Getting into Information Security?

I’m 99.9% sure this is the route I want to take now in my IT career. But not so clear on how to start my course. See, I’m confused about getting my foot in the door as a Security Professional. I have about 9 years of IT experience doing various things such as NT/2000 Admin, QA, Web Design -- Intranets, Jr DBA, and now Application Integration. As you can see I have experience with a few things but not security.
I look at the certs available and see that Security+ is the first one I should obtain, but after that, what’s next? The others I found so far require (infosec) experience. So what would be the next path to take after the Security+ cert? I guess I’m tossed up since I don’t have the experience, and wonder how I get my foot in the door working as an InfoSec pro while maintaining my current salary (range). I feel I can offer the above items along with the security if that is possible.
I ask here since I’ve been out of the loop for a while and just not sure where I’m heading in IT, but I’ve always been intrigued by security, hacking, hardware, troubleshooting, and tinkering with computers; I guess this is why I started in the first place. I’ve reached the top, as far as I can go in my current employment, and become unsure about IT, and now need to revive the passion I once had for this industry and get my ass in gear.
Your thoughts, suggestions, cert/reading recommendations would all be greatly appreciated.

Comments
Sun, RedHat, and the 2003 MCSE have security specializations.
You may want to start getting some experience with Cisco and/or other firewall/network appliance vendors.
You should set your sights on the CISSP as your end goal, but that has some fairly rigid requirements. You can pick up the SSCP after one year of experience (or become an associate with either without meeting the requirements).
Check out these posts as well:
http://www.techexams.net/forums/viewtopic.php?p=213741#213741
http://techexams.net/forums/viewtopic.php?p=172435#172435
http://techexams.net/forums/viewtopic.php?t=19563
Thanks dynamik, and I do understand about going CEH possibly next, but other than that it still does not really help. I guess I was hoping some Security experts (or guys/gals with the certs in this arena) may chime in and show how they achieved their positions. For instance if you go for MCSE you basically are going for an Admin / Infrastructure / Windows Server support gig in IT. It’s a broad cert, and security, however, is a little narrower and can be a little more difficult to get your foot in the door. What would help make this easier?
I’ve researched a little last night and figure I just put a plan together and get my Sec+, and possibly the CEH (since I cannot get any more without experience, and quite a bit of money from what I’ve read online) to start with and just look at the different available positions in NYC and see what the employers are looking for these days. Maybe even finish my MCSA (which I’m just not into anymore). I have a diverse background and maybe trying to focus on one thing (security in this case) is not the correct way to go about it. If nothing else with any luck I can get into an organization that allows me the opportunity one day.
Carry this to the logical conclusion, and you realize security is a big, broad subject.
In my experience, you don't get higher level security positions until you prove yourself on platforms. If you don't have advanced skills in any operating system, how are you going to convince potential employers you can secure them?
I would encourage you to develop skills in at least one platform. That would mean go for MCSE, or a Linux cert, whatever.
I would also recommend you begin developing skills in enterprise class firewalls, too.
You're in the position where you need to get experience with security work before you can get the higher level security certifications. That is more product centric knowledge. Do you know how to configure a PIX/SonicWall/NetScreen firewall for example? Do you know how to harden servers of at least one OS platform? Do you know how to assess the security levels of those servers?
From what I've discerned, getting into security is somewhat of a gradual transition. It seems like very few people get security positions right off the bat, and most have to start as systems or network admins and take on more responsibilities over time. Definitely keep reading through the security forums though; there's a wealth of information in there.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
I completed the Security+. Later this year, I'm going to work on the MCSA: Sec and the CCA: Access Gateway.
Not sure when I'm looking to move into InfoSec full time, but I'm laying the groundwork.
Maybe “broad” was the wrong term to use but you have to agree that “security” is more of a niche in IT than Windows (as are security certifications and experience). It’s a specialty and not something an MCSE can walk into. It’s a niche market within IT and requires a broad knowledge of things. This is why I posted, just wanted to get various POVs.
I know I need experience, and knowledge, just wondered how others got there. It’s a mid-career mental block right now and I’m wondering if “specializing” is the key. Thanks again to those posting; I got some good info here.
I like your story… Do you think it's possible to obtain a gig working on more security related items in IT, while pursuing a degree and/or the next levels of MS/Cisco certifications? For instance I have: Security+ certification and I’m an experienced IT guy. No master, but worked on a few things through the years. What role in IT security can I play -- where do I pay my dues? Or is it too soon to even think about it? Like ajs1976 I’m trying to lay down the groundwork and who better to ask than my peers.
I think you're looking at this a bit wrong. I would argue the average MCSE does security work. Patch management involves security. Locking down IIS properly involves security. Setting up security groups and ACLs is security work.
What you're not defining is what security work do you want to do? You obviously want to become a higher level security specialist, but what exactly do you want to do? Implement firewalls? Penetration testing? Auditing? Secure network architecture?
This isn't to start an argument, but it's to point out that what kind of work you want to do years from now should be steering you today. For example, if you want to get into secure network architecture (like recommending what firewall products to institute, where they should be installed, what the policies should be, etc.), you should be gearing up for that by getting experience with firewall products, and learning sound principles of firewall configurations applicable to all firewalls. If you're looking more at auditing, you should be learning OS's, how to evaluate their relative security, the various criteria systems are judged by (CIS, etc.).
This is correct.
And he is also correct in stating that it is something you gradually get into.
I am a security professional. But before this I did: system administration, network administration, and development/coding. Could I do my current job without all of that experience? Sure, but I wouldn't be nearly as capable as I am now.
As a security professional I totally agree with these statements also.
You have to have a really solid grasp on the normal functionality of the systems you're going to secure. If you don't have this how on earth can you pretend that you can lock them down?
And just like Hero states, patch management, account administration, permissions etc. is all security administration. Security covers such a massive amount of things; because of this there are many subcategories of security admin. There are guys who evaluate and secure applications, networks, servers, desktops, physical security; the list goes on and on. And unless you work for a small company you will most likely be doing all of the security stuff. It is good practice to separate these disciplines inside of major corporations. This is done for many reasons. One reason is because the forensic guy has so many logs to go through there is no way he is going to have time to check/change firewall rules. Another reason for this separation is it adds another layer of security. If one person has the power to change firewall rules, review logs, and admin the servers, that person effectively holds the keys to the castle.
My whole point with all of this is find out what part of comp technology is your favorite or you excel at the most. Then learn the security side of that area.
Assuming you don't have a friend that can easily get you such a job, experience is the most important quality to have. Lacking the experience to get an InfoSec job, you will need to use your other skills to get into an organization where, one day, you can move to an InfoSec position. As an IT person in a very large organization, you will have much greater InfoSec-related opportunities than working for small to mid-sized organizations. Also, having the ability to move to a new job rather than staying only where you are increases your opportunities too.