System Administrator vs IT security
libertygrad10
Member Posts: 7 ■□□□□□□□□□
Question for you guys! Everyone out there, do you think system administrator or IT security would be a better long term career for job security, pay, etc. Let me know your thoughts! I am studying for MCSA Server 2012 at the moment and was wondering after that what I should do, either stay on the system admin track or switch over to straight security.
Thanks so much
Thanks so much
Comments
-
darkerz Member Posts: 431 ■■■■□□□□□□I'd imagine it's difficult to go into InfoSec without a Systems, Programming or Network background.:twisted:
-
zxbane Member Posts: 740 ■■■■□□□□□□Darkerz is on point with his post, I agree completely. I work in a InfoSec/IA role myself now but I started out working my way through being a Sys Admin, and I can say my experience in that role helps me better perform my role in InfoSec.
-
markulous Member Posts: 2,394 ■■■■■■■■□□Being a network admin seems like a must for either way you go. After you get experience in at that, it seems you can continue down the networking path or at that point branch off into security.
-
jabney Member Posts: 61 ■■■□□□□□□□I was in InfoSec and my experience in sys ad and network admin helped bunches. With that said InfoSec in my case as a IA Analyst was BOOORING so after a little over a year of the various paperwork drills (certification& accreditation anybody, did someone say DIACAP ?) I left and went back to sys ad and couldn't be happier.
-
MacGuffin Member Posts: 241 ■■■□□□□□□□I have my opinion and it's worth exactly what you paid for it.
I believe that information security has more job security than other IT fields. Security by definition must be on site, can't off shore security. Security is a smaller field than systems administration so I'm guessing it may balance out in the end.
I will agree with darkerz somewhat, some sort of programming and/or network background is almost always required. Since you are already have a nice pile of certifications you may have that covered. I suspect that anyone hiring a infosec person will want to see a bachelor degree in computer science, engineering, or other related field. A BS in information security would be good, of course, to go with some infosec certification. I can see focusing too narrowly in infosec can be a downside, IT by its nature requires a wide range of skills. Knowing networking is a must. Knowing things like virtualization, desktop support, server systems, and basic programming are all a plus.
I'd think that some sort of programming background is nearly a requirement but I may be mistaken or biased. Setting up firewalls, routers, switches, and servers involves a lot of interpretation of code, rules, and general machine like language which is very much like any commonly used programming language. I'd think that showing you know how to write some code would be very helpful in an interview. Knowing programming will certainly help in doing the job, if only to get a better handle on how computers "think".
Doing some research I'd agree that the pay is better but I'd think that you'd have to show experience in a related field first before you can get a security job. I'd think it would be rare to just jump into infosec. Having a background in security would have to look good on a resumé for just about any IT job, I'd think. Security should be a concern at every level of IT. Experience tells me that security isn't a concern at every level of IT, but it should be.MacGuffin - A plot device, an item or person that exists only to produce conflict among the characters within the story. -
networker050184 Mod Posts: 11,962 ModSecurity by definition must be on site, can't off shore security.
Yeah, might want to send that memo to all the companies with out sourced IT solutions.An expert is a man who has made all the mistakes which can be made. -
rsutton Member Posts: 1,029 ■■■■■□□□□□The best career path is the one you are most passionate about. You will make more money, and have a better time doing it, if you pursue what interests you most.
-
xenodamus Member Posts: 758networker050184 wrote: »Yeah, might want to send that memo to all the companies with out sourced IT solutions.
Yep...we use Dell Secureworks to monitor and alert on our IPS/IDS/Firewall activity 24/7/365. In a shop our size there just isn't enough manpower to have a dedicated security guy.CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V -
unfbilly11 Member Posts: 100 ■■□□□□□□□□I would kinda lean towards System Admin being a more stable job because of the sheer fact that there are so many more jobs available. Mostly all companies have some kind of IT System Admin but very few have the money for a dedicated security specialist.
Just my opinion though! -
tpatt100 Member Posts: 2,991 ■■■■■■■■■□Take a look at what jobs are listed when you type in "information security" on Indeed. Most of them are more different than they are similar. I don't see how information security can be more stable than systems administrator. The perceived shortage of security professionals is because all of the jobs are so different from each other.
