Completely brand new to information security....career paths?
LockeWiggin83
Member Posts: 28 ■□□□□□□□□□
Ok, I am completely brand-spanking-new to IT security, and I just want to get a measure of where I am, and where I should go.
My story:
I worked for a couple of years after college as a backup technician for a small digital media company. It was pretty dead-end work (seriously, I did nothing 80% of the time), but eventually the company was bought by a much, much larger company, and I got recruited into the infrastructure team, even though I had zero IT experience (except for my one little backup server).
That was about nine months ago. Since then, I've done quite a bit of networking work. Anyway, I *think* I'm about ready to take my CCNA (and hopefully followed very soon after by CCNA Security), but obviously that's just the first step.
The problem is that although I enjoy what I do, I feel little excitement about the subject of networks itself. I want to learn more about networks, but I look at network expertise as a means to an end: essential to understanding the eventual big picture, but not necessarily something that represents what that big picture is.
Security, however, fascinates me because, by its very definition, it involves protecting against or combating a tangible, directed threat perpetrated by thinking humans, rather than protecting against arbitrary technical problems. More than that, I see a security career path as one that emphasizes "big picture" understanding, which I'm quite good at, yet still focuses on specific overall goal.
The problem I'm facing is that, being so new to IT in general (remember, only nine months' experience, three of which were probationary), I have no sense of context or perspective, especially in the field of information security. I know that security in general is essential, and I know that the general concept of and driving motivation behind information security are things that excites me, but I don't know what specific career paths or specializations I have to choose from, nor do I know what certifications or education will help me along those paths.
Anyway, that's my story. I wanted to hear from some of the people here some of their experiences, and some tips and advice for a brand-new member of the IT community interested in security. I'm especially interested in the (ISC)2 certifications, as well as the value and significance of advanced degrees in information security (I've been looking at the CISSP qualifications). But I need specifics.
And please, if you see me making misconceptions about the field that need to be corrected, say so!
EDIT: Read a few more threads on this forum, and I guess if business continuity is part of the overall security field, then I'm not *totally* new at it. A big part of my current job is planning short- and long-term backup and disaster recovery policies for our new POPs. Still, you know the adage "Prevention is better than a cure"? Disaster recovery to me seems more like a cure, and I think I'd rather be working on prevention.
My story:
I worked for a couple of years after college as a backup technician for a small digital media company. It was pretty dead-end work (seriously, I did nothing 80% of the time), but eventually the company was bought by a much, much larger company, and I got recruited into the infrastructure team, even though I had zero IT experience (except for my one little backup server).
That was about nine months ago. Since then, I've done quite a bit of networking work. Anyway, I *think* I'm about ready to take my CCNA (and hopefully followed very soon after by CCNA Security), but obviously that's just the first step.
The problem is that although I enjoy what I do, I feel little excitement about the subject of networks itself. I want to learn more about networks, but I look at network expertise as a means to an end: essential to understanding the eventual big picture, but not necessarily something that represents what that big picture is.
Security, however, fascinates me because, by its very definition, it involves protecting against or combating a tangible, directed threat perpetrated by thinking humans, rather than protecting against arbitrary technical problems. More than that, I see a security career path as one that emphasizes "big picture" understanding, which I'm quite good at, yet still focuses on specific overall goal.
The problem I'm facing is that, being so new to IT in general (remember, only nine months' experience, three of which were probationary), I have no sense of context or perspective, especially in the field of information security. I know that security in general is essential, and I know that the general concept of and driving motivation behind information security are things that excites me, but I don't know what specific career paths or specializations I have to choose from, nor do I know what certifications or education will help me along those paths.
Anyway, that's my story. I wanted to hear from some of the people here some of their experiences, and some tips and advice for a brand-new member of the IT community interested in security. I'm especially interested in the (ISC)2 certifications, as well as the value and significance of advanced degrees in information security (I've been looking at the CISSP qualifications). But I need specifics.
And please, if you see me making misconceptions about the field that need to be corrected, say so!
