IT Audit or IT Security specialist - Career Advice

shreenag Member Posts: 26
Hello all, Need some career advice here...

So I have been involved in IT for the past 8 years and in Infosec for the past 2 years. Earlier I used to be a VoIP Test engineer. Gradually moved into VoIP security and now doing IT audit related activities (remediation, controls testing) for the past 2 years. My concern with IT auditing is that it is more of taking screenshots, reading documents, updating Excel sheets and less of hands-on work.

I am interested in becoming a security specialist but not sure if I can transition into that after nearly 8-10 years of experience.
I am also not sure if I have the required skillset. My technical skill is limited to basic Linux usage, basic pen testing skills, QA skills. I do not have any security product experience. I hold certifications in CCNA, CEH, ISO 27001 Lead Auditor and ISO 27001 Lead Implementer. I wrote the CISSP but failed (668) and am now preparing for the CISA as I am currently working in IT audit.

I want to return to more hands-on work and want to be a specialist rather than an IT sec generalist / IT auditor. My future goal, at least in the next 3-5 years, is to work as a Security Program Manager in core tech companies like Microsoft, Google, Amazon etc., or in IT Security business development in companies like PwC, Deloitte etc.

Could you please let me know:
  • Is it better for me to stick to IT audit / IT sec management, or can I move into some specialist role (like Red Team / Blue Team) after these many years of experience? I feel rather shallow after doing IT audit.
  • Should I continue doing CISA - CISSP - CISM, or should I now focus on GCIH, GCIA, GPEN, OSCP kind of certifications?

Any advice would be appreciated.

Comments

  • K-9 Member Posts: 82
    Do you know the phrase "the grass is always greener on the other side of the fence"? Some jobs look like so much fun until you have to do them day in and day out. I love the technical side of security, but I moved into the audit/managerial/compliance side. The hours and pay are better for me, but I don't love it as much.

    Personally, I don't think you can ever go wrong getting the CISSP and/or CISA no matter what you decide to do. What if you go into full time pen testing and decide you don't like it? Get the CISA and/or CISSP first while you have the experience fresh in your mind. Give yourself options.
  • Info_Sec_Wannabe Senior Member Posts: 416
    shreenag wrote: »
    So I have been involved in IT for the past 8 years and in Infosec for the past 2 years. Earlier I used to be a VoIP Test engineer. Gradually moved into VoIP security and now doing IT audit related activities (remediation, controls testing) for the past 2 years. My concern with IT auditing is that it is more of taking screenshots, reading documents, updating Excel sheets and less of hands-on work.

    Taking screenshots and preparing tons of documentation is a must for IT Auditing, as you must get evidence of controls working as they are supposed to and at the same time document what procedures you performed and the related results.
    shreenag wrote: »
    I am interested in becoming a security specialist but not sure if I can transition into that after nearly 8-10 years of experience. I am also not sure if I have the required skillset. My technical skill is limited to basic Linux usage, basic pen testing skills, QA skills. I do not have any security product experience. I hold certifications in CCNA, CEH, ISO 27001 Lead Auditor and ISO 27001 Lead Implementer. I wrote the CISSP but failed (668) and am now preparing for the CISA as I am currently working in IT audit.

    My case is somewhat similar to yours, as I've been doing mostly IT Audit and just transitioned to InfoSec two years ago. I also plan / intend to transition to a security specialist / analyst role, but I'm only starting to get basic Linux usage and pen testing skills, so you're better off than me in that area. Don't give up. :) There are a couple of zero to hero posts here in TE to give you more inspiration.
    shreenag wrote: »
    • Is it better for me to stick to IT audit / IT sec management, or can I move into some specialist role (like Red Team / Blue Team) after these many years of experience? I feel rather shallow after doing IT audit.
    • Should I continue doing CISA - CISSP - CISM, or should I now focus on GCIH, GCIA, GPEN, OSCP kind of certifications?

    That would really depend on what you want to do. As for me, I've decided to pursue pen testing (but am currently working on the CISSP due to work). Once you've figured it out, the folks here in TE would gladly share their experience and opinions.
    X year plan: (20XX) OSCP [ ], CCSP [ ]
  • shreenag Member Posts: 26
    Thanks Info Sec Wannabe. I had some events happening in the personal space, so I could not visit this forum and this post sooner. I guess both of us are in the same boat. I have the same 3 year goals as you have. Thanks for the guidance.