-
jabney Member Posts: 61 ■■■□□□□□□□The best career path is the one you are most passionate about. You will make more money, and have a better time doing it, if you pursue what interests you most.
-
MacGuffin Member Posts: 241 ■■■□□□□□□□networker050184 wrote: »Yeah, might want to send that memo to all the companies with out sourced IT solutions.
I didn't say they won't try to outsource their security. I said it cannot be off shore. Someone responsible for securing the IT systems will have to be onsite. The responsibility for infosec may not be in the job title, it may not be in the job description, but if there is an issue with infosec there is going to be someone that is under the same roof that will be held responsible.Yep...we use Dell Secureworks to monitor and alert on our IPS/IDS/Firewall activity 24/7/365. In a shop our size there just isn't enough manpower to have a dedicated security guy.
That is an example of taking some of the infosec offsite. Not sure if that qualifies as offshore. Question is, if Dell detects an attack on your network what do they do about it? Do they handle that themselves too? I suspect they give you a phone call or otherwise alert someone onsite. That person that picks up the phone is now part of the IT security team.
A big part of infosec is physical security. Someone has to be onsite to make sure someone or something does not destroy the servers. To guard the information means also guarding the little bits of metal and plastic that hold the information. You can't do that from India if the systems are in Arkansas.
Thinking about this some more the terms "systems administrator" and "information security" both cover a large number of potential job descriptions and job titles. I know this may be a surprise to some people but not all servers run Microsoft. That's a shocker, I know. In the original post libertygrad10 mentions having a MCSA certification. That's great, if the systems you are administrating run Windows.
I worked at a couple places if you want to be the systems administrator you are going to have to know VMWare, Solaris, Linux, and some Windows. Having a MCSA in a place like that won't be worth much. It would help but that alone won't get you the job. If you are seeking certifications from Microsoft then you are not looking for work as a "systems administrator" you are looking for work as a "Microsoft systems administrator".
I don't know if I'm making sense here. Part of my point is that both systems administration and infosec are big fields, and they do overlap with each other. There are jobs in both fields and how one company defines "systems administrator" might be very different than how another company defines "systems administrator". Same goes for infosec. There might not be a person with the job title of "information security analyst" in a company but if that company owns computers then there is someone responsible for keeping those computers secure.
Another part of my point is that one cannot choose between systems administration and IT security, it's more a matter of how much you want to focus in either of those fields. You cannot secure a system if you know nothing on how to administer them, and if you administer those systems then you need to know something about security.MacGuffin - A plot device, an item or person that exists only to produce conflict among the characters within the story. -
ITcognito Member Posts: 61 ■■□□□□□□□□I don't see how you cant outsource your log monkeys (aka security analysts) and pen testers. But as a system admin, don't you have the perfect opportunity to apply security controls to the systems you manage and make risk management your focus?
-
antielvis Member Posts: 285 ■■■□□□□□□□"Security" is a diverse practice so you really need to decide what type of security? Are you going to be a penetration tester? Will it be network security or systems security? One could specialize in application security but do little with routers.
In my opinion, if you want to be a good security practitioner you should have years of experience in some other facet so you have a well rounded knowledge of what you're securing. You can't just graduate into the job.
I think much focus will be placed on security in the near to mid term future so it has a lot of potential as a practice. And..knowing security as a system administrator just makes sense. Much of what defines security is just proper administration (like NAP, proper NTFS permissions, etc). A good deal is also process related.
The real weak point with security seems to be smaller organizations. They often outsource their IT to small firms which are security focus. Now that I'm aware of security I look back at some of the networks I worked with and I shudder and think wow... -
YFZblu Member Posts: 1,462 ■■■■■■■■□□In my opinion, if you want to be a good security practitioner you should have years of experience in some other facet so you have a well rounded knowledge of what you're securing. You can't just graduate into the job.
It's funny, because the Security Analysts i work with do nothing but moan and groan when someone joins the team with previous admin experience. Reason being, developers, service owners, and admins are the people we're wrestling with during Incidents. Often times these people have been doing one thing one way for years, and it's difficult to impart our methodology on those types of bad habits. Now, I'm not talking about all admins, or admins here on TE; I think this group on TE is a higher-caliber of tech, generally speaking. But the stereotype of the older, button-pushing admin has been rampant in the security environments I've worked in.
