Shifting career from IT audit to IT security

Guys just want to hear your opinions in my "career dilemma". Recently, I discovered that my passion is in the field of IT security this is maybe because of the EC-Council training which I attended last year. BTW I'm a CEH(but I don't have any hands-on experience in the field of networking and handling of Operating Systems)...Though security is a part of IT audit, its main focus is more on IT risk management...What I desire is more on the technical side of IT security such as vulnerability assessment, review of firewall logs, etc. In your expert opinions, what are the trainings/courses should I take to reach my goal of shifting to IT security? and can I transfer to the said field with my current experience?

Note: I'm not a Computer Science nor an IT graduate...and my knowledge of IT security is "very basic" and more on theories

Hoping for your guidance

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

paul78

Welcome to TE. I don't run into too many people that come into hands-on IT security from audit. But more so, the other way around. But it doesn't mean thats not possible. Perhaps start with the basics, try a certificate like security+ or if you have the experience - CISSP.

kratosver.1

Thank you so much sir paul78 for the prompt response...Is it possible to go directly to Security+ or should I learn first the basic of networking or learn some programming language? I really don't know where to start

Jasiono

The only thing you need to know network wise for the security+ is the OSI stack, but your study material should go over whatever you need to know. You also need to know what a data packet is and the difference between UDP and TCP. Also port numbers. Otddoesn't hurt to know it but for the exam materials you study from should give you ebough information.

Jasiono

Sorry for the typos. I'm on my phone and it really lags.

paul78

I would agree with Jasiono - starting with Security+ should be pretty straight-forward. It's considered a basic entry-level certification. And the structure of preparing for the certification should start to give you some good insight into IT security. Also, not everything about IT security has to be hand-on - and networking is just one of the many different areas.

kratosver.1

Thank you so much sir paul78 and jasiono for the enlightenment

surely I will consider your advice...Besides the security+ certification what other IT areas should I focus on if I wanted to be on the technical side of IT security?

paul78

Others may have a different idea but I think you are probably better off starting in the more general and broad categories of what is covered in Security+. From there - maybe try to get a job in IT security (whatever you can find) - once you have some exposure, you can then find the niche that interest you.

burfect

I am very interested in this as well. Reason being is because I feel like it might be a quicker path towards IT security, than trying to buildup a bunch of un-related "techie" experience first.

I could be totally off but I am surprised I don't see more people from IT auditing transition in to IT security, or vice versa to be honest.

I'm not too up on the CIISP but would it be possible to achieve that cert if your entire career was IT audit based? And, if so... why don't more people shift from domain to the other more often?

paul78

@burfect - what exactly is your background? I do know people that have qualified as a CISSP with an audit and/or governance background. I suspect the exam was a bit more challenging for them but with hard work - it is possible. A few of the auditors that I encounter during an audit also hold CISSPs.

As for the shift - I expect it's probably preference for the role/function. I know auditors and assessors that really enjoy what they do. That's simply the career choice that fits with them. For me personally, I probably could shift into auditing or third-party assessments as well but that's not my interest and I only support that function tangentially.

burfect

To be honest, my background is simply a BS in CIS (completed last year). I held a IT support gig for a few months where I was literally helping an office of about 10 people, and I currently working in technical sales pertaining to virtualization.

Reason I ask is because I have also had an interest in InfoSec, but sometimes job offers appear and you have to do what's best for you. I have a friend who works in non-IT auditing for healthcare and the CSO at his company comes from a pure IT auditing background and holds a CISSP. Another friend who also works in healthcare in a systems role who's CSO comes from more of a technical side mixed with some auditing, also holding the CISSP.

I seem to see (whether it's linkedin or through networking etc) that a lot of people with IT audit backgrounds hold CISA etc and ultimately the top guys hold a CISSP. Specifically at the big 4 financials.

I guess, considering my background in business and a light technical side, I am wondering if leveraging my background towards an IT audit position might be a better entry point to InfoSec rather than trying to go the pure technical (desktop support etc) route.