How did you get into security?

A lot of people really want to get into the security field but it's not the easiest field to get into with no actual job experience. A lot of people start out in IT doing desktop/tech support and making the jump/change to a security position can often be an uphill battle.

I thought it'd be neat if people gave their stories about how they got into the security field. I think it could give some people motivation or just more ideas of how to get into the field.

I applied to a ton of security positions. I put in applications for a year before running into a company that had a desktop role I could move into and from there move into security, only cause the positions were in the same company. I ended up turning that position down because my current employer informed me that they're building a security team inside the company and I'll be able to move into that position once it's made and should be here by October. In the meantime my employer paid for me to get my CEH and just paid for me to take an SANS GCIH course. So I'm not in a security position yet but it's being built at my job and they're investing in the training I need to move into the position. So we'll see.

Looking forward to how other people got into the security field.

Find more posts tagged with

Comments

BerkshireHerd

I spent almost a year doing Level II Desktop work before we had an opening for an Analyst. Since I already knew the hiring manager I was able to have an honest discussion about my goals and he gave me the opportunity to jump in. I did 2 years as a analyst and now have moved into an Identity and Access Manager role.

tedjames

A state agency hired me to be the technical writer in their security program. After a year and a half, I moved into program management. I did security analysis, incident handling, training, security awareness, etc., all within the same agency. Everything I learned was either by osmosis (learned on the job in real time), through the little bit of training they paid for, or through self-study, which comprised the majority of my education. That led to the job I'm doing now - Cybersecurity Analyst with a different agency.

higherho

By working as a System Admin / Engineer in the DOD. Having that system background (with CCNA level networking skills) and applying DOD & NIST standards made me more valuable to get into security full time (blue / red team). Individuals with engineering backgrounds (programming, networking, or systems) have a better understanding or I should say it comes easier than someone jumping into CEH / OSCP without it.

Thepro21us

I'm working as a IT helpdesk analyst myself and I also want to move into the security field and my job is also developing a cyber security division. I just wanted some advise should I work towards a info sec cert or a networking cert like a ccna. I already have a sec+ cert.

Danielm7

I was a sysadmin/engineer for a long time. I realized the most interesting part of my work involved security so I wanted to specialize in that. Since I was already doing a lot of security tasks already I redid my resume highlighting those aspects.

636-555-3226

Went to a concert with the girlfriend, her friend, and her friend's boyfriend. The friend's boyfriend told me I needed to get into security since it was going to be the hottest thing in the world in a few years. So I started immersing myself in it 110% and lo and behold he was right.

thesecuritybro

Well, I took a rather straightforward path bro. I started of doing help desk and sat on that for about 2 years. Then worked as a Network Engineer for a year and a half. Then once I felt like I had a grasp on networking I went and got the CEH and CASP. It was not long after that people were blowing up my phone offering me jobs.

dustervoice

[Backup Operator--- Helpdesk---Networking/Sysadmin---Auditing---Infosec] All of this took me (17 years). End goal become a teacher.

Mike7

Was doing sysadmin and app development for a while. Then websites around got defaced and security analysts started throwing VA/PT reports, IPS alert reports and other security advisories at me. These "experts" do not understand the contents of their reports. Explaining to them that a flagged vulnerability was a false positive was... just a futile exercise. They told me to "follow instructions as per report and fix it such that our system do not flag out vulnerabilities".

So I immersed into security, obtained certs such as CISSP/CASP/CISM and replied the security experts with security certs listed in my email sig. The silence was deafening. Recruiters started contacting me and I moved into security. It has been an educating, exciting and rewarding journey so far.

