How to get into InfoSec field???

It seems like it is impossible to find an InfoSec entry level job. Every InfoSec job that is around my area (a city that hosts the MDA so there are PLENTY of IT jobs) always requires at the minimum 5 years of security related experience. How in the world can you get 5 years of security related experience if you can't even get into an InfoSec job?

Comments

  • TechnicalJay Member Posts: 219
    Do you have any IT experience at all? Help Desk, Desktop Support, Network admin?
  • infoscrub Users Awaiting Email Confirmation Posts: 14
    I wrestled with that problem most of last year. I have a job in InfoSec now.

    I think you should turn the problem around and look at why someone would hire you. What can you do in infosec that businesses need? Most job requirements listings are wish lists but you need to actually bring value to the company hiring you.

    Do you have a record of high integrity jobs (military+security clearance) and meet DoD requirements?
    Do you have knowledge of policy, legal requirements and standards? Maybe auditing experience?
    Are you familiar with secure coding and can you write and audit code?
    Can you teach end users better security practices?
    Can you read pcap files? Audit event logs? Configure a router, switch, firewall or vpn?
    How about patching and hardening systems?
    Do you have business/risk management experience that can lend itself to recommending where security money gets spent?

    If you can't think of something you can do that provides value to the company then get studying. If you can, find ways to prove it or find someone to take a chance on you.

    Most of the security positions require experience because you aren't born ready to perform those jobs. Most of the skills needed come from working in related positions (sys admin patching vulnerabilities, network admin managing FW rules, software developer writing secure code).
  • atippett Member Posts: 154
    I have the Sec+ certification and have been working as a Network Engineering Intern for the past 6 months. I also worked as a Python Programming TA last year for my college. I'm a senior in college majoring in IA/cybersecurity, so I don't have a degree yet. I'll be graduating in May. I don't know if any of that helps, but I feel like it should.
    infoscrub wrote: »
    I wrestled with that problem most of last year. I have a job in InfoSec now.

    I think you should turn the problem around and look at why someone would hire you. What can you do in infosec that businesses need? Most job requirements listings are wish lists but you need to actually bring value to the company hiring you.

    Do you have a record of high integrity jobs (military+security clearance) and meet DoD requirements?
    Do you have knowledge of policy, legal requirements and standards? Maybe auditing experience?
    Are you familiar with secure coding and can you write and audit code?
    Can you teach end users better security practices?
    Can you read pcap files? Audit event logs? Configure a router, switch, firewall or vpn?
    How about patching and hardening systems?
    Do you have business/risk management experience that can lend itself to recommending where security money gets spent?

    If you can't think of something you can do that provides value to the company then get studying. If you can, find ways to prove it or find someone to take a chance on you.

    Most of the security positions require experience because you aren't born ready to perform those jobs. Most of the skills needed come from working in related positions (sys admin patching vulnerabilities, network admin managing FW rules, software developer writing secure code).
  • Remedymp Member Posts: 834
    atippett wrote: »
    I have the Sec+ certification and have been working as a Network Engineering Intern for the past 6 months. I also worked as a Python Programming TA last year for my college. I'm a senior in college majoring in IA/cybersecurity, so I don't have a degree yet. I'll be graduating in May. I don't know if any of that helps, but I feel like it should.

    Apply to Secureworks.
  • NetworkNewb Member Posts: 3,298
    atippett wrote: »
    It seems like it is impossible to find an InfoSec entry level job. Every InfoSec job that is around my area (a city that hosts the MDA so there are PLENTY of IT jobs) always requires at the minimum 5 years of security related experience. How in the world can you get 5 years of security related experience if you can't even get into an InfoSec job?

    That is because 5 years related experience doesn't mean you need to have a job specifically that just focuses on security. If your job deals in some aspect(s) of security and you have 5 years of IT experience, that is security related. And you should be applying to those positions. Also, make sure you're customizing your resume to each position you're applying for based on their job description. Focusing on aspects of your current position that can relate to what they are looking for.
  • Danielm7 Member Posts: 2,310
    infoscrub wrote: »
    I wrestled with that problem most of last year. I have a job in InfoSec now.

