Getting out of infosec.

boredgamelad

This is going to sound like crazy talk to anyone who's looking to get into it, but... how do I get out of working in infosec?

A little background: I got into IT through what I called my office monkey job. I was working customer service for a web developer but the sysadmin needed someone to take care of the daily junk like password resets, print server access, file share issues, etc. Fast forward a year and a half and I hadn't done much beyond your basic small network admin. I was going to school at the time so I wasn't actively furthering my career, it was just a job to get by.

Then I moved, and couldn't afford the drive anymore. Which was fine because the experience wasn't all that to write home about. With just my Net+ and Sec+, I got a job with a managed services provider who sold security as a service. Basically remote firewall admin/monitoring with some IDS/IPS incident response. I figured it'd be good to get a few years' experience on the resume and get some exposure to technology above my skill level.

Late 2012 I saw the writing on the wall and figured that job was going to fall through before mid-2013, so in February I moved on (they're shutting down the office in May so good timing on my part). Now I'm working for a consulting company that does penetration testing, compliance audits, device provisioning, and other security consulting. As mentioned in another thread, I was lured in with 1.) good pay and benefits, and 2.) the promise of training, that hasn't really come along and doesn't appear to be coming. People are saying that I should just step up and train myself if I'm passionate about security, but I've been digging and I just don't think I have that passion.

What I really want is to be a network admin/engineer/technician; whatever means more time working on network design/setup/administration. My problem is that since I've spent 3+ years working in a security-focused role, people who are hiring for the jobs I want don't think I'm a match. And I can't blame them; I don't have a lot of dedicated network experience. I know I'm qualified to do the work, it's just that when people look at my resume (recruiters especially) they say "we're not looking for a security guy". I've pigeonholed myself, and I'm not sure how to break out of it. I can't exactly go out and get more networking experience if nobody is willing to hire me, and despite having some relevant certs (Net+, CCNA) people still look at me as a "security guy". Even trying to get hired for what most would consider a step down (i.e. helpdesk/NOC level 1 work) is hard because then I run into the overqualification problem ("why are you applying for an entry level job when you have 4 years of experience?").

I know a lot of this is my own fault for not trying to get out and pursue my goals sooner but life got in the way. Does anybody have any tips or advice on what I can do to get myself out of information security and back into what I want to do? At this point I'm seriously considering putting together a resume that makes me look like a fresh college grad and seeing what kind of response I get.

Sponx

This isn't going to be a helpful post... But wow, you have a job honestly that so many people are striving for! It's very unfortunate you're not happy.

boredgamelad

People keep saying that, but penetration testing isn't really what I thought it'd be like. Honestly, I find it kind of boring. Could be maybe it's just this company, or maybe it's something that's really cool when you're a few years ahead of where I am skill-wise. But it seems a lot of companies are just looking for a passing score so they can meet compliance requirements. A company we did a test for last year didn't hire us again this year because the guy who did last year's test found too many vulnerabilities they had to remediate. While it's cool when you find stuff and really cool when you're allowed to do intrusive & pivot testing, we rarely get anything other than non-intrusive tests. And there's the report writing that comes after, too, which can take as long as the test itself. Since we don't do just pentests, there's also all the non-technical work that comes with working in compliance, like writing use cases, risk assessment meetings, compliance walkthroughs, etc. to deal with, and there's more of that than I anticipated by far. A technical writer would do really well here.

On the whole, it's paradoxically less technical than my last job despite requiring more knowledge/skill to do the technical work.

dmoore44

Rewrite your resume to highlight the experience of the job you desire. Since you want a network admin job, you should make heavy mention of every time you configured switches, routers, firewalls, etc... If you audited configs for network devices and made recommendations on how to better secure them, make sure you mention that as well.

Master Of Puppets

Sponx wrote: »

This isn't going to be a helpful post... But wow, you have a job honestly that so many people are striving for! It's very unfortunate you're not happy.

+1 I just want to point out that I had my poker face on for 5 minutes after reading your post. Although I am in no position to give advice on this, I hope you find what is best for you!

boredgamelad

dmoore44 wrote: »

If you audited configs for network devices and made recommendations on how to better secure them, make sure you mention that as well.

Good idea. I did do some of this so I will definitely revisit the resume tonight and add some detail on that.

dbrink

This is funny because I'm trying to move from a sys admin position to a pen testing/vuln assessment position. I think we always think the grass is greener on the other side.

It is easy to look at pen testing and only think about how cool it would be to poke and prod someone's network and get paid for it but not think about all of the mind-numbing things that have to be done also....like report writing. It is the same thing with being a sys admin. People probably think it is cool to learn new technologies and setup new systems but don't think about things like dealing with irrational users and their needs, etc.

