How to proceed?

Good evening everyone. I recently transitioned from a career in law enforcement to IT, with the long-term goal being InfoSec (possibly ISM). I have my BS in IT and a Sec+ cert. I was recently hired as an administrator for a distance learning network, which gives me a decent, high-level spread of multiple IT domains (help desk, network, security), so I'm building up my work experience. I also plan on taking ITIL-Foundations within the next couple of weeks, so I'll soon have that under my belt.

I'm undecided with how to proceed from here. I've considered backtracking for my Net+, just to round out my foundational knowledge, but I'm really anxious to jump into more security-oriented training. CEH is appealing because it's one of the few security certs out there that has no "hard" barrier to entry (i.e. years of experience in InfoSec). Should I consider CEH as my next step? Is it a recommended cert for someone with very little hands-on experience with those sorts of tools? IT security jobs are few and far between in my area and I'm stuck here until my wife finishes school (1.5yrs). I want to use this time to make myself a strong candidate for a security job once we're a little more mobile.

Your thoughts and feedback is appreciated!

Find more posts tagged with

Comments

danny069

If you look up IT jobs through indeed.com in your area, what certs are jobs mentioning in their posts? CEH is definitely a well recognized cert to have and is very tool heavy, nmap commands, etc. The CASP is also another great cert, but not as recognized yet. Some study for the SSCP, which is not as recognized by employers either. These are all logical steps to next level certs such as the GSEC, CISSP, GISP, CISM, etc.

renacido

Get your Net+, consider Server+, A+, Linux+. Study a programming language and/or scripting. Good IT Security pros were good IT pros first.

CEH is a good next step after Sec+. You mentioned it doesn't have an experience requirement, but that's only partly true...you need 2 years experience UNLESS you take a CEH course at one of their authorized training centers.

Spend some time familiarizing yourself with the security field and various roles within. There are a lot of different roles and deep areas of specialization within infosec, which is itself an advanced specialization within IT. There are leagues of difference between being a compliance auditor, a pentester, a digital forensic analyst, a security architect, a BCDR analyst, or a security (SOC) analyst.

Another thing to do in the meantime, is set up a good home lab. You can put together a fine hacker lab using recycled/used hardware and free/open-source software on a shoestring budget and tinker to your heart's content. It's an investment that will pay for itself many times over via honing your craft and getting the well-payed jobs that come with it.

Russ5813

Hey guys thanks for the replies.

@danny, there aren't many jobs in my area that require certification. Most want experience. I did some volunteer work + freebies for friends/family, but employers typically favored applicants with work experience. Since getting my current job, I feel like I'm getting the traction I need-- building experience and grinding out some certs. As I wrap up ITIL, I find that I'm having trouble deciding on a path to take.

@renacido, I forgot about that prerequisite. I'm actually in an online tech program at Syracuse that offers a class that I think meets the CEH course requirement. I'll have to double check. I'm thinking you're right though. Net+ is probably the way to go, despite how badly I want to jump into more security training.

TechGuru80

Russ5813 wrote: »

CEH is appealing because it's one of the few security certs out there that has no "hard" barrier to entry (i.e. years of experience in InfoSec). Should I consider CEH as my next step? Is it a recommended cert for someone with very little hands-on experience with those sorts of tools?

CEH requires two years of information security experience unless you take one of the official study options (not self-study), and starts at something like $1,700 as already said.

Personally, I would just get Network+ and then keep progressing. The problem is that if you study for or even get a higher certification than Security+, you will run into knowledge gaps and then have to backtrack. Set that foundation now and then keep moving.

A recommended path might be something like:

Network+ > Consider either CEH or get background in Networking / System Administration technologies and reevaluate.

There are honestly so many options once you have your foundation set that you almost have to take it certification by certification. Paths change...interests change...demand changes...so many factors impact InfoSec, which makes it different than a System/Network Administrator role that basically has very set paths with either Cisco or Microsoft / Linux usually.

MrAgent

If you want to get into security, go the security route. Get the CEH. I wouldn't waste my time on Net+. If you want the knowledge buy a book on it and check out some cybrary courses.

Russ5813

TechGuru80 wrote: »

There are honestly so many options once you have your foundation set that you almost have to take it certification by certification. Paths change...interests change...demand changes...so many factors impact InfoSec, which makes it different than a System/Network Administrator role that basically has very set paths with either Cisco or Microsoft / Linux usually.

You're absolutely right about the number of certs out there. The more certs I discover and learn about, the more difficult it becomes deciding on what to pursue next! Tons of interesting stuff out there and I'm just barely scratching the surface. You make a good point about having to constantly backtrack, though. I'll focus on the Net+ for now, then look into Linux+ later this year, just so I can start working with an OS that isn't Windows.

@MrAgent: Thanks for the response! Based on some of the user's feedback, I think I'll focus my studies on some more foundation concepts, since I'm not really mobile at this point. I can always read about security in my leisure time

MrAgent

Here's how I look at things.
If you want something, you have to go get it. This means that if you want to have a role in security, you need to show that you want it. Net+ in my mind is a step backwards. Keep in mind that to be successful in security (and you'll hear this a lot) you have to have a passion for it. So by going and getting the CEH, or other relevant security certs shows that you are passionate about it.

I 100% agree that you definitely need to know *nix pretty well to be successful in security. I certainly wouldn't be where I am now if I didn't dive head first into Linux, granted that was in 1993. So if anything, you may want to get Linux+ over Net+

Just my .02 cents.

renacido

Net+ is only a step backwards if you already know a good bit about networking.

I don't encourage novice IT guys to dive right into security. You need a base of general systems and networking knowledge and experience in at least one but preferably a few IT environments to be able to identify anamolies and vulnerabilities and to be able to prescribe effective countermeasures that will actually work (and be accepted by IT directors) in real-world IT environments. Yeah you may learn specific skills and techniques that are valuable for security work but you won't have the broader technical knowledge and professional judgement to apply them independently.

Linux/Unix skills are more or less valuable depending on the job, role, sector, etc., you are working in. In my 23+ years as a full-time IT pro, I've spent about 2-3 years total where I needed to know Linux/Unix. Just throwing my 2 cents in.

renacido

Please don't take my advice as, "forget about security until you've worked in systems/networking for a few more years." Not at all!

Learn, study, lab, get more security certs, that's all good.

Just don't ONLY study security is what I'm saying. And that in my experience, over a decade in infosec, very few people can really contribute as a security pro until they really have a solid base of knowledge and experience of how systems and networks work and are managed in the real world.

If you are passionate about security and enjoy learning about it, then you're the "right type" of person to come into this field. We need more like you and fewer who are interested in it solely because they hear that CISSPs make 6 figures.

Russ5813

Thanks for the replies, Ren. And no, I didn't take your advice as that I should forget security for a few years

Through my bachelor's program, I have a good understanding of IT concepts, I just haven't had the opportunity to put them into practice. I really enjoyed my security-related classes and am anxious to dive into an InfoSec career, but it makes sense to have some real work experience with the basics before doing so.