Approaching InfoSec with a Business Background

Hey guys,

I'm a bit new here so hopefully I won't get bashed for this question...

I just graduated from college (BS in Finance/Accounting) and will be working for a public accounting firm. As of last summer, I recently became interested in information security. This was primarily during my internship where I had the chance to work with a higher up in the firm who's involved in information security services.

Right now I'm studying for the CPA exam, but after that I think I want to tackle some IT certs and try to get involved with the infosec group at my firm again.

My IT background is very limited, but after some research I do understand the kind of foundation required to approach information security.

Most suggested paths I see in this forum are for people who already have in-depth IT experience/education, but is there an approach for people who have a different background?

Find more posts tagged with

Comments

loneferret

I would suggest strengthening your overall knowledge of IT, before going into InfoSec.
Take some programming/networking classes... grab some good books. Get familiar with different operating systems such as Windows and Linux.

Don't know if I'm saying this correctly, but one doesn't "start" in Infosec. They usually go into it after have some level of experience in IT before making the jump into this weird and wonderful thing called security.

*coffee time...darn it.

ptilsen

I don't see any problem with applying a business or financial background to infosec. Now you probably aren't going to to be doing more technical work such as configuring firewalls, hardening servers, penetration testing, etc. Even with certifications and a broader technical background you simply wouldn't be qualified for that, certainly not right of that bat. Coming from a business background, you will want to steer more towards security management. You will still need some tech background, and for that I would specifically recommend you pursue Net+ and Security+. They will give you the bare minimum foundation you'd need to get started on this path. It's definitely still worth familiarizing yourself with Windows and Linux technologies and how they're used, but I wouldn't start towards any certifications on them.

The trick is going to be getting your foot in the door and getting to that management position without taking a detour into some technical areas that aren't security related. I don't have any specific suggestions there other than getting those two certifications as a foundation. Once you get to the point of doing security management, risk analysis, or something of that nature, your business/accounting background will be helpful, if anything.

tpatt100

I think you might end up looking at IT from an IT-Security-Audit perspective. General IT background with an emphasis in Legal-Regulatory Compliance-Security Regulations. (If that makes sense).

loneferret

Oh boy, hope I didn't sound like I was saying you couldn't do.. no no..
Having a good solid business background is good, gives you another perspective that other IT people would never consider. I still believe you would need to get more IT training. As mentioned above Sec+/Net+.. I'd even add Linux+ but that's me.

Like ptilsen and tpatt100 makes perfect sense. Get some training/knowledge (practical not just theory), foot in door and go from there.
Good luck.

*ok too much coffee now.

JDMurray

A problem with a lot of InfoSec folks that they don't have any business skills, so they don't understand how security solution must make TCO and ROI sense. Sure, financial people usually end up in the auditing and forensics end of InfoSec, but there is plenty of need for people who understand business operations in risk management and proactive business continuity planning too.

frobro989

Thanks for the responses so far.

I believe I can get a bit of hands on work through my future employer (they offer an IT audit training program) which will help with technical experience.

I was considering graduate school for a bit, but realized that it would be more economical and beneficial for me to learn things on my own through internet resources and hands on training through work.

From what I've seen so far I need to look into Net+, Sec+, and Linux+.

JD, you mentioned business continuity and and risk management. With these being a forum for exams and certs, would you mind explaining which cert(s) are primarily required/needed for this? I'm assuming CISA, CISSP, CISM, and CRISC to name a few, along with good, hands on experience.

JDMurray

Certs required by hiring managers for RM and BCP jobs? Get thee to Monster and Dice, search for the jobs you are most interested, and glean for what certs are the most sought! I think you'll find that a business InfoSec person can't go wrong with the CISSP/CISA/CISM hat trick. (Be sure to check the professional work experience requirement for each cert you seek.)

frobro989

Will do. I've looked around at positions open at the Big 4 accounting firms as well as some consulting companies and found the CISSP and CISM to be quite popular. So I think I'll try to tackle all 3 (in the future of course).

I think that will open me to a lot of areas such as RM/BCP and audit/forensics.

Still having trouble on a clear path to these though.

Here's what I've come up with so far...

Network+
Linux+
Sec+
.
.
.
.
.
.
CISSP
CISA
CISM

Not sure what to do in between.

Also, another question (I have too many of them). How important is programming when it comes to these upper level certs?

paul78

frobro989 wrote: »

How important is programming when it comes to these upper level certs?

Programming itself isnt neccesarily helpful and it depends on the specific topic. Having some software engineering foundational knowledge is always helpful. But many areas of IT do not require it.

With your background, an IT audit career is very achievable. The popular SSAE16 for example largely done by accounting firms who offer IT audit services.

frobro989

paul78 wrote: »

Programming itself isnt neccesarily helpful and it depends on the specific topic. Having some software engineering foundational knowledge is always helpful. But many areas of IT do not require it.

With your background, an IT audit career is very achievable. The popular SSAE16 for example largely done by accounting firms who offer IT audit services.

Gotcha.

I've been watching some intro to programming lectures and I think I'll watch one on object oriented programming before I start tackling an actual language. It's a nice toss up when you spend most of your evening watching a CPA Exam lecture.

JDMurray

The truth is that the high-level InfoSec exams are less technical than you would think. None of them require programming skills unless they are specifiy certifying defensive programmings skills, secure coding practices, etc. Experience with programming comes in very handy with understanding application security issues. Most people never spend a second pondering how software is created or works inside. Knowing how software is designed and implemented helps greatly to understand appsec issues.

frobro989

Didn't think of it that way. I wanted to follow up on a question I had earlier. Im assuming as long as have the general knowledge and get the work experience, I wouldn't need many certs to shoot for the "hat trick". Or am I wrong?

ptilsen

CISSP alone will require four years of experience, and none of them will necessarily be easy to pick up from scratch. In my opinion you would do well to start with some lower-level certs to give you a better foundation.

frobro989

Sorry failed to mention that as well. So I'm assuming Net+, Sec+, Linux+. I assume what to get next is determined by what field I work in/ what job I want?

