Getting your foot in the security door

ptilsen Member Posts: 2,835
Following up on a recent thread, I'm wondering if anyone has any experiences to share in beginning or transitioning to a career/specialization in security?

I'm particularly interested in any experiences switching from systems or networking into full-time security. Whether you moved jobs or moved around within your organization, let's hear your story. What did you do to prepare? What are your job responsibilities?
Working B.S., Computer Science
Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
In progress: CLEP US GOV,
Next up: MATH 211, ECON 352, ICS 340

Comments

  • docrice Member Posts: 1,706
    I didn't read through the referenced thread, but I'll add my two cents since I understand the desire to go the security route but the difficulty in making that transition.

    My climb in the IT space has spanned over a decade and I started at the bottom doing basic PC work, to various added menial low-level fix-it tasks, to enterprise desktop support (company sizes of 300 - 500 employees), then doing general systems and server admin, eventually moving into a role doing a mixture of systems and networking, and now I do full-time security. This is over several organizations in roles including technical (server-side) support for corporate customers and development lab infrastructure support. Almost throughout my career, I have relayed my concerns for various things security in areas that I had an influence in. I approached many topics in this manner (keeping in mind the main business requirements) and people around me took more notice in time.

    Eventually I was doing minor security work including firewall administration, AAA configurations, network traffic baselining, software function auditing, etc. I initiated many of these on my own. It took time, but I also needed that time to naturally evolve from my basic understanding of things to something more refined and deliverable to an audience where it had justification. I probably showed sufficient ambition (volunteering very long hours) that even when I was doing desktop support work, the network admin at the company handed me a Cisco 2900XL to play with, although I had no idea what to do with it at the time. I was even handed Domain Admin membership at one point, although I had no idea what that meant. Clearly they had trust in me for some reason. Perhaps working in smaller companies helps things maintain a fluidity that's much more rare in much larger organizations.

    In the same desktop support role, I was eventually allowed to actually conduct domain credential audits and that's where I first learned the basic nuances of password cracking. I was primarily a Windows guy back then, but I invested a lot of time reading TechNet and whatever docs that provided more insight into how things work under the hood. It's really important to dig if you want to be influential in the security side of things in order to not just understand the why, but be able to relay it to people who aren't familiar with any of the basic concepts.

    For those who are eager to get into security but find the career wall frustrating due to lack of experience, lack of hands-on access or opportunities, my advice is to survey your work environment, your organization's business requirements, perform an assessment on what could be improved security-wise, and volunteer ideas and at the very least just express interest. Don't over-do it, but be honest about your approach. People may or may not notice (many times they might not care), and sometimes you'll need to switch positions and go somewhere else, but once someone picks up the fact that you're strongly motivated and can potentially provide real value, they may be inclined to take a chance on you.

    Opportunities don't come overnight and the reason why security positions "require experience" is because security is fundamentally based on trust. That trust is not handed out easily, especially when all kinds of internal secrets and proprietary information is given to people in these positions. The process and policies are formed to protect the organization's assets and the individuals handling high-value data need to understand the subtleties as well as hold that trust. This is why experience tends to be an emphasized requirement - raw skills alone do not make someone competent. Some degree of professional career maturity normally has to take place before that skill set translates into a natural fluency that's utilized efficiently and effectively and results in polished form.

    I'd fathom that it's probably easier to get into security today than it used to be years ago since there's a growing demand (that is, management is "finally getting it"; or put another way, compliance requirements have made certain things more mandatory). However, us folks in infosec are control freaks by nature and to hand over a portion of that control requires a great deal of trust that the new guy won't screw something up or leak out things inadvertently / intentionally as the risk rises when access to sensitive areas is given to another moving part in the larger people-process machinery of an organization. It's our job to question everything, including existing assumptions, motives, product vendor claims, etc. We guard the gates in our own capacity because depending on our role, we have to be the eyes and ears with the right perceptions for the businesses we work for.

    It's not just education, certs, and experience though. It really helps to have social connections. I've gotten places in my career because I made impressions among peers and people in the right places. These connections are not a requirement by any means, but it does provide a distinct advantage. Spend time getting to know people, and not just to land a job but genuinely help out because you're interested in the larger good. Prove yourself and pay your dues. Professionals who have been there can recognize these traits and once you're at a level where we can accept you, we'll be willing to reach out.

    What we don't like, however, is someone trying to game the system. We'll reject these folks with prejudice because it comes back to that basic principle: trust. We have to believe in not only the skill set you possess, but also your aptitude, willingness, your level of hunger for growth, and amount of self-investment you've made and that you might continue to make because of the dynamic nature of the industry as it is today.

