IT security vs. other IT related job

ChildInTime

Hi everyone, know it's was asked many times, but I read most of them

So I just finished my bachelors degree in IT service management, and now going to be studying master's in Computing Science with Computer Security specialization in Europe.

Even though it's a good program, I know it's just a degree and most important thing is what you learn yourself. I have no idea what I want to do as a job, but it's definitely related to IT. Now salary is something which is important for me even though I know you will say "you should do what you love", I don't know what I love, so I look into salary as well.

From what I've read, it's quite tricky in security field because to have good job with good salary you need ~10+ years experience, and by that time I am already old (of course I am exaggerating here but you get my point). After finishing my masters I would like to immediately get a job in related field, and if it's very hard in this field without experience then it's a big factor for me.

So how would you compare job position in security vs. software engineer or programmer. I guess programmer's salary probably will be better and finding a job will be much easier due to very big number of positions available. What are the benefits of working in security vs. programming apart from personal preference?

Thanks

danny069

I would go for computer $ecurity, since you are going for your masters in IT management, you should do security management certs such as CISSP, CISM, CISA, these certs will go hand in hand with your degree since they are geared towards management, you don't necessarily need 10+ years of experience to make the big bucks.

ChildInTime

Danny, I got my IT service management already (bachelor) and will go to masters in Computing Science, which has specialization called Computer Security, so those whole 2 years I will studying computer security in 3 different universities (that's how program is done).

danny069

Yes I understand you have your bachelors already, I think it's great that you want to go for your masters, having those certs will make you very marketable and well rounded if you choose to go into the security field.

networker050184

ChildInTime wrote: »

From what I've read, it's quite tricky in security field because to have good job with good salary you need ~10+ years experience, and by that time I am already old (of course I am exaggerating here but you get my point).

Pretty much any field is going to take time to work up to a higher salary. Thats just the way it works. Companies aren't going to pay someone large ammounts of money to do something they have never actually done before.

ChildInTime

Yeah, my concern is that after studies there won't be many entry level jobs for a guy without experience in security field. I would like to work in Germany, and know that programmers there are really in demand, no idea about security field though.

networker050184 wrote: »

Pretty much any field is going to take time to work up to a higher salary. Thats just the way it works. Companies aren't going to pay someone large ammounts of money to do something they have never actually done before.

Definitely, but getting entry level job in software development company seems like a much easier task. I am not saying I am afraid to search for job or anything, but I want to work abroad, and I probably won't be able to handle X months without job after I finish my studies due to me being not in my home country where everything is much cheaper.

Master Of Puppets

Getting a job as a programmer is easy. I have many friends, with no experience and just some entry level skills from their degrees, getting hired and trained. I had to turn a billion offers for programming gigs because I don't want to code for a living, my passion lies in networking. However, that may differ according to location. So, IMHO, it will be a lot easier getting a job as a programmer vs a security role. What's more, are you sure you want to get into security? You said you want to do IT and you don't have a clear idea what. That's very broad. Are you sure you know what security is and what you are getting yourself into?(had to ask the usual question since no one did until now ).

Read this http://www.infosecisland.com/blogvie...o-Infosec.html . I think it's going to help.

On a side note, I did not mean any disrespect in case you get a similar false feeling from my post. It is just that everyone wants to get into security without any idea what it is. Your reasons have to be more serious than - because everyone is doing it, because I watched a few movies, because I saw about Anonymous on the web, because they talk about hackers on the news etc. I'm saying that because I'm starting to get pissed off when someone hires people like that (for some unknown reason) and they go full retard on my networks/systems. I generally don't care that much about people going full retard but when I have to go fix it after them it gets on my nerves. It is probably true for every field that you have to love what you are doing but here you just can't make it without that. In case you don't know what it is, how can you be sure you like it?

Also, if you happen to have a certain field in infosec that you are interested in, we can probably give you more specific and hopefully useful advice. This is where we can make a distinction of which has what benefits and other comparisons(security is pretty broad).

ChildInTime

Master Of Puppets wrote: »

What's more, are you sure you want to get into security? You said you want to do IT and you don't have a clear idea what. That's very broad. Are you sure you know what security is and what you are getting yourself into?

Thanks for good answer

I don't know what security is and I don't know what I am getting myself into. I read what's in that link, it's little bit more clear, but I guess you can write similar list for any IT position, so it does not explain things very well imo.

Now "code monkey" does not sound like a good job, but I thought network engineer or similar position is also sitting whole day near computer and doing stuff? I may be completely wrong here.

Now I have a chance to study masters in computer security that's why I want to use this chance and get into field.

I would really like to hear some benefits of working in information/computer security vs. creating software other than obvious personal preferences. Or maybe I can get a link where I can read about what I am getting myself into? I am searching all the info meanwhile myself.

Master Of Puppets

Here is a very good thread that I think will answer some questions http://www.techexams.net/forums/jobs-degrees/57886-programming-vs-networking-career-your-experience.html

The work in security as a whole is very dynamic and there is a lot of variety in it. You have to learn non stop and get better constantly or you're out of the game. Most people don't start in security. No one hires you to do their security if you don't know what you are securing. My advice would be to start somewhere in IT and get a feel of what it's like. After that you will have a better idea of security. It's not for everyone and you might not like it. There are different roles in security and different benefits that come with them. For example, it is not the same being a network security engineer and being a pen tester.

docrice

Security is commonly seen as tools, techniques, and compliance mandates. But when you really look at it, it's about understanding the purpose and overall goals of something (typically business goals), enumerating the risks involved in the operation of the organization, and making recommendations and implementing controls to mitigate those risks to an acceptable level. The drivers for these typically are about regulatory requirements, branding / market position sensitivity to risk exposures, and reducing potential cost (at least based on the perceived scenarios of what-if's and their likelihood).

