/install patches in the correct manner. Gotta have a firm foundation in a technology before you can secure it.

vtrader

It looks like all those cert trainers trying to sell me courses were playing with the truth when they said "sure you can get a job as a Jr security analyst"?

The best I can do is be initative driven and proactive, write my own material, investigations, case studies, blogs, get involved in events etc. Then sometime in the far future, one day an opportunity may be happen.

I should take my time in studing for certs and focus my on how I could apply it through making case studies. And practice the tech stuff as soon as I learn it.
I'm going to get a course contents of the higher level courses as well and create a checklist that I can work through slowly.

All a lot of work for some maybe in the future.

Cyberscum

Join the AD military, Reserves or guard. You can get in a cyber sec slot in a heartbeat

yeah yeah

There are MANY entry-level cyber jobs out there. I have personally trained a number of people that only had 1-2 years of general experience, and put them on a path to become a skilled cyber professional. Doesn't take much to run some vulnerability scans, approve patches, or doing some basic auditor level C&A.

vtrader

Thanks for you replies. I think I am overthinking things. After reading some of the job requirements feeling overwhelmed. At the same time I am aware that experience trumps certs, but at the same time I do not want to be doing a IT support level job for several years before being able to start a career in security.
As for the military I'm a little too old for the military and have health issues.
Being recently unemployed I going to advantage of the time and get the basic certs done.

LeBroke

I actually got lucky with an entry-level security position. Mostly because a small 5 people company (that I knew about through a friend) needed someone to part-time answer phones and emails (more like, keep a cell on me and answer questions people might have), which was perfect while I was in school.

Pretty quickly ended up doing the more menial security/compliance work (running automated scans, writing/editing reports, going over company policies to bring them in line with ISO 27000 series, etc). Never really had full-time hours except for a few busy months, though have 2 years experience to show on my resume.

Seriously debating if I should pursue security or not, unlike most people here I actually find it boring as hell (I give up easily if I can't get something working, and most hacking is trying to do something 400 times with no knowledge of whether you can even do it).

Cyberscum

LeBroke wrote: »

Seriously debating if I should pursue security or not, unlike most people here I actually find it boring as hell (I give up easily if I can't get something working, and most hacking is trying to do something 400 times with no knowledge of whether you can even do it).

Well it all depends on the job. If you are part of a Red Team, Pen Team, Sec Architect etc... the job is very interesting, all depends on what you like in IT.

I agree compliance work is boring if you are in a boring place, but if you are in constant negotiations with execs and management about compliance it is fun and engaging (for me).

And to say hacking is trying something 400 times with no idea what you can and cannot do could not be further from the truth. In fact, it is prob the complete opposite.

LeBroke

Actually, I like compliance. It's the Red Team/Pentest work that I find boring (yep, I'm weird and in the minority). I'd honestly rather build/fix stuff (i.e. sysadmin work) than try to poke holes in it.

My experience so far is that typical companies (we focused on online gaming compliance) don't much care about security. They just want a pass, or if not a pass, to at least check off their annual security audit box to show they're proactive and couldn't give 2 craps what happens if they get hacked. Hell, I'm pretty sure most of them would just **** the business and start up again under a new name.

It's probably quite different in defence, and the situation might improve now with the Target, Home Depot and Sony hacks, but.. When you audit some company and 3 years straight they've got the same (game-breaking) issues that leave them vulnerable to script kiddies (like me, lol). You know they don't care at all. That said, current trend seems to be less "let's hire auditors everyone" and more "let's build an inhouse team OMG LIEK NOW!!121!!" (I've had a few interview offers over LinkedIn already, though I'm completely unqualified for them).

Cyberscum

LeBroke wrote: »

Actually, I like compliance. It's the Red Team/Pentest work that I find boring (yep, I'm weird and in the minority). I'd honestly rather build/fix stuff (i.e. sysadmin work) than try to poke holes in it.

My experience so far is that typical companies (we focused on online gaming compliance) don't much care about security. They just want a pass, or if not a pass, to at least check off their annual security audit box to show they're proactive and couldn't give 2 craps what happens if they get hacked. Hell, I'm pretty sure most of them would just **** the business and start up again under a new name.

