Defining IT Security Jobs/Careers
happyend98
Member Posts: 29 ■□□□□□□□□□
Good Afternoon All,
I have become "semi-obsessed" with the IT Security field, and that being said, I know that covers a very, very broad range. Let me preface my question by saying I currently have 4 years' experience with a major IT company, first as a Service Desk Analyst and currently working in the Client Access Management area, which has Security realms to it. We are the gatekeepers, per se, and provide access to multiple systems for multiple clients. However, I have been consumed with security from the Threat and Analysis angle. I am currently studying for the Security+ with hopes of moving to the CEH and then CISSP?
First, is that a good route? And second, I would love to have some of the veterans here on the forum break down IT Security related job roles. It can be as general or specific as you would like. I am looking ultimately for specific titles related to Threat Analysis/Monitoring, etc.
~Ken
Comments
-
Danielm7
Member Posts: 2,310 ■■■■■■■■□□
Threat analysis and monitoring could be an information security analyst role; as always, titles depend on the company. As for the certs, there are surely ones that are more useful to you as an analyst. The Security+ is a decent starting point. The CEH and CISSP might look great to HR but may not be the most helpful for your role. I'd look into the GCIA; while I haven't done that myself, I've been told it's very useful for that job role.
-
RoyalRaven
Member Posts: 142 ■■■□□□□□□□
To preface: there is not one right/wrong way to get into security or security roles. You've laid down that is your passion...I'd say that's an important first step. My advice might be generalized, but it's important to understand more than just the certs or job title.
On the paths themselves, it really does have a lot to do with your background/experience to this point. Security is rarely a section of IT you land in from the get-go...it's typically an advanced area of another discipline. What I mean is that usually someone who gets into security full-time has spent many years already mastering one or many IT disciplines. For example:
Database background = application security/transaction analysis
Networking background = network security/firewall/IPS/etc.
Sysadmin background = system security/hardening
Auditing/analyst background = business security/risk management/security configuration review/etc.
Just a few of many examples. What I can say is that security is more fine-tuning of IT systems/processes to get the maximum return for the business while minimizing the risk/areas for error or exposure. It's best to understand the fundamentals in-depth of the subject before you can make recommendations. Usually security is cross-team work, so don't underestimate the business part - you really need to know what's going on for whomever you're supporting.
If you know what other areas of IT you like, see what combinations might work for you. It can be hard to be jack-of-all-trades in security because there is an insane amount of things to learn or manage. Focus on what you like the most and become an expert in that area.
It takes serious time and hands-on to get to where many security folks are. We all started where you did and kept building knowledge from everything we touched. Don't worry about getting certified in everything early...it will come in time, but focus on a specific area or cert at a time.
And for specific information, if you really enjoy the threat and analysis area, you'll want to know the system platforms inside and out (file level, forensics-type level, ACLs, logs, registry, etc... a whole slew of other things) as well as how traffic flow works in networking. Essentially you need to have an intense understanding of areas of each OS that a typical user would never touch or know how it works. You need to know how each platform operates correctly, where there is room for error/problems to occur, and what alternative methods nefarious individuals may use to alter the system in their favor. Back to experience and time working with each platform or type of device!
Oh, never stop learning and questioning...that's a key to successful progression in security.
-
happyend98
Member Posts: 29 ■□□□□□□□□□
DanielM7...Thank you for the reply. I was advised that route Sec+, CEH, CISSP by Keith Barker who does some of the CBT Nuggets training. I thought the CEH would be very beneficial if for nothing else understanding the mind of a hacker etc. And was always led to believe the CISSP was the pinnacle for IT Security Certs? Appreciate very much your input!
-
happyend98
Member Posts: 29 ■□□□□□□□□□
RoyalRaven...Sincerely appreciate the time spent explaining your ideas and thoughts on what I would like to do. I have taken your advice and will use the details to help further research and study those areas you mentioned. I agree that being a jack of all trades is super difficult just from my study materials and the different certs I have looked into...Wow is the info overwhelming. I am first trying to build my Networking background terminology and understanding a little better but not necessarily looking to get certified in that realm. I know the Threat/Cyber Threat road is what I want to do. My issue is age for getting into IT and getting a late start figuring out what it is I wanted to focus on and specialize in, although I have always known that I enjoyed the virus, spyware, malware blah blah side from my early interest in computers and detection and what makes all that work. I just wish I knew how to narrow down that road a little better and quicker. Thank you kindly for all your advice again!