I can only say what others have said and that is to take your resume and experience and try to highlight the sys admin type things you get to do, that is what I have to do with my resume right now to highlight some of the security stuff I'm working with.

Good Luck.

bdub

I dont blame you at all, as I was in a similar situation. I went from a systems admin position to an infosec position and did not like most aspects of the job and just as you have come to realize, you will be pigeon holed into being "the security guy" whereas admin and engineer positions do not as much because the nature of those positions is more dynamic. Lucky for me I worked with another guy who felt similar and from talks we had it helped me realize this before it was "too late" and I did not spend much time in that role. Now I am in a systems engineer role and am much more happy.

Security really is one of those things you have to have a true passion for. A few of the guys I worked with literally live and breathe security and are the epitome of "the security guy", I definitely am not that guy.

As suggested already, rewrite your resume to emphasize the things you did that play into the kind of role you want. Be honest about your experience but show your eagerness and willingness, let them know where your true passion is and why you are looking for a change. I'm sure you'll find someone willing to give you a chance.

UnixGuy

Interesting post, and I agree with above comments that a lot of people wish to get into Pentesting.


How do you know that you want to be in Network administration? I'm a system admin and it gets boring, there has to be some kind of repetition. Besides, with cloud computing and outsourcing, perhaps InfoSec is a safer bit? I don't know.

vCole

I'm sure most will say and some already have said "But you have a job that other people would kill for!" That may be true, but same can be said for any other positions that people find themselves not enjoying. Don't try to fit a square peg in a round hole, find out what you're really passionate about. Check out the job descriptions for positions you find interesting, and tailor your resume to highlight those skills(if you have them).

gbdavidx

What about trying to find another company to work for? or are all infosec jobs the same?

ptilsen

Obviously I share the general dismay at wanting to get out of infosec. I can empathize in a way, though, as I'm fairly stuck in systems engineering and would like to get into security. It's really the same issue. How do I leverage my experience to get something in a different track without taking a huge pay cut? Do you do the same?

My only advice is to look at how you can present what you have done. Write your resume to highlight your non-security accomplishments and responsibilities. Anything you configured or managed that wasn't truly a function of just security can be spun to appear as not security. Note I'm not saying to lie or misrepresent. It's just a matter of showing the stuff you want to do, instead of the stuff you don't.

Outside of that, really, any position in this field is at some level about knowing computers. If you know the basics of networking and common operating systems, it can't be that difficult to get into an admin job not focused on security. At the very least, you ought to be able to get a job focused on the defensive side, which is as much systems or network engineering as it is security, if not more so. Ironically, I view such a position as my way out of administration and into security, but it could work the same way for both of us.

networker050184

I know where you are coming from. Security is the last thing I want to spend my days doing.

I'd start looking for a network security type gig. From there you could move more into a networking only type role.

traceyke

I literally had to do a doube take when I saw the title of this post. I thought I would never see the day when someone is striving to escape info sec!

ChickenNuggetz

As some of the others have said, it seems you have networking experience so you really just need to rewrite your resume to cater to the job that are wishing to get. I wouldnt worry about overqualification, you'll be applying for entry level networking gigs because you DONT have the engineering/ops experience in that area. I really feel like your infosec skills would give you a leg up when applying for those kinds of roles. Just remember its all about how you present yourself and how you spin the information. The question will inevitably arise "why are you leaving infosec, etc" and you'll be able to honestly answer, that you want to do more of the administration/engineering aspect of the networking world.

YFZblu

Even from afar, pen testing for an organization does not look all that exciting and I can understand why someone would want 'out'. It looks very asymmetric as far as work and payoff; and the exciting moments are few and far between in many cases.

Valsacar

Yeah, refocus your resume to highlight the network experience. Oh, and find a better recruiter, that guy is an idiot. Any serious company doesn't want just "security guys" doing security, they want every level of their staff (IT and non-IT) to understand and apply security. There's a reason the DoD requires ALL IT people to hold security certifications + job specific ones.

Qord

I wonder how often and how easily this happens, getting pigeon holed into a security position. The thought of that makes me a little nervous because I have an honest interest in systems/network security, but do not want an infosec job. What I want is knowledge and the ability to secure any device I put in place, not to be a pen tester or perform forensic investigation or incident response. Hell, I don't even want to have to run nessus scans if I can avoid it. I definitely wouldn't mind having the know-how to effectively perform those jobs, but that's not what I want in my day-to-day duties and responsibilities. If I were to take training and learning too far, would I too be stuck (or feel stuck) in that position?

RoyalRaven

You would not be stuck...at least nowhere near as bad as other IT transitions. Security is essentially a combination of many disciplines rolled together, which is why it's usually a long-term goal for most folks. You usually go that route after you've mastered other areas.