    It seems like a lot of folks think that a few certs is going to land them a job doing security work. Maybe in some cases, but for many of us (myself included, ironically) we look somewhat down on certifications. They're nice achievements, but how someone performs in real life could be a different thing. I've interviewed CISSPs and candidates with strong resumes who flashed their paper credentials and were obviously hoping to make a positive impression (including one candidate who had the ISC2 logo splashed on their first page). I can respect passing the exams, but I'm more interested in tangible qualities such as mindset, what the person's lab at home is like, how well they present themselves in a business environment, how they stay up-to-date on current events (news feeds, etc.), their ability to articulate technical details in an organized fashion, etc.

    Infosec can be very much like IT in that it might involve long hours, but also bear in mind that it's a high-maintenance career. I'm speaking of the typical technical roles so my opinion doesn't necessarily cover all areas in the industry, but from what I've seen you have to spend a lot of your own time staying in touch with the pulse of the industry, constantly evolve your skill set and understanding of the world (and not just of the matrix grid we play in today), as well as continuously deliver and ultimately add value based on your organization's need. It's a balancing act and changes are frequent. Burnout is waiting at every corner.

    Security can be sexy. You look at the kinds of things we deal with and it sounds like fun and games with cyber-toys. We use "attack tools" to perform vuln assessments, leverage "intrusion detection" systems, use load balancers to perform content-switching and enable web-application firewalls, etc. It sure beats doing a few database queries and then performing server maintenance during a scheduled window, right?

    But unless you work for a security consulting company, security specialists are expensive line-items to the bean counters. Security teams tend to be a cost center, and in many places you'll have to justify your position, pay, as well as make the uphill climb selling security to senior management who would rather spend budget on something that shows more obvious returns for the company's bottom line (and investors). That aspect alone makes the work stressful and it's unfortunate, but that's how it is in the corporate world.

    So to wrap-up yet another unnecessarily-long rambling of mine before it gets more out of hand, my advice is to pay your dues. Take the time to mature your fundamentals so they're second-nature. Reach out and establish your own network of peers to exchange ideas and questions. Contribute something to the public good and show that you have value to add. Be able to effectively communicate difficult-to-understand concepts to people who don't know where the "any" key is. Relative to general IT, infosec is a small community and we can be a very discriminating bunch because we don't tolerate inefficiency. There's a lot of cake to eat when you finally get your foot in the door, but only if you know how to chew well.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • ptilsen Member Posts: 2,835
    Great post Docrice, thanks for your input.
  • DevilWAH Member Posts: 2,997
    Docrice, very nice post :)

    I agree security is one you have to work into slowly; you can't afford to make errors in security, especially for larger companies. They can't afford holes in their network, and at the same time it must be flexible enough for their staff's needs.

    So you don't see many security engineers getting to cut their teeth on these kinds of networks, while they are happy to employ newcomers to carry out basic network tasks.

    If your company has a security team, make yourself known. You might find a few good guys in it who are happy to discuss things and maybe even let you get a bit of hands-on under their supervision, especially if at the same time you demonstrate the willingness to learn and get certified.

    Or find a small company who have basic security needs (home/small business setup) and get some experience there.

    Security is still one area that to get to play with the big boys you need to have a lot of experience and to be able to demonstrate your skills when needed; you don't get in by blagging.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.
  • the_Grinch Member Posts: 4,165
    Very great posts here! Not in the security realm yet, but I will add my two cents. Get that foundation in whatever technology you enjoy. Like systems administration? RHCE, MCITP and then start reading all the wonderful material available for securing them. Like networking? CCNA or Juniper, then start reading how to secure it. Same with web applications and whatever other technologies you love. I can admit, out of college I thought for sure my security degree and certs were going to get me a job; they didn't. I came close, but ultimately it wasn't in the cards. But I started getting experience as a JOAT and filling my resume with various technologies, then my resume started to get noticed. Now I showed a foundation in various technologies and the security coursework showed I could handle securing them. Rome wasn't built in a day and as Docrice has shown it will take some time, but with hard work you'll get there.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • Hypntick Member Posts: 1,451
    docrice wrote: »
    Amazing Advice

    Docrice, this right here is exactly the type of thing those of us who are looking to get into security want to read. Very well written and would love to hear more of your thoughts on this.

