IT or IT-S, or "Advice for a 46 year-old JOAT"

bhoops Member Posts: 41
I'm back. Last year I posted "Advice for a 45 year-old JOAT". I'm basically in the same position as last year, except I'm fatter. My friend that was going to hire me turned out to only be able to hire me part-time, so I ended up staying where I was. I did manage to get into web development, so about 1/3 of my job is that. Which is nice. But time for a grand plan.

I'm planning again to go to WGU, and get a BSIT degree. At least then, I will be less stressed about my ability to stay employed. If I get a degree, I may be about 50 when I get it, and should have another 15 years of work left in my career (assuming I retired at 65). The prospect of doing software development for another 15 years does not excite me. I was trying to think, what in IT did I think was *fun*. In my 25-year IT degree, it stopped being fun after about 5 years. Then it was just a way to make money. In my first 5 years, I ran a PC/LAN system for a warehouse, and did everything. I was the programmer, network admin, night-time support, everything. It was fun because I was learning a lot.

Now I'm thinking of majoring in IT-Security at WGU, instead of just IT. What little bit of IT security I have done, was a lot of fun. I imagine it is a job where you get to work on a lot of different things, because technology and the associated threats constantly change. I really don't know much about what IT-S people do, I am googling around trying to find out. It seems like there are now many branches in the field.

A long time ago, the "security" people were all hard-core server admins. I never thought it was a field you could get into without having been a long-time admin. I guess the times have changed, and now you have web-security, mobile-security, network-security, etc.

Does anyone know what kind of InfoSec jobs you would be qualified for after taking the WGU IT-S path? I work as a developer/JOAT, and do not have access to Cisco equipment. How realistic would it be to get into InfoSec without server-admin experience?

I'm trying to pick out something that would be *fun* for me to spend the last 15 years of my career doing.


    docrice Member Posts: 1,706
    Information security / IT security has a growing number of branches. For example, "network security" has many subdomains now where it used to be more about general perimeter defense (firewalls and router ACLs). If someone were to try being everything-network-security these days, that person would have to cover not just the tools like firewalls, switches, routers, and other basic equipment, but also analyzing logs, going in-depth with traffic inspection, understanding web attacks, learning key management process for load balancers, attack methodologies, and on and on.

    Personally, I think there's great value in having a generalist background because you can visualize where a certain security function fits into the large scheme of things. It keeps your perspective on the larger picture in terms of what the overall organization wants to accomplish, but at some point you'll probably be more effective on the job if you have a specialization or two. Having that depth of knowledge on a few subjects which really interest you and applying it is going to be a key differentiator. Trying to grasp everything at a deep level will be difficult or next to impossible unless your ability to absorb new information is light-speed beyond most people.

    Infosec is ever-expanding and always changing. It's a recipe for burnout unless you really like this area. It sounds like you prefer the dynamic environment and this path could be for you. Everything builds on the foundations. Typically there's the non-technical path (like compliance) or the obvious technical route, but even with the former it's good to have the technical fundamentals so the context of what you're assessing is in place and you can advise accordingly.

    I'm not sure how much an infosec-related degree will help you on finding an infosec job, but with the demand rising for experienced professionals who avail themselves to this corner of the technology field, you're in a good position to leverage your existing skill sets. The one thing almost every security-related position asks for is industry experience. It doesn't necessarily mean "security experience" but being in IT (either or both systems and networking) is often sufficient as long as you have a mindset edged towards risks and mitigations.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
    LionelTeo Member Posts: 526
    Related infosec jobs split into two areas: Compliance and Technical.

    Compliance examples are auditor, manager, BCP/BRP, and IT Security for writing policy. The work type is related to documentation and enforcing standards and regulations.

    Technical examples are Security Analyst, Penetration Tester, Forensic Analyst, and Incident Handler, with an advanced path to exploit or malware researcher.

    Another technical branch is Security Engineer, supporting devices like firewalls, IDS, SIEM, etc., and setting up and deploying them. Sysadmin may somewhat overlap in this area as well.

    Infosec degrees usually cover the compliance area, because Penetration Testing is too gray to teach in some countries, while Incident Handling and Security Analyst are considered specific areas that individuals have to develop in their own time.

    If you want fun stuff, passion matters a lot, because if you don't have the passion for learning, the chances of you landing in a documentation job or just another job supporting appliances are high. Passion should be really high enough to drive the hard work in learning things. If you really want a start, a really simple approach is to pick up some of the books and see if they are to your liking:

    - Counter Hack Reloaded (for starting as a penetration tester/incident handler)
    - The Basics of Hacking and Penetration Testing, Second Edition: Ethical Hacking and Penetration Testing Made Easy (for starting in Penetration Testing)
    - Internet Core Protocol (reading hex, packets, binary and understanding protocols) (for starting as an Intrusion Analyst)
    - Incident Response and Computer Forensic (for starting as an Incident Handler or Forensic Analyst)
    - Network Security Bible (for starting in compliance)