    I think you should turn the problem around and look at why someone would hire you. What can you do in infosec that businesses need? Most job requirements listings are wish lists but you need to actually bring value to the company hiring you.

    Do you have a record of high integrity jobs (military+security clearance) and meet DoD requirements?
    Do you have knowledge of policy, legal requirements and standards? Maybe auditing experience?
    Are you familiar with secure coding and can you write and audit code?
    Can you teach end users better security practices?
    Can you read pcap files? Audit event logs? Configure a router, switch, firewall or vpn?
    How about patching and hardening systems?
    Do you have business/risk management experience that can lend itself to recommending where security money gets spent?

    If you can't think of something you can do that provides value to the company then get studying. If you can, find ways to prove it or find someone to take a chance on you.

    Most of the security positions require experience because you aren't born ready to perform those jobs. Most of the skills needed come from working in related positions (sys admin patching vulnerabilities, network admin managing FW rules, software developer writing secure code).

    Great first post, welcome to TE! But yes, I agree, 5+ in "security" can mean security roles and tasks, that's how most of us entered the field. A few months of interning likely isn't enough to cut it but you can always roll the dice and apply.
  • atippett Member Posts: 154
    Ahhh, thanks for clarifying that. When I see 5+ years in security, I thought of directly a cybersecurity job. So, say I stay on at my intern where I'm at after college as an Eng 1. After 4-5 years I can start applying for security related jobs?
    Danielm7 wrote: »
    Great first post, welcome to TE! But yes, I agree, 5+ in "security" can mean security roles and tasks, that's how most of us entered the field. A few months of interning likely isn't enough to cut it but you can always roll the dice and apply.
  • NetworkNewb Member Posts: 3,298
    atippett wrote: »
    Ahhh, thanks for clarifying that. When I see 5+ years in security, I thought of directly a cybersecurity job. So, say I stay on at my intern where I'm at after college as an Eng 1. After 4-5 years I can start applying for security related jobs?

    Definitely start applying before you meet a job description's requirements. Just because a job description asks for things does not mean they will find anyone with all those. So yes to your question.

    I like this video:
    https://www.youtube.com/watch?v=6G3kQyqMFpQ
  • markulous Member Posts: 2,394
    Rule of thumb is to ignore the years requirement. Look at the job description and duties and if it's something you can qualify for, then apply.

    Getting certs, labbing, staying up on current security news, and just showing a passion in general for security, will go a very long way in getting you hired.

    There are entry(ish) level jobs out there in Infosec too, so maybe there aren't any you see now, but keep your eyes open for them.
  • Danielm7 Member Posts: 2,310
    markulous wrote: »

    There are entry(ish) level jobs out there in Infosec too, so maybe there aren't any you see now, but keep your eyes open for them.


    Also true, network, network, network! If you know people locally, through cons/meetups/whatever you'll likely find out about a lot more jobs than just hitting up monster.com and waiting.
  • cyberguypr Mod Posts: 6,928
    My case may not be the norm out there but I'll bring it up just as additional insight. I've had an entry level analyst job open for a few months and have been having a hell of a time filling it. We don't ask for much because we have a very strong security program and the internal and external resources to bring anyone up to speed. If you bring any IT skill set you get extra points, but we are even willing to take someone fresh out of college. So far this is what we have encountered:
    - Bad resumes. I have zero tolerance for this. If I see typos I discard it. If it is 6 pages, I discard it. If you use fancy colors or weird design elements that distract from the essence of the document: I will mock it
    - Position is posted as Jr. Analyst. Advanced guys apply expecting six figures
    - Candidates with little experience augmenting resume and then failing miserably when we grill them. I particularly remember a network guy claiming to be the God of Cisco security who had no idea what a CIS Benchmark was
    - People who can't have a normal adult conversation
    - People with zero business acumen
    - And the biggest issue: lack of passion

    Like I said, I don't care if you bring something to the table or not. I can help bring you up to where most of the team is. But please, show PASSION. If I ask you why you want to work Infosec, this is where you can shine. If I ask you how do you keep up with the industry do not say "Reddit" and then blank out when I ask you which specific subreddit or what hot topics have you read in the last few days. If I ask you if you have a lab, be honest. Don't tell me you have a lab and then follow up with "I have VMware Player with Kali, but I haven't done much with it".

