Leaving Audit for Pen Testing

Tom Servo, Member, Posts: 104
So after spending about 4 years doing Help Desk, about 4 years as a SysAdmin, and a bit over three as an IT auditor, I'm thinking about shifting to Pen Testing. I want to do more hands-on work with security vulnerabilities than the theoretical analysis I have been doing. I have my CISSP, CEH, CISA, and MCP for Server 2003, and plan to finish the CIA (Certified Internal Auditor) in February since I only have one more exam to take. I also have a BA in an unrelated field.

For 2014 I am torn on what would make me a more attractive candidate. I am going to take the OSCP for sure. After that, I have a few options. Should I do the WGU MSISA, or would it be better to self-study and challenge a few SANS certs? Or would it be best to get some certs from EC-Council/SecurityTube/eLearnSecurity? Or would it be better to simply sandbox, practice, and maybe take a few courses from someone like Joe McCray (Strategic Security ++ Pentest Lab Access)?

A second consideration is timing. I may be stuck in my current position due to a bit of job hopping. How bad does this look?

Helpdesk - 3 years at a University
Sys Admin - 4 years at a University
Sys Admin - 1 month at a small company (I was fired. I leave this position off of my resume, but my employment gap may come up in interviews)
Unemployed 3 months
IT Audit/Compliance/IT Risk - 2 years at a large publicly traded company
IT Audit/Compliance/IT Risk - 10 months at one of the Big 4 (Deloitte, PwC, EY, KPMG)
IT Audit - Current - 3 months, medium sized financial brokerage

I'd prefer not to stay in my current role longer than 1.5 years.

My third consideration is pay. I anticipate a pay cut in switching roles, and can afford a 30% pay decrease. I checked Glassdoor, and pay for penetration testing positions does not seem to be a widely reported number. Any thoughts on typical pay for new pen testers with security experience?

chrisone, Member, Posts: 2,278
Going for pentesting? I would recommend anything in what you said, "EC-Council/SecurityTube/eLearnSecurity." You will get all the sandbox practicing you need with those courses. Well, from my own experience you get a sandbox/lab environment with eLearnSecurity courses. However, I do have plans to take the SecurityTube Metasploit course in 2014. I wanted to do OSCP, however it's a little expensive and already very similar to what I have been doing in eLearnSecurity. The PWK course from Offensive Security is very intriguing since it's using new material with Kali Linux.

I am not too familiar with any of the SANS courses or certs or anything WGU related, so I cannot comment on those.

If that is your goal, it's a reasonable goal and you don't need to justify your switch with your past experience. IT is IT, and anything with auditing involves some form of security, risk assessment, etc. In fact, your auditing experience would be a major plus for pentesting. It shows you know the discipline of probing and you are detail oriented. Plan your goal out and achieve it. Don't let frustration or anyone tell you you can't do what you want to do.

Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
Tom Servo, Member, Posts: 104
Thanks for the advice and encouragement, chrisone. As recruiters contact me I'm telling them what I'm looking for, but so far the general consensus seems to be that it will be very difficult to make the transition without pen test experience. The age-old problem of needing experience to get a job, but needing a job to get the experience, will certainly be an obstacle. I'm hoping that spending a year working on learning the ins and outs will get me over that hump. I kind of doubt that getting a Master's degree will push me over that experience hurdle (at least in the short term). I think that once I have exhausted specific pen test training and certs I will pursue the additional degree.
EngRob, Member, Posts: 247
Hey Tom!
I think the OSCP would be a good start and would possibly open up some Pen Testing job possibilities. I'm in a similar situation and would love to transfer into Pen Testing, but need to get some more experience and skills first. I hope to start OSCP in about a year when my WGU work dies down, but my employer is likely sending me to the SANS GPEN class within the next 6 months. Have you considered that to complement (or as an intro to) the OSCP?

Thanks for the info about Joe McCray's classes. I think I will get signed up for the next Network Pentester Night School class.

Good luck!
Tom Servo, Member, Posts: 104
My biggest problem with SANS is the expense. My boss does not value any additional technology certs/education, so financial support from work is a no-go. While I did figure that into my salary requirements, SANS is still a huge chunk of change compared to alternatives. SANS has top-notch courses though, so hopefully your employer will send you :). I got on Joe's mailing list at some point, and he typically runs discounts for the first 10 people that sign up for any given class session. I have yet to take one of his classes, but would be interested in a review if anyone has taken or does take one of them. Good luck on the transition to pen test. It does not seem to be the easiest part of IT to get into.
NovaHax, Member, Posts: 502
I made the move from vulnerability management to PenTesting with OSCP. Would highly recommend.
bobloblaw, Member, Posts: 228
Tom Servo wrote: »
My boss does not value any additional technology certs/education

Run (don't walk) away from that boss and job.
Tom Servo, Member, Posts: 104
bobloblaw wrote: »
Run (don't walk) away from that boss and job.

The problem I've found is that most places I've worked do not encourage IT auditors to develop IT skills. It is the most bizarre line of thinking I've ever seen. I find that IT auditors need to know loads about a multitude of topics (and often don't). After I got the CISSP and CISA, that was about as far as I could convince anyone on certs. I don't get support for the CIA cert series as it is viewed as more of a 'financial audit' certification, so developing both audit and IT skills is purely an independently funded (time-wise and monetarily) activity.

NovaHax - did you find yourself getting recruited after getting OSCP, or did you have to pound the job boards? I know there aren't a lot of job postings calling for OSCP, so I'm curious about your transition.
tpatt100, Member, Posts: 2,991
I am an IT auditor currently, and I think the reason why some places do not encourage IT skills is that they are worried more about compliance with an established standard due to a requirement. So if they have to perform an annual audit to show compliance, they want to make sure their auditor is really good at making sure the documents they submit as part of the package get them cleared for that year.

Since you have auditing experience currently, you will find you will be more marketable once you get more technical experience (well, you already have some, but maybe some additional). The reason is you can explain the "why" parts of an audit that the technical security people might not understand the logic behind.

I am currently in the middle between the security team and management, so my job is usually to go back and forth between management, security, and HR, and I guess translate and explain why my audits ask for the things they ask for.

Something that might help you in pen testing that you usually learn from auditing is attention to detail, report writing, and documentation skills.