Where to start a career in network security

jamwithash Member Posts: 9 ■□□□□□□□□□
Greetings. I have just learned about this certification, and it looks like just what I was looking for, because I am one year out of college and have decided I would like to pursue a career in network security.

However, I find that I lack the experience in network security required by most job ads I see for gaining experience in network security, and I was wondering if people on this forum had some advice on where to start. I did major in computer science in college, and have experience working basic tech support jobs. I do not have any server administration experience, except for my own personal Linux box which is hardly anything real.

I am in a basic tech job right now. It's a small operation, and I haven't learned anything in the year I've been here. There is not much room for advancement. There is an opening for an assistant sysadmin, but I am under the impression that they want someone with more credentials than I possess (in my estimation they will never find someone so overqualified for not enough money, and in about four or five months they will lower the requirements. But I know I could do the job if they let me).

Even so, this isn't where I want to be. What I would like is to work for some consulting firm or something that has me traveling to various locations across a large geographic region, doing security audits on networks and collaborating with clients' network security staff to build even better security. I'm not even sure if that is a job that actually exists or not, much less know of any companies that do such things, much much less companies willing to take on and train guys who still don't know a whole lot like me.

Does anyone know where I should start with this? Does anyone know of any companies that do such things? Does anyone know the best way to gain the qualifications required to work at such a company? I would really appreciate the advice. I think being a CISSP would be great for me, but I have such a long way to go, I'm not sure how to get there.

Comments

  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,671
    If you are specifically interested in the CISSP certification, the first thing you need is to familiarize yourself with the requirements for attaining the certification. Be sure to especially note the mandatory, verifiable information security-related work experience requirement for the CISSP certification.
  • jamwithash Member Posts: 9 ■□□□□□□□□□
    Yes, I know about the work experience requirement. I am asking for advice about how to get work experience, since I'm assuming most people reading this forum have some work experience in network security. How did you get your experience? What advice do you have for me on getting mine?

    I am looking for a way around the general problem of needing experience to gain experience. Most people's response it seems is "I got lucky." That's fine. Tell me the story of how you got lucky.

    How about this. Does anyone reading this forum participate in the hiring process of security professionals? Interviewing them? How do they get their experience? Is there a general trend in a certification path? Or do people just go crazy with the certifications starting with the easiest and least expensive and work up?
  • seuss_ssues Member Posts: 629
    Unfortunately it's not always easy.

    Most people have to grind it out as a network/system analyst or admin to gain the needed 5 years of experience.

    I'm currently patiently grinding away.
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    I can agree with seuss. It's hard to start right into "security". To be really effective, you must understand the underlying problems faced by admins and/or programmers. Since network security is a fairly new and still developing field, it's made up of many former admins and programmers who, like you, developed an interest in the security field and began to specialize.

    Personally, I wouldn't have a lot of confidence in a "security consultant" who never had the experience of running his own network. I certainly understand exceptions to the rule, but in general I think you have to "practice security" while actually managing a network to see real world problems and how security can affect a production network before you recommend to others how they should secure theirs.

    Now the above was not at all intended to be critical, just my take on your question. :)

    Seuss: please check your messages, I've had a PM sitting in my outbox for you for a couple of days.
    All things are possible, only believe.
  • Schluep Member Posts: 346
    I am in the process of trying to transition from Database to Security. I just sat for the CISSP exam to become an Associate of (ISC)2 since I lack the necessary security related work experience to meet the requirement. I am still awaiting results, but feel confident that I likely passed the exam. I found the preparation for this exam to be very useful in getting a broad overview of the different areas that affect security.

    If you are looking at the certification not from a learning perspective but as a way to get a high paying security job without security experience it is unlikely you will be able to do so with any certification, regardless of how prestigious it is. Certifications can definitely help get your foot in the door however and start earning Security experience somewhere. Meeting and associating with people in IT Security helps a lot as well. I know a gentleman that owns a Security Consulting Firm and another that has been with security for many years at one of the larger corporations in Pittsburgh, as well as a number of other people involved in InfoSec. Many of them I associate with on a regular basis and they know exactly how fluent I am in different areas of InfoSec just from talking with them, as well as where my weaknesses are. This gives me a lot more options than most people when I take the plunge from Database to Security.

    Right now I am still on a learning phase however as I refuse to work for someone if I cannot effectively perform the task initially and be able to very quickly improve to a level where I can outperform others doing similar tasks. I could not accept money for performing a task that I am not fully confident I could perform successfully. I guess this falls more into the Ethics category, but it is why I have not pursued a position in InfoSec that I likely could have already.
  • jamwithash Member Posts: 9 ■□□□□□□□□□
    OK, I see. I can't jump right into security. And I totally get sprkymrk's point. Who wants some snot-nosed kid telling awesome sysadmin guy about how to run his network? I totally get that.

