How to get a job in IT security?

zippie666

Hello,

I've just started my career as factory support agent in a service desk for a factory which has over 6000 employees. This means I work with all kinds of OS's such as Windows Server 2003 and 2008, unix, HP OpenVMS, ... and I give support to all productioncritical systems, but I also (out of interest) work on "office related" incidents, although that's not in my scope actually. I've always had an intrest in IT security but I understand getting a job in IT security isn't for starters (I've just worked for almost 6 months now since I graduated).

I currently hold ITIL v3 Foundation, Configuring Windows 7, Windows Server 2008 application infrastructure, Windows Server 2008 network infrastructure and have an exam in 3 weeks for the 70-685 Windows 7 DST exam (rollout of Windows 7 in less than half a year, good excuse for an extra cert )

What certification path do you suggest? A collegue of mine suggests going for an Isaca cert, is that something you guys advise too?

jdancer

Another option is to get a CompTIA Security+ cert. However, if you feel your current certs cover basic security, then go get a GIAC Security Essentials cert. This will be my next security cert once I'm done with my CCNA.

LinuxRacr

Start with the CompTIA Security+ cert. Check out the following thread, and pay close attention to keatron's suggestions...

http://www.techexams.net/forums/security-certifications/28593-security-certification-where-start.html

hiddenknight821

After reading this thread, I just checked the ISC2's website for SSCP, and I ran into this message. Talking about perfect timing!

Note: Effective February 1st 2012, professional work experience requirements for the SSCP will remain one year, but the domains will change. Please refer to the SSCP Candidate Information Bulletin for details.

Valsacar

Working towards CISSP should be your path, of course you'll need experience to get there. When I asked my Security shop of where to go they said since I have Security+ go for CISSP. Their logic was that anything in the middle is mainly a waste of time and the only question people will ask is, when are you getting your CISSP?

I took a boot camp and found the majority of the stuff was covered by Network+ and Security+, since I worked for a few years in application development I found that aspect of it familiar as well. Some military experience helped me with the business continuity aspect (Military calls it continuity of operations), so for me the training was more a refresher and confidence booster.

Question is, what do you want to do? IT Security is a huge field, you have IA, physical security, network security, firewalls, etc. I personally want to move into Network Defense, which is why CEH is on my list for this year (doing CCNA now).

So in short, as far as certs go, do your Network+ and Security+ (could throw in A+ just to get the basic three down) and then go for CISSP as soon as you meet the experience requirements. Anything else in the middle will just help add to your experience and understanding. You also need to pick an area of IT Security you want to work in, which will help you focus the certifications and other training you should be working on.

Diggs3d

Hello all,

Valsacar has made a very good point. Most people that I know that work in IT Security field recommend CISSP. I currently hold SSCP and Security + certs which are good starting points. Hopefully the CISSP will land me an IT Security role.

Good Luck

kurosaki00

Imma hijack this thread, although its about so so the same subject (How to get into IT Security)

Many mentioned working towards CISSP, which I agree.
But how do you get the experience for CISSP if you dont really work in the security field.
I work with cisco ADM and VPNs but most of my daily work is towards stuff outside the security stuff.
Does this kind of experience still counts for CISSP?

the_Grinch

You're making the assumption that you need to have the CISSP in order to get a security position. If you are willing to move, general IT experience and security education should get you into a company. From there it would just be a matter of gaining the experience and then studying for the CISSP.

Valsacar

You also need to understand what the experience requirements are, you don't have to work in IT security to get the experience. Physical security for example is not purely an IT thing, business continuity/disaster recovery is also not. If you've worked in network admin you probably have some experience you can use. Look at the domains, you need experience in those (not all). I bet most people that have worked in IT for a few years have more CISSP experience than they think.

pinkydapimp

Valsacar wrote: »

You also need to understand what the experience requirements are, you don't have to work in IT security to get the experience. Physical security for example is not purely an IT thing, business continuity/disaster recovery is also not. If you've worked in network admin you probably have some experience you can use. Look at the domains, you need experience in those (not all). I bet most people that have worked in IT for a few years have more CISSP experience than they think.

Agreed. I just passed my CISSP exam and am waiting for my endorsement to go through. You only need experience in 2 of the 10 domains. If you work in IT with Active directory for example, you have experience in the Access Controls domian. If you have experience in Network Security or cryptography, then you have your second and thats all you need for a CISSP!

kurosaki00

Thanks for the info guys
I think then I have enough for SSCP, but still need a bit more for CSSP
(Only like 2 yrs of experience)

But thanks a lot, I think in the near future Ill consider SSCP

froufrou123

As many above already mentioned, it depends what do you want to do in IT security. There's auditing, penetration, network security and so on. From what I know about CISSP is that it is not a highly technical cert, it gives you intermediate knowledge of tons of IT security topics making it one of the most ideal choices for management roles.