It's probably quite different in defence, and the situation might improve now with the Target, Home Depot and Sony hacks, but.. When you audit some company and 3 years straight they've got the same (game-breaking) issues that leave them vulnerable to script kiddies (like me, lol). You know they don't care at all. That said, current trend seems to be less "let's hire auditors everyone" and more "let's build an inhouse team OMG LIEK NOW!!121!!" (I've had a few interview offers over LinkedIn already, though I'm completely unqualified for them).

Ok, I only do cyber sec for the government so I cannot relate. We try and take it seriously.

veritas_libertas

Cyberscum wrote: »

Well it all depends on the job. If you are part of a Red Team, Pen Team, Sec Architect etc... the job is very interesting, all depends on what you like in IT.

I agree compliance work is boring if you are in a boring place, but if you are in constant negotiations with execs and management about compliance it is fun and engaging (for me).

And to say hacking is trying something 400 times with no idea what you can and cannot do could not be further from the truth. In fact, it is prob the complete opposite.

Yup. A good pen tester follows a well executed process that will find and produce good results. It's not just about breaking down walls and poking holes.

yzT

Is cyber security only a senior role? not anymore in my opinion.

It really depends on what kind of position are you looking at. For example, there are positions like SIEM analyst which can be performed without experience, which doesn't mean without knowledge.

vtrader

Found this job desc for Junior IT security analyst

My client is a rapidly growing niche Software-As-A-Service (SaaS) company. With over 5000 clients worldwide they have doubled in size in the last year alone and will be shortly moving to new offices in the City of London. They need someone with good knowledge of email traffic management, messaging and routing to join their expanding IT Security team as a Junior IT Security Analyst, initially working with their anti-abuse / anti-spam team.

You will analyse email traffic for malicious activity, research, detect and mitigate spam and malware and maintain and improve global anti-spam and anti-malware systems.

Essential: some knowledge of email traffic management and routing including some experience of email security technologies. Good understanding of mail protocols (SMTP, POP3, TCP/IP, DNS, IMAP, SSL / TLS etc.)

Useful: Linux / Unix experience, spam and malware detection and blocking techniques, regular expressions, anti-virus, whitelists and blacklists, Perl, Java,shell scripting, PHP, MySQL, spamassassin, messagelabs, websense, webroot, postini, surf control, blackspider, clearswift, mimesweeper, mailscanner, CISSP, CEH, Maintenance of Real-time Block Lists, Real-time Allow Lists, URI Block Lists, Email traffic analysis and malicious activity detection, Experience working with spam and malware detection and blocking techniques, Experience working at an ESP/ISP or in a SOC environment. Prior experience of working within SaaS environments would be an advantage.

Thats a lot to know/experience. Is this for real or is it HR's ask for everything routine?

Deathmage

vtrader wrote: »

Found this job desc for Junior IT security analyst


That's a lot to know/experience. Is this for real or is it HR's ask for everything routine?

that looks like a brief list, but also looks like a keyword ****.

This is another reason why I think getting certfiied in stages is a must;

Stage 1: CompTIA trifecta
Stage 2: Getting your foot in the door and getting a year or two of experience.
Stage 3: CCNA/MCSA/VCAP - in one real order but just get all 3 of them.
Stage 4: another year or two with those certifications towards experience.
Stage 5: but this time you'll have 2 to 4 years of experience, getting your CASP or CISSP only seem logical.
Stage 6: at this point you can do a security role and also take other security certs like CISM, C|EH, CCNP:S, etc.

Now sure others may have a different approach, but Security is something I'd like to do in the future and practice pen testing and security audits on a regular basis with clients, small stuff really but it build a baseline of experience for the future. I agree with other(s) in that to be a really good security expert you need to be versed in many different flavors of IT.

vtrader

This is why I am trying to get a linux admin job as a entry point to security. I am also playing with begineer PT course from elearnsecurity. A good case scenario is that if I can get a entry level linux admin job in the next two years, then another year or so after I can start focusing on the security. At the moment just playing around with centos at home, creating different types of virtual servers.
But just trying to get an IT job as a entry level support is a challenge in itself right now.
The way things are, it does not matter how much home lab experience I have, it will not make a difference for the HR bots.

anhtran35

I had an opportunity awhile back to get a Cyber Analyst Position = Call Center Tier 1 for BAE. Basically, it was like working in a SOC with limited responsibility. It's the ENTRY way to higher level positions( = certs and experience ).

dou2ble

vtrader wrote: »

Found this job desc for Junior IT security analyst


Thats a lot to know/experience. Is this for real or is it HR's ask for everything routine?