    In my own experience working for an MSP, yes we do certain security functions, firewall, access control, etc. However we don't have the full package so to speak; for everything else we refer the client to a third party firm. My one thought in all of this was what kind of revenue stream are we giving up by not having this in-house? As of right now I'm pitching the idea to the owners and other managers where I am, they seem highly interested, so I am hopeful in making the jump and possibly starting something great.
    WGU BS:IT Completed June 30th 2012.
    WGU MS:ISA Completed October 30th 2013.
  • ptilsen Member Posts: 2,835
    Hypntick wrote: »
    In my own experience working for an MSP, yes we do certain security functions, firewall, access control, etc. However we don't have the full package so to speak; for everything else we refer the client to a third party firm. My one thought in all of this was what kind of revenue stream are we giving up by not having this in-house? As of right now I'm pitching the idea to the owners and other managers where I am, they seem highly interested, so I am hopeful in making the jump and possibly starting something great.
    Interestingly, this was my own experience except for one difference: the owner was not fully interested. In hindsight, I don't believe it was or is within my organization's abilities to really implement this based on a variety of factors, but mainly our size.
  • vsecgod Member Posts: 48
    docrice wrote: »
    Security can be sexy. You look at the kinds of things we deal with and it sounds like fun and games with cyber-toys. We use "attack tools" to perform vuln assessments, leverage "intrusion detection" systems, use load balancers to perform content-switching and enable web-application firewalls, etc. It sure beats doing a few database queries and then performing server maintenance during a scheduled window, right?

    But unless you work for a security consulting company, security specialists are expensive line-items to the bean counters. Security teams tend to be a cost center, and in many places you'll have to justify your position, pay, as well as make the uphill climb selling security to senior management who would rather spend budget on something that shows more obvious returns for the company's bottom line (and investors). That aspect alone makes the work stressful and it's unfortunate, but that's how it is in the corporate world.

    This. Too many "Noobs" only think about the sexy part of it, and don't realize the whole picture when it comes to business requirements/politics/paperwork/how it translates on paper and business, basically all the negative and non-sexiness stuff (which accounts for the majority of the job) so they are kinda oblivious to what the job actually entails.
  • ptilsen Member Posts: 2,835
    vsecgod wrote: »
    This. Too many "Noobs" only think about the sexy part of it, and don't realize the whole picture when it comes to business requirements/politics/paperwork/how it translates on paper and business, basically all the negative and non-sexiness stuff (which accounts for the majority of the job) so they are kinda oblivious to what the job actually entails.
    Call me crazy, but it's actually this side of security that really interests me. That's not to say I'm not interested in the more "sexy" technical aspects, but things like compliance, policies, documentation, auditing really are what I enjoy. I've been fortunate enough to have the opportunity to do a ground-up PCI compliance project, which was not just the technical implementation, but also the design, the documentation, and working with the vendor to make sure everything met their expectations. I loved every part of it, including the documentation and policies I got to write.

    I had another opportunity to both write and implement a full set of security policies for another organization to meet their customer's requirements. Again, it was a lot of fun, and I enjoyed both the technical and business/legal aspects of it.

    Basically, I'm saying I think paperwork is sexy, and I would never want to work in any technology aspect that I can't tie back to something applicable and beneficial to the organization in question.

    It's really just a question of how to represent and utilize my existing experience and skills more and more, potentially in a full-time security role.
  • ChooseLife Member Posts: 941
    Excellent comments in this thread, thanks to ptilsen for kicking it off and those contributing to it.

    IMO, docrice's post addresses a number of important points about InfoSec, what it takes to get in and succeed. Would be great to see it as a sticky (and make it mandatory reading for anyone opening weekly "Which cert to take to break into security and make $$$ quickly" threads).

    I'm hoping to come back and tell my story one day...
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

  • paul78 Member Posts: 3,016
    docrice wrote: »
    I'll add my two cents since I understand the desire to go the security route but the difficulty in making that transition.
    @docrice – I enjoyed reading about your experience and how you got to where you are. I’m often interested in the varied paths that a career can take.

    My own road into information security is a bit different so I thought that I would share it.

    I started my own career over 20 years ago in tech support but left that job only after 18 months to work as a software engineer. I worked primarily on Unix and VMS developing operating systems utilities. I also had a short stint working on some early mobile applications (pre-Palm). After that, I started managing software development teams working on Windows 3.1 client-server applications. My management experience expanded to also managing infrastructure teams during the dot-com era. And it was during this time that I started to gain a more holistic view of IT as a business support function.

