Completely brand new to information security....career paths?

LockeWiggin83 Member Posts: 28
Ok, I am completely brand-spanking-new to IT security, and I just want to get a measure of where I am, and where I should go.

My story:
I worked for a couple of years after college as a backup technician for a small digital media company. It was pretty dead-end work (seriously, I did nothing 80% of the time), but eventually the company was bought by a much, much larger company, and I got recruited into the infrastructure team, even though I had zero IT experience (except for my one little backup server).

That was about nine months ago. Since then, I've done quite a bit of networking work. Anyway, I *think* I'm about ready to take my CCNA (and hopefully followed very soon after by CCNA Security), but obviously that's just the first step.

The problem is that although I enjoy what I do, I feel little excitement about the subject of networks itself. I want to learn more about networks, but I look at network expertise as a means to an end: essential to understanding the eventual big picture, but not necessarily something that represents what that big picture is.

Security, however, fascinates me because, by its very definition, it involves protecting against or combating a tangible, directed threat perpetrated by thinking humans, rather than protecting against arbitrary technical problems. More than that, I see a security career path as one that emphasizes "big picture" understanding, which I'm quite good at, yet still focuses on a specific overall goal.

The problem I'm facing is that, being so new to IT in general (remember, only nine months' experience, three of which were probationary), I have no sense of context or perspective, especially in the field of information security. I know that security in general is essential, and I know that the general concept of and driving motivation behind information security are things that excite me, but I don't know what specific career paths or specializations I have to choose from, nor do I know what certifications or education will help me along those paths.

Anyway, that's my story. I wanted to hear from some of the people here some of their experiences, and some tips and advice for a brand-new member of the IT community interested in security. I'm especially interested in the (ISC)2 certifications, as well as the value and significance of advanced degrees in information security (I've been looking at the CISSP qualifications). But I need specifics.

And please, if you see me making misconceptions about the field that need to be corrected, say so!

EDIT: Read a few more threads on this forum, and I guess if business continuity is part of the overall security field, then I'm not *totally* new at it. A big part of my current job is planning short- and long-term backup and disaster recovery policies for our new POPs. Still, you know the adage "Prevention is better than a cure"? Disaster recovery to me seems more like a cure, and I think I'd rather be working on prevention.

Comments

  • dynamik Banned Posts: 12,312
    Read through these threads if you haven't: adynamik1's keatron Bookmarks on Delicious (the Adam Sandler one is great for a laugh).

    I'd spend some more time trying to figure out which area of security you'd like to focus on, as our advice to you will probably vary considerably depending on what you want to do. Do you want to do pen testing, work with firewalls, research vulnerabilities, etc.?

    The Security+ is the obvious starting point. However, if you really want to be a master of an area, you're going to need to spend a lot of time developing the fundamentals first. If you just rush into the security arena without understanding how the underlying technology works, you're probably not going to do a very good job. It's difficult to stick through that part because it's not nearly as exciting as the security portion.

    Welcome to the forums :D
  • LockeWiggin83 Member Posts: 28
    I actually have read those threads. Well, except for the "I'm done with Adam Sandler movies" thread.

    I paid the most attention to this thread, which seemed to break down the security roles pretty nicely.

    As should be obvious in my mini-essay above, I'm a "big picture" person, so of all the roles on that thread, ultimately I hope to be the security policy guy, but security assessment also seems very interesting to me. Both, however, strike me as high-level positions that require a good understanding of multiple if not all domains of security. So, I have my end point in mind, just no idea of how to get there.

    As far as certifications, Security+ was one of the ones I was looking at initially, but my colleagues encouraged me to go for CCNA Security instead. What's the difference? I understand that Security+ is vendor-neutral, but as to subject matter, which provides a better foundation?

    Also, what would be the next step? SSCP?

    Note: To me, the certifications are benchmarks along a path, and gateways to subsequent segments. I'm looking for the most comprehensive path, not the quickest one. To be honest, I drink this kind of information like a thirsty camel drinks water, so I'm not worried about how long it might take me.
  • JDMurray Admin Posts: 13,101
    As far as certifications, Security+ was one of the ones I was looking at initially, but my colleagues encouraged me to go for CCNA Security instead. What's the difference? I understand that Security+ is vendor-neutral, but as to subject matter, which provides a better foundation?

