Looking at moving into Security

Eildor Member Posts: 444
I have just over a year's experience as a Network Support Engineer for a well known vendor. Without going into details, there aren't many opportunities to progress within the company, and I'm not overly interested in taking a managerial position at this stage in my career. Great working environment, pay and benefits; but job satisfaction is lacking. I don't feel as if I'm doing the things that I enjoy/have an interest in, and I'm not being challenged. I have developed an interest in Information Security and feel specialising in this field is more beneficial to my future career aspirations (I would like to do consulting/start my own business at some point). I am considering taking a career break and going back to University to pursue a Masters in Information Security (this would hopefully be at one of the top Universities in the UK), whilst also studying for something like GSEC in my spare time (perhaps GSED too if I can manage it). I believe this would put me in a better position to start transitioning into a position that would provide me with the challenges that I'm looking for, and to work my way towards specialising. As always, would appreciate advice from people who have already been there, done that :))

Comments

  • MeanDrunkR2D2 Member Posts: 899
    Personally, I wouldn't recommend taking a break from your career just to get that masters. If possible, I would see if you would be able to swing getting that degree while you are still working. Main reasons being that you don't need to get student loans and can continue to make money while you pay for school without going into debt. But another major reason is that you would need to explain that gap in employment and the experience that you gain while working and getting that degree can be rather huge. It would be better to have more experience to go with the Master's degree than just focusing 100% on the education without the stable employment that you currently have.
  • docrice Member Posts: 1,706
    Infosec has a lot of specialties, but having a generalist background also helps frame things in the correct context. Although I don't know your background that well, it seems like going back for a Master's might not be the best use of your time if you're already employed and want to get into security.

    The GSEC is a perfect example of a good generalist certification as it covers a lot of ground. It should complement your existing network engineering experience, but if you want to stay in the network side of security, the GCED is probably better skipped and doing something like SANS SEC503, 504, 560, and so on (with the GCIA, GCIH, and GPEN certs). The app, system, and networking domains cross paths in infosec so it's good to have a strong base but you can't specialize in everything.

    One commonality which distinguishes security from "non-security" practices is that you need to have a deeper understanding of the moving parts. The vendor training I've taken doesn't help you realize the critical-eye and scrutinizing mindset that's very important. I'm a big fan of SANS training as well as the Offensive Security offerings. They help you see past the shiny, over-priced commercial appliances which are sugar-coated with so much marketing these days that I'm becoming diabetic just consoling into them.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Eildor Member Posts: 444
    Thank you both for your input! :))

    To provide some background: I'm not as concerned about the monetary loss of pursuing a Masters. I'm living with my parents, have very small outgoings, and have saved up more than enough not to have to get into debt. Experience-wise, staying in my current position isn't going to provide me with much exposure to the security side of things. It's provided me with a strong networking foundation, and I've got to where I am now considered a go-to person amongst other Engineers (even those Engineers that have many more years' experience than myself). There are opportunities to move into a more managerial role, but as I said that's not something I want to do right now. Yes, I could consider jumping ship, but I wouldn't expect to 1. Be able to land into a security role based on my current experience/exposure 2. Get paid as much as I am getting paid now. I think taking time out to pursue my Masters -again, from a top University-, would help bridge that gap and put me in a better position to do something that interests me, and something that I'll find challenging. To me, it makes sense long-term, but I just wanted to see if anyone has gone that route and how it worked out for them. Of course, everyone's situation is different and what's worked for one person isn't necessarily going to work for the other.
  • docrice Member Posts: 1,706
    I feel there's an opportunity cost by taking time off from employment. Most employers hiring security-focused candidates seem to prefer those who have been in the trenches and have also stayed current on new developments. While formal education isn't a bad thing, I get the sense they're not as well-considered without the due experience to back it up. Classes tend to focus on concepts and what ideal environments may be like, but real-world business environments are always much, much messier.

    Quite frankly, a year's experience isn't a whole lot in the IT field (although if that year is just for your current role and you have many more years in other areas, that changes the situation quite a bit). Entry-level security with lower experience requirements might become more commonplace in the future, but for now they're still relatively geared towards those with more heavy experience.
  • Eildor Member Posts: 444
    I have to agree, and experience is definitely my main concern. Having said that, the little experience I have had has taught me that a large number of people in IT have years of experience on paper, but don't really know what they're doing. I've come across many 'Engineers' who can't even analyse packet captures, and for example, determine where exactly DHCP is failing (client side, server side, somewhere in-between?), why their newly installed firewall that is replacing an old firewall (and uses the same IP address) isn't forwarding traffic, why their sites are unable to negotiate a VPN tunnel, why their ICMP requests aren't getting from A to B; and the list goes on. I can't imagine security is any different. I think you can compensate for lack of experience in other ways (degree, certs, having a lab at home, blogging); not that these things are equal to years of solid experience, but to at least show that you have a genuine interest, and are capable and willing to learn. I could be wrong, but I think if you spent a year researching, labbing, learning a scripting language, and getting familiar with common tools penetration testers use, you would be in pretty good shape.
  • MeanDrunkR2D2 Member Posts: 899
    I don't honestly believe and think that labbing, testing, etc in a non-corporate environment would put anyone in pretty good shape. Yes, you are learning but you will have to find an employer who would be willing to take that gamble, unless it's an entry level type of role. And as far as your limited experience goes, it's limited to only the places that you have worked at. Those of us who have been in IT for a decade or longer would agree that there are some who don't have a clue, but that there are many who do know that stuff perfectly. Maybe it's something to do with the UK and the vendor that you are with. Some folks get into a role either by luck, or by impressing their bosses or putting in the time. There are many variables and maybe they haven't had to do much of those things that you've seen in your network position. IT Security usually isn't something that there are many entry level positions and most have to work hard and go through the steps to even sniff a job like that.

    While learning scripting languages and knowing the tools that pen testers use is a good thing, it really doesn't mean much unless it's experience from an actual corporate environment. I don't mean to burst your bubble, but it's not the easiest field for many to break into without putting in the experience in other roles before they get their break. Certifications would go much further than home labbing would on its own.
  • Eildor Member Posts: 444
    Thanks for providing your input. It sounds like I will have to think this through some more, and perhaps re-align my expectations.
  • MeanDrunkR2D2 Member Posts: 899
    You are in a good position now where you are learning the job and networking, which is honestly great and where you need to be to move into IT security in the future. I'd definitely recommend that you look at some certs that would help guide you into that sort of position. Being new to IT will make it more difficult, but you are earning that experience which is what employers would like to see. If you were to quit, and focus on school and home labs, how would you explain that decision to future employers? Will they think that maybe if you don't see yourself moving up fast enough that you'd quit and work on more labs and a PhD? (I know, it's silly, but some employers may see that)

    Take your time before you make any decision at all. It's ultimately your choice and you will make it work how you would like down the road.