I would expect a transition out would not be so rough, short of having missing skills for the new role. I have done this already myself - left an admin/security based role and dove back into sysadmin work. It was painless. Just pick up the new projects and run with them. Now I'm working a heck of a lot more on the security aspect and I'm working on being in that role again 100%...so it's coming full circle. I think most folks need a refresher/major change every couple of years to stay relevant/challenged.

Don't peg yourself as a one-trick pony either. Keep accumalating skills and you'll be extremely resourceful, regardless of role. I can't tell you how many times my background in other areas has significantly helped me in places I didn't expect. Windows NT and 98 skills? I still used them to support my fundamental knowlege of file systems while learning forensics (but that is about it for those now...lol). Security work has helped me tremendously with sysadmin work as I'm comfortable building (more) secure systems on rollout plus I have a completely different perspective on things than most of my coworkers.

cmitchell_00

I used to want to do the security only job and I realized I would be bored to death. The pay can be really nice but, if you enjoy coming to work you won't do go at your job. I love working on networks because I touch servers, phone systems, wlan devices, routers/switches/firewall etc. plus doing some form of security in those areas. I would just redo my resume and just keep sending them out and you'll get something especially when you have your CCNA.

YFZblu

Qord wrote: »

I wonder how often and how easily this happens, getting pigeon holed into a security position. The thought of that makes me a little nervous

It's not unlike anything else in IT - If you're doing something you do not enjoy or if your goals have changed, your skillset must evolve. Learn something, get a cert (or don't), put it on your resume, and get after it. The best part about this field is that it's knowledge-dependent, and you have complete control over what you want to learn.

blargoe

I think I'll recommend what I recommend to helpdesk/deskside folks... find a job at a smaller company. In this case, find something where the network and security roles are covered by the same person/people. That will get you an "in", and as you get more experience in networking, you can move toward more of a networking role or shift toward an infrastructure generalist role.

boredgamelad

Thanks for the advice, everyone (even those of you who think I'm crazy). I'm refocusing my efforts this week on reaching out to my LinkedIn contacts to see if anyone knows of any openings. Barring that I'll be revising my resume this weekend and really working to highlight the networking experience I do have, and targeting smaller companies definitely seems like a good idea.

jdancer

You need to parlay your experience to penetration testing to packet analysis which definitely involves networking. Use as many networking incidents as possible.

JoJoCal19

I started a thread with a similar situation. I too am seriously considering leaving infosec and moving to networking, or at least a network security role. Have over 6 years of infosec experience but I like the more defined (in my opinion) career path for networking.

paul78

gbdavidx wrote: »

What about trying to find another company to work for? or are all infosec jobs the same?

@JoJoCal19 and @BoredGameLad - the question raised by @gbdavidx is quite valid. Not all infosec jobs are the same. And I'm sure not all networking jobs are the same as well.

The area that you are describing is network pentesting. If that's not interesting to you and you prefer design and engineering - there's the other side of pentesting which is actual network security engineering. Basically, if you don't like being on the security red teams. Go play for the blue teams and be the ones that design and engineer the networks to defeat the red teams and pentesters.

JoJoCal19

paul78 wrote: »

@JoJoCal19 and @BoredGameLad - the question raised by @gbdavidx is quite valid. Not all infosec jobs are the same. And I'm sure not all networking jobs are the same as well.

The area that you are describing is network pentesting. If that's not interesting to you and you prefer design and engineering - there's the other side of pentesting which is actual network security engineering. Basically, if you don't like being on the security red teams. Go play for the blue teams and be the ones that design and engineer the networks to defeat the red teams and pentesters.

That's a good point and one I'm working on now. I think my biggest issue is the company I work for. I'm not happy that my current employer doesn't seem to care to give me the time of day when posting for or expressing interest in internal positions and I've recently starting applying to a few targeted positions at other companies. I actually had a phone interview, and then contacted for online assessment I did well in, and now I have an onsite interview at a prospective employer I would love to get in with. It's for another security position doing similar work to what I do now but there is better internal opportunity and security is much more centralized there allowing better job shadowing and growth opportunities.

As for the side of network security I'd be interested in, blue team is it. Pen testing is interesting and I plan on studying for CEH (part of WGU MSISA I look to start soon) but just for knowledge sake. I'm more interested in the securing of networks/systems, policy and governance, and audit and compliance. I'll be graduating with my BS in Business Administration from UF in a little over a week, and Im studying for my CISSP which I hope to test end of June or beginning of July. Adding those two to my resume and with my experience, updating my resume on Indeed, LinkedIN, and elsewhere, should net me a good bit of interest.