
Non Technical InfoSec Career

niall.nf Member Posts: 21
Just curious about people's opinions on career paths in information security with limited technical skills.

What are the career paths/choices available?... governance, auditing, risk??

Comments

  • LionelTeo Member Posts: 526
    Basically they call it a compliance path.

    Audit, BCP/DR Manager, a general Security Manager, Security Compliance Team. Those jobs are usually open to people with more than 4 years of IT Sec experience. At some point you still need to have some technical knowledge, especially when you're new to the field. The closest you can get in a compliance path for a junior, it's either being an assistant/associate, audit, or being a sort of analyst for a very different type of SOC type of work that monitors mainly for compliance.

    I personally find the technical path more to my liking at the moment.
  • higherho Member Posts: 882
    Most IA people I bump into are not that technical. They claim to be and can spit out top-level information but never granular details on security itself. Risk Analyst, business risk, policy, vulnerabilities, etc. can be non-technical but more paper-based jobs. One clear difference between practical security individuals (OSCP) and paper (CISSP).
  • aftereffector Member Posts: 525
    higherho wrote: »
    One clear difference between practical security individuals (OSCP) and paper (CISSP).

    Hey, someone has to be in charge of all those pentesters! :)
    CCIE Security - this one might take a while...
  • JoJoCal19 Mod Posts: 2,835
    I work in Information Security Risk Management. I basically manipulate Excel spreadsheets, email, and use IE all day. Can't get any more non-technical than that. It's easy to me, but not fulfilling. I wish I could work in a more technical side of security.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • paul78 Member Posts: 3,016
    The other area besides audit, compliance, risk management, governance - is incident management.
  • the_Grinch Member Posts: 4,165
    I work in the regulatory enforcement realm. I review network designs, security policies, incident response policies, change management policies, review compliance, and review changes to the systems we are monitoring. You honestly have to be technical to get into such a position because while looking at a higher level and not doing the actual setup you have to understand how it works and where the holes might be. As it stands right now about 50% of my job involves "paperwork" type things. The other 50% requires actual technical skill (Linux, Nagios, Virtualization, Python, Bash Scripting) because a large amount of what we do can be automated. Also testing the changes before they are made is also required.

    I had four years of full-time experience in largely support roles before I entered my current position. Without that experience I wouldn't have gotten a second look. Yes, positions do exist where you could have never consoled into a router or set up a user in Active Directory, but I'll assure you that people in those positions aren't having an easy and enjoyable time. I take your post to mean that you want a position in information assurance, but currently lack the technical skills required. As you will see a lot of people here say, build that foundation and then start looking to build the house. My years on the help desk and in the server/network side of things only served to make me much better at my job.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • CodeBlox Member Posts: 1,363
    Enterprise risk management!
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
  • proph21 Member Posts: 34
    Just wanted to chime in with my thoughts even though I have no professional experience. I got my degree in Cybersecurity and see myself being interested in the compliance side of the field. I talked to many of my professors who have been in the field for quite a while. They basically all agreed that it is important to get a foundation of technical knowledge before entering compliance. They told me that having fewer technical gaps when entering the compliance side will not only make the job easier, but more enjoyable as well. Following their advice, I have been learning some Cisco networking, Windows server, Linux, and other things on my own time.


    Also, I haven't come across many entry-level infosec positions involving compliance (I live in MD). At least for my scenario, I will probably be entering the field through tech support and/or systems administration (maybe some network engineering).