Advice required for a career move

mekanik (Registered User, Posts: 3)

I just joined recently, but I have been reading here for quite some time now. I have even acted upon the advice given here, especially about which certifications to follow for IT security specialization, but I am still confused, so I decided to ask my doubts.

Something about myself: I have 6+ years of experience in software development, mainly on networking/telecom products like routers and switches. I am an undergraduate in computer science. IT security was always my interest. Initially I would credit that interest to movies, but later the fact that it was real, that you get paid to penetrate a system or even investigate a hack, was what got me really interested.

Now I know I should have decided on the career path much earlier, but I was always confused, and I never got much support from my manager/mentor/team members in this regard other than in the s/w dev field. Since I was aware of the networking aspects, I decided to get my feet wet in IT security with CEH, which I completed, though not with a great score. So going forward it would be CISSP & OSCP, for both career opportunity and to get the real know-how of pen testing.

But my confusion: in the IT security field, the job would be of a testing and administration aspect, right?
So should a software developer make that move? Is it possible that I can carry my experience from the dev side to the testing/admin side? Is it worthwhile to do so?
Certs need to be renewed, right? Is there any advantage of certs over graduation/post-graduation, where the latter does not require any of that?

Also, when we say IT security, is there a technical field that one can stay in forever? On the dev side I know one can stay in the technical field forever and also get paid handsomely at the same time, maybe not as much as a management guy, but definitely not bad either. But on the security side I see that the suggestion goes from pen testing to management if there needs to be growth in one's career. Is this true?

I have just mentioned most of the info/confusion I have assumed/collected over a period of time. Please correct me if I am wrong. Apologies for the long post.

Appreciate any thoughts.



  • kiki162 (Member, Posts: 635)
    Since you have a good SW Dev background, this should help you tremendously in moving into the IT Security realm. I think you’ll have to take a layered approach (meaning it may take you a few years) to get to a pen testing position, but it’s certainly doable.

    You can go for your CISSP, but I would probably start with SSCP or CASP to get your feet wet. The OSCP exam you can do down the road. You also have GIAC exams to consider for pen testing.

    Yes, some of these certs will need to be renewed after a while, but that’s why you get additional certs for your CPE credits. Certs and a degree will help you get in the front door, but experience will trump everything else. Some IT Security jobs need someone with sysadmin knowledge, however it’s not completely required. It’s helpful to have an idea about the differences between Windows and Linux as well. With my job, I do a lot of work with compliance, setting up lab environments for testing purposes, and lots and lots of regex. Programming is always a plus if you can write scripts to automate tasks.

    When you get enough posts on here, you’ll be able to send PMs to others. Send me a PM, and I can send you some job opportunities that could help you out in your quest.
  • mekanik (Registered User, Posts: 3)
    Thanks kiki162. I agree that experience is the most important of all. Like you suggested, if SSCP or CASP is the kick-starter, then I will definitely look into it before CISSP. Also, I understand CISSP requires me to have experience in security domains, or to get the experience within a few years. I have worked with a few scripting languages, nothing too complex or that I know off the top of my head, but I am definitely not new to it.

    Could you help me understand the different domains, or should I say "types of work", that there are in security? I am still not clear on that. I hear a lot of words like pen testers, ethical hackers and auditors, but not more than this. I know there could be a lot of them and it is difficult to mention them all here, but broadly an idea of it, or even any links to help understand the different classifications of jobs, would help.
    In the dev field we identify by domains and languages, like banking, telecom, embedded, etc. and Java, C#, assembly, C, etc. on a very broad spectrum. Is there anything like that?
  • Kreken (Member, Posts: 284)
    The others are network security, systems security and policy making.
    Network security deals with the implementation and maintenance of firewalls, IPSs, VPNs, etc.
    Systems security deals with the OS, applications, AV, etc.
    Policy making deals with writing/editing corporate security policy. I think compliance and DR also fall under this.
    You also have security analysts, but they mostly just monitor stuff.

    Edit: There is also some cross-over between these domains. For example, firewalls/IPSs can do AV, and Cisco IronPort does email policies and DLP instead of the Exchange server.
  • mekanik (Registered User, Posts: 3)
    Thanks Kreken.

    Since I cleared CEH, I am getting newsletters from EC-Council University for the Master's program. Is this any good?
  • cyberguypr (Senior Member, Mod, Posts: 6,878)
    The SANS Security Training Roadmap gives a good glimpse at some of the areas.
    This is also a good resource.