Certifications?

karlht

I am currently going to school for CIS, and I'm wondering if I can get any certifications that pertain to info. security. I'm new so bear with me if I sound ignorant. If I'm understanding correctly I should get all entry level certs. first? Any help would be greatly appreciated.:D

PC509

Entry Level would be the CompTIA Security+ certification (CompTIA Security+ Certification, Security Certification). Although, you still would need some real world experience to make it valuable. You could also get the A+ and Network+ certifications to go with it.

karlht

Thanks! I actually just ordered those 3 books (mike meyers) the other day so hopefully they'll show up soon. As soon as I get through them I will try to sit for the cert. test. So that's where I start and then I can go from there?

JDMurray

Also use the postings in our SECURITY+ - TechExams.net IT Certification Forums as study material.

Where you go from Security+ depends on what you want to do in InfoSec and what your interests are. InfoSec a vast field of experience ranging from accounting, auditing, and risk management to physical security to software/network security to cryptography. Most people pick one or two areas of specialization and try to make a career of it. Of course, you could also have a non-security related career in which security is just an important part.

karlht

JD, I was reading some of the old posts in the security forum, and came across somethings that you and Keatron were talking about. I didn't realize that you both are the particular field that I want to go into. What really interests me is hacking and network security, but I eventually want to move up the "corporate ladder" and be a CIO. I know, pretty ambitious, but that's how I gotten to the point where I'm at today. I look at all the job postings online and most if not all require 5+ years of experience. How did you break into the field, and how long did it take to get where you are today? I currently am a small business owner, so I guess that's why I want so bad to get ahead. I've even considered going the government route in order to put that on a resume before going into the private sector. Any advice and suggestions would be greatly appreciated. By reading what you and Keatron have to say, I realize that your advice is something to be listened to. Again, thanks.

JDMurray

Well, probably the first thing you need to realize is that there's no standard or typical way to start a career Information Security. The field itself is so diversified that it requires people from all sorts of backgrounds to make it work. Knowing the stories of how hundreds of InfoSec professionals got their start will show that some people, 1) worked long and hard to get a break in InfoSec, 2) were thrust into it by their job requirements, 3) just stumbled into it totally by accident. I'm the #1 case.

In my case, I decided to aim my career in the direction of InfoSec as a reaction to the wave of off-shoring occurring back in 2003-04. Many of the software projects I'd worked on had InfoSec aspects about them, but I never formally work as an InfoSec professional (by the corporate definition). I decided to go back to school and get a Masters in InfoSec, and later the SSCP and CISSP certs (and more still to come).

My lack of formal experience as an IT or corporate InfoSec professional was a bit of a detriment; my area of specialization is application security, and that's a rather small field compared to, say, auditing, risk management, or network security. My resume screams "SOFTWARE ENGINEER!!" and that makes hiring managers reluctant to hire me for non-software development positions. To move into InfoSec, I simply needed to work with what I already was.

For social networking, I attended professional InfoSec organization meetings (ISSA) and eventually found a job posting for a security research engineer that needed to know how to straddle the line between the Engineering and InfoSec departments in a software development company. Unfortunately, the company folded due to the current credit crisis, but it launched me in the direction of a true InfoSec career.

Education, certification, and experience are all very important factors in furthering and changing your career. Two other very important factors that shouldn't be discounted are "who you know" and "luck." Sometimes you know someone who will give you a break, although you may not have the necessary knowledge or experience for the position. This is why you need to do both online and face-to-face networking with people for building relationships and making yourself available when these types of opportunities are offered.

And there's just plain dumb luck. You were the hiring manager's third choice and the first two couldn't accept the job, or the hiring manager is so tired of looking for someone that s/he just takes a chance on you. Or maybe the interviewing team just isn't that proficient at interviewing and they hire you based on unreasonable assumptions they draw during your interview. Whatever--you got lucky and have a chance at a new career because of it.

Unless you have some sort of extraordinary, demonstrable InfoSec talent, you will need a college degree and formal training and work experience in one or more areas that are of use to the InfoSec profession. People who are auditors, accountants, programmers, IT system and network admins, security guards, and mathematicians all have learning that can be used in InfoSec. It's up to you to figure out how to integrate yourself (your experience, your resume, etc.) into the InfoSec profession.

One other thing: You mention starting with the DoD and working towards the private sector. Assuming you don't actually join the military, you might find that you are more valuable to the DoD as a private sector person. DoD shops are now very interested in hiring people with lots of private sector experience (this is how I came to have my present job).

I've repeated a few things that I've said in other posts, I'm sure, but that's basically my experience.

karlht

Thanks for the quick response! I have also thought about continuing my education once I receive my B.A., and going ahead and getting a MS in InfoSec. I'm just trying to get the best job I can get once I finish school, and am slightly disappointed by how few job postings there are that don't require at least 4+ yrs that are under the InfoSec. umbrella. I really appreciate what you had to say, thanks for everything you do on this forum, it really helps us out.

JDMurray

As a student, take advantage of your student discounts for getting books, software, and memberships to professional organizations. The Security+ and SSCP are good certs for people in, or just out of, college. Also check if there are any security-related internships or volunteer positions you can take through your school. Good luck!