That's not to say I completely disagree with your statement, and yours is an opinion that many people hold. On the surface it does make sense; however the field is expanding, and people with literally no administration experience are getting Level 1 infosec jobs. Myself included. I do think the security team needs to be mature and experienced in order to make this work, but it is being done successfully. You'll see this mostly in larger environments, where the analysts are responsible for defending all the things. Generally speaking you won't find sysadmins who did everything for a large organization. Sure, the team can diversify and have certain people with certain strengths - but in a 24x7 operation all Analysts need to be competent to handle at least the initial IR.
In my opinion, less important is having previous administration experience, more important is finding Analysts who have a nice baseline of technical knowledge (regardless of how they got it), are starving to learn more about EVERYTHING, and are inherently security minded. Finding that balance is extremely difficult however. Hiring good security analysts can be a nightmare - I have seen situations in which a company was too loose and hired flat out morons (I once worked with a guy who suggested filtering all protocols but HTTP and HTTPS outbound) - and on the other side you have the picky organization which can't fill seats because nobody qualified is available. There is no easy answer. -
YFZblu Member Posts: 1,462 ■■■■■■■■□□I don't see how you cant outsource your log monkeys (aka security analysts) and pen testers. But as a system admin, don't you have the perfect opportunity to apply security controls to the systems you manage and make risk management your focus?
It can be done, if security is just a checkbox or if finances don't permit for a dedicated security team.
Having a dedicated CIRT on-site doing thorough analysis of the environment with buy-in from Officers of the company is a much better solution. That being said, if finances won't allow for it, outsourcing security is better than no security. -
W Stewart Member Posts: 794 ■■■■□□□□□□I didn't say they won't try to outsource their security. I said it cannot be off shore. Someone responsible for securing the IT systems will have to be onsite. The responsibility for infosec may not be in the job title, it may not be in the job description, but if there is an issue with infosec there is going to be someone that is under the same roof that will be held responsible.
That is an example of taking some of the infosec offsite. Not sure if that qualifies as offshore. Question is, if Dell detects an attack on your network what do they do about it? Do they handle that themselves too? I suspect they give you a phone call or otherwise alert someone onsite. That person that picks up the phone is now part of the IT security team.
A big part of infosec is physical security. Someone has to be onsite to make sure someone or something does not destroy the servers. To guard the information means also guarding the little bits of metal and plastic that hold the information. You can't do that from India if the systems are in Arkansas.
Thinking about this some more the terms "systems administrator" and "information security" both cover a large number of potential job descriptions and job titles. I know this may be a surprise to some people but not all servers run Microsoft. That's a shocker, I know. In the original post libertygrad10 mentions having a MCSA certification. That's great, if the systems you are administrating run Windows.
I worked at a couple places if you want to be the systems administrator you are going to have to know VMWare, Solaris, Linux, and some Windows. Having a MCSA in a place like that won't be worth much. It would help but that alone won't get you the job. If you are seeking certifications from Microsoft then you are not looking for work as a "systems administrator" you are looking for work as a "Microsoft systems administrator".
I don't know if I'm making sense here. Part of my point is that both systems administration and infosec are big fields, and they do overlap with each other. There are jobs in both fields and how one company defines "systems administrator" might be very different than how another company defines "systems administrator". Same goes for infosec. There might not be a person with the job title of "information security analyst" in a company but if that company owns computers then there is someone responsible for keeping those computers secure.
Another part of my point is that one cannot choose between systems administration and IT security, it's more a matter of how much you want to focus in either of those fields. You cannot secure a system if you know nothing on how to administer them, and if you administer those systems then you need to know something about security.
Actually I've never really seen anyone with a dedicated onsite security guy. Not saying they don't exist but it seems to be more common to outsource security to a msp. Maybe it's different for larger companies. I work at a web hosting company who outsources security for networks that need to be pci complaint to another company called stillsecure. Those guys could be in india for all we care. I do agree that the jobs can overlap. A career as a systems administrator can definitely get your foot in the door as a security professional and at least over here in the Tampa, FL area the security market seems to be bigger than the market for linux admins so maybe this is where everything is being outsourced to. -
MacGuffin Member Posts: 241 ■■■□□□□□□□Actually I've never really seen anyone with a dedicated onsite security guy.
