I've been offered a job outside InfoSec

newjacknewjack Member Posts: 106 ■■■□□□□□□□
So I've been working for 2 years out of college. I started in digital forensics and now work in Security Support for a major software company. I've been trying to break through into the IR and/or the Security Analyst scene and it's been quite hard to say the least. Today I had an extremely successful interview for a Network Admin position, and the pay is a lot better.

Would this hurt my career later if I wanted to move forward to become a security analyst or go back to infosec? I'd be working with VPNs and Firewalls, but I wouldn't be delegated the nice title, IR or Security Analyst. It's making me skeptical on taking the position. I still am waiting on hearing back on a major company that I am currently interviewing for for an IR position (still need to go in for another interview if I passed the technical phone interview)

Comments

  • stryder144stryder144 Member Posts: 1,684 ■■■■■■■■□□
    Since a lot of security jobs that I have seen ask for either extensive networking or sys admin-type experience, I would say you are not hurting yourself. If you are questioned later on, just say you were trying to broaden your understanding of the technologies that you would be expected to secure.
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia

  • yzTyzT Member Posts: 365 ■■■□□□□□□□
    You are discarding a better job just because it doesn't have the title you want? Come on..
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    Take it, firewalls and VPNs are good skills to have. Networking skills are essential. You're not losing, you're gaining more experience and more money. The job after that aim for a pure security role with more money. Plan to knock some serious certs to prepare for it.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • TheFORCETheFORCE Member Posts: 2,297 ■■■■■■■■□□
    newjack wrote: »
    So I've been working for 2 years out of college. I started in digital forensics and now work in Security Support for a major software company. I've been trying to break through into the IR and/or the Security Analyst scene and it's been quite hard to say the least. Today I had an extremely successful interview for a Network Admin position, and the pay is a lot better.

    Would this hurt my career later if I wanted to move forward to become a security analyst or go back to infosec? I'd be working with VPNs and Firewalls, but I wouldn't be delegated the nice title, IR or Security Analyst. It's making me skeptical on taking the position. I still am waiting on hearing back on a major company that I am currently interviewing for for an IR position (still need to go in for another interview if I passed the technical phone interview)

    How can you secure something if you do not understand how it is setup, how it works and how it communicates? Take the job, it will only add value to you as a professional and will broaden your understanding of IT.
  • newjacknewjack Member Posts: 106 ■■■□□□□□□□
    Just my paranoia, I guess. It's a small company and the last thing I want is to move from something that I find comfortable with less pay to something with a lot of pay and the place is a technical mess. In the end that actually sounds really good because I want to leave a big footprint in the next place I go to and show them what I am made of. I am on a see-saw of emotions.

    One thing that did concern me is they don't use Linux and are still on Windows 2003.
  • redworldredworld Member Posts: 35 ■■□□□□□□□□
    You need both systems and networking experience to be an effective and well-rounded security analyst. Go for it. My previous Sr. Systems Engineer titles didn't hamper my ability to interview for more security-focused positions.
  • SaSkillerSaSkiller Member Posts: 337 ■■■□□□□□□□
    I'm going to caveat what the others say.

    As a person who has seen the resumes of people trying to get where you are, I can say there is something that I notice.

    A. Your certs. The highest security cert you have on your profile is S+. That could be why you aren't considered for IR/SA positions. They want validation that you know something. Right now they don't see it. The amount of people who don't have certs showing where they want to go is astounding.

    B. When it comes to understanding of networks and networking, I honestly don't think in-depth configuration engineer experience is required. I sit next to the Network guys, they are pure network guys and honestly there isn't much crossover. You do need to know the basics, you need to understand why their IDS isn't seeing the data on a certain portion on the network, and obviously you need to know TCP/IP, but you don't need 2 years of Net Admin experience.

    C. From what I have seen and heard from recruiters, they have flexibility in getting candidates to companies, but one thing they rarely budge on is time, experience. If you don't have "x" years doing "y" you may be in trouble. I'm an analyst, no one is looking at me for IR, malware analysis, or pentesting because I don't have "x" years of experience doing that. You could be seriously hurting yourself because you don't have any recent time doing security or because you haven't met that base level.

    D. You are going to hurt yourself if you have to move back in pay and work to take an entry level IR/SA position. Especially when they can see that you are trying to get your foot in the door, they will likely try to undercut you on salary when they see you moving back.