Every security professional should know those "essentials". Studying for the S+ will teach you the basic ports and protocols. The other stuff helps but I'd recommend becoming a sys or network admin first then going security. A previous post someone mentioned talking with Sr Network and computer engineers...you have to be able to talk their lingo when you're in security. The best way to learn that is to do some sys or network admin stuff yourself and become more technical. The CISSP, CISA or CISM are good certs for becoming more familiar with security methodologies, strategies and high overview implementation. But you won't learn how to remediate or mitigate vulnerabilities without being the one who does it or walking with them. It's easy to find the known vulnerabilities because there are so many tools out there. I work with some CCIE's and Microsoft guys that are extremely smart. They worked hard to get where they're at and expect security to do the same. I'm certainly not as technical as them and find myself using google a lot. But having a basic technical foundation makes it a lot easier to research what they're talking about. On the flip side of these guys being smart is that they don't have a security perspective but can sound like they do. They'll talk their way around you and out of requirements, which then creates more work for you and you still have to go back and "annoy" them some more.

dmoore44

yzT wrote: »

...For example, there are positions like SIEM analyst which can be performed without experience...

Uhhh... I'm going to have to say this is a hard no. SIEM done properly involves setting up complex use cases that correlate events across multiple log sources/event generators. In order to properly handle alerts, you need to understand not just the use case for a given SIEM rule, but also the underlying information forwarded to the SIEM by a given log/event source.

To be truly competent requires more than just creating a ticket for every alert, because if that's all you do, you're nothing more than a glorified help desk monkey.

yzT

In my opinion, you misunderstood the position. As an analyst you are not the one to set the SIEM, you are the one that checks if an alarm has triggered and either work on it or escalate it, basically as a helpdesk as you said.

You need to know the sources of course, that's why I said you need knowledge, but you can properly perform such job without past experience working with SIEM.

d4nz1g

Since I was in tech scholl I always aimed towards infoSec. To get to that field, you need some experience with lots of different technologies.
I started with Microsoft servers, then moved to Networking.

I found out that network was the right fit for me, although I deal with security stuff regularly (firewall, IPS, stuff like that) and I don't even consider going after an infoSec position.

I found the love of my life right in the middle of the way.

vtrader

So I recently tweaked my CV to include my interest in getting a job in IT security.
Now I am getting emails from recruiters both agency and direct from companies saying the usual "we saw your profile, thought you would be suitable for this security consultant job...............".
The funny thing is I have no work experience or certs in IT let alone security.
Are these guys just fishing for the sake of generating interest in the applications, or genuine interest?
I have a feeling it is for the former because from reading the job descriptions it's obivous of the mismatch in exp needed/have.
I have replied to them saying i'm interested, lets see if they respond.

Paulieb81

Cyberscum wrote: »

Join the AD military, Reserves or guard. You can get in a cyber sec slot in a heartbeat

I wish I knew someone in air force cyber, I'm an army vet, trying to jump on board with air force but it seams like air force recruiters have no desire to do their job. It's crazy, army recruiters you have to join witness protection to get away from them once they have your name.

Paulieb81

vtrader wrote: »

So I recently tweaked my CV to include my interest in getting a job in IT security.
Now I am getting emails from recruiters both agency and direct from companies saying the usual "we saw your profile, thought you would be suitable for this security consultant job...............".
The funny thing is I have no work experience or certs in IT let alone security.
Are these guys just fishing for the sake of generating interest in the applications, or genuine interest?
I have a feeling it is for the former because from reading the job descriptions it's obivous of the mismatch in exp needed/have.
I have replied to them saying i'm interested, lets see if they respond.

Yup, they have automated searches that pull your resume up. Once you get in contact with them and they actually review your resume, they will tell you that you don't fit the requirements. They get paid to fill spots, so they blast out emails all day long to anyone the searches pick up.