I never said that there would be, or that there should be. I said that there must be someone onsite that is responsible for securing the computer systems. That responsibility is likely shared among several people. Physical security is part of the information security. That might be outsourced, but it's not offshore.
Offshore means the people providing the service is outside the nation's borders. Onsite means the people providing the service is under the same roof. Outsourced means the people providing the service is not a company employee but works for someone contracted to provide the service, they may dedicate part or all of their time to providing the service to that one company. Outsource does not mean they are offsite, something can be outsourced and still under the same roof. Offshore does mean offsite, but offsite does not necessarily mean offshore.
A person does not have to be dedicated to being the onsite security guy to be the onsite security guy. The onsite security guy will very likely have many other tasks to perform daily, and onsite security will be just one of them. I believe that if you can show you have the skills and aptitude in IT security then you are more likely to find a job and keep that job. That job may have the title of "systems administrator", and if so then who cares? The point is finding work you enjoy that pays enough to live on.
If all you want to do is IT security then you might find yourself very unhappy or very unemployed. It's unlikely for someone to find a job doing just IT security. You will likely also be doing networking, system administration, database administration, web development, or whatever. If you are doing systems administration then you are going to have to know something about security. If you do IT security then you are going to have to know something about systems administration. Unless you are working for a very large company expect both to be a large portion of your job duties regardless of which you choose as your focus.MacGuffin - A plot device, an item or person that exists only to produce conflict among the characters within the story. -
YFZblu Member Posts: 1,462 ■■■■■■■■□□Actually I've never really seen anyone with a dedicated onsite security guy.
You work for a web hosting provider - It makes sense that companies who can't/don't host their own stuff probably don't have a security team.If all you want to do is IT security then you might find yourself very unhappy or very unemployed. It's unlikely for someone to find a job doing just IT security.
Not really - Good security people are not short on dedicated security work. -
MacGuffin Member Posts: 241 ■■■□□□□□□□Not really - Good security people are not short on dedicated security work.
I know a guy. He and a friend of his do computer forensics work. Sounds like it makes them money but not enough to do it full time. His day job is to teach IT classes, mostly security classes but also some networking and Microsoft stuff. Between classes he sets up the classroom computers, works on the company servers, and other odd jobs. I can see it would be possible for someone like him to do only IT security but I can also see that as rare. Anyone that knows enough to configure the firewalls (hardware or software) will almost inevitably be tasked with setting up the routers, switches, user accounts, and things like that which are related to security but is more in the realm of system administrator or networking person.
I can also imagine a dedicated infosec person that has a stack of infosec certifications that's waist high. Works for a big company so they need that person to do things like pen testing, watch the logs for attacks, monthly review of procedures, Wi-Fi site evaluations, and whatever we might imagine an infosec guy to do. Then the company decides they need to shrink the company a little. There's another guy with a stack of certifications that is waist high, a mix of infosec, networking, and desktop applications. Which one is more likely to keep their job? The jack of all trades or the master of one? Which one if they lose their job is more likely to find work elsewhere?
So, I see you're point. People that are really good at what they do will find work. I'm just thinking that it might also be a good idea to expand your skill set so you don't end up seeing yourself out of work because you're not flexible, and can't find work because you are overqualified for your field and under qualified for anything else.MacGuffin - A plot device, an item or person that exists only to produce conflict among the characters within the story. -
YFZblu Member Posts: 1,462 ■■■■■■■■□□I know a guy. He and a friend of his do computer forensics work. Sounds like it makes them money but not enough to do it full time.
I'm turning down jobs right now for Associate-level Security Aanalyst work starting at 85k, in an area of the country that isn't really expensive to live in. Level 2's are looking at 90 - 95 in the same area. From there you have Senior Analysts and specialized skillsets (threat intelligence, malware analysis, intrusion detection, etc.) who are looking at six figures and up. There is plenty of decent money to be made in infosec.I can also imagine a dedicated infosec person that has a stack of infosec certifications that's waist high. Works for a big company so they need that person to do things like pen testing, watch the logs for attacks, monthly review of procedures, Wi-Fi site evaluations, and whatever we might imagine an infosec guy to do. Then the company decides they need to shrink the company a little. There's another guy with a stack of certifications that is waist high, a mix of infosec, networking, and desktop applications. Which one is more likely to keep their job? The jack of all trades or the master of one? Which one if they lose their job is more likely to find work elsewhere?
