Infosec career advice

Hi,

Looking for some advice here.

Have a genuine interest in Infosec and work it an environment where there is an infosec team but they are non-technical and relies on the operations department to handle the technical side. You can guess Im part of the operations department.

Unfortunately this means ‘official experience infosec wise ‘ we are not directly Infosec so my CV has to reflect this but includes as many bits that relate to security work as possible.

I passed the sec+ way back in 2012 and last year passed the SSCP however even with those plus general security exposure and about 15 years as an admin Im not getting anywhere when applying for Infosec roles.

I don’t really want to have to drop salary ( and don’t believe I should to move into Infosec ) but also accept proven limited experience and in some ways going in at an entry/associate level.

I have the following options open to me and wondered what you guys thought? ( esp. hiring managers )

A) I can complete CompTIA cyber security analyst and certify hopefully ( practical and course/exam paid for by me )

I can complete the EJPT ( junior pentester ) exam and certify hopefully ( practical and course/exam paid for by me )
C) I can go through the KALI course but theres no exam at the end.

What would get me more chance of being in the running?

Thanks for your time.

Find more posts tagged with

Comments

GirlyGirl

triplea wrote: »

Hi,

Looking for some advice here.

Have a genuine interest in Infosec and work it an environment where there is an infosec team but they are non-technical and relies on the operations department to handle the technical side. You can guess Im part of the operations department.

Unfortunately this means ‘official experience infosec wise ‘ we are not directly Infosec so my CV has to reflect this but includes as many bits that relate to security work as possible.

I passed the sec+ way back in 2012 and last year passed the SSCP however even with those plus general security exposure and about 15 years as an admin Im not getting anywhere when applying for Infosec roles.

I don’t really want to have to drop salary ( and don’t believe I should to move into Infosec ) but also accept proven limited experience and in some ways going in at an entry/associate level.

I have the following options open to me and wondered what you guys thought? ( esp. hiring managers )

A)I can complete CompTIA cyber security analyst and certify hopefully ( practical and course/exam paid Go to indeed and report back how many hiring managers or companies are looking for it. I'll wait right here. ..
I can complete the EJPT ( junior pentester ) exam and certify hopefully ( practical and course/exam paid for by me ) Go to indeed and report back how many hiring managers or companies are looking for it. I'll wait right here. ..
C) I can go through the KALI course but theres no exam at the end. It's kids in high school doing that. That can't really be what you think would help you stick out. Please tell me no. You can learn Kali on YouTube for free.

What would get me more chance of being in the running?

Thanks for your time.

beads

Start with the basics and decide WHAT it is you want to do in InfoSec rather than the broad brush stroke of computer security.

tedjames

You may have to look outside your company. In the meantime, getting more practical, hands-on training and experience will help. And definitely don't think you'll have to take a lower salary. If anything, it should go up when you get into security.

Danielm7

triplea wrote: »

I don’t really want to have to drop salary ( and don’t believe I should to move into Infosec ) but also accept proven limited experience and in some ways going in at an entry/associate level.

The above posters are right as well. But wanted to touch on this, if you don't have the experience to get one of these jobs, what makes you think you should get paid just as much as you do in a job you've been doing for 15 years already? FWIW, I took a small cut to change specialties than almost doubled my salary within the next 3 years after.

triplea

GirlyGirl............ Why bother posting? you're not adding anything useful?

To the rest thank you for answering sensibly

The SSCP is often used as a steeping stone to the CISSP and has to be verified by one as actually having a degree of experience and you must also get ISC2 to verify from current CV and domains they relate to.

As I said on a technical scale our infosec team has extremely little in the way of technical ability, management yes, policy writing yes etc. We are responsible for things like firewall ACL's, filtering, technical policies, AV etc. We are all working in an ISO27001 framework company. Part of these duties are part of my admin role, GPO lockdowns for example so I’m not going in fresh faced as such but accept there much to learn hence looking at ejpt and CSA. The reasoning is gainingpractical skill with ejpt and I understand the CSA isn’t just point and click, would be nice to delve further into more logs etc

johndoee

triplea wrote: »

GirlyGirl............ Why bother posting? you're not adding anything useful?

To the rest thank you for answering sensibly

The SSCP is often used as a steeping stone to the CISSP and has to be verified by one as actually having a degree of experience and you must also get ISC2 to verify from current CV and domains they relate to.

