Promotion or new job with security path?

I'm currently a level 1 technician for a managed services company. I'm a domain administrator for each one of our 400 clients. I'm allowed to fix pretty much whatever the problem is if I know how to confidently do it. I've been there 7 months and they want to start training me for a promotion into professional services. I'll be making at least $50K.
It's a great company and work environment.

When I first got into IT about a year ago, security was where I wanted to go. There's pretty much no entry level security roles. I was offered a new job by a company that's moving to Houston from Chicago. They do managed services and security for financial firms only. So it's a bit more specialized. It's also a bit smaller than my company. They're offering me level 1.5 position with a direct path into security. $44K for the first 3 months and then a raise to 50K. The Houston office will be me, another tech, and the CEO of the company until they move the entire company to Houston. I interview with the CEO and he really wants me to come aboard. The interview we had went really well.

I'm not sure if I should play it safe and stay where I'm at or move to the new company and finally get into the security field like I've been wanting. It's a bit of a leap of faith whenever you move to a new position and they're promising you ****.

If you've read this far, thanks and what do you think I should do?

Find more posts tagged with

Comments

Remedymp

Go with the Security Analyst position at Alertlogic.

Get your certs quickly.

636-555-3226

Get your experience quickly. What kind of managed services will you be providing your customers? Make sure you know that stuff cold. Nothing against you, but this is why I refuse to outsource any security stuff at my company - tons of entry level people providing not always the best service. Start learning everything you can about what you're supposed to be doing for people and get really good at it.

Also, in my area there are literally an infinite amount of entry-level security positions. Every single company is looking for a security god who can do all things infosec and is willing to accept $50-$60k a year doing it. After not finding anybody to even interview for the position after 6 months, they either accept an entry-level infosec person (in other words, anybody who is vaguely interested in infosec) or just ditch the job listing (because they don't want to hire an entry level person) and outsource it to a third-party provider without realizing it's the same entry-level person doing the job but for more money and while they have the distraction of monitoring 50 other clients at the same time.

If job #1 is being an outsourced or consulting sysadmin for a managed service company then I'd say look to greener pastures. there's a lot of sysadmins and sysadmin jobs out there. It's a fairly mature market (compared to infosec, at least).

Caveat - I'm biased as I'm an infosec guy myself and firmly believe every IT person and every company with computers needs to do more with infosec.

volfkhat

Personal opinion:
No one should START in Security.
Instead, you start somewhere else, learn and gain experience doing that,
Then you make the jump over into InfoSec.

With that being said; it's your life.
you can do whatever you want to do.

If you don't have any kids/other-obligations... then why not make the move.

Personally, moving to another state just to take an Entry-level job... sounds a bit much.

I checked out your prior posts... it seems you have under a year of IT experience?
Maybe you should stay put [2 moe years] and continue building that resume EXP.
Then you make the jump to a SOC position somewhere.

Hell, Why NOT ask your current employer? If they have 400 clients.... they probably have a SOC.

Lastly,
did you ever get your eJpt? Security+?
(i figure if a person claims they Really want to work in Security... then they certainly followed through on their end).
If No.... did you at least finish reading the books?
Or, taken some Security classes at the College level?

I just want you to be sure if You know what working in InfoSec even means....

Good Luck!i

fabostrong

636-555-3226 wrote: »

Get your experience quickly. What kind of managed services will you be providing your customers? Make sure you know that stuff cold. Nothing against you, but this is why I refuse to outsource any security stuff at my company - tons of entry level people providing not always the best service. Start learning everything you can about what you're supposed to be doing for people and get really good at it.

Also, in my area there are literally an infinite amount of entry-level security positions. Every single company is looking for a security god who can do all things infosec and is willing to accept $50-$60k a year doing it. After not finding anybody to even interview for the position after 6 months, they either accept an entry-level infosec person (in other words, anybody who is vaguely interested in infosec) or just ditch the job listing (because they don't want to hire an entry level person) and outsource it to a third-party provider without realizing it's the same entry-level person doing the job but for more money and while they have the distraction of monitoring 50 other clients at the same time.

If job #1 is being an outsourced or consulting sysadmin for a managed service company then I'd say look to greener pastures. there's a lot of sysadmins and sysadmin jobs out there. It's a fairly mature market (compared to infosec, at least).

Caveat - I'm biased as I'm an infosec guy myself and firmly believe every IT person and every company with computers needs to do more with infosec.

