Security Career for a Business Major

$bvb379

I moved back to Georgia on August 1st to pursue a career in information technology/security. I have my undergrad in business and plan on pursuing my masters in information systems (MSIS) very soon. I saw a post where, I believe, @jcundiff mentioned some different sub-levels of cyber security....
Governance, Risk, and Compliance
InfoSec Operations
Identity and Access Management
Business Continuity and Disaster Recovery
Threat Intelligence

My certs are under my name if interested. I was very good at conveying information to upper management in layman's terms at my previous job, this included consulting on our website, SEO, suggesting the creation and modification of queries in Microsoft Access all while explaining how it would benefit the organization and then proving that based on data. I also did some accounts receivable and any other various tasks my boss would ask of me. I was kind of a jack of all trades master of none. I would say I am better at the people-facing side rather than the more technical side simply due to my background, not that I can't learn, I do in my free-time, but I know there are more qualified people for the technical roles.

I recently interviewed for three different positions, two were more technical, one is more customer-facing. The one that is more customer-facing seems like a perfect fit because I would be a liaison between the Cyber Security team and the rest of the business, it would be more of a project management role.

I guess my question is more towards the veterans here and not the hardcore techies....what keywords should I be typing in when searching for jobs based on what I have put here?

I am 26 if that matters and have only worked at smaller, privately owned companies. I am trying to break into the more enterprise entry-level roles.

Thanks for reading.

goatama

Sounds like you're a shoe-in for middle management.

TheFORCE

$bvb379 wrote: »

I moved back to Georgia on August 1st to pursue a career in information technology/security. I have my undergrad in business and plan on pursuing my masters in information systems (MSIS) very soon. I saw a post where, I believe, @jcundiff mentioned some different sub-levels of cyber security....
Governance, Risk, and Compliance
InfoSec Operations
Identity and Access Management
Business Continuity and Disaster Recovery
Threat Intelligence

Search for GRC, all those topics are covered under GRC. Look for IT Compliance or IT Auditor. IT Auditors are more customer facing and not deeply technical, not all but the majority. Compliance is also very big now too. Read se of those descriptions and see if they align with your goals or experience.

Robertf969

If you are looking to go the Compliance route feel free to PM me, I will give you some tips.

636-555-3226

If you want to get into infosec infosec, good luck, you'll need lots of technical experience under your belt already. Infosec is one of those culminations of all things IT. I may be biased b/c I'm one of those guys who thinks the guy in charge of the dept should have a good knowledge of what the dept does. Infosec audit would be a good role, don't need to get too technical for that.

techfiend

There certainly isn't enough business minded IT pros and I think some companies would take a business degree and experience very seriously. I think junior project or service management would be the most likely landing spot to start. From there you could gain technical experience while still using your business knowledge. I don't know if security is really the domain that fits, I'm kind of naive of the field but think it's mostly techies hacking or protecting against hackers. I'd think architecture would have a much bigger demand for project or service management.

I see you have ITIL which is good and fits well. Project+ leading to a potential PMP would also be helpful.

jcundiff

636-555-3226 wrote: »

If you want to get into infosec infosec, good luck, you'll need lots of technical experience under your belt already. Infosec is one of those culminations of all things IT. I may be biased b/c I'm one of those guys who thinks the guy in charge of the dept should have a good knowledge of what the dept does. Infosec audit would be a good role, don't need to get too technical for that.

I am going to strongly disagree on this subject. We hire associate and analyst level infosec resources straight out of college. and Infosec audit not needing to be too technical is BS in my opinion... you need to know and understand what you are auditing

$bvb379

jcundiff wrote: »

I am going to strongly disagree on this subject. We hire associate and analyst level infosec resources straight out of college. and Infosec audit not needing to be too technical is BS in my opinion... you need to know and understand what you are auditing

I am going to have to agree with jcundiff as well on this. I have a friend at the company I interviewed for who had no interest in computers up until about his second year of college. He switched his major to Security and Assurance, which, from what I have seen, doesn't really teach you anything that technical. He now works as a cyber security engineer without any real technical background, just a college degree. The company is trying to get younger individuals and train them up because 25%-30% of their IT workforce is up for retirement in the next 5-10 years. Good for me, I guess.

jcundiff

Also you cant find mid-senior level infosec people right now... supply vs demand and with the shortage of infosec people now and projected into the near future, companies are having to hire younger/less experienced resources and grow them into more seasoned security guys/gals. 90% or our recent hires ( last 6 months) have been associates and Analyst 1s vs Analyst 2/Senior Analysts. This is across all sub disciplines that role into our CSO.

Going back to the OP's interviews, sounds like what we call a BISO (Business Information Security Officers) who report to our CSO, but are integrated into our Lines of Buisness (LoBs) Each of our LoBs have a BISO who is the LoB's liason with the Security org. It helps greatly to be able to speak the business side of the house's language and relate security needs/requirements in their terms. In my opinion, this type of role is only going to grow in demand

dmoore44

jcundiff wrote: »

I am going to strongly disagree on this subject. We hire associate and analyst level infosec resources straight out of college. and Infosec audit not needing to be too technical is BS in my opinion... you need to know and understand what you are auditing

Having worked in the GRC space... I'll disagree. You have a checklist and make sure the values on the checklist match the output from the system. Having a technical background helps you to understand how all the pieces fit together... but it's not overly technical.

On the other hand, the Security Engineering and Security Analysis roles are based in knowing exactly how an overall information system works - at both the macro (end-to-end connectivity) and micro levels (individual nodes in the system). To be successful in these roles, you need to understand how discrete systems talk to each other, what sorts of information are passed back and forth, and the limitations of the software stack in play.

Danielm7

I think everyone is right, in a way. It really depends on the company. If you work in a SOC they might be a lot more likely to hire straight out of college and train you up in specific tools. For other types of companies that have a small, internal security group, (IMO) they are going to be looking for someone with a more generalist approach and a lot of background experience in all the systems the company is already using.

Also, for the examples above where people got jobs in security straight out of school they came right out of a security program, not a business program with zero CS/IT classes.

$bvb379

In any case, thank you for everyone's input. I will continue the job search.

jcundiff

dmoore44 wrote: »

Having worked in the GRC space... I'll disagree. You have a checklist and make sure the values on the checklist match the output from the system. Having a technical background helps you to understand how all the pieces fit together... but it's not overly technical..

Having been in GRC and been the guy doing security audits on all our vendors, if you dont know what you are doing, then all you are going to do is check box compliance... good luck with that when you get breached via one of your vendors you audited... YMMV, but I am going to maintain that in order to be a good auditor, you need to be technical enough to understand and know what you are looking at/for.

This scenario above is why we switched QSA's for our PCI audits, when we were finding things internally that the QSA was clueless about, there's an issue lol And in talks with other FS sector people who were using them, they saw the same issues.