    I'm not asking about how to be a big-shot. I'm not asking about making a lot of money. I'm a single male anti-materialist, I just gotta pay the bills and feed myself, I don't give a crap about making lots of money. What I want is work where I can solve real problems by being innovative and creative, and see the effect my solutions have on the world around me. I have two jobs right now, and one is in tech support, where I solve problems, but they're not always real problems, just problems other people think they have. And I don't solve these by being innovative or creative; I have little license with the methods and resources I can use to solve problems. The majority of my work can be done by a person following a flowchart. And my solutions rarely have any lasting effect on the world around me—I'll be back next week to fix the same problem for the same clients. I am bored as hell, and worse yet there's no room for advancement for the foreseeable future.

    Sorry about the rant. Anyway, fine, I can't jump into being a security consultant. I didn't know that was a "big-shot" sort of gig. What are some jobs that involve a lot of travel and would be a step in the right direction towards gaining the experience needed to be a CISSP? I can handle boring, I just can't handle the lack of potential advancement at my current job.
  • jamwithash Member Posts: 9 ■□□□□□□□□□
    Oh yeah, and I also enjoy a certain amount of urgency in my work. I excel under pressure. I don't want to be constantly under pressure, but I don't want to feel as though I could die and decompose at my desk and no one would notice until the smell got too bad.
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,671
    You haven't mentioned your age, but have you ever considered a career in the military? There are InfoSec opportunities in the Air Force. Use the search feature to find other discussion threads on IT and security in the various branches of the military.
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    I never said "snot nosed kid" once in my post.

    I understand completely where you're coming from. Check into jobs for DISA, CERT or TNOSC on the government side, as they often have entry level network analyst positions that consist of watching IDS alerts and such. Look for jobs in the DC area, I have seen some interesting stuff starting in the high 40's for someone with a degree. Companies that contract to government are good too.

    Is there a specific side of security you are interested in? Virus research, Intrusion Detection, firewalls, forensics?
    All things are possible, only believe.
  • jamwithash Member Posts: 9 ■□□□□□□□□□
    I am 24.

    Every year or so I go, "Hey, what about the military?" I'm pretty good at working within structure set up by other people. I appreciate leadership, and can lead when necessary. I enjoy, to a certain extent, dressing up in uniforms. I am an Eagle Scout, and therefore have a compulsion towards working to fulfill requirements just because they're there. I also ascribe to the motto of "Be Prepared" and would jump at the chance to learn how to manage firearms and hand-to-hand combat.

    [Edit by Webmaster: removed opinions about current wars etc, please, this forum is about IT certifications...]

    [Edit by poster: To summarize, I do not like some of the ways the military has been choosing to spend its time, ergo I do not wish to get IT certifications by joining the military.]

    I am, however, perfectly willing to participate in domestic affairs. I would consider working for the FBI, or the CIA, or even the NSA so long as there was a little field work and it wasn't strictly sitting at a desk. Like I said, I want to travel, and when I said that I was thinking across America, by car, and living out of crappy hotel rooms and apartments for a few weeks at a time. Right now I'm committed to the travel part, because you're only a single male college graduate maybe once in a lifetime and I want to move around and see things before I settle down.
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,671
    Hmmm...you like structure, you want to travel, and are not crazy about how the U.S. military is currently being utilized. How about the Peace Corps? I'm pretty sure they'd ship a guy like you all over the planet to both fix and teach people about computers. I'd look into the PC myself if I didn't have the wife/kids/mortgages thing going right now (...and forever).
  • buulam Member Posts: 55 ■■□□□□□□□□
    I am a Security Consultant, feel free to PM me...
    Currently working on:
    CCNP (BCMSN, ONT, ISCW completed)
    HP ASE ProCurve Networking (BPRAN, Security completed)
  • jamwithash Member Posts: 9 ■□□□□□□□□□
    The Peace Corps? Brilliant! Well, except that I want to stay here in the U.S. So I'll check out AmeriCorps. I know lots of people who have done things through them, but nothing that's involved traveling all over the place. That's a great suggestion, though.
    sprkymrk wrote:
    Is there a specific side of security you are interested in? Virus research, Intrusion Detection, firewalls, forensics?