    Back on topic, there's a ton of jobs out there that may take you. Remember that if that utopian unicorn is not out there those of us with hiring power will keep going through the list of candidates. Apply away!
  • dmoore44 Member Posts: 646
    atippett wrote: »
    I'm a senior in college majoring in IA/cybersecurity, so I don't have a degree yet. I'll be graduating in May. I don't know if any of that helps, but I feel like it should.

    Make sure to take advantage of your school's job placement programs, attend any IT related career fairs, and check out the security related meetups in your area.
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • the_Grinch Member Posts: 4,165
    First, kudos to cyberguypr and the way his company runs things. Too many companies believe that building up an employee means they will leave once they've completed their training and thus they only hire people with the skills (or at least they believe have the skills). Instead, they should see it as building up great people who will ultimately stay because you've shown loyalty to them.

    As to the poster's question, getting a position in infosec takes a number of things. You'll want to have a foundation in something (networking, servers, desktops). How do you secure something if you've never set it up? Along those lines you'll want to get certifications revolving around the technology you have the foundation in. Many will have a security certification that will correspond to their products. Resume wise, you are probably doing all types of security related work and it just hasn't clicked yet. Add users and apply certain permissions? Access management (security). Apply patches based off of ongoing research you do for the products you support? Patch management (security). Open up ports on a firewall or adjust ACLs? Network security. As an IT person you would be hard pressed to find any aspect of your job that doesn't revolve around security. Might not be your full time gig, but it definitely is a piece of what you do.

    I got into my position because of my technology background. I had four years of technical support under my belt, a degree in information security, and certifications to back that up. I outlined the areas of security I dealt in along with the full time duties I performed. Three years later I am the go to guy at my agency for anything security related. Been through further training, dealt with incidents, and stay informed about the latest threats. Also, dare I say it, blazed a few trails that people at my agency and other agencies had not done.

    To mirror cyberguypr: PASSION. This is one of the few positions where if you don't have passion for it you will fail. It means working when you're home and on vacation, it means considering the risk associated with each decision that you make, and it means speaking up when perhaps everyone thinks you are wrong or that it shouldn't be a concern.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • markulous Member Posts: 2,394
    cyberguypr wrote: »
    - Candidates with little experience augmenting resume and then failing miserably when we grill them. I particularly remember a network guy claiming to be the God of Cisco security who had no idea what a CIS Benchmark was

    I'd love to be a fly on the wall at that interview.
  • atippett Member Posts: 154
    You guys are great. Very good info so far! I will definitely be soaking all of this in and applying it. Thanks guys
  • Madmd5 Member Posts: 83
    atippett wrote: »
    It seems like it is impossible to find an InfoSec entry level job. Every InfoSec job that is around my area (a city that hosts the MDA so there are PLENTY of IT jobs) always requires at the minimum 5 years of security related experience. How in the world can you get 5 years of security related experience if you can't even get into an InfoSec job?

    I wouldn't necessarily say you need years and years of experience to get your foot in the door in InfoSec. I have a little over three years of IT experience doing mostly support roles. However, in that time, I also got numerous certs and worked on firewalls and VPN. Backtrack, roughly 3 months, I applied for and accepted a job as Network Security Engineer at a large healthcare organization. A lot of it depends on your interests, your drive and willingness to learn as much as you can, and timing.
  • atippett Member Posts: 154
    Can I PM you my resume and have you tell me how well it is set up for my experience level?
    cyberguypr wrote: »
    My case may not be the norm out there but I'll bring it up just as additional insight. I've had an entry level analyst job open for a few months and have been having a hell of a time filling it. We don't ask for much because we have a very strong security program and the internal and external resources to bring anyone up to speed. If you bring any IT skill set you get extra points, but we are even willing to take someone fresh out of college. So far this is what we have encountered:
    - Bad resumes. I have zero tolerance for this. If I see typos I discard it. If it is 6 pages, I discard it. If you use fancy colors or weird design elements that distract from the essence of the document: I will mock it
    - Position is posted as Jr. Analyst. Advanced guys apply expecting six figures
    - Candidates with little experience augmenting resume and then failing miserably when we grill them. I particularly remember a network guy claiming to be the God of Cisco security who had no idea what a CIS Benchmark was
    - People who can't have a normal adult conversation
    - People with zero business acumen
    - And the biggest issue: lack of passion