ITSec14

Been in IT for 3 1/2 years. Started off in an analyst position for a little over a year, specifically focused on core banking applications and sharepoint development, then transitioned into a sysadmin role for a little over a year, then took a security admin position at my current company. I made some frequent jumps, but you gotta do what you gotta do.

jcundiff

over the last 19.5 years, Company 1 - help desk>help desk leader>account management> higher level help desk management> Incident, Problem, and Change management >>>Company 2 - Incident (service restoration) Management (included being BC/DR coordinator for data center/noc)> GRC Advisor (sold the hiring manager, who had exposure to me through the BC coordinator role, that he should take a chance on me) > Lead Threat Intelligence Analyst (got this role simply by telling our then CSO that that was where I wanted to go) Been a wild ride over the years

Remedymp

Came from 4 years Desktop support and got an offer from a Dell to be a Sec Analyst. Best decision I made in my career.

fabostrong

Nice to see all the ways people made it in.

fabostrong

Thepro21us wrote: »

I'm working as a IT helpdesk analyst myself and I also want to move into the security field and my job is also developing a cyber security division. I just wanted some advise should I work towards a info sec cert or a networking cert like a ccna. I already have a sec+ cert.

I'm not an expert or anything but I'd say go for another security cert. While CCNA R&S is definitely good to have, I don't think it would add a ton to your security knowledge.

yoba222

The recipe I followed:
1. Find some security-related project where you work and really own it.
2. Fluff that project up as a showpiece on your resume.
3. Keep applying until you get hired into security.

E Double U

I was working for a telco's config/migrations team which was scheduled to be offshored to India at the project's end. I checked vacancies within the company and SOC was hiring. I already had a good reputation with the team from my days in the same company's NOC so they gave me a shot.

SoCalGuy858

Started as a systems administrator / help desk technician with my current company in 2013. During this time, I concentrated my efforts (as much as I could) on security-focused activities and building up my security knowledge by earning a few low-level security certifications (Sec+, SSCP, MTA: Security, etc.). I consistently made it known to my supervisor (corporate Director of IT) that I was interested in security, as well.

All of this, combined with being in the right place and the right time, paid off. Just before my two year mark with the company, a restructuring of the IT department was announced, and my supervisor transitioned over to become the Director of Information Security... a brand new position within the company. Due to my continued expression of interest in security and my concentration on security-specific education, I was offered to transition into my company's first ever Information Security Analyst role. It's definitely NOT the norm, but I'm fortunate that I was able to get where I am this early on (been in this position for 2.5 years now and just turned 25).

UnixGuy

Went from Unix support/admin/engineering/design to Security ops analyst to security consultant to incident responder/jack of all trades security....

First security job they wanted someone with Unix experience (granted they didn't know what Unix is but nvm)...Got in and learned more about Firewalls (I knew most of the basics anyway from working with IPtables..) The rest was really easy to pick up.

gkca

UnixGuy wrote: »

Went from Unix support/admin/engineering/design to Security ops analyst to security consultant to incident responder/jack of all trades security....

First security job they wanted someone with Unix experience (granted they didn't know what Unix is but nvm)...Got in and learned more about Firewalls (I knew most of the basics anyway from working with IPtables..) The rest was really easy to pick up.

So how do you like security compared to *nix admin stuff?

aderon

I did basically what everyone on here recommends. Gather as much diverse general IT experience as possible so that when you get into Security you don't feel lost.

First, I got any IT job that would hire me regardless of what I was doing or what the pay was. This wound up being an internet help desk call center job. I worked my way up there until I was doing low level windows sys admin stuff for a more advanced call type. I earned my Net+ and Sec+ while I worked here. I also decided to go back to school and began attending WGU.

Then I diversified my background a bit and got a job as a tech support engineer at an enterprise storage company. This broadened my IT background a bit and helped me become familiar with aspects of IT that I frankly didn't even know existed at the time. I was still very green and even though I wasn't doing anything crazy at this job, I feel like the experience here really opened my eyes. I earned my A+, Linux+, Project+ while working here.

At this point I knew I needed to get a stronger networking/linux background if I wanted to get into security. So I transitioned to a NOC job that was purely linux focused (not a windows machine in sight lol) and gave me a lot of hands on experience troubleshooting networks and making commits. The job responsibility here was actually pretty wide too. I wound up learning a ton about HTTP, APIs, CDNs, Cloud Storage, certs, reading packet captures, scripting, VPNs, BGP, transit providers, Linux, change management, version control, etc, etc. I learned a TON here. I felt like this was my first "real" IT job. While I was here I earned my CCNA R&S, CCNA Security, and finished my Bachelors in IT - Sec. I was promoted to Network Engineer here before I left.