    Also, what would be the next step? SSCP?
    Security+ is the standard beginning InfoSec cert. It is a single, vendor-neutral exam. It is recognized by government agencies and other certification vendors, and is actually required for some certs, like HIPAA, and can be used for others, like MCSA: Security and MCSE: Security.

    CCENT>CCNA>CCNA Security is a much more technical certification path. There is much more information to learn and much of it Cisco-specific. People often fail the CCNA exam because they underestimate its difficulty and complexity. Having the Security+ (and SSCP) will help you with the CCNA Security exam, but not the CCENT and/or CCNA exams. And the Cisco ICND1 exam (for CCENT) covers more networking topics than the CompTIA Network+ exam does.
  • dynamik Banned Posts: 12,312
    The Security+ is definitely going to provide the best foundation. The CCNA:S is going to focus on vendor-centric network security. It's not going to give you a broad overview of security like the Security+ will.

    Compare the objectives between the exams:
    CompTIA Certification Exam Objectives
    https://cisco.hosted.jivesoftware.com/community/certifications/security_ccna/iins?view=overview

    I think the CCNA:S is the more prestigious of the two, and it will probably give you a bigger bump career-wise. However, I'd still do the Security+ in addition to it in order to develop a solid security foundation.

    For what you want to do, the CISSP sounds like a good end-goal. Also, you might want to look at some of the management-level certs here: GIAC Certifications

    The SSCP would be another good one to take. It's more technical than the CISSP, so it will probably complement what you're currently doing more than what you want to be doing eventually (but extra knowledge is never going to hurt you). JD refers to it as the Security++.

    Keep in mind that while the SSCP has a one-year requirement and the CISSP has a five-year requirement (with up to one waived for other certs or education), you can still take the exams and become an associate if you don't meet the requirements. I believe you're given six years to meet the CISSP requirements, so if you're in a position where you're building experience (or will be shortly), there's no reason not to go for it (other than building up that foundation first).

    How do you like working with Cisco? I think the best way to get to your desired location is going to be choosing a path (or route if you like puns) and sticking with it. No matter what you do, you'll constantly be exposed to new things and will develop a greater understanding of the overall processes. The important thing is to pick something you find interesting and stick with it. If you like Cisco, take a look at the NP and SP, and possibly even an IE or two if you're feeling ambitious.
  • LockeWiggin83 Member Posts: 28
    JDMurray wrote: »
    Security+ is the standard beginning InfoSec cert. It is a single, vendor-neutral exam. It is recognized by government agencies and other certification vendors, and is actually required for some certs, like HIPAA, and can be used for others, like MCSA: Security and MCSE: Security.
    Aren't the MCSA and MCSE certifications retired now? I was looking at getting an MCP certification, too, but it looks like MCSE and MCSA were replaced by MCITP: Server Administrator and MCITP: Enterprise Administrator, geared towards Server 2008. Are there new security-related Microsoft certifications, too?
    JDMurray wrote: »
    CCENT>CCNA>CCNA Security is a much more technical certification path. There is much more information to learn and much of it Cisco-specific. People often fail the CCNA exam because they underestimate its difficulty and complexity. Having the Security+ (and SSCP) will help you with the CCNA Security exam, but not the CCENT and/or CCNA exams. And the Cisco ICND1 exam (for CCENT) covers more networking topics than the CompTIA Network+ exam does.
    Well, I'm already well on my way to earning my CCNA. It's mostly the terminology that is causing me problems, not the concepts. I learned networking on-the-job, so I have the practical knowledge. I just have to match it to the textbook.
  • LockeWiggin83 Member Posts: 28
    dynamik wrote: »
    The Security+ is definitely going to provide the best foundation. The CCNA:S is going to focus on vendor-centric network security. It's not going to give you a broad overview of security like the Security+ will.

    Compare the objectives between the exams:
    CompTIA Certification Exam Objectives
    https://cisco.hosted.jivesoftware.com/community/certifications/security_ccna/iins?view=overview

    I think the CCNA:S is the more prestigious of the two, and it will probably give you a bigger bump career-wise. However, I'd still do the Security+ in addition to it in order to develop a solid security foundation.
    I'm definitely going to self-study in both, most likely, but I'm only going to choose one for dedicated training (paid for by my company, of course). So it sounds like CCNA Security is the one that'll actually require that kind of dedicated training, because it's more technical? Or I could save that training for the SSCP instead.
    dynamik wrote: »
    For what you want to do, the CISSP sounds like a good end-goal. Also, you might want to look at some of the management-level certs here: GIAC Certifications
    Researching CISSP is what first drew me here.