Here's where the mindset needs to be shifted - The guy who's plate is full of application management, network administration, etc etc is not going to have the time or resources to be a real security person. At that point his/her job is to keep things running - Understanding threat landscape is a full time job. Identifying risk in the environment is a full time job. Putting People Processes and Technology in place to mitigate risk is a full time job. Managing security devices is a full time job. Being eyes on the wire, monitoring the data generated by those devices is a full time job. Properly managing the data being collected is a full time job. My point is, good thorough security in larger environments requires dedicated teams of people with a specialized focus. It isn't something to be dumped off on someone with an unrelated mindset.
Regarding your point of keeping a job, the reality is that security has few technically qualified applicants compared to the amount of infosec resume's out there - if the firm I work for dumped me and consolidated duties I would get at least a $25,000 raise when I went to the next place. That's just how it is right now. In terms of expanding my skillset, I'm not too worried about it anymore - If absolutely needed I would adapt like everyone else in IT adapts as technologies/needs change. In fact during Incidents I find myself having to be a subject-matter expert on a wide variety of technologies every day where I work - I have become much more well-rounded because of my job in security. -
MacGuffin Member Posts: 241 ■■■□□□□□□□I'm turning down jobs right now for Associate-level Security Aanalyst work starting at 85k, in an area of the country that isn't really expensive to live in. Level 2's are looking at 90 - 95 in the same area. From there you have Senior Analysts and specialized skillsets (threat intelligence, malware analysis, intrusion detection, etc.) who are looking at six figures and up. There is plenty of decent money to be made in infosec.
Those jobs will be location specific. Depends on the size and type of corporations that exist. The very nature of infosec does require someone onsite to be security minded but that can also be outsourced. I can imagine, for example, a bunch of small local banks outsourcing their infosec duties to a single company. That one company would have a few high paid infosec people, providing the outsourced infosec onsite at those banks. There's probably a greater number of jobs where someone is the jack of all trades, where security is an element of their job.Here's where the mindset needs to be shifted - The guy who's plate is full of application management, network administration, etc etc is not going to have the time or resources to be a real security person. At that point his/her job is to keep things running - Understanding threat landscape is a full time job. Identifying risk in the environment is a full time job. Putting People Processes and Technology in place to mitigate risk is a full time job. Managing security devices is a full time job. Being eyes on the wire, monitoring the data generated by those devices is a full time job. Properly managing the data being collected is a full time job. My point is, good thorough security in larger environments requires dedicated teams of people with a specialized focus. It isn't something to be dumped off on someone with an unrelated mindset.
I agree. The problem is that not every company is big enough to take on the cost of a person that only does information security. In a company like that you might have a person with the title of "chief information security officer" but they are going to be responsible for things outside of security. An example would be that since the routers and switches are where most of the security issues lie, and VOIP phones are inherently tightly integrated with those routers and switches, it would fall on the security guy to keep the phones working.Regarding your point of keeping a job, the reality is that security has few technically qualified applicants compared to the amount of infosec resume's out there - if the firm I work for dumped me and consolidated duties I would get at least a $25,000 raise when I went to the next place. That's just how it is right now. In terms of expanding my skillset, I'm not too worried about it anymore - If absolutely needed I would adapt like everyone else in IT adapts as technologies/needs change. In fact during Incidents I find myself having to be a subject-matter expert on a wide variety of technologies every day where I work - I have become much more well-rounded because of my job in security.
It appears that you are making my point for me. You have more job security because you have a strong background in infosec, but also have knowledge in related fields. Someone that knows only infosec is a near impossibility, there is an inherent need to know something about the systems they secure. If the infosec people cannot step in for their non-infosec co-workers on occasion then they are not going to be very effective. On the other hand systems administrators that cannot secure their systems will not be good at their job.
If someone chooses to go into systems administration then they should have some basic knowledge in infosec. Someone that chooses to go into infosec should have some knowledge on the systems they secure, or at least know that they will be expected to learn about those systems on the job.