    After the dot-com era, I spent some time consulting and it was during this period that I gained an appreciation of information security as a formal practice. On and off, at various jobs, I would usually play the role of information security SME. At one point, I even started a small security company specializing in IDS management.

    At my current employer, I play the senior information security role. Partly because we are required to have someone in that position – but mostly because it makes good business sense. How I got the job was basically to make a case that the business needed it.

    I often see a lot of threads asking about what cert is best to get into information security. My personal experience – I didn’t hold any certifications until last winter (and some of you probably recall that I am a college drop-out). I sat for the CISSP and CISM because I was curious about the content of the certification. I did it on my own dime and I did not share the existence of my certifications with my employer.
    ptilsen wrote:
    Basically, I'm saying I think paperwork is sexy, and I would never want to work in any technology aspect that I can't tie back to something applicable and beneficial to the organization in question.
    I'm so pleased to see someone else say that. And at some levels, I would agree with you - :D

    As you get into more senior roles, “paperwork” is the job. That could be everything from contract reviews, legal negotiations, governance reviews, audit management and just plain making sure that the risk tolerance is in-line with the security posture. As you noted - not everything about information security is operational in nature.

    My view on information security is that it’s very broad and a lot of what I’ve read on TE assumes that security starts with the networking and systems administration. In my own experience, to execute on a comprehensive security program, a defense-in-depth perspective is required. And to do that effectively, a successful senior practitioner would need to have breadth of knowledge ranging from IT infrastructure (networking and systems administration), application programming, physical security, to legal support. In my opinion, a technology generalist who is aligned to business goals is likely to be able to be more successful.
  • ptilsen Member Posts: 2,835
    paul78 wrote: »
    In my opinion, a technology generalist who is aligned to business goals is likely to be able to be more successful.
    That might be the most encouraging sentence I've ever read on the subject.
  • afcyung Member Posts: 212
    My first advice to anyone interested in getting to a full time security role is make your current job one. This is what I mean by that. If you are help desk and you are out working on someone's computer and you see someone leave their workstation logged in while they go to the restroom or take a break, take some time to educate them on the risk that poses. If you see users sharing passwords or account information, educate them on why that's wrong and report it up your chain of command to help resolve the issue. If you see these types of things and do nothing you aren't interested in security. I always try and tell our help desk people to get involved with security because they are out and about more than anyone else. If you are a network/sys admin then make sure your equipment is locked down as tight as possible. Make securing the equipment your priority, know the NIST pubs and if you are looking for supplemental guidance the DISA STIGs. Stay engaged in the secure implementation of new equipment. If you see insecure implementations of hardware/software work to resolve them. At this point you will be a well-rounded Infosec professional and more than ready to move into a dedicated Infosec spot.
  • docrice Member Posts: 1,706
    An excellent article on this subject over at Ethical Hacker:

    http://www.ethicalhacker.net/content/view/412/24/
  • NetworkingStudent Member Posts: 1,407
    ptilsen wrote: »
    Following up on a recent thread, I'm wondering if anyone has any experiences to share in beginning or transitioning to a career/specialization in security?

    I'm particularly interested in any experiences switching from systems or networking into full-time security. Whether you moved jobs or moved around within your organization, let's hear your story. What did you do to prepare? What are your job responsibilities?


    I’m going to go a different route, and tell you that you should start networking with others in various security groups. Right now I don’t work in security; however, I do belong to the ISSA (Minnesota group) and I do believe that we allow guests to sit in on a few meetings for free. This allows future members to check it out and see if they like it or not. Also, I believe you mentioned that you were in school, so you might be able to get a student discount. We meet every other month, so our next meeting will be in July. It’s in July because in May we have the secure 360 conference. I can email the chapter president on your behalf and see if we can get you into a few meetings. There is a networking hour before each meeting, so it would at least give you a chance to meet others from the security field. Our next meeting is in July.
    There is a MN defcon group that meets once a month or every other month. The leader of the group mentioned at the last MN ISSA meeting that anyone is welcomed to attend this group. It might be worth your time to check it out. They usually test security flaws and work on security projects. I think they would welcome you. It’s at least worth a shot.

    There is another group called the Security Awareness and Education group and it’s free to join. It’s a group that meets and discusses security in a panel type discussion. Mostly they review and talk about security policies. I really wanted to attend this group, but I work night shift, so it’s been hard to make it to one of the meetings. I can send you some info on this group when I get an email about their next meeting. This group usually meets in the morning.

    Then of course there is OWASP, which is free to join, but I believe it’s geared more to developers, programmers, web security, and app security.
    I provided all the links below; I wish you the best on your entry into the security field.