    I've heard the saying that CISSP is miles wide and an inch deep. That interests me for another reason: if I read a CISSP prep book or a self-study course, will that give me a good overview of security in general? I've read keatron's description of CISSP as the plastic loops that ties the six-pack together, and that interests me, because I've always been a top-down learner, meaning I learn fastest when I have an understanding of the big picture and where my current subject matter fits in. So while I might not qualify for the CISSP certification itself, I'm thinking that studying for the CISSP (or becoming an Associate of CISSP) might be a good way to at least get that overall perspective and accelerate the rest of my learning.
    dynamik wrote: »
    The SSCP would be another good one to take. It's more technical than the CISSP, so it will probably complement what you're currently doing more than what you want to be doing eventually (but extra knowledge is never going to hurt you). JD refers to it as the Security++.
    SSCP is something I'm planning for in the next year, maybe even in the next six months when we make our next training session selections.
    dynamik wrote: »
    How do you like working with Cisco? I think the best way to get to your desired location is going to be choosing a path (or route if you like puns) and sticking with it. No matter what you do, you'll constantly be exposed to new things and will develop a greater understanding of the overall processes. The important thing is to pick something you find interesting and stick with it. If you like Cisco, take a look at the NP and SP, and possibly even an IE or two if you're feeling ambitious.
    I'm not a big fan of Cisco hardware. My experience has chiefly been with Foundry (SX800s, FESXs, and MLXs), which is why I said my problem with the CCNA is mostly with the terminology, not the networking concepts.

    Getting at least one CCIE, however, is one of my goals.
  • RTmarc Member Posts: 1,082
    I'm not a big fan of Cisco hardware.

    Getting at least one CCIE, however, is one of my goals.

    You'll have to learn to love Cisco hardware if you are going to be CCIE.


    The 2003 MCSA/MCSE track has not been retired yet. It will be around for several more years.

    The CCNA:S is going to give you a network-based security foundation; however, it is going to be heavily centric upon Cisco and their hardware/software.

    I always tell people that want to walk down the security path to start in the same spot: Security+. Work your way out from there.
  • dynamik Banned Posts: 12,312
    You certainly don't need a course for the Security+. If I were, I'd try to get a CBT Nuggets annual streaming subscription over a course. You should definitely look into that if you haven't already.

    As far as the MS certs are concerned, the MCSA/E are still alive and well. Server 2003 isn't going anywhere any time soon; they haven't even announced when those tracks are going to be retired.

    I'm going to be working on my CCNA:S and SSCP (along with various others) this year, so definitely stay in touch. Good luck with your journey, and keep us posted! :D
  • JDMurray Admin Posts: 13,101
    Well, I'm already well on my way to earning my CCNA. It's mostly the terminology that is causing me problems, not the concepts. I learned networking on-the-job, so I have the practical knowledge. I just have to match it to the textbook.
    Be sure that you know all of the topics on the CCNA exam's objectives list. It is unlikely that your job's activities have you performing hands-on operations with everything that's covered by the CCNA exam. You will still need to use the Todd Lammle books with hardware (or sims/emus) to learn everything you need. Don't be overconfident that you know what you need to know to pass any Cisco exam or you may be unpleasantly surprised on exam day.

    And yes, start learning to love Cisco hardware and terminology, marketing information, and the GUIs and command line. Otherwise, you'll just be hating what you do for a living.
  • LockeWiggin83 Member Posts: 28
    What about studying CISSP material now, in lieu of Security+, even if I don't plan on getting the CISSP certification for a while? Are CISSP prep guides (like the All-in-One) comprehensive enough to cover *also* Security+ topics in addition to more advanced topics specific to CISSP, or do they start around where Security+ ends?
  • RTmarc Member Posts: 1,082
    Jumping directly to the CISSP material is like jumping to calculus before you know algebra. You need to get the basics down and that foundation settled before you start trying to tackle the more advanced subjects. There is quite a bit of information covered in the CISSP exam that assumes you have exposure to the underlying ideas and theories.