EDIT: Read a few more threads on this forum, and I guess if business continuity is part of the overall security field, then I'm not *totally* new at it. A big part of my current job is planning short- and long-term backup and disaster recovery policies for our new POPs. Still, you know the adage "Prevention is better than a cure"? Disaster recovery to me seems more like a cure, and I think I'd rather be working on prevention.
Comments
-
dynamik Banned Posts: 12,312 ■■■■■■■■■□Read through these threads if you haven't: adynamik1's keatron Bookmarks on Delicious (the Adam Sandler one is great for a laugh).
I'd spend some more time trying to figure out which area of security you'd like to focus on. As our advice to you will probably vary considerably depending on what you want to do. Do you want to do pen testing, work with firewalls, research vulnerabilities, etc.
The Security+ is the obvious starting point. However, if you really want to be a master of an area, you're going to need to spend a lot of time developing the fundamentals first. If you just rush into the security arena without understanding how the underlying technology works, you're probably not going to do a very good job. It's difficult to stick through that part because it's not nearly as exciting as the security portion.
Welcome to the forums -
LockeWiggin83 Member Posts: 28 ■□□□□□□□□□I actually have read those threads. Well, except for the "I'm done with Adam Sandler movies" thread.
I paid the most attention to this thread, which seemed to break down the security roles pretty nicely.
As should be obvious in my mini-essay above, I'm a "big picture" person, so of all the roles on that thread, ultimately I hope to be the security policy guy, but security assessment also seems very interesting to me. Both, however, strike me as high-level positions that require a good understanding of multiple if not all domains of security. So, I have my end point in mind, just no idea of how to get there.
As far as certifications, Security+ was one of the ones I was looking at initially, but my colleagues encouraged me to go for CCNA Security instead. What's the difference? I understand that Security+ is vendor-neutral, but as to subject matter, which provides a better foundation?
Also, what would be the next step? SSCP?
Note: To me, the certifications are benchmarks along a path, and gateways to subsequent segments. I'm looking for the most comprehensive path, not the quickest one. To be honest, I drink this kind of information like a thirsty camel drinks water, so I'm not worried about how long it might take me. -
JDMurray Admin Posts: 13,091 AdminLockeWiggin83 wrote: »As far as certifications, Security+ was one of the ones I was looking at initially, but my colleagues encouraged me to go for CCNA Security instead. What's the difference? I understand that Security+ is vendor-neutral, but as to subject matter, which provides a better foundation?
Also, what would be the next step? SSCP?
CCENT>CCNA>CCNA Security is a much more technical certification path. There is much more information to learn and much of it Cisco-specific. People often fail the CCNA exam because they underestimate its difficulty and complexity. Having the Security+ (and SSCP) will help you with the CCNA Security exam, but not the CCENT and/or CCNA exams. And the Cisco ICND1 exam (for CCENT) covers more networking topics than the CompTIA Network+ exam does. -
dynamik Banned Posts: 12,312 ■■■■■■■■■□The Security+ is definitely going to provide the best foundation. The CCNA:S is going to focus on vendor-centric network security. It's not going to give you a broad overview of security like the Security+ will.
Compare the objectives between the exams:
CompTIA Certification Exam Objectives
https://cisco.hosted.jivesoftware.com/community/certifications/security_ccna/iins?view=overview
I think the CCNA:S is the more prestigious of the two, and it will probably give you a bigger bump career-wise. However, I'd still do the Security+ in addition to it in order to develop a solid security foundation.
For what you want to do, the CISSP sounds like a good end-goal. Also, you might want to look at some of the management-level certs here: GIAC Certifications
The SSCP would be another good one to take. It's more technical than the CISSP, so it will probably compliment what you're currently doing more than what you want to be doing eventually (but extra knowledge is never going to hurt you). JD refers to it as the Security++.
Keep in mind that while the SSCP has a one-year requirement and the CISSP has a five-year requirement (with up to one waived for other certs or education), you can still take the exams and become an associate if you don't meet the requirements. I believe you're given six years to meet the CISSP requirements, so if you're in a position where you're building experience (or will be shortly), there's no reason not to go for it (other than building up that foundation first).
