Security career advice

Hi,

I've been looking to jump over to InfoSec. However although working with the InfoSec guys and being a system admin I am finding it hard to make the transition. There are roles but there not that many without direct experience. ( Im SSCP and Sec+ and help the InfoSec team out a lot but Im still a system admin at the end of the day )

Now the original plan was to do something like a security engineer transition but Im hopefully being offered a Security Officer role ( doing 2nd interview tomorrow as a face to face ). I like many parts of that role but its mainly not technical. Do that role for 18 months and hopefully grab either a cissp or some more tech certs. Hopefully means as an IT Security officer I may bypass the majority of HR filters. Feel I could get some good cross training there as will cover things like DLP etc.

Do you think this is a valid career path or hold on? ( I may well enjoy that role and not want to leave anyway )

Thoughts please?

Find more posts tagged with

Comments

LordQarlyn

LOL, okay first off, the only sure way to bypass the HR filters and especially the ATSs is to find out who the hiring manager is for the position and get in touch with him or her. Even for C-level positions (CIO/CSO/CISO/CTO/CPO), if you apply through the normal process of submitting through ATS, if your background doesn't have the right keywords in the right numbers it won't even get to HR let alone a hiring manager. (naturally people applying for C-level jobs probably already know or can find out who the 'hiring manager' is, usually the CEO or COO, and contact them directly). Virtually everyone knows ATS is broken but its used still because almost every opening these days gets like hundreds or even thousands of applicants and there has to be some way to filter them.

As for your plan, you are at a crossroads right now. As you observed, the Security Officer is less technical and I am guessing more administrative. You seem to be a person who enjoys the hands on (nothing wrong with that BTW, I enjoy hands on). There are career paths that are technical, with Security Architect being the pinnacle and my understanding pays pretty well. If you are really and hands on technical person, look for those jobs. As a Sys Admin, there's lots you can do the harden operating systems and domains and gain infosec experience.

Good luck with what ever route you take.

triplea

Thanks.

Lets see if I ace the interview then decide if that's the job track I really want.

UnixGuy

your plan is really good and not unheard of.

Take the role if you get it, and work on certs on the side as you plan to do. The only thing I suggest you do differently is actually give the role a chance even if it's not very technical, you might enjoy it and learn a lot of new things like governance for example. Take it, work on certs, and be open to the opportunities that this roe might open

Good luck

mikey88

triplea wrote: »

Hi,

I've been looking to jump over to InfoSec. However although working with the InfoSec guys and being a system admin I am finding it hard to make the transition. There are roles but there not that many without direct experience. ( Im SSCP and Sec+ and help the InfoSec team out a lot but Im still a system admin at the end of the day )

I'm a Security Analyst and our team works directly quite a bit with Sys and network teams. Infosec tends to be the end goal for many.. but working closely with System Admins and them seeing what we do day to day... many don't want those responsibilities. (Compliance, paperwork etc)

triplea

Im deffo up for giving it a chance first.

LordQarlyn

mikey88 wrote: »

I'm a Security Analyst and our team works directly quite a bit with Sys and network teams. Infosec tends to be the end goal for many.. but working closely with System Admins and them seeing what we do day to day... many don't want those responsibilities. (Compliance, paperwork etc)

Yep! The paperwork is endless and it must be stayed on top of. Regulations and policies periodically reviewed and updated, systems and configurations as well as users' audited for compliance. Some people prefer this, others prefer the hands on implementation of security. That's why it is good to discover where you stand. Who knows you may find you like it.

JoJoCal19

Going into a non-technical InfoSec role is great way to transition in, and will allow for a move to a more technical role later on if you put in the time to learn the technical skills, and grab some certs. There are many ways to transition in. I was at a large financial firm and made the move from second level desktop support to IAM. From there I've held many roles in InfoSec including a Sr. Security Engineer handling security engineering and architecture.

triplea

Sometimes you just can’t get a break….

I interviewed for a security information officer, really good company, benefits, manager seemed nice.

I did a 20 min phone call with the interviewing manager and that went well, good rapport, can I come in for a face to face?

Did face to face for an hour and everything seemed good, all positive. Only thing I had to raise was that Im working alongside the infosec officer in current company so very aware what he does, reporting, risk registers etc etc. And what would be chased of the technical side for instance because he would be chasing me. Ran through with him that it’s not just IT infosec looks after ( not in a showing off way but just so he knew I knew what we were expecting. He led most of the interview etc which is fine and I was able to mainly answer. I did say though that I didn’t do the job directly and was looking to transition ( hence the running through what I knew ). I also spoke with the companies security engineer who was also there ( he used to be the position Im going for ). I openly discussed with him how a lot of companies wanted to get experience security people in but there were a lot of companies who didn’t want to invest and this was a general problem. The interviewing manager did say in the interview that theres always a few ways to get into that role, mainly from a technical background or auditing. The technical guy also said that that was the problem he found when he went for the information security role so I think he was onside. Manager also seemed happy that I had done security exams off my own back and continued development, also wanted to go for CISSP at some point.

Feedback to recruiter very positive, confident and knowledgeable. Only 3 went through to face to face stage and I was the front runner. Can we have another conversation as hiring manager wants to raise 2 concerns.

Was I happy to go into a non-technical role – may be odd for a bit and take a while to get used to a different mind-set but yes ( I just said yes no problem )
What was I like producing MI and presenting? Said we didn’t really have reason to do that in this role but did produce some stats for things like AV etc. Hadn’t presented and does worry me if it was to a big audience but I do meet new users every day. ( may be something I don’t worry about after a while )

Anyway we had the conversation yesterday for 20 mins and all seemed fairly good. I also spoke to the manager and wanted to run through a few question to check the role was what I thought it was ( it is , same as the security officer in my current job ) and I wanted to make sure I would be happy so I could be a good fit for them. Asked to clarify what a typical week would include ( he replied actually that’s a really good question and ran me through ) The recruiter told me I came across again very confident, enthusiastic and engaging throughout the whole process and how I handled the call ( and would be a good team fit ) but also they are also interviewing someone else and will let me know by mid next week ( managers off til then ). Recruiter also told me they normally just turn people down if they don’t consider a good match for the role. Recruiter had someone else turned away.

Now this other person applied direct apparently and the hiring manager want to see ‘what else was out there’ not from a recruiter. Now if this guy is already an information security officer I suspect they will get it due to already being in the field ( I do see the logic in fairness )

Cheers.

triplea

Hi.

Looks like happy days for me then as they phoned me back and I was offered the job after nearly 3 weeks from face to face interview.

Only slight problem is I got attracted to another job ( whilst this took so long and I thought I was out of the game ) and Im being phone interviewed for that next Tuesday. This one is for security analyst rather than information security officer. Might have a bit more technical in it. Slightly less pay.

Don’t know what to do now…..