There's CISA for auditing. Since you're a MS guy, CISA plus windows security may be ideal for you. I think there will be a growing demand for windows security admins in future. You should also look into organization independent certs like RSA for SIEM type of architecture and McAfee Firewall certs for starter.

kurosaki00

froufrou123 wrote: »

I think there will be a growing demand for windows security in the future.

this came to mind


lol

LinuxRacr

I'm currently testing theories in this thread.

docrice

Coming from someone who does "network security" in a somewhat traditional role (firewalls, intrusion detection / prevention, traffic analysis, product evaluations, vulnerability assessment, network design, etc.), I'll add my two cents in saying that while certs are fine and dandy, real qualities that I look for in a candidate is evidence of drive / motivation, ability to keep up with current events, willingness to spend the time to become well-versed in at least one or two areas, and continuous self-investment for improvement. Attitude is also a very key factor when I conduct interviews. At the end of the day you're judged on what you can deliver.

Infosec requires a great wealth of accumulated knowledge and wisdom, at least for my area. Learn all you can about the technologies that interest you and go far beyond the textbook since they only teach you so much. Dig deep, break, fix, break again, and understand the nuances of how it all works under the hood. Grow and harvest a great lab at home. Spend many, many, many, many countless hours reading and learning more.

Always keep asking yourself the question, "But what if...?" You have to forecast how the system can be broken and then understand paths to mitigation. Accept that you're never going to be great at everything. It's ok; I'm relatively lame in all areas but I keep pushing.

I recently interviewed a CISSP for an opening at my company who didn't pass muster. While I can appreciate a certain degree of enthusiasm, he didn't have the self-initiative qualities and demonstrated investment that I'd expect from someone who really, really wants to be in a security position. If someone doesn't have all the raw skills, I at least hope for the right mindset and determination.

Valsacar

docrice wrote: »

Coming from someone who does "network security" in a somewhat traditional role (firewalls, intrusion detection / prevention, traffic analysis, product evaluations, vulnerability assessment, network design, etc.), I'll add my two cents in saying that while certs are fine and dandy, real qualities that I look for in a candidate is evidence of drive / motivation, ability to keep up with current events, willingness to spend the time to become well-versed in at least one or two areas, and continuous self-investment for improvement. Attitude is also a very key factor when I conduct interviews. At the end of the day you're judged on what you can deliver.

Infosec requires a great wealth of accumulated knowledge and wisdom, at least for my area. Learn all you can about the technologies that interest you and go far beyond the textbook since they only teach you so much. Dig deep, break, fix, break again, and understand the nuances of how it all works under the hood. Grow and harvest a great lab at home. Spend many, many, many, many countless hours reading and learning more.

Always keep asking yourself the question, "But what if...?" You have to forecast how the system can be broken and then understand paths to mitigation. Accept that you're never going to be great at everything. It's ok; I'm relatively lame in all areas but I keep pushing.

I recently interviewed a CISSP for an opening at my company who didn't pass muster. While I can appreciate a certain degree of enthusiasm, he didn't have the self-initiative qualities and demonstrated investment that I'd expect from someone who really, really wants to be in a security position. If someone doesn't have all the raw skills, I at least hope for the right mindset and determination.

Given what you say you're looking for, I would think CISSP would fit as a paper requirement to get to the interview stage. Passing that exam shows most of the things you are looking for (much more so than say, Security+). Of course, as your example showed, it doesn't guarantee anything or help someone with really poor interview skills. I got mine because security (network defense specifically, working on some other stuff to have proof of that focus) is where I want to go, and it does take a lot of studying and determination to pass that test.

effekted

docrice wrote: »

Coming from someone who does "network security" in a somewhat traditional role (firewalls, intrusion detection / prevention, traffic analysis, product evaluations, vulnerability assessment, network design, etc.), I'll add my two cents in saying that while certs are fine and dandy, real qualities that I look for in a candidate is evidence of drive / motivation, ability to keep up with current events, willingness to spend the time to become well-versed in at least one or two areas, and continuous self-investment for improvement. Attitude is also a very key factor when I conduct interviews. At the end of the day you're judged on what you can deliver.

Infosec requires a great wealth of accumulated knowledge and wisdom, at least for my area. Learn all you can about the technologies that interest you and go far beyond the textbook since they only teach you so much. Dig deep, break, fix, break again, and understand the nuances of how it all works under the hood. Grow and harvest a great lab at home. Spend many, many, many, many countless hours reading and learning more.

Always keep asking yourself the question, "But what if...?" You have to forecast how the system can be broken and then understand paths to mitigation. Accept that you're never going to be great at everything. It's ok; I'm relatively lame in all areas but I keep pushing.

I recently interviewed a CISSP for an opening at my company who didn't pass muster. While I can appreciate a certain degree of enthusiasm, he didn't have the self-initiative qualities and demonstrated investment that I'd expect from someone who really, really wants to be in a security position. If someone doesn't have all the raw skills, I at least hope for the right mindset and determination.

I may be applying for some security positions if there's opportunity to work remote and if so I hope the interviewer will have your outlook. Over the course of the last year and a half I've put a lot of time and effort into brushing up on various technologies with a focus on security, did a penetration testing course, and have a drive to learn everything I can because the security field really interests me.

If I can get a BA from WGU in 2 years I plan on sitting for the CISSP since having a BA will knock 1 year off the required exp, and by then I'll have 4 years of exp in the various domains.