How do you like working with Cisco? I think the best way to get to your desired location is going be choosing a path (or route if you like puns) and sticking with it. No matter what you do, you'll constantly be exposed to new things and will develop a greater understanding of the overall processes. The important thing is to pick something you find interesting and stick with it. If you like Cisco, take a look at the NP and SP, and possibly even an IE or two if you're feeling ambitious. -
LockeWiggin83 Member Posts: 28 ■□□□□□□□□□Security+ is the standard beginning InfoSec cert. It is a single, vendor-neutral exam. It is recognized by government agencies and other certification vendors, and is actually required for some certs, like HIPAA, and can be used for others, like MCSA: Security and MCSE: Security.CCENT>CCNA>CCNA Security is a much more technical certification path. There is much more information to learn and much of it Cisco-specific. People often fail the CCNA exam because they underestimate its difficulty and complexity. Having the Security+ (and SSCP) will help you with the CCNA Security exam, but not the CCENT and/or CCNA exams. And the Cisco ICND1 exam (for CCENT) covers more networking topics than the CompTIA Network+ exam does.
-
LockeWiggin83 Member Posts: 28 ■□□□□□□□□□The Security+ is definitely going to provide the best foundation. The CCNA:S is going to focus on vendor-centric network security. It's not going to give you a broad overview of security like the Security+ will.
Compare the objectives between the exams:
CompTIA Certification Exam Objectives
https://cisco.hosted.jivesoftware.com/community/certifications/security_ccna/iins?view=overview
I think the CCNA:S is the more prestigious of the two, and it will probably give you a bigger bump career-wise. However, I'd still do the Security+ in addition to it in order to develop a solid security foundation.For what you want to do, the CISSP sounds like a good end-goal. Also, you might want to look at some of the management-level certs here: GIAC Certifications
I've heard the saying that CISSP is miles wide and an inch deep. That interests me for another reason: if I read a CISSP prep book or a self-study course, will that give me a good overview of security in general? I've read keatron's description of CISSP as the plastic loops that ties the six-pack together, and that interests me, because I've always been a top-down learner, meaning I learn fastest when I have an understanding of the big picture and where my current subject matter fits in. So while I might not qualify for the CISSP certification itself, I'm thinking that studying for the CISSP (or becoming an Associate of CISSP) might be a good way to at least get that overall perspective and accelerate the rest of my learning.The SSCP would be another good one to take. It's more technical than the CISSP, so it will probably compliment what you're currently doing more than what you want to be doing eventually (but extra knowledge is never going to hurt you). JD refers to it as the Security++.How do you like working with Cisco? I think the best way to get to your desired location is going be choosing a path (or route if you like puns) and sticking with it. No matter what you do, you'll constantly be exposed to new things and will develop a greater understanding of the overall processes. The important thing is to pick something you find interesting and stick with it. If you like Cisco, take a look at the NP and SP, and possibly even an IE or two if you're feeling ambitious.
Getting at least one CCIE, however, is one of my goals. -
RTmarc Member Posts: 1,082 ■■■□□□□□□□LockeWiggin83 wrote: »I'm not a big fan of Cisco hardware.
Getting at least one CCIE, however, is one of my goals.
You'll have to learn to love Cisco hardware if you are going to be CCIE.
The 2003 MCSA/MCSE track has not been retired yet. It will be around for several more years.
The CCNA:S is going to give you a network-based security foundation, however, it is going to be heavily centric up on Cisco and their hardware/software.
I always tell people that want to walk down the security path to start in the same spot: Security+. Work your way out from there. -
dynamik Banned Posts: 12,312 ■■■■■■■■■□You certainly don't need a course for the Security+. If I were, I'd try to get a CBT Nuggets annual streaming subscription over a course. You should definitely look into that if you haven't already.
As far as the MS certs are concerned, the MCSA/E are still alive and well. Server 2003 isn't going anywhere any time soon; they haven't even announced when those tracks are going to be retired.