As I said on a technical scale our infosec team has extremely little in the way of technical ability, management yes, policy writing yes etc. We are responsible for things like firewall ACL's, filtering, technical policies, AV etc. We are all working in an ISO27001 framework company. Part of these duties are part of my admin role, GPO lockdowns for example so I’m not going in fresh faced as such but accept there much to learn hence looking at ejpt and CSA. The reasoning is gainingpractical skill with ejpt and I understand the CSA isn’t just point and click, would be nice to delve further into more logs etc

I think GirlyGirl gave you solid advice. Don't waste your time on anything that companies are not looking for. Especially if you want your resume to not be in the recruiters/hiring managers recycle bin after they view it. The cybersecurity field is competitive. I will repeat again for you. The cybersecurity field is competitive. IF you can't compete job wise, which you don't have the experience, you must compete in other areas such as certifications and education. IF you can't compete experience and certifications wise you need to reevaluate your agenda. You are especially wasting your time trying to negotiate salary. Every new person has to be able to deliver. If you say you know something you shouldn't need training. If you have worked with Splunk or ArcSight or LogRythm or ACAS or name that SIEM I shouldn't have to teach you. I should (only) have to teach the person that's getting paid less that doesn't have the experience/certifications. You are going to have to bring something to the table in the cyber field. It's hot. Not because it's the only field making money, it's because it's on portrayed in movies and television shows. It's because it's where all the money is allegedly being made. You can't negotiate in the "real world" if your resume doesn't put you in a position to negotiate.

SSCP is ofter used as a stepping stone? Did you get that off of the ISC2 website? The majority of people on the boards didn't use SSCP as a stepping stone. But, I am not going to argue. IF I rent a boat and I am out to catch a fish, I am trying to get the biggest fish I can. The big fish is CISSP. Nothing against SSCP though. It gets you in the ISC2 thinking mind frame.

It is System Administrators doing this:
[FONT=&amp]We are responsible for things like firewall ACL's, filtering, technical policies, AV etc
[/FONT][FONT=&amp]GPO lockdowns[/FONT][FONT=&amp]

I did some of that stated above on the Help Desk.

[/FONT]I guess one companies "infosec" team is another companies system administrators. That is why I think little of titles and more on job descriptions.

Good Luck with whatever you decide.

Ertaz

You've got the experience to go for the CISSP. It's only up to 150 questions now, so it's not the grueling task it once was. Once that's over, Step 1: Figure out what you want to do in security. If it's offensive, just buckle down and do the OSCP. If it's blue team, get a vendor level cert in the discipline you want to be in (SIEM, Vuln Scanner, etc). Go after it.

UnixGuy

I think you have a good technical experience, I think here are your options

1) Apply to as many jobs as possible...you might luck out and get something without a pay cut (probably need to be patient and go through numerous interviews).

2) Work on certifications, finish that CASP/CISSP and eJPT and then move up and more advanced ones as well. You have an excellent background and knowledge as well so the more certs you get the better your chances are

Honestly, the more work you put into those higher level certs the better your chances are

triplea

Hi,

An update and looking for some advice here ( my inner self is already saying it should be a wise choice )

Hopefully Im going to an interview on Friday for the position of IT Security Engineer. Basically they want someone with general 2^nd line support skills and an interest in security.

Cons - The money is roughly the same as my current salary, the only downsides is a week’s loss of holidays, 1k annual bonus, slight loss in pension and a slightly longer working day and some site visits.

Pros – I am literally working in a 2 man team with the security manager. The title change should help my future career ( Im 45 BTW ) and this is a dedicated team.

Job spec is below

This would suite a candidate looking for exposure to a wide range of security applications who would like to drive forward career progression within a dedicated team.

Duties, Responsibilities and Experience:

Monitoring Firewalls (Sonic / Dell)
Event Logging (GFI)
Antivirus (McAfee)
Secure FTP encryption
Manage and implement security backups of systems Incident Management
Data Loss Prevention

Vulnerability Assessment and Remediation
TCP/IP - Networking
Intrusion Detection and Prevention Systems
Web and Email related protocols
Logical Access Management
Identity Management
Threat Assessment
Cryptography

Other Skills & Experience:

Confident, reliable and a good team attitude.
Ability to conduct risk assessments and convey results to stakeholders, compliance and management
A solid understanding of IT Networking concepts and protocols
A good understanding of storage and virtualisation
Excellent written and verbal communication skills
The drive to see delegated tasks through to completion
Ability to run or contribute to complex projects
A team player
The ability to work under pressure.

Be available for on-call duty should security issues occur overnight or over the weekend

Feeling that even if I was there for 2 or 3 years, the direct security experience would be invaluable. Add in a few more certs and I could carry this career on for a long time yet.

Thoughts and of course I have to get it first

ITSec14

That's a broad range of responsibilities, which would be great experience. Even if your pay would stay the same and a few other sacrifices, you would be setting yourself up for big opportunities later on. My last job was my first security position. I stayed for about 14 months then landed my current job making $25k more, but I'm not sure how salary structures are in the UK. My recommendation is look into the IAM space. That is going to be growing immensely in the coming years and companies are paying top dollar for top talent.

triplea

Damn so close

Only 2 off us went through to second interviews and I found out this morning its wasnt me.

Recruiter said there was nothing negative about my interview and it was very positive. They just thought the other person would be a better fit.

Cant ever really tell what swung it but it should be a good confidence boost that I went that for after 11 years with no interview and doing an sysadmin role.