-
Danielm7
Member Posts: 2,310 ■■■■■■■■□□
happyend98 wrote: »
DanielM7...Thank you for the reply. I was advised that route Sec+, CEH, CISSP by Keith Barker who does some of the CBT Nuggets training. I thought the CEH would be very beneficial if for nothing else understanding the mind of a hacker etc. And was always led to believe the CISSP was the pinnacle for IT Security Certs? Appreciate very much your input!
The CISSP is a very general security cert, lots of salespeople/management have it because it really isn't hands on technical at all. Having the general knowledge is helpful but it's frequently described as "a mile wide and an inch deep" so it skims over a million topics. If you want strictly threat analysis I'd look at certs that cover that specifically. If you want real hands on with the CEH type topics check out the OSCP, it would be worlds more difficult than the CEH though as it's 100% hands on vs the CEH which is mostly just memorizing terms, tools, etc.
I like Keith Barker, but keep in mind that CBT Nuggets teaches classes for the certs he recommended, they don't teach the SANS material, Offensive Security material, etc, so they aren't really going to suggest them as a path.
-
the_Grinch
Member Posts: 4,165 ■■■■■■■■■■
Have to agree with Raven, you need a strong foundation in a technology before you can move into security. In regards to the CEH, for what you pay you're half-way to the cost of the OSCP and you'll get more return on your investment. Every day I am seeing more and more postings for people with the OSCP.
My advice is to focus heavily on risk analysis. Being in security for two years now I have seen that business needs will often trump security (a very sad fact). Thus if you can properly perform a risk analysis and show that of the ten things you want, two would truly hurt the bottom line, the business will be more apt to agree with you.
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff
-
renacido
Member Posts: 387 ■■■■□□□□□□
I agree 100% with RoyalRaven: the foundation of any security career is experience in IT, and he was correct in how security is really an advanced specialization of IT technical disciplines (network, systems, database, web, app dev, cloud, mobile, etc) and IT management/business analysis.
Before you get discouraged, this is not to say that you aren't ready to make the transition toward security. Just keep in mind that admin/engineer-level knowledge is critical and it is knowledge I call upon all day every day in my security job. As a security pro expect to be constantly in training to keep your expertise current, and expect to have as much if not more involvement with the rest of IT as well as stakeholders and managers in the business units than any other IT department.
Certs are useful and helpful in both giving you an established body of knowledge and skills as well as a standard of proficiency to aim for and achieve, and of course for helping to qualify you as a candidate for a job. I have the 3 certs you mentioned, Sec+, C|EH, and CISSP (for the latter I'm awaiting my ISC2 endorsement review). That's a pretty good roadmap if you are interested in SOC admin -> security analyst -> Sr analyst -> Security Manager as a career path. You might decide on a different path as you are exposed to different things and opportunities come along. But as was mentioned don't rush into filling your resume with certs just to have them. They aren't nearly as important as experience and your ability to network, interview well, and take advantage of lateral or project-oriented opportunities from your current position. I beat out 26 CISSP holders for my current job, and I was under zero expectation by my employer to get the cert; I just wanted to have it and my boss was nice enough to pay for it. The SANS/GIAC/Offensive Security certs were mentioned, and those have their strengths too. SANS has a good reputation for infosec training, but both the training and the exam fees are very expensive and cost prohibitive for many (myself included). OffSec is highly respected in the pentesting area, but it's a much bigger commitment in time, effort, and potentially money than C|EH, and for many infosec roles the C|EH curriculum is more than sufficient. No dis' to the OSCPs here but how many security breaches last year did Mandiant find were attributable to some zero-day being compromised by a script that wasn't loaded into Metasploit? If companies and governments minimized their exposure to phishing, used multi-factor authentication, properly pentested and remediated known exploitable vulnerabilities, etc., the vast majority of security incidents would have been prevented without any Python custom shell script ninjitsu.
Gotta run...hope this helps. Ask any questions you may have.