I'm going to be working on my CCNA:S and SSCP (along with various others) this year, so definitely stay in touch. Good luck with your journey, and keep us posted! -
JDMurray Admin Posts: 13,091 AdminLockeWiggin83 wrote: »Well, I'm already well on my way to earning my CCNA. Its mostly the terminology that is causing me problems, not the concepts. I learned networking on-the-job, so I have the practical knowledge. I just have to match it to the textbook.
And yes, start learning to love Cisco hardware and terminology, marketing information, and the GUIs and command line. Otherwise, you'll just be hating what you do for a living. -
LockeWiggin83 Member Posts: 28 ■□□□□□□□□□What about studying CISSP material now, in lieu of Security+, even if I don't plan on getting the CISSP certification for a while? Are CISSP prep guides (like the All-in-One) comprehensive enough to cover *also* Security+ topics in addition to more advanced topics specific to CISSP, or do they start around where Security+ ends?
-
RTmarc Member Posts: 1,082 ■■■□□□□□□□Jumping directly to the CISSP material is like jumping to calculus before you know algebra. You need to get the basics down and that foundation settled before you start trying to tackle the more advanced subjects. There is quiet a bit of information covered in the CISSP exam the assumes you have exposure to the underlying ideas and theories.
What's the hang up with starting with Security+? This is the basic, entry-level certification in the security world and where most people do/should start. -
LockeWiggin83 Member Posts: 28 ■□□□□□□□□□Jumping directly to the CISSP material is like jumping to calculus before you know algebra. You need to get the basics down and that foundation settled before you start trying to tackle the more advanced subjects. There is quiet a bit of information covered in the CISSP exam the assumes you have exposure to the underlying ideas and theories.
What's the hang up with starting with Security+? This is the basic, entry-level certification in the security world and where most people do/should start.
Anyway, knowing all the certs is great and all, but what about career paths? -
dynamik Banned Posts: 12,312 ■■■■■■■■■□The Security+ is a relatively comprehensive (albeit light) overview of security. I don't see how that goes against your top-down philosophy.
Like I said, pick a technology/direction and focus on developing and advancing in that area. Your area of expertise will be small at first, but the breadth will increase as you advance.
What sort of formal education do you have? You might want to consider pursuing a related graduate degree. -
LockeWiggin83 Member Posts: 28 ■□□□□□□□□□The Security+ is a relatively comprehensive (albeit light) overview of security. I don't see how that goes against your top-down philosophy.
What I wanted to know is if a CISSP prep guide gives that full length of relevance for all the topics covered by Security+, or if it only picks up where Security+ ends.
Either way, I'm definitely going to try to cover all of my bases and earn the certifications in order. What I'm talking about is the prep work, not the exam.Like I said, pick a technology/direction and focus on developing and advancing in that area. Your area of expertise will be small at first, but the breadth will increase as you advance.What sort of formal education do you have? You might want to consider pursuing a related graduate degree. -
UnixGuy Mod Posts: 4,570 ModI agree that jumping to CISSP is not the smartest thing to do. Even when studying the simplest chapters like physical security, it will be difficult for you to understand why we need to lock racks and what's best to use and when, because you don't reallly know what's that for, reasoning will be difficult and you will end up memorizing a lot of thing instead of understanding, which will be almost useless in scenario based exams.
My advice, go for CCNA (use Todd lammle, and any simulator), if you find it difficult then go for Network +
I also recommend Security+, and Linux+. The MCSA or MCSE depends on your background. You really need knowledge and experience in IT in general to do find in InfoSec. Just general experience, I'm not talking expert-level experience, just a mid-level one.
good luck and welcome to the forums -
LockeWiggin83 Member Posts: 28 ■□□□□□□□□□I agree that jumping to CISSP is not the smartest thing to do. Even when studying the simplest chapters like physical security, it will be difficult for you to understand why we need to lock racks and what's best to use and when, because you don't reallly know what's that for, reasoning will be difficult and you will end up memorizing a lot of thing instead of understanding, which will be almost useless in scenario based exams.
