Switch from engineering to security - Security+, MTA security fundamentals...? Lost

Titig Member Posts: 5 ■□□□□□□□□□
Hi all,

I am a software engineer with 2 years of experience, and I'm interested in Security.
Actually, I have an opportunity to take an MSc degree in Cyber security (part time) - but as it's quite expensive I want to be sure that I want to pursue a career in security (the degree ends with an internship, which means that I would have to quit my current job).
For that reason, I'd like to take a certification first, to be 100% sure that I'm ready to "sacrifice" 2 years of my life working and studying!
Do you think that the Security+ would be a good one to start? My knowledge of networking is quite bad, so I'm a little bit lost... Maybe I should start with Network+ and then take the Security+ one? What about the MTA security fundamentals?

Thanks ! :)

Comments

  • jibtech Member Posts: 424 ■■■■■□□□□□
    From where you are, the best first step is the CompTIA trifecta. A+/Net+/Sec+. They provide a great foundation around IT in general, from the non-coding side. From there, you will need to decide what aspect of security interests you.

    Red Team: You want to look at things like eJPPT, OSCP, etc. There is also good value in the SANS certs.

    Blue Team: For this approach, you should look more at network security. MCSA/MCSE, CCNA, CCNA:Security, etc.

    The MTA series is an interesting primer, but offers little in the way of recognition or real learning. Most IT folks with a couple years of experience can sit them successfully without studying. The MCSA mentioned above is the real entry point in the MS world. If you are more interested in the Linux world, I would recommend looking at the Linux+ or LPIC series.

    Hope it helps.
  • Titig Member Posts: 5 ■□□□□□□□□□
    Hi Jibtech,
    thanks a lot, yes it helps! :)
    I think I will study for the 3 exams, but I'll only take the Sec+ one (In my head Sec > Net > A so there is no point in paying 1k$ if I only want the Sec+ one).
    Then, and only if I'm still interested, I'll take the MSc! Speaking of which, do you think it's really useful if I already have an IT degree (Bachelor in Business Information Systems)? It's a part-time degree that leads to a 5-month internship, which means that I would have to leave my current job...
  • jibtech Member Posts: 424 ■■■■■□□□□□
    Titig wrote: »
    Hi Jibtech,
    thanks a lot, yes it helps! :)
    I think I will study for the 3 exams, but I'll only take the Sec+ one (In my head Sec > Net > A so there is no point in paying 1k$ if I only want the Sec+ one).
    Then, and only if I'm still interested, I'll take the MSc! Speaking of which, do you think it's really useful if I already have an IT degree (Bachelor in Business Information Systems)? It's a part-time degree that leads to a 5-month internship, which means that I would have to leave my current job...

    My experience has been that companies look for three categories... experience, degree and certifications. The BS:BIS covers the second. The Sec+ starts you off in the third, but it is only a start. I am a big fan of all three CompTIA certs, as they all cover unique areas, especially for people who have less experience. Beyond that, you should be looking to certify the knowledge you have gained. This is where things like the MCSA/MCSE, eJPT, OSCP, etc. all come into play.

    Long story short.... yes, it is all useful.
  • cbdudek Member Posts: 68 ■■■□□□□□□□
    Titig wrote: »
    Hi Jibtech,
    thanks a lot, yes it helps! :)
    I think I will study for the 3 exams, but I'll only take the Sec+ one (In my head Sec > Net > A so there is no point in paying 1k$ if I only want the Sec+ one).
    Then, and only if I'm still interested, I'll take the MSc! Speaking of which, do you think it's really useful if I already have an IT degree (Bachelor in Business Information Systems)? It's a part-time degree that leads to a 5-month internship, which means that I would have to leave my current job...

    It depends on what certifications you have now. If you have none, then getting your Sec+ will help. The A+ and Network+ will also help you since you only have 2 years of experience in the field. If you already have a Bachelor's in IT, then don't push yourself to get another degree right now. As someone who has done hiring and decision making in IT, your current degree is fine. It's the experience and certifications you need to get covered.

    Switching to security now is going to be just fine for you. Taking the Sec+ is a good first step but don't underestimate the other A+ and Network+ to start. Expand your knowledge from there.
  • Titig Member Posts: 5 ■□□□□□□□□□
    Hi all!
    Thanks for your messages, sounds good!

    So I'll take the 3 certifications then. Actually I don't plan on changing jobs for at least 2 years, so I think I've got my plan now!
    1. Taking certifications
    2. Registering for the part-time master's if I'm still interested - the deadline is in 6 or 7 months.
    3. Finding a great internship, which should be 'easy' with my A+/Net+/Security+

    Thanks!
  • N7Valiant Member Posts: 363 ■■■■□□□□□□
    jibtech wrote: »
    From where you are, the best first step is the CompTIA trifecta. A+/Net+/Sec+. They provide a great foundation around IT in general, from the non-coding side. From there, you will need to decide what aspect of security interests you.

    Red Team: You want to look at things like eJPPT, OSCP, etc. There is also good value in the SANS certs.

    That's an interesting cert list. Does one normally transition from whatever the trifecta qualifies you for (all the offers I've gotten are either installing cables or Help Desk) straight to pen testing?