    What's the hang up with starting with Security+? This is the basic, entry-level certification in the security world and where most people do/should start.
  • LockeWiggin83 Member Posts: 28
    RTmarc wrote: »
    Jumping directly to the CISSP material is like jumping to calculus before you know algebra. You need to get the basics down and that foundation settled before you start trying to tackle the more advanced subjects. There is quite a bit of information covered in the CISSP exam that assumes you have exposure to the underlying ideas and theories.

    What's the hang up with starting with Security+? This is the basic, entry-level certification in the security world and where most people do/should start.
    I've got no hang up with it, but I know how my mind works. I learn fastest and retain the most information if I learn from the top-down, not the bottom-up. To use the algebra-calculus analogy, it would be like learning how what I'm studying in algebra ties into what I'm *going* to learn in calculus. Understand?

    Anyway, knowing all the certs is great and all, but what about career paths?
  • dynamik Banned Posts: 12,312
    The Security+ is a relatively comprehensive (albeit light) overview of security. I don't see how that goes against your top-down philosophy.

    Like I said, pick a technology/direction and focus on developing and advancing in that area. Your area of expertise will be small at first, but the breadth will increase as you advance.

    What sort of formal education do you have? You might want to consider pursuing a related graduate degree.
  • LockeWiggin83 Member Posts: 28
    dynamik wrote: »
    The Security+ is a relatively comprehensive (albeit light) overview of security. I don't see how that goes against your top-down philosophy.
    It's not the breadth of the overview I'm looking for, it's the specificity. When I study something, I want to be able to see how it's relevant at all levels of experience and expertise. That means being able to identify a specific practical implementation of the theory at the end point.

    What I wanted to know is if a CISSP prep guide gives that full length of relevance for all the topics covered by Security+, or if it only picks up where Security+ ends.

    Either way, I'm definitely going to try to cover all of my bases and earn the certifications in order. What I'm talking about is the prep work, not the exam.
    dynamik wrote: »
    Like I said, pick a technology/direction and focus on developing and advancing in that area. Your area of expertise will be small at first, but the breadth will increase as you advance.
    Hence why I asked about career paths as well as available certifications.
    dynamik wrote: »
    What sort of formal education do you have? You might want to consider pursuing a related graduate degree.
    Yeah, an advanced degree is something I mentioned in my first post.
  • UnixGuy Mod Posts: 4,570
    I agree that jumping to CISSP is not the smartest thing to do. Even when studying the simplest chapters like physical security, it will be difficult for you to understand why we need to lock racks and what's best to use and when, because you don't really know what's that for, reasoning will be difficult and you will end up memorizing a lot of things instead of understanding, which will be almost useless in scenario based exams.


    My advice, go for CCNA (use Todd Lammle, and any simulator), if you find it difficult then go for Network+

    I also recommend Security+, and Linux+. The MCSA or MCSE depends on your background. You really need knowledge and experience in IT in general to do fine in InfoSec. Just general experience, I'm not talking expert-level experience, just a mid-level one.

    good luck and welcome to the forums
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • LockeWiggin83 Member Posts: 28
    UnixGuy wrote: »
    I agree that jumping to CISSP is not the smartest thing to do. Even when studying the simplest chapters like physical security, it will be difficult for you to understand why we need to lock racks and what's best to use and when, because you don't really know what's that for, reasoning will be difficult and you will end up memorizing a lot of things instead of understanding, which will be almost useless in scenario based exams.
    Ok, that's the answer I was looking for.

    We have a CISSP reference book in our office, but I just ordered Security+ for myself. I just needed to know if it was necessary to spend the extra money. :D
    UnixGuy wrote: »
    My advice, go for CCNA (use Todd Lammle, and any simulator), if you find it difficult then go for Network+
    All I need to do is convince my supervisor to squeeze the $250 needed for the exam into our budget. :)
    UnixGuy wrote: »
    I also recommend Security+, and Linux+. The MCSA or MCSE depends on your background. You really need knowledge and experience in IT in general to do fine in InfoSec. Just general experience, I'm not talking expert-level experience, just a mid-level one.
    Security+ or CCNA Security is my next step after CCNA. I was also considering RHCT and MCITP: Server/Enterprise Administrator, but I haaaate Linux with a passion, and my co-workers have told me that anything I learn while studying for a Microsoft certification, I can learn better and faster on the job.
  • UnixGuy Mod Posts: 4,570
    Start with CCNA then Security+. Then it's up to you to learn Windows Administration or UNIX or Linux Administration or Networking.