Also, does anyone have an recommendations on grad school? Not specific schools, but comparing grad school to self educating.

At first I was going to learn things on my own but the more I read this forum the more I think grad school would be beneficial. Just would like 2 cents from someone who has been there before.

Thanks.

GoodBishop

frobro989 wrote: »

Hey guys,

I'm a bit new here so hopefully I won't get bashed for this question...

I just graduated from college (BS in Finance/Accounting) and will be working for a public accounting firm. As of last summer, I recently became interested in information security. This was primarily during my internship where I had the chance to work with a higher up in the firm who's involved in information security services.

Right now I'm studying for the CPA exam, but after that I think I want to tackle some IT certs and try to get involved with the infosec group at my firm again.

My IT background is very limited, but after some research I do understand the kind of foundation required to approach information security.

Most suggested paths I see in this forum are for people who already have in-depth IT experience/education, but is there an approach for people who have a different background?

I would highly recommend the following certs: CISA, for IT auditing. CRISC, for IT risks. CISSP, once you have 5 years exp. And in your case, if you have the CPA, you should look into getting the CITP, as you need a CPA to get that. The CITP Credential

Start with the CISA though, that would be your best bet. Unless, of course, you just want to go pure security, in which case the A+, Network+, and Security+ is your best bet to start out. But why not leverage your background, that's what I say.

frobro989

Thanks for the advice GoodBishop.

I keep thinking that I need to do extra, but the idea of leveraging what I already know sounds more reasonable and realistic.

GoodBishop

frobro989 wrote: »

Thanks for the advice GoodBishop.

I keep thinking that I need to do extra, but the idea of leveraging what I already know sounds more reasonable and realistic.

Sure.

I used to work at a public accounting firm for 7 years, and I just recently was a IT auditor for 2 years - trust me when I say, you're doing pretty good. You have your B.S. in Finance/Accounting, which is awesome. You're studying for the CPA, also awesome. When you have your CPA, you can pretty much find a job anywhere (in accounting, that is). You want to get into IT security, which is a sexy field. I think with your background, here are several possible career paths: IT Auditor, where you get to audit company's IT systems for compliance purposes as a independent third party; IT Risk Analyst, where you determine risk rankings for different parts of IT; IT Financial Analyst, where you budget and project the finances that IT gets from the mothership corporation. You even have the opportunity to get the CITP certification, which gives you street cred in IT with accountants (and their clients).

If you wanted to go pure IT security, there are ways to do it, but you can leverage your background by spending a few years in IT audit or IT risk, and that would help get you on that path. Me, I always loved IT security, still do. I started out in general IT, help desk to be specific, and then got to be a senior IT generalist. Then, I knew that I wanted to go into IT security, but due to unforseen circumstances (got married, moved), had to get "any job", so I got a IT auditor job. Honestly, it was a pain, but I learned a boatload (and started and got through a third of a MBA in the process). I used that experience to get a managerial IT risk job, so it worked out.

Take what you want to do and map it out careerwise, and then implement your plan. It's good stuff.

GoodBishop

frobro989 wrote: »

Also, does anyone have an recommendations on grad school? Not specific schools, but comparing grad school to self educating.

At first I was going to learn things on my own but the more I read this forum the more I think grad school would be beneficial. Just would like 2 cents from someone who has been there before.

Thanks.

As someone who is in grad school and going for a MBA, trust me when I say that grad school (in a employable field, like IT or MBA) is well worth the investment. Almost all of the IT managers here have a masters degree (most of them have MBAs), and if you want to get ahead, it's one of the better ways to do it.

I think if you calculate lifetime earnings as well, you get a extra 500k over your lifetime if you have a MBA. The cost/benefit of getting one is a no-brainer.

I had a IT undergrad degree. When I was taking advanced managerial finance courses, I was like, why didn't I learn this stuff sooner! It's important, useful, and good to know.

Now, since you have a B.S. in accounting and finance, you might want to get a Masters in IT. I don't think you need to get a MBA - get something different to diversify your skillset.

frobro989

The issue with finding a reputable Masters in IT is most of them require a Bachelor's in Computer Science or related field, or an extreme amount of technical experience.

I assume that I need to just wait it out, get the experience, and then grab the graduate degree. Until then I can self study and maybe grab some lower level certs.

beads

Looking at some of the lower level IT certs won't hurt and it will give you a really good feel for the annoyance/difficulty of prepping as well actually sitting for these exams can be. Think doing your CPA over and over again "for fun".

Other than that if you can find a position that will help expand your auditing scope the CISA is a natural fit.

- beads

UnixGuy

What everybody else said. Go the auditing route, and start doing IT audits from there. Think about CISA/CISM, maybe CISSP. and ISO Lead Auditor cert. Work your way up..

frobro989

Thanks for all the help guys. I've decided to do the Masters in IT starting (hopefully) in January when I'm done with the CPA exam, then I'll try to get my foot into the IT audit practice during that time. I'll also try to pick up some certs during the time frame....Net+, Sec+, Linux+, maybe the SSCP.

GoodBishop

Don't forget to stop by in 6 months / 1 year and let us know how you're doing.

We like hearing success stories.

frobro989

Most definitely.

burfect

Curious as to any updates as I think this is a top notch thread.