    Minnesota ISSA Chapter

    https://www.owasp.org/index.php/Minneapolis_St_Paul

    DC612 - Minneapolis Defcon 612 Group
    "When one door closes, another opens; but we often look so long and so regretfully upon the closed door that we do not see the one which has opened."

    --Alexander Graham Bell,
    American inventor
  • anothergeek Member Posts: 30
    Recently I got hired to be a security analyst. I have no previous knowledge in security but like most people just applied in entry level jobs to see if I could get in. My old job didn't really have a security group which is weird...but oh well. During my interview I believe they could tell I was really interested and they really questioned me on everything (servers, firewalls, networking, etc.). I'm really excited to learn and my new boss told me there's lots of opportunities to grow within the company...
    GCIH, CEH, CHFI, EDRP, Sec +, ITIL
  • ptilsen Member Posts: 2,835
    The trick is, a well established IT professional typically doesn't want to reboot his or her career by switching to entry-level security. I, for one, don't.
  • doobies Member Posts: 30
    Required Skills:
    • Received a Bachelors in Information Technology, Computer Science or related (within the last 12 months)
    Desired Skills:
    • Experience administering and supporting Windows and one of the following: Apple or Linux based operating systems (e.g. XP, Windows 7, 2003, 2008, OS X) Strong analytical, documentation, and communication skills.
    • Understanding of IDS & IPS technologies
    • Understanding of Windows event log analysis.
    • Experience with enterprise information security data management tools such as ArcSight or Splunk.
    • 1+ years of experience working on computer security team in an IT environment
    • Understanding of network traffic analysis
    • Experience with trouble ticketing and change management tools.
    • Passion for all things information technology and information security
    • Natural curiosity and ability to learn new skills quickly



    LULZ... did you see ArcSight or Splunk? 1+ years of experience working on a cert team... understanding of PCAP... remedy and passion for IS overall. IDS/IPS... and system administration.


    Experience is needed... whether self taught (Splunk is free..., IDS is free... servers are free) or in an internship, campus computer lab admin, or helpdesk... but don't get it twisted.. experience is needed.

    Do you know PCAP?... b/c they want someone who understands it.. you don't get that skillset overnight...
    Grem or die
    cyber is getting spooky.. Too much commercialism spreading sh!t analysis/misinformation.

    whats your plan to fix it..
  • m3zilla Member Posts: 172
    What do you consider a security job? Where I work, we have a department that deals with security policies in terms of what people should or should not be allowed to do. They define the policy, such as who can/can't use USB flash drives, what department can/can't access production servers, etc. They are glorified paper pushers. Then there's the firewall group who build/deploy firewalls for the company and the various branch offices. Last, we have network engineers, who do the day to day work on the firewall, creating rules, tracing logs, etc.

    I think to people new to the field, they think of "security" as they see it on TV, and it's rarely the case.
  • docrice Member Posts: 1,706
    I think most people who are outside of infosec see security as pentesting, intrusion analysis, incident handling, or forensics; anything that involves digital deep inspection and command-line work to find the needle in the haystack. While security work could involve that, security in general involves almost anything from armed (or unarmed) guards, audit and compliance, log management, backups, networks, servers, clients, web application review, firewalls, awareness training, software code reviews, and on and on.

    The traditional cliches of corporate IT security roles are usually about firewalls, IDS, external audits / pentests, and compliance. Every organization breaks it down differently though. Some have more emphasis on technical controls over compliance and vice versa.
  • GoodBishop Member Posts: 359
    ptilsen wrote: »
    Call me crazy, but it's actually this side of security that really interests me. That's not to say I'm not interested in the more "sexy" technical aspects, but things like compliance, policies, documentation, auditing really are what I enjoy. I've been fortunate enough to have the opportunity to do a ground-up PCI compliance project, which was not just the technical implementation, but also the design, the documentation, and working with the vendor to make sure everything met their expectations. I loved every part of it, including the documentation and policies I got to write.

    I had another opportunity to both write and implement a full set of security policies for another organization to meet their customer's requirements. Again, it was a lot of fun, and I enjoyed both the technical and business/legal aspects of it.

    Basically, I'm saying I think paperwork is sexy, and I would never want to work in any technology aspect that I can't tie back to something applicable and beneficial to the organization in question.

    It's really just a question of how to represent and utilize my existing experience and skills more and more, potentially in a full-time security role.
    You might want to look into getting your CISA - they are very useful in getting into that line of work.