Getting into security on the side.. bad idea?

jamesleecolemanjamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
Alright so this might be a bad idea but...

I would like to break into security some how. I don't have the years of experience (coming up on the one year at work) in IT doing firewalls, servers, networking or anything like that. Would it be wise to do auditing or vulnerability assessments for small companies?

I've earned my 4 year in Network Security two years ago, completed some of my masters at WGU (MSISA) and I'm transferring to back to DU to finish the masters that I had started. I'm working on the SSCP and eJPT certification right now.
Booya!!
WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
*****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****

Comments

  • Danielm7Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    Maybe consider something like a jr. analyst role? Either way you'll need to sell yourself, and being on the hook with clients when you really don't have the experience to back it up isn't a great situation to be in. You'll also then try to get a job at some point by telling them that you did security on the side, which some companies might not really give you some credit for.

    You have a BS in network security and are partially done a MS in security as well. Have you been applying to a lot of places? Have you gotten feedback about what you're missing? There are a lot of things in the security field that you can learn with open source tools and a home lab.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    You have to ask yourself what kind of value-add you're creating. The BS helps, but without sufficient field experience how are you going to provide findings and suggestions that's contextually relevant to your clients? If you don't understand the difficulties of an IT operation from both technical and business perspectives, you'll likely just end up reporting a bunch of findings without a proper understanding of the technologies involved.

    In addition, if your clients challenge your findings, how are you going to defend your findings without understanding the nuances that exist between the interoperabilities between all the layers?
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • philz1982philz1982 Member Posts: 978
    Alright so this might be a bad idea but...

    I would like to break into security some how. I don't have the years of experience (coming up on the one year at work) in IT doing firewalls, servers, networking or anything like that. Would it be wise to do auditing or vulnerability assessments for small companies?

    I've earned my 4 year in Network Security two years ago, completed some of my masters at WGU (MSISA) and I'm transferring to back to DU to finish the masters that I had started. I'm working on the SSCP and eJPT certification right now.

    Heck ya,

    I just did a full IT Risk Audit for an ISD near my house. Great way to go and earn extra money and skills. I've also done a DIARMF Cycle with a Software Company for DoD compliance. Cool thing with Software Audits is you can do them in off hours. PM me if you want details.

    -Phil
  • dark3ddark3d Member Posts: 76 ■■□□□□□□□□
    I may have to get with you as well. That sounds interesting.
    CISSP - January 2015
    WGU B.S. IT - Security (2/1/2015-6/16/2015)
    Working on: MSISA/Radware/Fortinet/Juniper/PAN

  • jamesleecolemanjamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
    Wow, thanks for the responses!!!

    I had no idea what I would be getting myself into. Maybe it'll be best if I could get into more security related things at my job before I start thinking about doing something like this.

    I've been looking jr. sec analyst roles to see what they require.
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
  • CyberscumCyberscum Member Posts: 795 ■■■■■□□□□□
    Would it be wise to do auditing or vulnerability assessments for small companies?
    Sure, but can you do one? My suggestion to you if you are actually interested in performing vul assessments is...

    1. Download a vul assessment tool ex:RETINA, ACAS, BACKTRACK, KALI...
    2. Figure out what you can offer ex:netscans, compliance, patching...
    3. Volunteer your services to local business for free to dev a network
    4. Hone in your skills and either apply for jobs or start your own business

    If I was you I would start with something that has a good GUI and lots of support. It will make your transition a lot easier.

    My recommendation would be N-able from solar winds. It has an amazing GUI and tonz of support. Their scanning engine is RETINA, but they support an easy to use GUI that literally anyone can get used to. It costs about $2 an IP though, but if you are learning and want to start with something easy it is the way to go. It also spits out analytics that are in an easy to read format for business owners.

    Any specific questions let me know.
Sign In or Register to comment.