At job #2, the new position, my main purpose would be doing tier 1 desktop support. One of the owners does all the security work by himself. Since I want to get into security, he'll be slowly giving me security related tasks and things like that to build up my experience and knowledge of actually working in infosec.

As far as the managed services that they provide, it'll be basic desktop support and mainly applications that are strictly used in the finance field. There's 3 owners. Two of them authored a book together about how to do IT in the finance. There's two main companies that do IT for financial firms and this company is one of them.

fabostrong

volfkhat wrote: »

Personal opinion:
No one should START in Security.
Instead, you start somewhere else, learn and gain experience doing that,
Then you make the jump over into InfoSec.

With that being said; it's your life.
you can do whatever you want to do.

If you don't have any kids/other-obligations... then why not make the move.

Personally, moving to another state just to take an Entry-level job... sounds a bit much.

I checked out your prior posts... it seems you have under a year of IT experience?
Maybe you should stay put [2 moe years] and continue building that resume EXP.
Then you make the jump to a SOC position somewhere.

Hell, Why NOT ask your current employer? If they have 400 clients.... they probably have a SOC.

Lastly,
did you ever get your eJpt? Security+?
(i figure if a person claims they Really want to work in Security... then they certainly followed through on their end).
If No.... did you at least finish reading the books?
Or, taken some Security classes at the College level?

I just want you to be sure if You know what working in InfoSec even means....

Good Luck!i

If it was just me, It'd be a lot easier to make the jump but I'm married. Having my wife makes the decision a lot harder cause if it goes south, it effects her too.

I wouldn't have to move to another state. The company is based out of Chicago and are opening an office in Houston. Eventually they want to move their entire service desk to Houston. So initially here in Houston, it'll be me, another level 1 tech, and the CEO.

I'm right at a year of IT experience now. All general desktop/server experience. Even with two more years of experience, I still wouldn't have any security experience. I don't feel like 3 years of desktop support would do much for me when trying to move into a security role. Unless I was a system admin maybe?

My current employer doesn't have a security position. There's security things built in here and there but nothing like security analyst role or anything like that.

I agree, I must certainly follow through on my end and get the certs and things like that to help build my knowledge and show that I'm serious about getting into the field. I purchased the eJpt but haven't finished yet. Been working on my MCSA Windows 10 which I just finished and working on CCENT. These are certs that my employer wanted me to have so I've been working on those. In general though, I've read and watched a lot of different security classes. I have a CBT nuggets subscription so I use that and just whatever else I can find on the internet.

infoscrub

fabostrong wrote: »

They're offering me level 1.5 position with a direct path into security. $44K for the first 3 months and then a raise to 50K.

I would do my best to see if I could talk to those who would be my future co-workers. Ask them about the average time someone stays there, what the work is like etc. They should be able to give you a better idea how true the "direct path into security" is. I would also be very curious about what they think of as security, this can vary from monitoring SIEM, hardening/patching systems, to making business cases, to managing all of the paperwork for change management. These can put you on completely different career paths.

volfkhat

fabostrong wrote: »

I'm right at a year of IT experience now. All general desktop/server experience. Even with two more years of experience, I still wouldn't have any security experience. I don't feel like 3 years of desktop support would do much for me when trying to move into a security role. Unless I was a system admin maybe?

Yes, exactly. Keep continuing to grow.
It's perfectly normal to start at desktops, and then move on to servers. Keep learning. Understand how Group policies work within A.D., Learn about NT4/Forest Trusts, how to manage DHCP scopes, DNS, smtp relays. Learn some basics of powershell scripting too!
Build the foundation so you can be that Security Guy who KNOWS the technical; Not the Security-guy who only talks in generalities...

Or,
If you are BORED with what you are doing... and you have your mind made up; then make the jump :]
Professor Messer has a decent curriculum (on youtube) for the Sec+; check it out. (or also your cbtnuggets).
Also, i would drop the CCENT. if you only have a 1 year of experience... i'd recommend studying the Network+ instead. It helps build a better general foundation than the ccent (imo).

Personal Anecdote:
I sit across from some SOC guys. All they seem to do is Read logs All day; trying to figure out why accounts get locked out, etc.
And the Paperwork. LOTS of paper work.
bleh!!

if you take the Security gig... Just make sure you know 100% what you're going to be doing :]