    I just always assumed it was a rather long and tortured path to get to pen testing going from Help Desk to maybe Tier 2 support, then sys admin, then net admin, security analyst, and then maybe you can stick a toe into pen testing.
    OSCP
    MCSE: Core Infrastructure
    MCSA: Windows Server 2016
    CompTIA A+ | Network+ | Security+ CE
  • jibtech Member Posts: 424 ■■■■■□□□□□
    N7Valiant wrote: »
    That's an interesting cert list. Does one normally transition from whatever the trifecta qualifies you for (all the offers I've gotten are either installing cables or Help Desk) straight to pen testing?

    I just always assumed it was a rather long and tortured path to get to pen testing going from Help Desk to maybe Tier 2 support, then sys admin, then net admin, security analyst, and then maybe you can stick a toe into pen testing.

    Realistically, none of it happens in a vacuum, and every situation is unique. I have 20 years in the field, and I knocked out the trifecta this year. At the same time, there are many people coming out of school with a CCNA in hand. It really depends on each person.

    There are a handful of certs that are appropriate for the more junior positions in each area. A/N/S+ is a good example. I also think newer IT folks should look closer at getting an MCP earlier in their careers, even if the MCSA isn't quite within reach. As you progress in your career, document the learning and work on the tests that certify what you have learned. Frankly, the non-security side of IT has a more clear path, and that comes from being more defined over the last 20 years.

    The security side is a bit less defined though. A/N/S+ is a good solid start, but where to go from there? There are certainly some vendor specific certs that would be valuable, depending on what you do/want to do. I personally would look at Wireshark. If you are working on Security Center, then the Tenable certs might be a good path. Ditto for Qualys. From the defensive side of security, the more traditional MCSA/MCSE is a good approach, with CCENT/CCNA being an option if you are touching the network aspect.

    The real difficulty lies in the red team side of security. Traditionally, it is targeted more towards people with several years experience somewhere else, but that is clearly changing. I think there is a great deal of value in starting on some of the certs like the eJPT at an earlier stage, building to some of the more advanced certs as your career progresses.
  • McxRisley Member Posts: 494 ■■■■■□□□□□
    I disagree with the MCSA/MCSE. You don't need those certs to work in security; those really only have value for someone who plans to admin servers or whatever else their MCSA/MCSE is in. What you need to succeed in the security industry is a STRONG sys admin background; don't waste your time on those Microsoft certs. Also, unless you are specifically planning to work in networking, you don't need to go any higher up the never-ending networking cert ladder than the Network+.

    Also, going for a Masters in a field that you haven't even worked in before? That is one hell of a VERY BAD idea.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • duta74 Member Posts: 143 ■■□□□□□□□□
    IMHO, you can omit A+ and start from Network+ and continue to Security+
  • Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    I'd vote for skipping A+ too, and probably N+ as well if you're already a software engineer. Look into the different areas of security, it's a VERY wide field, maybe something using the skills you already have would be interesting to you.

    Start here:
    https://tisiphone.net/2015/11/08/starting-an-infosec-career-the-megamix-chapters-4-5/

    Look over the different types of jobs, maybe something more involving code might be interesting to you. Don't jump right into an MS, don't start taking a pile of certs, figure out what actually interests you first, then make a plan to get there.
  • Titig Member Posts: 5 ■□□□□□□□□□
    McxRisley wrote: »

    Also, going for a Masters in a field that you haven't even worked in before? That is one hell of a VERY BAD idea.

    Hi McxRisley,
    thanks :) Actually the masters is available for people with no prior experience in security as well, and leads to an internship (which gives the "first" security experience).
    But yeah, as I never worked on that kind of stuff before it's really hard for me to know whether I should give it a try or not! Moreover, my current employer won't like the fact that I have to do an internship in another company...
    IMHO, you can omit A+ and start from Network+ and continue to Security+

    Ok! I plan to watch some videos online to check the content of the A+ one, then I'll see whether it's worth it or not. It seems interesting but my employer won't pay for the exams, and it's quite expensive... And I don't really care about the "hardware" part.



  • LordQarlyn Member Posts: 693 ■■■■■■□□□□
    Interesting, because I see a lot of job listings for application security as it relates to software development.
    Anyway, I agree with the consensus, unless you want to start at the very beginning, you can skip A+ and Net+. Decide on the direction you want to pursue information security and take the courses and certs relevant to that.
  • Titig Member Posts: 5 ■□□□□□□□□□
    Danielm7 wrote: »
    I'd vote for skipping A+ too, and probably N+ as well if you're already a software engineer. Look into the different areas of security, it's a VERY wide field, maybe something using the skills you already have would be interesting to you.

    Start here:
    https://tisiphone.net/2015/11/08/starting-an-infosec-career-the-megamix-chapters-4-5/

    Look over the different types of jobs, maybe something more involving code might be interesting to you. Don't jump right into an MS, don't start taking a pile of certs, figure out what actually interests you first, then make a plan to get there.

    Hi Danielm7, thanks for the link! I just read it and I'm wondering, is SECURE DEVELOPMENT a "real" career? I have the feeling that it's part of the software architect developer.
    I'm interested in the Penetration Tester and the secure development jobs :)
    Anyway, I agree with the consensus, unless you want to start at the very beginning, you can skip A+ and Net+. Decide on the direction you want to pursue information security and take the courses and certs relevant to that.
    Ok thanks :D