    If you work in Windows environment, then you will learn Windows administration quickly, and all you need then is to go for Linux+ or LPI-1 to get the basics of Linux Administration if you want.

    But if you want serious UNIX or Linux Administration skills, then you definitely need a job in a busy *NIX environment to do so, and it is the only way IMHO.

    I recommend you work in the Cisco side or UNIX side, but that's just my personal preference.

    Good luck
  • LockeWiggin83 Member Posts: 28
    UnixGuy wrote: »
    If you work in Windows environment, then you will learn Windows administration quickly, and all you need then is to go for Linux+ or LPI-1 to get the basics of Linux Administration if you want.

    But if you want serious UNIX or Linux Administration skills, then you definitely need a job in a busy *NIX environment to do so, and it is the only way IMHO.
    Yeah, I'm definitely not doing much in terms of Linux/UNIX in my current position. We have a couple of application servers to care for that are Linux, but the vast majority (like, 90%) of our servers are Windows.

    What's the approximate marketshare of Windows vs. Linux/UNIX/anything else in the server market?
    UnixGuy wrote: »
    I recommend you work in the Cisco side or UNIX side, but that's just my personal preference.
    Gee, I wonder why, UnixGuy?
  • UnixGuy Mod Posts: 4,570
    Windows is used more everywhere, but there are fewer UNIX experts, which is why you typically get paid slightly more.

    This is up to you, choose what you like and then from that you can move up to security.

    dice.com can give you a nice overview of salaries and market demands :)
  • LockeWiggin83 Member Posts: 28
    I don't suppose you (or anyone else here) know of any site or resource that gives a good roadmap of infosec career paths? That would be immensely helpful.
  • UnixGuy Mod Posts: 4,570
    Nothing that I know of really, but there are a lot of useful posts in this site.

    The famous certs that I know of are:

    Security+ is your foundation.

    Auditing: CISSP, CISA, CISM

    Management: SSCP, CISSP (although SSCP is more technical)

    Penetration Testing: CEH, OSCP

    Network Security: CCNA Security, CCSP, CCIE: Security

    Firewalls: CCSA (Check Point)

    Forensics: CHFI

    Also, for system admins, there is MCSE Security for MS, Security cert from Red Hat, Security Cert from SUN, etc.

    There are a lot of product certs from McAfee, Norton, Trend Micro....

    You just do some of the certs then get a job with InfoSec, then from that you can move up
  • redgren Member Posts: 21
    I don't suppose you (or anyone else here) know of any site or resource that gives a good roadmap of infosec career paths? That would be immensely helpful.

    I don't know of any "roadmaps" per se, but here is a link that provides an overview of the major security related certifications: http://dmiessler.com/writing/infoseccerts/ A Guide to Information Security Certifications
  • jnwdmb Member Posts: 99
    Very useful information. Thank you
    A+ IT Technician, Network +, Security+
    MCSA:M, MCSE:S
    (MS 270,290,291,293,294,298,299)
    MS Exchange 2003 (70-284)
    MCTS: Server 2K8 Virtualization(70-652 & 70-403)
  • shednik Member Posts: 2,005
    but I haaaate Linux with a passion

    Depending on what you end up wanting to do in InfoSec you better learn to like it or at least have a moderate skill level in this area. MANY tools for security related functions are written for Linux based systems. What do you dislike about Linux so much??
  • Turgon Banned Posts: 6,308
    shednik wrote: »
    Depending on what you end up wanting to do in InfoSec you better learn to like it or at least have a moderate skill level in this area. MANY tools for security related functions are written for Linux based systems. What do you dislike about Linux so much??

    Agree there. UNIX/Linux foundations at least are fundamental for many serious technical security roles. Far too many people advising on platforms they don't understand.
  • Kasor Member Posts: 934
    Can someone tell me a little more about SSCP? I'm still confused after looking at the website...
    Kill All Suffer T "o" ReBorn