    Good luck.
    OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
  • newjacknewjack Member Posts: 106 ■■■□□□□□□□
    So I got the official offer and it pays 20k more in NYC, but the job is not exactly what I want. I am a bit scared because I have been really pushing for a Security role rather than a Sys Admin role. The money is pretty nice for someone who's been out of school for 3 years, but I am a bit taken aback by the role.
  • diggitlediggitle Member Posts: 118 ■■■□□□□□□□
    While in this SysAdmin role apply your security knowledge.
    c colon i net pub dubdubdub root
  • TheFORCETheFORCE Member Posts: 2,297 ■■■■■■■■□□
    newjack wrote: »
    So I got the official offer and it pays 20k more in NYC, but the job is not exactly what I want. I am a bit scared because I have been really pushing for a Security role rather than a Sys Admin role. The money is pretty nice for someone who's been out of school for 3 years, but I am a bit taken aback by the role.

    I believe if you live in Long Island NY and you work in NYC you do not have to pay city taxes, so that 20k is even more than you think. And you can pay for transportation pre-tax and that will help even more. How much is the salary if you don't mind sharing?
  • newjacknewjack Member Posts: 106 ■■■□□□□□□□
    TheFORCE wrote: »
    I believe if you live in Long Island NY and you work in NYC you do not have to pay city taxes, so that 20k is even more than you think. And you can pay for transportation pre-tax and that will help even more. How much is the salary if you don't mind sharing?

    I am going from 55k to 75k. I had a conversation today and told them my concerns and they were really respectful about it and understanding. They said they liked that I am upfront (obviously after today's conversation) and they believe that I can change the infrastructure of the company IT wise.

    Which I feel the same way, but, I have been working very hard to get a role in risk/vuln assessment and analysis and I guess it'd be a disservice to my ego if I took this. I was told to take a couple days to think about it. My goal right now was to get a position, as a security analyst and to really work in a team where I can analyze threats, create policies, network mapping, and create tech docs and bring it to management. Then after that become the management. But the thing that is holding me back from this role is that I kind of will be steering away from my goal.
  • TheFORCETheFORCE Member Posts: 2,297 ■■■■■■■■□□
    newjack wrote: »
    I am going from 55k to 75k. I had a conversation today and told them my concerns and they were really respectful about it and understanding. They said they liked that I am upfront (obviously after today's conversation) and they believe that I can change the infrastructure of the company IT wise.

    Which I feel the same way, but, I have been working very hard to get a role in risk/vuln assessment and analysis and I guess it'd be a disservice to my ego if I took this. I was told to take a couple days to think about it. My goal right now was to get a position, as a security analyst and to really work in a team where I can analyze threats, create policies, network mapping, and create tech docs and bring it to management. Then after that become the management. But the thing that is holding me back from this role is that I kind of will be steering away from my goal.

    You will not be steering away, trust me. One of our infosec guys just joined our group and he transferred from the infrastructure team. Needless to say he already knows many of the topics he needs to address because of the experience that he brings from the infrastructure side. So really you will be adding value to yourself. The bump in pay is also good. On your next job or promotion you will be doing infosec for more than 90k. You can't go to 90k from your current 55k position, so use this as another stepping stone. And you have to remember infosec has different jobs, levels and titles. The guy that is doing the network mapping is not the same guy that is creating the policies or the same guy that is creating the tech documents or the same guy that is doing event management and vulnerability scanning.
  • TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    Having operations experience is never a bad thing...
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    OP you might be on to something here. Maybe you need to wait and go straight to that infosec job that you want. I can see why it's hard to decide.

  • newjacknewjack Member Posts: 106 ■■■□□□□□□□
    UnixGuy wrote: »
    OP you might be on to something here. Maybe you need to wait and go straight to that infosec job that you want. I can see why it's hard to decide.

    I am not sure if this is sarcastic. But thank you. It's a little more than that, I have been putting a lot of efforts into my certs, sand box systems and my current position to kind of move away from the infosec field to not build it up more, but go back to sys admin work and then years later go back to infosec. I don't know. It bothers me a bit.
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    @newjack: Not sarcastic at all. I took the long path and worked in sysadmin/engineering for like 7 yrs and sometimes I feel like I should've started with InfoSec roles way earlier. I see people coming from 1 yr of experience and jumping into InfoSec and learning on the fly. Not sure the years I spent learning about Fiber channels and iSCSI would directly pay off in InfoSec.

    Good luck with whatever you decide to do. Keep certing up!

  • newjacknewjack Member Posts: 106 ■■■□□□□□□□
    UnixGuy wrote: »
    @newjack: Not sarcastic at all. I took the long path and worked in sysadmin/engineering for like 7 yrs and sometimes I feel like I should've started with InfoSec roles way earlier. I see people coming from 1 yr of experience and jumping into InfoSec and learning on the fly. Not sure the years I spent learning about Fiber channels and iSCSI would directly pay off in InfoSec.

