Do entry level InfoSec positions exist?

ITcognito · June 2013

Hey guys,

I'm currently in an 4 year bachelors undergrad InfoSec program and am worried about finding a job after graduation. My program does have a mandatory co-op term in which I hope to gain some relevant experience, but will it be enough? I've heard that entry level infosec positions dont exist and that I will be required to start off in helpdesk or server administration and break my way in. Are my fears valid or am I just being panicking unnecessarily?

WafflesAndRootbeer · June 2013

You are correct. Entry level INFOSEC positions DO NOT EXIST. You more or less get into INFOSEC by obtaining INFOSEC certs through self-study while working in another field and then, if you are lucky, you might get an INFOSEC job.

ChooseLife · June 2013

Do entry level InfoSec positions exist?

No.

Understand that InfoSec is not a separate field, it is an advanced layer of Information Technology / Information Systems. To become proficient in network security, one must first gain knowledge of networking. Same goes for other branches of InfoSec.

ChooseLife · June 2013

Reference: http://www.techexams.net/forums/jobs-degrees/84806-how-does-one-break-into-security-industry.html

docrice · June 2013

Let me break the trend here and say entry-level infosec positions do exist. However, the term "entry-level" in regards to infosec has a different meaning, which brings us back to the point others here make about that. In general, people start off doing lower-level grunt work and then eventually move into security positions, because security is a natural extension of existing job verticals like systems and network administration.

If you were to start off doing pure security work with no real experience on the subject matter you're securing, then you'd be blindly pushing buttons without the relevant context. Books and training provide starting points, but on-the-job experience instills wisdom because information technology environments are essentially massive logical machines with thousands of components moving (often not) harmoniously. The fine details count, and without having done a lot of the actual cooking in the kitchen, you'll never realize how different ingredient combinations create different results with different reception from diners with different tastes.

But panic not. These days there's a lot more highlight and awareness in regards to security, so I'm under the impression that the job market for it is expanding. Even if you're doing desktop support, there's security in there somewhere (looking at logs, authentication events, correlating events together, etc.) and that helps form the basis of interacting with the gears of the machinery. And understand that the machinery is not just the digital Legos on the wire, but also how they work within business processes, objectives, and human interactions.

ITcognito · June 2013

It's kinda discouraging hearing stuff like that, but the truth is bitter. A know I few guys who've graduated from my program and have landed security analyst positions, so perhaps there is hope yet.

If I'm to be a server admin with my eyes on InfoSec, what do you advise I get certified in before working on security certs? MCITP/MCSA?

YuckTheFankees · June 2013

May I ask what interests you about InfoSec? What do you think your day-to-day tasks would be for a security analyst?

YFZblu · June 2013

ITcognito wrote: »

It's kinda discouraging hearing stuff like that, but the truth is bitter. A know I few guys who've graduated from my program and have landed security analyst positions, so perhaps there is hope yet. If I'm to be a server admin with my eyes on InfoSec, what do you advise I get certified in before working on security certs? MCITP/MCSA?

It totally depends on what you want to do in security. Do you know yet?

Master Of Puppets · June 2013

YuckTheFankees wrote: »

May I ask what interests you about InfoSec? What do you think your day-to-day tasks would be for a security analyst?

That is what I was going to ask as well. Important question, indeed.

paul78 · June 2013

Entry-level security positions do exist, but it large depends on what area of security you are interested in. The big four, for example, do hire many interns for their risk assessor businesses. Similarly, for administrative activities related to security and risk, there are also entry-level positions. By administrative, I'm not referring to server or network administration but activities related to project and operations management such as governance, compliance, or project management.

Obviously, some of the more technical areas of security and management activities require more concrete experience and evidence of accomplishments.

As for certifications, in my experience, most hiring managers that I know are more interested in an individual's accomplishments, individual integrity, judgement, and ability to communicate.