I'd recommend that anyone that wants to get into systems administration should consider getting some sort of security certification along with whatever certifications they choose. Not only does it look good on a resumé but you'll very likely get on good terms with the security people very quickly. On the other hand any one wanting to get into infosec should consider gaining knowledge outside of pure infosec. Security certifications like those from Microsoft and Cisco will require this. I'll be taking a course for the CEH certification soon, sounds like there will be a lot of exposure to pen testing tools on a number of platforms.
Thinking back and looking back at what I wrote I realized I've been jumping back and forth on which has a better job outlook, systems administrator or infosec. Where I have not changed my mind is that there is a portion of infosec that must be onsite. I believe that having something on your resumé that demonstrates you know infosec will improve your chances of getting a job. I further believe that applying this infosec knowledge in your work will make you valuable to your employer and therefore provide more job security and potentially better pay.MacGuffin - A plot device, an item or person that exists only to produce conflict among the characters within the story. -
YFZblu Member Posts: 1,462 ■■■■■■■■□□Those jobs will be location specific.
I'm not sure how that relates - My post was in response to the blanket statement being made that pure information security roles are extremely difficult to find and may not pay enough to live on exclusively. At least that's what I gathered from your posts above. The fact is, the work exists and the pay is good.I agree. The problem is that not every company is big enough to take on the cost of a person that only does information security.
As my posts indicate, I'm referring to larger organizations. It's a given that smaller companies (generally speaking) will have fewer resources to dedicate to information security.It appears that you are making my point for me. You have more job security because you have a strong background in infosec, but also have knowledge in related fields.
But understand how I'm getting that knowledge in related fields - my larger point is that I know more than I otherwise would because of security. Incidents arise all the time where a service owner / admin has no clue about how their service actually works. During the course of my investigations I have to basically become a SME for the service in order to accurately and intelligently override the inevitable push-back I'm going to get when I propose changes to that service. Doing this over and over has enabled me to expand my skillset at a rate which would be otherwise impossible had it not been for my career in security. Security would never pigeon-hole me, it does the exact opposite. -
MacGuffin Member Posts: 241 ■■■□□□□□□□I'm not sure how that relates - My post was in response to the blanket statement being made that pure information security roles are extremely difficult to find and may not pay enough to live on exclusively. At least that's what I gathered from your posts above. The fact is, the work exists and the pay is good.
It appears we agree more than we disagree. Where I live the options to find full time work doing only IT security are few. We just don't have the population and businesses like that around here. I'm certain that in certain places there are going to be plenty of opportunity to be a full time infosec guy, that's just not everywhere and as far as I can tell it's not here.
I just don't want to create the expectation that someone can always find a job where all they do is infosec. It sounds like even in your job you have been asked to step out of your role as infosec expert to do something that better fits the role of system administrator, network engineer, or what have you.
I realize I took that a bit far into being hyperbolic. It's been my experience that those that do infosec work will also end up performing tasks outside of strict infosec. It might mean filling in for people when illness, weather, vacation, or whatever prevents the person primarily responsible for not being there. It might mean that their daily responsibilities will involve something outside of strict infosec, there is just some things that need to be done in a company where the infosec guy is the best person for that job. As you point out there is an inherent need for infosec people to know these things, or perhaps they will simply pick them up as they do their job.
I also wanted to point out about my "location specific" comment is that there are just some things in infosec that must be onsite. I went over that several times already, I believe I made my point by now.MacGuffin - A plot device, an item or person that exists only to produce conflict among the characters within the story. -
YFZblu Member Posts: 1,462 ■■■■■■■■□□I just don't want to create the expectation that someone can always find a job where all they do is infosec. It sounds like even in your job you have been asked to step out of your role as infosec expert
Ultimately any research I'm doing is always within the confines of a security mindset. 100% of the time the work I do is to help bring perceived risk to an acceptable level - So I don't separate those duties out at all and it is purely a security role all the time.Where I live the options to find full time work doing only IT security are few. We just don't have the population and businesses like that around here. I'm certain that in certain places there are going to be plenty of opportunity to be a full time infosec guy, that's just not everywhere and as far as I can tell it's not here.