We have a CISSP reference book in our office, but I just ordered Security+ for myself. I just needed to know if it was necessary to spend the extra money.My advice, go for CCNA (use Todd lammle, and any simulator), if you find it difficult then go for Network +I also recommend Security+, and Linux+. The MCSA or MCSE depends on your background. You really need knowledge and experience in IT in general to do find in InfoSec. Just general experience, I'm not talking expert-level experience, just a mid-level one. -
UnixGuy Mod Posts: 4,570 ModStart with CCNA then Security+. Then it's up to you learn Windows Administration or UNIX or Linux Administration or Networking.
If you work in Windows environment, then you will learn Windows administration quickly, and all you need then is to go for Linux+ or LPI-1 to get the basics of Linux Administration if you want.
But if you want serious UNIX or Linux Administration skills, then you definitely need a job in a busy *NIX environment to do so, and it is the only way IMHO.
I recommend you work in the Cisco side or UNIX side, but that's just my personal preference.
Good luck -
LockeWiggin83 Member Posts: 28 ■□□□□□□□□□If you work in Windows environment, then you will learn Windows administration quickly, and all you need then is to go for Linux+ or LPI-1 to get the basics of Linux Administration if you want.
But if you want serious UNIX or Linux Administration skills, then you definitely need a job in a busy *NIX environment to do so, and it is the only way IMHO.
What's the approximate marketshare of Windows vs. Linux/UNIX/anything else in the server market?I recommend you work in the Cisco side or UNIX side, but that's just my personal preference. -
UnixGuy Mod Posts: 4,570 ModWindows is used more everywhere, but the number of expertise in UNIX is less that's why you typically get paid slightly more.
This is up to you, choose what you like and then from that you can move up to security.
dice.com can you give you nice overview of salaries and market demands -
LockeWiggin83 Member Posts: 28 ■□□□□□□□□□I don't suppose you (or anyone else here) know of any site or resource that gives a good roadmap of infosec career paths? That would be immensely helpful.
-
UnixGuy Mod Posts: 4,570 ModNothing that I know of really, but there are a lot of useful posts in this site.
The famous certs that I know of are:
Security+ is your foundation.
Auditing: CISSP, CISA, CISM
Management: SSCP, CISSP (althought SSCP is more technical)
Penetration Testing: CEH, OSCP
Network Security:CCNA Security, CCSP, CCIE:Security
Firewalls: CCSA (check point)
Forensics: CHFI
Also, for system admins, there is MCSE Security for MS, Security cert from Red Hat, Security Cert from SUN, ..etc.
There are a lot of products certs from Mcafee, Norton, Trend Micro....
you just do some of the certs then get a job with InfoSec, then from that you can move up -
redgren Member Posts: 21 ■□□□□□□□□□LockeWiggin83 wrote: »I don't suppose you (or anyone else here) know of any site or resource that gives a good roadmap of infosec career paths? That would be immensely helpful.
I don't know of any "roadmaps" per se, but here is a link that provides an overview of the major security related certifications: http://dmiessler.com/writing/infoseccerts/ A Guide to Information Security Certifications -
jnwdmb Member Posts: 99 ■■□□□□□□□□Very useful information. Thank youA+ IT Technician, Network +, Security+
MCSA:M, MCSE:S
(MS 270,290,291,293,294,298,299)
MS Exchange 2003 (70-284)
MCTS: Server 2K8 Virtualization(70-652 & 70-403) -
shednik Member Posts: 2,005LockeWiggin83 wrote: »but I haaaate Linux with a passion
Depending on what you end up wanting to do in InfoSec you better learn to like it or at least have a moderate skill level in this area. MANY tools for security related functions are written for Linux based systems. What do you dislike about Linux so much?? -
Turgon Banned Posts: 6,308 ■■■■■■■■■□Depending on what you end up wanting to do in InfoSec you better learn to like it or at least have a moderate skill level in this area. MANY tools for security related functions are written for Linux based systems. What do you dislike about Linux so much??
Agree there. UNIX/Linux foundations at least are fundamental for many serious technical security roles. Far too many people advising on platforms they don't understand. -
Kasor Member Posts: 934 ■■■■□□□□□□Can someone tell me a little more about SSCP? I'm still confuse after looking at the website...Kill All Suffer T "o" ReBorn