    I would say intrusion detection and forensics.
  • Cherper Member Posts: 140 ■□□□□□□□□□
    The problem with AmeriCorps is that they don't really pay anything. There are a few of them here where I live that work at a place that recycles computers and gives them to seniors and low income folks. If you can afford to live on a small stipend not a bad deal, but around here they don't do anything with security.
    Studying and Reading:

    Whatever strikes my fancy...
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,671
    I was suggesting joining the Peace Corps as a corporate employee and not as a volunteer. They seem to be an organization that would require a lot of travel from their IT people.
  • jamwithash Member Posts: 9 ■□□□□□□□□□
    So instead of joining the Peace Corps you mean get a job with the Peace Corps.

    As to what Cherper said, I know that AmeriCorps pays crap. I know someone who is working for them and eating using food stamps. However, if she sees her commitment through (she's in a program in schools that lasts until the summer) she gets a $5000 student loan credit, and when you add that onto her stipend it's not that different than what I get paid now. Plus, working for someone who pays crap but would train me would be better than someone who pays OK but doesn't.

    And Cherper, do you have the Star of Life avatar because you're an EMT or something?

    What do you guys think of this? Would you say it's a decent start or would you say don't even bother, there are better moves to make?
  • Cherper Member Posts: 140 ■□□□□□□□□□
    jamwithash wrote:
    And Cherper, do you have the Star of Life avatar because you're an EMT or something?

    What do you guys think of this? Would you say it's a decent start or would you say don't even bother, there are better moves to make?

    Once upon a time when you were a small child (God, it has been almost 20 years ago) I was a paramedic. I still keep up on my EMT stuff, but gave up that field when I came to the realization that your back goes out and it really sucks scooping up dumb kids from the pavement. I volunteer on a service as a substitute when the regular crew members are gone.

    As for the internship with New Horizons, it might not be a bad deal. I have found that the quality of the training at NH varies widely from location to location. I would see about sitting in on a class and making sure that you are actually going to get some training, rather than end up doing nothing but helping around the lab for the paying students.
    Studying and Reading:

    Whatever strikes my fancy...
  • jamwithash Member Posts: 9 ■□□□□□□□□□
    Sorry I got busy and let this thread get stale, but I'm not quite done yet.

    As I have been reading and looking at jobs, I was wondering if anyone has some suggestions on perhaps a progression for certifications. I know that technically if I have the experience and take the exam I could just be a CISSP. But that's a pretty big step from where I am, considering I don't seem to have the experience required to get the experience required for the certification, and I'm not sure I even know enough to take a class to study for the exam.

    So has anyone noticed any trends or put any thought into a progression of certifications working up to CISSP? People on these boards are certified out the wazoo. It seems like maybe I would start with something small and somewhat superficial, like the CompTIA Network+ and Security+ (I am judging based on my sole IT cert of A+, for which I didn't even need a class to get). Then perhaps something vendor-specific, like Cisco stuff. Don't get me wrong, I do enjoy the fast track, and would like to get CISSP as quickly as possible since right now it's the one I really care about, but right now it looks to me like scaling a sheer wall. Where are the handholds?
  • ajs1976 Member Posts: 1,945 ■■■■□□□□□□
    Net+ and Security+ would be a good place to start. Along the way, you can figure what areas you may want to specialize in. Then you can move onto the CISSP.
    Andy

    2017 Goals: 1 of 5 courses complete, 0 of 2 exams complete
  • glennrosslee Member Posts: 14 ■□□□□□□□□□
    Geez, you only have an A+ and you are already talking about a CISSP. Get your Net+ and Security+ and then start working on some MS Certs...After these then I would go for CCNA, CCNP and then see from there if I am still keen on security, it takes time. I have over 5 years experience in IT related work and that is but a drop in the ocean. I also would like to be a consultant and do security...etc but I also know that I need to have the hard years behind me to get to where I want to get to. To me it sounds as if you have a pretty bad attitude to your current job, one year and you haven't learned a thing, bored...etc?!? Man, change your attitude, improve your skill set and then talk about security...
    Next up 70-290...Long term (within a year) is Server+, 70-621, 70-291, 70-293, 70-294, 70-298 and Security+
  • jamwithash Member Posts: 9 ■□□□□□□□□□
    glennrosslee wrote:
    Man, change your attitude, improve your skill set and then talk about security...

    Yeah, that's pretty much a summary of what I'm trying to do, thanks.
  • glennrosslee Member Posts: 14 ■□□□□□□□□□
    Your attitude to your current job...You have to crawl before you walk in the world of IT.
    Next up 70-290...Long term (within a year) is Server+, 70-621, 70-291, 70-293, 70-294, 70-298 and Security+