So that's a high-level way of approaching it. When it comes down to the day-to-day work, security involves every corner of the organization - the physical construct of a building, the legal requirements to have x and y in place, audits to prove that these things are configured as expected, computer systems and their implementations, software development/deployment practices, determining if employees can be tricked into giving up confidential information, handling and storing practices of data, etc..

In other words, virtually any subject area has a security discipline attached to it. You tend to hear about host/network/application security most often as well as legal compliance. Some roles are very narrow and specific to one or two areas, while other roles are cross-discipline where one has to wear many hats. It depends on the company, the nature of its business, and other factors. Job functions with the same title can vary wildly depending on industry, company size, and so on.

And while it seems easy to separate being a software developer/code money from doing network security, at some point they all have the potential to overlap. If you're a generalist security engineer and you're doing a vulnerability assessment, discover that some hosts in your environment have a critical vulnerability exposed for which there's no patch yet, realize that your organization is required to have certain controls in place to mitigate this particular threat within a certain time window, then get alerted by your intrusion detection monitoring system that someone launched exploit code against those systems and you can validate the event-of-interest since you see the actual code that was in the traffic packet payload ... what do you do? Activate your incident response plan? Do you have one? Does the organization have a forensics team? Is proper logging in place? If the breach has taken place and customer data is compromised, is your organization required to provide a public notification of the event? How do you proactively approach this to prevent future attacks? Are the risks high enough?

Information technology is a wide field. Take your time to find what interests you (sample/read a little about everything to get a sense of what's out there if you can't figure that out), move into it, and if you really care about its integrity then you'll find the motivation to maintain its security from the threats that can have an adverse effect. Security tends to be just an extension of existing subject areas.

I work in the information security industry (my employer is a security vendor). I go to conferences, training courses, and do the technical network security nitty-gritty every day ... but at the end of it all, it comes down to protecting the organization's brand and reducing risk sufficiently so the business can continue to function without being damaged beyond repair.

tpatt100

I said it before numerous times but if you already work in I.T. make security part of your current job. Read a decent security book and focus on the principles and find ways to bring it to your current job.

Helpdesk: Find ways to address issues with access control at the helpdesk level like recognizing why password resets or user account creation is done a certain way. Find ways to make it better and more secure like implementing two factor authentication to address possible social engineering attempts.

Network Administration: Again look at why you do certain things and find ways to improve security.

A decent security book should not just be highly technical but also address administrative issues, physical security, social engineering, the basic easy stuff that we tend to ignore.

DissonantData

As far as I know, there was a class at my college called "network programming." There you do socket programming and shell scripting. Programming knowledge would probably be useful in networking.

emerald_octane

danny069 wrote: »

I would go for computer $ecurity, since you are going for your masters in IT management, you should do security management certs such as CISSP, CISM, CISA, these certs will go hand in hand with your degree since they are geared towards management, you don't necessarily need 10+ years of experience to make the big bucks.

It should be mentioned that those certs each require atleast 4-5 yrs experience.

ChildInTime

Master Of Puppets wrote: »

Here is a very good thread that I think will answer some questions http://www.techexams.net/forums/jobs-degrees/57886-programming-vs-networking-career-your-experience.html

The work in security as a whole is very dynamic and there is a lot of variety in it. You have to learn non stop and get better constantly or you're out of the game. Most people don't start in security. No one hires you to do their security if you don't know what you are securing. My advice would be to start somewhere in IT and get a feel of what it's like. After that you will have a better idea of security. It's not for everyone and you might not like it. There are different roles in security and different benefits that come with them. For example, it is not the same being a network security engineer and being a pen tester.

Yeah I read that thread already, I actually read every topic in last 2 years which has word security in it

docrice, thanks for awesome explanation. I wonder how does company's management measure the security work done? I mean for software developer, it's quite easy to measure how much work he done. Now working in security, if everything is calm, does that mean security guys are doing their job fine or is there some other way to measure that? Probably newbie question, but just wonder.

tpatt100, good advice!

ChooseLife

ChildInTime wrote: »

if everything is calm

It never is in security
Overworked and stressed out - yes, calm - no

But you are raising a valid question. There is not a single good answer (IMO), although there are some good discussions. Short answer is: measuring success in InfoSec is not easy.

Master Of Puppets

Yup, one of the numerous challenges is knowing you are compromised. Believe it or not, a lot of companies get breached without finding about it. That's way some people are more worried when it is too calm(if there is such a thing like ChooseLife mentioned )

ChooseLife

Gets even harder to assess the success if we look at the larger goal - identifying, qualifying and quantifying risks/threats and minimizing/countering them...

ChildInTime

Guys, what do you like/love about working in information/computer security?

ChildInTime

ChildInTime wrote: »

Guys, what do you like/love about working in information/computer security?

I want to hear your opinion on this please

paul78

Interesting question - but so intangible.

I'm in management so my reasons may be different than others. I suppose for me, I enjoy the fact that information security allows me a reason to maintain some level of proficiency in multiple and broad technology areas. I like the jack-of-all-trades technical breadth that is required. The other aspect that I enjoy is the holistic interaction with other parts of the business - especially legal.

I also like the idea of a role where I feel that I'm doing some good through the protection of data assets.