OK, you're definitely on point with that - In my experience pure infosec roles aren't necessarily everywhere in the sense that general admin roles are pretty much everywhere. For me, being ready to move for my career is just so ingrained in me at this point, I assume it's an option for everyone. An inaccurate assumption, obviously. That being said, for someone willing/able to relocate those jobs definitely exist and are not difficult to seek out. -
MacGuffin Member Posts: 241 ■■■□□□□□□□Looking back through the thread I think some of the confusion came from the example of the guy I know that does infosec part time. The reason he keeps his day job as an IT certification instructor is because there is just not enough call for his infosec services to do it full time. It sounds like he gets paid well for his services so it's not a matter of the pay. It's a matter of not having enough customers. I don't live in a huge metropolis, it's not a cornfield but it's not Los Angeles either.
Once companies reach a certain size then they are likely to get their own security guys. So, people like the one I know that offer contract infosec services may find themselves unable to do it full time. I'd guess that someone like the guy I know could find work doing infosec full time he simply chose not to because he had a job he enjoyed being an instructor and systems administrator. If he did choose to do infosec full time around here he may have to take a pay cut because of the local market.
I have no doubt that infosec people get paid better on the average than systems administrators. It just may be that where you live the current job openings in infosec might not pay as well as the current openings for systems administrator.MacGuffin - A plot device, an item or person that exists only to produce conflict among the characters within the story. -
W Stewart Member Posts: 794 ■■■■□□□□□□I never said that there would be, or that there should be. I said that there must be someone onsite that is responsible for securing the computer systems. That responsibility is likely shared among several people. Physical security is part of the information security. That might be outsourced, but it's not offshore. Offshore means the people providing the service is outside the nation's borders. Onsite means the people providing the service is under the same roof. Outsourced means the people providing the service is not a company employee but works for someone contracted to provide the service, they may dedicate part or all of their time to providing the service to that one company. Outsource does not mean they are offsite, something can be outsourced and still under the same roof. Offshore does mean offsite, but offsite does not necessarily mean offshore. A person does not have to be dedicated to being the onsite security guy to be the onsite security guy. The onsite security guy will very likely have many other tasks to perform daily, and onsite security will be just one of them. I believe that if you can show you have the skills and aptitude in IT security then you are more likely to find a job and keep that job. That job may have the title of "systems administrator", and if so then who cares? The point is finding work you enjoy that pays enough to live on. If all you want to do is IT security then you might find yourself very unhappy or very unemployed. It's unlikely for someone to find a job doing just IT security. You will likely also be doing networking, system administration, database administration, web development, or whatever. If you are doing systems administration then you are going to have to know something about security. If you do IT security then you are going to have to know something about systems administration. Unless you are working for a very large company expect both to be a large portion of your job duties regardless of which you choose as your focus.
Nobody is arguing that physical security can be outsourced although if you want an argument for that, our customers have dedicated servers with us so everything including physical security is outsourced to us. We have customers in other countries as well so it can all be outsourced and off-shored depending on the nature of the business.
The point I'm trying to make is that their are managed security providers that small businesses and even larger companies outsource security to. We use one of them where I work and I've even been approached by another one for a job but will probably turn it down. Sure somebody needs to be on-site to physically secure a box just like somebody needs to be on-site to swap a power supply but those jobs are typically pretty low on the totem pole and I doubt it's the type of position that somebody is usually referring to when contemplating between a systems administrator career and an IT security position. I'm pretty sure somebody aspiring to have a career in infosec is looking to do more than be an on-site security guard.
To further clarify so there's no confusion, I'm referring to your original post that said "Security by definition must be on site, can't off shore security." Again, I agree, physically securing the box has to be done on-site but when someone talks about a career in IT security they're usually not just talking about being a physical security guard which is what you are if you're only job is to physically secure the box while the actual management of security solutions are being outsourced or even off-shored to an MSP. That being said, I don't think it'd be a good idea to try to off-shore security solutions and many government positions probably wouldn't even allow it. Just making the point that it's not impossible and some companies will do anything to save money. -
MacGuffin Member Posts: 241 ■■■□□□□□□□I'm pretty sure somebody aspiring to have a career in infosec is looking to do more than be an on-site security guard.
Agreed. I bring up physical security only because that is the easiest case to make that everyone can understand.Just making the point that it's not impossible and some companies will do anything to save money.