    I had owned all of them except the second one. For a start I highly recommend looking at them and seeing which ones are to your liking. Focus on it while you're studying for your degree.
    bhoops Member Posts: 41
    Thank you docrice and lionel. I will try to figure out what area in IT Security I think I might enjoy. I will get the books lionel mentioned, and any others that have IT Security job comparisons. I ordered the "InfoSec Career Hacking" by Chris Hurley; it got good reviews back in 2005 (it's a bit dated).
    LionelTeo Member Posts: 526
    Just dug out my books and want to correct myself. Network Intrusion Detection by Stephen Northcutt has better content than Internet Core Protocols. Feel free to go to Google book preview to read up on some content. It's a really nice feature I recommend.
    Strong1 Member Posts: 18
    I am almost finished with the WGU BSIT-Security degree. It isn't a true InfoSec degree. It is really just a specialization in Network Security. The only security certs you get are the Security+ and the CCNA Security. If you go for the Masters degree then you get more into the actual InfoSec compliance area, but it is geared more towards Security Managers rather than pen testing and such. FYI
    bhoops Member Posts: 41
    Strong1, how realistic is it to get the Cisco certs, if I never work with networking hardware at my day job?
    zxbane Member Posts: 740
    Great post LionelTeo,

    I plan to read some of the books you mentioned and just recently started reading the Network Security Bible 2nd Ed.
    ram1101 Member Posts: 32
    No need for hardware... download GNS3 and you should be able to complete all the way to your CCIE written.
    You probably will need some switches, but I think you can do some switch labs on GNS3 now as well.
    Keep looking, man. You need to go above and beyond if you really want to have a career in IT.
    Strong1 Member Posts: 18
    bhoops> Kinda my point. The BSIT Security may or may not be the right degree for you. Don't get me wrong, WGU is awesome and you get some great certs, but if your goal is pen testing, or something other than network security, the CCNA Security may not help very much. I'm sure others on here can give you much better advice, considering I don't currently work in the security field yet, but I was just letting you know the WGU degree might not be exactly what you are looking for.
    bhoops Member Posts: 41
    Strong1, my main problem is, I don't know what I like. I've worked in IT for 25 years, and have done a lot of different things. Since I never had a degree, I have always made a lot less than normal, and tended to be given the least fun tasks to do. For about a year I pursued a non-IT BS degree, so I could do something else, since IT was beginning to seem like not a lot of fun. Recently, I decided I should find what was "fun" in IT, and do that for the last 15 years of my career (if possible). So I'm now trying to find out what the day-to-day life of an "IT Security" person is like. The few times I've been involved in security, it has seemed fun. I worked at a place that got hacked, and the IT Manager asked for my help in figuring out what happened, and to do pen-testing on remaining systems. That was a lot of fun.

    When I was a child, I was taught to be super law-abiding, so I never became an illicit "hacker". I never even explored it, because it seemed like to be good at it, you had to do it. Now there is an entire IT Security field, white hat hacking, etc. I've been too busy making a living to pay attention to it, but now I am. The prospect of doing more of the kind of work I have been doing, demoralizes me. Getting a 4yr degree should open up more job opportunities, and getting a degree in a sub-field (like Sec), might open up that sub-field to me.

    I like doing varied smaller tasks rather than large complex ones, so I think InfoSec work might be more appealing than writing software. I would also learn domain knowledge rather than private knowledge, for example, learning how Cisco routers work, rather than learning how some guy's app computes shipping costs.

    I like helping people, and doing varied tasks. Perhaps I might like doing "compliance training", or "auditing", or one of those type jobs.

    I read where 50% of the American programmers expect to become millionaires, I know have. Now that I'm getting old, I don't want to make a million dollars. I want a job that I enjoy.
    TheChameleon Member Posts: 84
    I don't think at this stage for you that an IT specialization is necessary. I believe the specialization is needed for those that don't have the depth of experience. None of these certs will teach you how to really be in the IT field, nor specialized IT field. They are meant to prepare you to enter the IT field. Beyond this, a Masters program could prepare you for specialization.

    Any IT degree would suffice at this point. If you want to move up, then seek higher certs: CISSP, CEH, CCNA, MCSE, etc. Either way in my experience most IT Security people aren't true security professionals, just good book learners and passed the test. One person I knew really was not an IT person, they did project management and never touched any code and went for a CISSP and passed it.

    People like this get security jobs and simply push paper downhill to others like you and me to prevent or understand the issue, document it, remediate it and they simply collect the results. Some paper PEN testers simply learn how to run some programs that provide a report output, try to find at least two things they can document whether bogus or not and they are done.

    All the things you mentioned are really good career goal contemplations. At this point, just get a general IT degree to complement your experience, figure out what you really might like to do by continuing to try new things and take on bigger challenges. Sometimes you may not like what you are doing until you build enough knowledge and therefore confidence to keep going.

    There are also certifications for IT Trainers. IT management may also be an option as well.