    Like I said, I don't care if you bring something to the table or not. I can help bring you up to where most of the team is. But please, show PASSION. If I ask you why you want to work Infosec, this is where you can shine. If I ask you how do you keep up with the industry do not say "Reddit" and then blank out when I ask you which specific subreddit or what hot topics have you read in the last few days. If I ask you if you have a lab, be honest. Don't tell me you have a lab and then follow up with "I have VMware Player with Kali, but I haven't done much with it".

    Back on topic, there's a ton of jobs out there that may take you. Remember that if that utopian unicorn is not out there those of us with hiring power will keep going through the list of candidates. Apply away!
  • mbarrett Member Posts: 397
    atippett wrote: »
    It seems like it is impossible to find an InfoSec entry level job.
    requires at the minimum 5 years of security related experience.
    Then it's not entry level. Or HR is saying 5 years to screen people out and the ones who get interviews are either liars or desperate for a job.
    You might have to relocate to find a good infosec opportunity, or just get a basic sysadmin job and familiarize yourself with security tasks that way. I always get depressed when I see these kinds of shenanigans from companies - a lot of companies have no idea what they want/need.
  • atippett Member Posts: 154
    I don't think I will have to relocate. We have a military base that hosts the MDA with over 40k employees, which probably half are in the IT field. Also, in 2 years they will have finished a cyber lab on base and plan on hiring 80 cybersecurity engineers/analysts/researchers.
    mbarrett wrote: »
    Then it's not entry level. Or HR is saying 5 years to screen people out and the ones who get interviews are either liars or desperate for a job.
    You might have to relocate to find a good infosec opportunity, or just get a basic sysadmin job and familiarize yourself with security tasks that way. I always get depressed when I see these kinds of shenanigans from companies - a lot of companies have no idea what they want/need.
  • TechGromit Member Posts: 2,156
    I was able to land an InfoSec job with no security experience, but I had 20 years experience in the IT field. My supervisor often tells me he was lucky they hired me, a lot of the other InfoSec personnel they hired for other sites around the same time, while many had College degrees, they had no experience with networking, servers, desktop support, simply put they are not well rounded in their experience and sometimes struggle with different tasks because of this. One guy locked himself out of a Cisco switch he was setting up and had to get his supervisor to help him, I on the other hand Google the answers and solve my own screw-ups without bothering my supervisor with trivial stuff.
    the_Grinch wrote: »
    ... and it means speaking up when perhaps everyone thinks you are wrong or that it shouldn't be a concern.

    This is a good point, many people that are new in IT will not voice their opinion for fear of being wrong. It's a rare meeting I don't have something to say, just do it tactfully.
    Still searching for the corner in a round room.
  • beads Member Posts: 1,533
    Usually, we are looking for someone, as alluded to above, with five years of prior IT experience dealing with security, not necessarily someone already in a dedicated security role. Generally, someone who has been working in Windows server or LAN/WAN administration (infrastructure). Think patching and closing vulnerabilities. Has some idea what business is and how to anticipate the money makers' needs before IT. Those skills are exceedingly hard to find in IT. More rarely, security folks come from development and DBA. Those folks generally gravitate toward pentesting, SDLC and are in higher demand than us generalists because of the rarity. Most of us come from the Infrastructure side of the house, roughly 85 percent and cover everything not SDLC and pentesting, etc.

    What we need as cyberguypr and the_Grinch have indicated so eloquently is the need for PASSION and not just another "me too" personality looking for a senior engineer's paycheck with a help desk analyst skill set. We have talked to lots of those folks and the skin around here is pretty thick if not hide-like because of such.