    Good luck with whatever you decide to do. Keep certing up!

    Thank you for the words of encouragement.
  • diggitlediggitle Member Posts: 118 ■■■□□□□□□□
    UnixGuy wrote: »
    @newjack: Not sarcastic at all. I took the long path and worked in sysadmin/engineering for like 7 yrs and sometimes I feel like I should've started with InfoSec roles way earlier. I see people coming from 1 yr of experience and jumping into InfoSec and learning on the fly. Not sure the years I spent learning about Fiber channels and iSCSI would directly pay off in InfoSec.

    Good luck with whatever you decide to do. Keep certing up!

    Sounds like you took the path KEATRON recommends for everybody. His soda can methodology that is. I sorta wish I did that because I feel as though I haven't earned it as many MCSEs, RHCSAs, and CCNPs have. I really start to feel bad when sysadmins or engineers ask me how to get into info security. I'm like they have all that experience and certifications "cans" and are asking me "the short cutter" with newbie skills how to get into it. Life is not fair that's for sure. A person spends 15+ years in IT acquiring the "cans" ultimately to be bypassed by a kid with no exp that is straight out of high school or college. This happens a lot in life.

    I blame Cisco, Microsoft, and the rest of society for that. They teach things like if you don't eat your greens you can't have your pudding... i.e. get your A+, Net+, and start at help desk first then move up. I see it recommended in this forum a lot.
  • PupilPupil Member Posts: 168
    diggitle wrote: »
    While in this SysAdmin role apply your security knowledge.

    Some people don't realize how much security work they can do in their current roles. If you're a sys admin or network admin, then apply your security knowledge, secure your systems/network, keep up with the industry and follow security best practices. That'll give you something to put down on your resume and discuss for infosec interviews.
    diggitle wrote: »
    Sounds like you took the path Docrice recommends for everybody. His soda can methodology that is. I sorta wish I did that because I feel as though I haven't earned it as many MCSEs, RHCSAs, and CCNPs have. I really start to feel bad when sysadmins or engineers ask me how to get into info security. I'm like they have all that experience and certifications "cans" and are asking me "the short cutter" with newbie skills how to get into it. Life is not fair that's for sure. A person spends 15+ years in IT acquiring the "cans" ultimately to be bypassed by a kid with no exp that is straight out of high school or college. This happens a lot in life.

    I blame Cisco, Microsoft, and the rest of society for that. They teach things like if you don't eat your greens you can't have your pudding... i.e. get your A+, Net+, and start at help desk first then move up. I see it recommended in this forum a lot.

    I can totally relate to this. Many on this forum and elsewhere proclaim that infosec isn't an entry-level field and that you need minimum X years doing sys/network admin or programming/developer experience before you can even think about it. They argue how can you secure something if you don't understand how it works inside out. But times have changed since they started in IT. Now colleges offer undergrad programs in cyber security and fresh grads are landing level 1 information security analyst roles across the country. They learn what they lack on the job and from company paid trainings.
  • eSenpaieSenpai Member Posts: 65 ■■□□□□□□□□
    Pupil wrote: »
    I can totally relate to this. Many on this forum and elsewhere proclaim that infosec isn't an entry-level field and that you need minimum X years doing sys/network admin or programming/developer experience before you can even think about it. They argue how can you secure something if you don't understand how it works inside out. But times have changed since they started in IT. Now colleges offer undergrad programs in cyber security and fresh grads are landing level 1 information security analyst roles across the country. They learn what they lack on the job and from company paid trainings.

    Any company employing an "information security analyst" with a standard job description also has a team of technology inclined people doing the hands-on work.

    For most companies, there is simply no such thing as "on the job training" so that kind of places this comment into its proper light. You are coming from an experiential place that is the exception and not the rule. For every company that trains their security people, there are about 100 that don't. Totally pulled the 100 number out of the air but look at the number of SMBs compared to large enterprises and you will see that the large enterprises are FAR outnumbered by the mom & pop to medium sized businesses of the world. These places do not have the budgets to train.