Concerned Water · June 2013

I've seen some online before, but once in a blue moon.

bigmantenor · June 2013

I will go against the grain and argue that they do exist, but are not common. I got my current job as a security analyst with no previous IT experience other than building computers for friends. I did have a few certs, a bachelor's degree, and they had an aptitude test which I passed with flying colors. If you can find the right situation, and/or the right hiring manager, then you may be able to find someone who will take a chance on you if you show aptitude and interest. A lot of shops will gauge your interest by asking you what security blogs/websites you read on a daily basis, what books have you read, what conferences you have attended (Defcon, etc.).

Don't get too discouraged if you don't find something in security right out of the gate; while this job has worked out great for me, I was pretty overwhelmed the first few months (drinking from the firehose of networking). Also, if you are open to relocation then you may be able to find something more easily. I live in Texas, and there are no shortage of IT jobs in our various metro areas. Various companies either have their HQs or TACs in DFW (Checkpoint and SecureWorks are two off the top of my head that always seem to be hiring). Good luck!

ITcognito · June 2013

Not sure yet what area of InfoSec I'd like to get into. Maybe penetration testing.

boredgamelad · June 2013

Yeah, I also started in infosec as a newbie. I worked a SOC helpdesk, monitoring perimeter security devices (Check Point, Juniper, Cisco ASA firewalls and their associated IDS/IDP solutions) and doing incident response for a few years. I got bumped up to a second level role (ticketing and change management), then moved to another company into a consultant job. Based on my own experience, discussions with my co-workers and at networking events, I'd have to say it is possible, but not common, to get into infosec at entry level.

phoeneous · June 2013

ITcognito wrote: »

Not sure yet what area of InfoSec I'd like to get into. Maybe penetration testing.

It's not as glamorous as it sounds.

the_Grinch · June 2013

They're few and far between when it comes to entry-level security jobs. Honestly, saying you want to get into IT Security is like saying you want to get into IT. There are many layers to IT Security just as there are in IT. It's always wise to get into a generalist IT position just so you can work out what you'd like to do. From there you can decide do you want to go into networking, system administration, etc. After that, you'll have a good foundation to move into the security of whichever area of IT you started to specialize in. You think pentesting might be the route you want to go, but without a good foundation you'll just be someone running a script. You don't want to be that guy.

So take this time to find entry-level IT positions if for not other reason then to see what area of security you'd like to move into.

bobloblaw · June 2013

ITcognito wrote: »

Not sure yet what area of InfoSec I'd like to get into. Maybe penetration testing.

I've yet to hear of anyone ever starting out doing pen tests. That said, getting your CEH and OSCP could help expedite you landing that job.

ITcognito · June 2013

I still have two more years of college education, so I'm not sure what area of security I'd like to get into. I'm not really studying IT for the glamour, but more for the passion. I've always loved computers and technology and have desired to learn more and more. I find the TCP/IP model fascinating.

What areas of security are there and can you provide a brief summary.Forensics, Penetration Testing, Network Analysis, Disaster Prevention/Recovery, etc.?

the_Grinch · June 2013

Lot's of areas you could go in, it seems to me (and someone can correct me if I'm wrong) for every specialization in IT there is a security side to it. Perhaps not completely dedicated, but definitely a security leaning. Anyway, to your question:

Forensics - Pretty sure you know this, finding data on a device for whatever is dictated by the client, lawyers, or search warrant

PenTesting - Attempting to break into a network and systems, lots of paperwork and documentation

Disaster Prevention/Recovery - Basically you perform a risk assessment, assign levels based on what will have the biggest impact on the company, and then mitigate it as best you can. This area will definitely be ramping up as most companies now have to show due diligence in order to get insurance and to not face fines.

Network Security - Protecting the network. Firewalls, IDS, and all the other wonderful tools that go with that

Auditing/Regulation - Another branch that is pretty big (this is also a side I am in the process for a job). Making sure procedures are followed, confirming policies are in place, and setting up policies to protect various customer and corporate data. HIPAA, PCI Compliance, etc.

Do entry level InfoSec positions exist?

Comments