    So to add to the confusion above, you need to be a bit more specific than "I want to be in security..." Why do you want to be in a field that changes hourly and are you really willing to stay on top of the field? Upgrade your knowledge and skill level nearly every day, night and likely weekends as well for the rest of your career. No, we are not kidding about how much many of us work at knowledge levels around here. It's what it takes to be successful in this career field. No arguments.

    You need to be able to express what it is that you want to do in "security". Thus far you sound as though you're close to graduation but really only interested in a "job" any job but not so much a career in anything specific. This is another nail in the interviewing coffin for many a candidate. They have no clue as to what it is they even want to do save collect a paycheck. Lots of those careers buried in the back. You'll meet them someday as they usually go something like this: "Oh! I used to do what you do but now I sell men's suits..." Ummm... yeah.

    Last, consider WHERE you want to live. Best bet is that you're likely going to get pulled in the direction of your nearest major market or city. I take flack for this all the time as not everyone is going to have some great telecommute/work at home job while working from the sticks. I will submit myself to that one as well. Otherwise I'd be back on my farm in Northwest Michigan screaming at deer instead of yelling at end users for trying to watch **** brought in on USB sticks and other security anomalies we cannot talk about on the board.

    Develop some detailed questions and ask, the board is more than happy to help. Also look up Iristheangel's post on getting started in IT on this board. I would but running out of time and need to pivot on a problem.

    Best place to get started in security in my opinion? Audit.

    Till then!

    - b/eads
  • DatabaseHead Member Posts: 2,754
    @ Grinch that first part is so true. Obviously I am not speaking in absolutes but pretty dang close.

    We have had 2 analysts leave right after receiving some high end training. Both trainings cost ~6000, since then we get 500 a year tops to train for. Since I have been here for 3 years and been promoted to a first level manager I get more, but not 6000 more..... At my last company it was the same thing, the response is usually, why train you can learn on the internet. Hard to argue when your manager states that.
  • markulous Member Posts: 2,394
    @ Grinch that first part is so true. Obviously I am not speaking in absolutes but pretty dang close.

    We have had 2 analysts leave right after receiving some high end training. Both trainings cost ~6000, since then we get 500 a year tops to train for. Since I have been here for 3 years and been promoted to a first level manager I get more, but not 6000 more..... At my last company it was the same thing, the response is usually, why train you can learn on the internet. Hard to argue when your manager states that.

    My SANS/GSEC training is going to end up costing around 7k. Once I get that, I can get my CISSP here also. That'll all happen ~1 year from now. Combine those with what I have plus I'll be done with my MSISA and I can probably leave and snag a 90-100k job. But will I do it? In my opinion, if this place is willing to invest in me, they get first crack at me. If they are going to lay on more responsibilities, more opportunities, and more $, then I have no reason to leave. I'll stay as long as I keep learning/growing. If they want to pay for my training and not give me any of those things and expect me to be loyal "just cuz", then they have another thing coming. Not saying the latter is the reason your company couldn't retain people, but it's definitely a factor for businesses keeping employees.
  • Danielm7 Member Posts: 2,310
    @ Grinch that first part is so true. Obviously I am not speaking in absolutes but pretty dang close.

    We have had 2 analysts leave right after receiving some high end training. Both trainings cost ~6000, since then we get 500 a year tops to train for. Since I have been here for 3 years and been promoted to a first level manager I get more, but not 6000 more..... At my last company it was the same thing, the response is usually, why train you can learn on the internet. Hard to argue when your manager states that.

    The problem is if you bring them on at entry level salary, keep them there for awhile and train them up to the skillset far above what they came in at but keep the salary pretty static, they are going to leave. I've seen this a few times at my company, people brought up from helpdesk, they might get a couple thousand dollars extra to go to the desktop team, then maybe a couple thousand more to start in the sysadmin team. Before you know it they're doing the same work of a mid-grade sysadmin but being paid a bit over helpdesk rates. They get an offer for double their salary, of course they are going to take it.