Obviously I disagree, and I'll explain why. Imagine a denial of service attack. The offsite security company sees the security cameras go dark, the internet connection to the company appears dead. They don't know for sure if it is a denial of service attack, a fire, or someone put a backhoe through the network link. What do they do at that point? They aren't even sure what is going on because they don't have any eyes onsite. They call someone onsite, right? Okay, who do they call? They can call the contract security guard in the neat blue uniform but what is he or she going to do about it? They don't know what a denial of service attack is, and explaining that over the phone is not going to be the quickest means of resolving the issue. In that case you need someone that knows what a denial of service attack is and what that means for the company. You are going to need someone that has access to the network equipment and knows how to operate them.
Another example. The offsite security company sees activity in the internal network that does not "look right". Maybe it's a network connection going up and down unexpectedly. Perhaps they see a new device appear on the network where there was no ticket logged for that to happen. Perhaps they see that someone is doing something suspicious on the network. Perhaps all they need is someone to verify that the logs they are receiving are accurate. In every case you need someone on site that has the vocabulary to know what they are talking about and the knowledge of what might cause what they are talking about.
This person that is onsite might not carry the title of onsite IT security but in fact that is what they are. The person that the offsite security contractors call is by definition the onsite IT security person. If they do not have someone onsite to contact in the case of an issue then they are not providing security, they are just peeping toms. I say that because unless they can do something about the security issue quickly then all they are doing is watching. Watching is not security. Logging the issues is not security. There needs to be an ability to respond effectively to be able to have security.
In some cases with IT security the response can be done offsite. An external attack on the network might be resolved with someone offsite. Perhaps even some internal attacks can be prevented from onsite. To get to the point to have offsite security there needs to be someone with hands on the hardware to setup the means to provide security offsite, and that hardware needs to be maintained. That person that maintains the security systems needs to have training in information security. It might not be in their job title, it might not be their only responsibility, but that person is the onsite security person.
Offsite security is impossible. It's going to be real hard to convince me otherwise. Any company will find offsite security as a cost savings until they get a determined attacker. Then it will be real expensive.MacGuffin - A plot device, an item or person that exists only to produce conflict among the characters within the story. -
W Stewart Member Posts: 794 ■■■■□□□□□□I can agree that you'll always need somebody on-site and that doesn't apply to just security. It goes for your internal infrastructure as well. It's also beneficial to the company if that person has some security knowledge allthough I've seen plenty of companies with admins and techs who don't always know the basics you would expect them to know. Security isn't in my job description as an admin but I just happen to have some security certs that I didn't have when I got this position. Security is oftentimes an after though to many companies because they don't take it seriously until they get attacked. When they hear that they can basically pass that responsibility on to an MSP instead of paying for inhouse training it usually seems to be the route that they take. I'm not necessarily saying that companies are taking this route because it's more effective or that it's even the smartest way of doing things but companies are in-fact making these kinds of decisions because they don't see the practical side of it that you laid out above.
The company that I work for for example outsourced their development to india or some other country for reasons I don't know. Well those developers suck at their job. They took four years to design a piece of junk ticketing system for a million dollars and it sucks so bad that we still have to use the old ticketing system along with the new one one when the older one was supposed to be phased out a long time ago. We even had an inhouse admin who was good with perl and built another system that kept track of customer's servers. He built his system in 6 months in his spare time at work. He tied the system in with nagios and our old ticketing system but quit because the devs wouldn't give him access to their ticketing system.
Basically the point to that example is that companies aren't always going to see things practically the way that we see them. There are a lot of bonehead executives at the top of different companies that make bad decisions which is probably part of the reason there's this whole push to the cloud and probably why some companies are outsourcing everything, even security to managed service providers. We all know as IT professionals that there will be repercussions but nobody is actually going to listen to us.
In addition, look up digital hands. that's an outsourced security provider. As the guy that has to be the on-site hands when the msp can't connect to the firewall's I like to consider myself pretty knowledgeable about security and even manage the cisco asa firewall's for other customers but when it comes to actually managing pci compliant security solutions, I just follow the steps I'm given over the phone until the msp has connectivity again, then my job is done. That's not to say that I couldn't get a security position or that my job doesn't involve security but in the context of systems administrator vs IT security, I fall into the systems administrator category. In the same manner, I'm ccna certified, know something about routing and switching and believe that networking knowledge is important for systems administration but I don't consider myself a networking professional because we have a dedicated networking team that handles all of the routing and switching.