    Having interviewed my fair share of these college grads, what my experience says is that I don't put them on the sharp end of the stick so I respectfully disagree with you that most colleges are preparing people enough for true security work. They aren't. You can roll out of the Stanford or UT with a new Master's in security and all I can really put you on is policy work or forensics research but not solo technical assurance or remediation until you have some actual hands-on time with the technology in question. Therefore, I will reiterate what others have said, if you don't have enough technical knowledge about what you are securing then you indeed cannot secure it properly. More so than that, you are a liability to me because your potential adversary will know and pwn you(us) because of that aforementioned lack of knowledge. There is this institutionalized arrogance by both old-timers and newbies within the community that with enough tools and just a little knowledge then assurance can be had and that is simply not the case. The real job of security is not for the faint of heart and it is definitely not for the "it will be OK" optimistic crowd.
    Working On:
    2018 - ITIL(SO, SS, SD, ST, CSI), Linux
    2019 - ITIL MALC, AWS Architect, CCSP, LPI-2, TOGAF
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    @Pupil & @diggitle:

    I think my comment was a bit misleading. I agree if InfoSec is what you want to do then start doing it now. However,...

    My experience isn't really lost - on the contrary, it's really handy. I keep getting job offers left and right for sys admin, pre-sales, sales, architect, and everything in between really. If I lost my entry-level (mind you, the pay isn't entry level) Infosec job, I can get a job tomorrow doing something else.

    Put it this way, I'm in a great position to be doing Security/Systems/Enterprise Architecture in 5 years time than anyone who jumped straight into security.

    Case in point, you're designing a back to back disaster recovery/Business continuity solution... do you know how to design backups for VMware, high end machines with zones and/or LPARs, mainframe, Citrix, etc.? Sure, you can wing it, but if it's a complex environment you sink. You be the paper pusher and 'audit' that backup solution, but will you really understand what's going on with it? Can you troubleshoot slow backup? Can you find ways to breach/hack the business continuity solution?

    Experience is not lost, but I agree that if InfoSec is the *only* thing you want to do, then just do that. IT is broader than one specific field, and you should aim to know as much as you can.

  • ArabianKnightArabianKnight Member Posts: 278 ■■■□□□□□□□
  • diggitlediggitle Member Posts: 118 ■■■□□□□□□□
    Pupil wrote: »
    Some people don't realize how much security work they can do in their current roles. If you're a sys admin or network admin, then apply your security knowledge, secure your systems/network, keep up with the industry and follow security best practices. That'll give you something to put down on your resume and discuss for infosec interviews.



    I can totally relate to this. Many on this forum and elsewhere proclaim that infosec isn't an entry-level field and that you need minimum X years doing sys/network admin or programming/developer experience before you can even think about it. They argue how can you secure something if you don't understand how it works inside out. But times have changed since they started in IT. Now colleges offer undergrad programs in cyber security and fresh grads are landing level 1 information security analyst roles across the country. They learn what they lack on the job and from company paid trainings.


    That's my story. After college --> landed a job for a small company (doing pen-testing/PCI compliance/Vulnerability management) ---> Recently got hired at a Fortune 250 company doing pen tests and vulnerability management. They pay for training and certs.
  • NovaHaxNovaHax Member Posts: 502 ■■■■□□□□□□
    I'm going to be the voice of dissent here and say that I would be hesitant to take it...especially if infosec is where you want to be. Have you tried leveraging your existing security experience for another job in infosec, with comparable pay to the offer you just got?

    All I know is I have heard a lot of people around these parts complaining about how hard it is to break into infosec. And if you take a sysadmin job, you might find yourself facing that barrier all over again.

    Just food for thought...but in the end...do what you think will make you most happy.
  • mackenzaemackenzae Member Posts: 77 ■□□□□□□□□□
    Only you can really answer the question but as others have echoed it wouldn't "hurt" you at all. If it gives you experience in Networking Admin which you don't have then it helps you better understand what you might actually have to "secure" in the future. I'm not saying someone can't be good without a networking background but honestly it makes you all that much better than the next guy who doesn't have the networking background and wants to "secure" the network.
  • successrealmsuccessrealm Member Posts: 104 ■■□□□□□□□□
    I'm going to agree with NovaHax and say stay in infosec.
    Now that doesn't mean you can't get tons of certs in networking, and even coding (Python, et cetera). From what I "hear" in your voice, you wanted to get into infosec, work your way up in infosec, and you are worried if you got out it may be difficult to get back in.

    I say go with what you feel here because I sense you would change positions/fields and end up not being happy.
    These are your words, and they are more powerful than you realize my friend...

    "My goal right now was to get a position, as a security analyst and to really work in a team where I can analyze threats, create policies, network mapping, and create tech docs and bring it to management. Then after that become the management. But the thing that is holding me back from this role is that I kind of will be steering away from my goal."