And what did I leave for? My first Security Engineer job! With my background in windows, storage, unix/linux, networking, scripting, etc I had finally gotten enough background experience that someone was willing to take a chance on me. I feel well prepared and enjoy my job a lot. I'd say it was worth it!

UnixGuy

gkca wrote: »

So how do you like security compared to *nix admin stuff?

Much more interesting as I was getting bored with sysadmin/engineering, specially after the introduction of DevOps and the endless stream of tools..Security is very broad and my first security wasn't that good at all, but the second one much better. There are definitley more to be done with security, I just need to upskill to get to those interesting jobs

TechGromit

Luck. I was in the right place at the right time. Also a recommendation from a respected employee helped as well. I had lots of IT experience, but no training or experience in cyber security.

NetworkNewb

Blackmailed the manager of the security team.

Blucodex

Word of mouth there was a company looking, interviewed and landed the job with no titled security experience; just 6 years of systems/network background and a CISSP.

fabostrong

Blucodex wrote: »

Word of mouth there was a company looking, interviewed and landed the job with no titled security experience; just 6 years of systems/network background and a CISSP.

Did you have the actual CISSP title or the associate title at the time?

Blucodex

fabostrong wrote: »

Did you have the actual CISSP title or the associate title at the time?

I've never held the associates title. As soon as I passed the exam I went through the endorsement process. The thing with the CISSP requirements are that a security "title" does not matter for experience. You just need experience in 2 of the 8 domains.

You could be a 5 year veteran of the helpdesk and qualify for the CISSP. The requirements are much more liberal than people believe. I know that's going to really irritate a lot of people but that's the truth.

SpetsRepair

I got really, really lucky in the field and most of it was because this company was growing so much they needed qualified people asap. Basically I am from California and ended up working short term data center, helpdesk contracts and no company really took the time to hire on full time. They would bring a team in and we would work for a few weeks, a month and than we were let go. I ended up in a situation where things were not changing for me and I started to study for certs again to gain a competitive advantage in the field. Within a 4 month period I spent ANY downtime in my life to study for certs, I became certified and within 2 weeks of receiving my CCNA Sec certification I was called about a security analyst role which I did not apply for. I ended up taking the offer and moving to Denver, Co where my journey began. Within a few months on the job I began training other people on how to do certain things with many of our systems, I became the go to guy at the office and ended up getting promoted to security engineer within a few months. I ended up leaving that company, and honestly regret leaving. I am allowed to come back but it probably won't be a engineer position so I'm not going to do it.

Blucodex

SpetsRepair wrote: »

I got really, really lucky in the field and most of it was because this company was growing so much they needed qualified people asap. Basically I am from California and ended up working short term data center, helpdesk contracts and no company really took the time to hire on full time. They would bring a team in and we would work for a few weeks, a month and than we were let go. I ended up in a situation where things were not changing for me and I started to study for certs again to gain a competitive advantage in the field. Within a 4 month period I spent ANY downtime in my life to study for certs, I became certified and within 2 weeks of receiving my CCNA Sec certification I was called about a security analyst role which I did not apply for. I ended up taking the offer and moving to Denver, Co where my journey began. Within a few months on the job I began training other people on how to do certain things with many of our systems, I became the go to guy at the office and ended up getting promoted to security engineer within a few months. I ended up leaving that company, and honestly regret leaving. I am allowed to come back but it probably won't be a engineer position so I'm not going to do it.

Way to take initiative and grab an opportunity. I've worked with too many (being one myself at one point) people who think punching in a clock every day is going to land them a good opportunity. You have to put in work and pay your dues.

UnixGuy

SpetsRepair wrote: »

.... I ended up leaving that company, and honestly regret leaving. I am allowed to come back but it probably won't be a engineer position so I'm not going to do it.

Awesome story. Why do you regret leaving?

Remedymp

Very interesting article posted on ISC2: https://www.isc2.org/infosecurity-professional-insights.aspx#5minutes