Figuring out career path

alexander77

So I think I have an idea of what I would like to shoot for career wise, I like the idea of planning and implementing security policy as well the idea of being able to get more technical as well. I would like to eventually get into being an ISSO someday but would like to know from others experiences or advice on how I could obtain maybe a Jr. ISSO role?

The Technomancer

Always learn the tech first, if for no other reason than eventually you're going to have to deal with the systems admins, and if you can't explain the technical reason why something has to be done, your security policy will go absolutely nowhere, and that's the best case scenario.

Gorby

I actually had a similar question, I want to find a jr it security job focusing on network security and policy but I just don't know where to start.

My previous experience has been on desktop support and noc experience, but most of job listings for the Jr roles ask for previous experience with Nist standards or Fisma compliance.

instant000

alexander77:

The route to security goes through knowing the systems first. How can you secure what you don't understand?

Gorby:

You're searching for jobs in the D.C. area, of course they're going to focus on NIST/FISMA.

FISMA is law that basically says that federal information systems have to be managed in a certain way. FISMA is the overriding legislature that then feeds into the branch-specific policies for information security. If you work on federal information systems, you should read this, anyway.

NIST is a government body, but they share their goods.

Helpful links:
Federal Information Security Management Act of 2002 - Wikipedia, the free encyclopedia
NIST.gov - Computer Security Division - Computer Security Resource Center
http://csrc.nist.gov/drivers/documents/FISMA-final.pdf

NIST.gov - Computer Security Division - Computer Security Resource Center
NIST Computer Security Publications - NIST Special Publications (SPs)

You may find yourself desiring information on the ISO series at some point, as though NIST is open, ISO isn't necessarily so, and you have to purchase a lot of their standards. NIST should be enough to give you a strong background, though.

Hope this helps.

Gorby

Thanks for the advice instant000, I read through some of the links you provided and they were helpful in gaining an understanding of what NIST is and how FISMA plays a role in agency policies. Do you think I should concentrate on a System/Network Administrator role and gain more experience before applying for more security jobs that may involve more knowledge with Nist publications or other security policies?

I'm just trying to map out a plan in the next 5 years instead of just going everywhere, after talking to a few IT security guys I decided that I wanted to go in that direction..it's just how from my current experience in a help desk/noc role.

redz

Gorby wrote: »

how

Apply for Jr. ISSE positions with contracting firms. Many serving the DoD only require IAT II, which you have. Often, they won't require much experience, and will get you a clearance as well.

210mike

Make sure you guys fully understand what the IT Security field is really like. I find it tends to be romanticized quite a bit online due to movies and TV's portrayal of IT security. You are probably not going to be standing in some giant war room with 5000 monitors screaming at people to stop Chinese hackers. You're also probably not going to be getting into Penetration Testing, or anything else super cool hacker 1337. Those jobs exist, but they're few and far between.

IT Security is very boring to be blunt. In my experience with 'Corporate IT Security' people, they're policy makers and auditors. Our IT security folks have zero access to any of our IT systems. They create and recommend policy, hold a ton of meetings, and work with auditors to ensure compliance. They make recommendations for IT to implement, but we do the implementation.

Our IT security guy's workweek looks like this

Attend project meetings, make sure projects are following established policies
Create documentation and/or PowerPoint presentations (You better really like PowerPoint)
Stay up to date on latest industry threats and trends
Review Qualys scanning reports and Splunk logging systems for any vulnerabilities or issues. Bring them up in weekly meeting to have corrected by IT staff.

redz

210mike wrote: »

You're also probably not going to be getting into Penetration Testing, or anything else super cool hacker 1337. Those jobs exist, but they're few and far between.

I don't think I've ever met an unemployed pentester. There are tons of those jobs. They aren't easy to get into, or be qualified for, but there are plenty of them. I blame PCI, personally.

210mike wrote: »

Our IT security guy's workweek looks like this

Attend project meetings, make sure projects are following established policies
Create documentation and/or PowerPoint presentations (You better really like PowerPoint)
Stay up to date on latest industry threats and trends
Review Qualys scanning reports and Splunk logging systems for any vulnerabilities or issues. Bring them up in weekly meeting to have corrected by IT staff.

This would cause me to commit a murder-suicide.

Is the security field romanticized? Yes.
Is it fun? That depends... The breadth of Information Security is enormous. Saying it is all (or even mostly) auditing and policy is, honestly, a very uninformed notion.

I love the Security field, but that's because I love business and management consulting, which plays extremely well with eGRC roles.

210mike

Thanks for sharing your experience in the field. I admittedly have a very narrow view of the field limited to experience in midsized/large business IT and my interactions with our corp IT Security guy and various auditing groups.

I tend to get frustrated because I run into lots of folks online and in real life that want to get into "IT Security" because they think its like the movies and they'll be hacking the gibson or some crap like that, when reality is much much different.

docrice

Security isn't necessarily a specific role, but it's an inherent part of everything. Sort of boils down to risk management. Some organizations have a dedicated team, some have a jack-of-all-trades person assigned to the umbrella of security, and other organizations just shuffle the responsibility into existing roles.

Where I'm employed, my role is specifically on security tasks and it's not just auditing. On top of it, I'm in the information security industry, so in a sense I'm at the center of it all and it's an extremely fast-paced, hands-on technical position that's neverending with minutia. Many would find it tedious day after day after day. It's a very high-maintenance, demanding lifestyle (at least for me) because the speed and dynamics of the environment is non-stop, especially with so many things knocking on your door. There's noise, and then there's "interesting noise" that you need to recognize and follow-up on.

There are many variances to security roles from "boring" to "I'm-never-going-to-sleep" and this all depends on the organization you work for, its objectives and staff structure, the industry it plays in, your specific role, your interests, and other variables. A 5-year plan can be considered a relatively large span since things change quickly these days.

My suggestion is first find the area(s) that interest you (whether it's policy, compliance/auditing, systems, networks, applications...), really understand why you find them desirable, and then learn all you can about those areas. Security is not a separate component, but a stronger focus on the risks and practice around those subjects. If you have a natural curiosity about your areas of interest, the better your chances of succeeding because you'll have a three-dimensional understanding of the playing field compared to the rest of your peers.

As someone who's in the trenches every day (and I do mean every day), you should consider paying your dues in technical roles so you understand how teams function and contribute to an organization, the politics that go with it, and the drivers of the business. Even if your long-term goal is to become a policy officer, it's important to understand the overall mission of security objectives, what can realistically be achieved with a finite set of resources, and the ever-changing landscape at the bleeding edge of technology and integration which information security tends to be at the forefront of.

alexander77

Thank you guys for the advice, I'm looking to move more into policy or compliance side of security because I've always been a policy/business minded person, even before the cyber security craze I wanted to move into a security role. I'm still going to get my masters degree in business but right now I wanted to get an IT degree with a focus on Information Technology. I've done a few years of technical support already so now I'm just planning on a way OUT of support.