Working IT for 8 years with no certifications or degrees, looking for insight.

First of all I'd like to say thank you for taking the time to read this. I'd like to get some insight on possible career paths, and what certifications are worth the time and money to go after.

A little history:
I've been working in IT professionally for 8 years now, all at the same company. I started with PC building and repair, specifically deploying DVRs with both custom linux distributions and windows XP embedded. I did this for 2 years under supervision, when my supervisor left I took over. I took over the software imaging and made various improvements such as implementing a recovery partition and customizing windows further to suit our needs. 3 years later I began programming for the company as well. It is mostly javascript, lua, and C, with a lot of work on embedded systems. I developed programs for internal operations, so I don't have a public profile of my programming work.

That's pretty much where I'm at now, I never went to school for IT, I was just interested in it as a kid and started programming when I was 14 for fun. As such, when I'm looking at job listings I feel very unqualified due to not having a BS in computer science, or any certifications.

I'm looking into three possible fields to pursue certifications in and would like to know how realistic it is to expect employment with my experience but lack of professional qualifications.

Infosec - I'm looking at CEH and CISSP here. For CISSP it seems like I'd have to land a job before the certificate is in effect, being considered an associate in the meantime. For CEH I'd take their training and that would be that, but I don't believe a CEH combined with no IT experience focusing on security would land me a job.

Data Science / Business Intelligence - I'm looking the the MCSE Business Intelligence certification here. Seems like this is fairly cheap compared to the others, especially if I can get a deal on the training.

AWS:CSA - This looks pretty intensive and is directly tied to Amazon. It's also listed as the top paying IT certification for 2016. I've set up a trial AWS and am messing around with it. I've got a lot of experience working with virtual machines and linux, but nothing like setting this stuff up. This would probably take the longest to achieve and might not get me any work without experience in running servers even with the certification.

I have a little leadership experience, but that was around 11 years ago when I was in the Marine Corps.

Are these certifications worth the effort, or am I going to be stuck with them for nothing due to lack of specific experience?Would I be better off pursuing certifications having more to do with programming and embedded systems?
Maybe this is a dumb post and only I can really answer this all, but typing it out is helping me organize my thoughts and I'd love to hear about any first hand experience some of you have with this kind of stuff.

Thanks again!

Find more posts tagged with

Comments

gespenstern

They are.

It's more of a where do you want to be in a long run. Which should be what do you enjoy the most. IT and IT security especially are pretty hard and get old quickly so it demands reinventing yourself all the time and learning new tricks. It's very hard to do it if you don't like what you do.

Overall, it's nice that you started thinking about investing in yourself. Maybe later than some others here, but it's better to do it late than never. Certs and education certainly do help to promote yourself and help in landing a higher paid job. Everybody in IT should set aside some percentage of their time to invest in themselves through the certs and education each day, otherwise they are taking a too big of a risk of being underpaid, undervalued, not being able to land a job, etc.

Also, your experience, according to your description, should let you get the CISSP. Both working on DVRs, configuring OSes and programming are CISSP security domains and should satisfy experience requirements. If you pass the exam just send them your resume and they will figure this out. I'd say you are eligible.

beads

Any certification is worth it when you have the appropriate experience to back it up. From what you've written sounds more likely your looking for more money and a better job while doing it and less drive for one discipline over another. You really need to be driven to want to do something in Security really well to want to stick with it otherwise you won't stay in security for long. Seen it many times.

Gespenstern is right on the money when it comes to InfoSec more so than any other discipline in IT. We are constantly upgrading our skills to do tomorrows work if not today and more often than not - yesterday's backlog.

In reaction to Gespenstern's acclamation that you qualify for the CISSP. Really? If that's the case I would let the ISC(2) make that determination as they seem to believe almost anything, anyway. Personally, I am highly skeptical but that's what I am known.

- b/eads

PJ_Sneakers

beads wrote: »

Any certification is worth it when you have the appropriate experience to back it up. From what you've written sounds more likely your looking for more money and a better job while doing it and less drive for one discipline over another. You really need to be driven to want to do something in Security really well to want to stick with it otherwise you won't stay in security for long. Seen it many times.

Gespenstern is right on the money when it comes to InfoSec more so than any other discipline in IT. We are constantly upgrading our skills to do tomorrows work if not today and more often than not - yesterday's backlog.

In reaction to Gespenstern's acclamation that you qualify for the CISSP. Really? If that's the case I would let the ISC(2) make that determination as they seem to believe almost anything, anyway. Personally, I am highly skeptical but that's what I am known.

- b/eads

Dude, I thought you were having a glass-half-full kinda day until the third paragraph. Hah!

gespenstern

beads wrote: »

In reaction to Gespenstern's acclamation that you qualify for the CISSP. Really? If that's the case I would let the ISC(2) make that determination as they seem to believe almost anything, anyway. Personally, I am highly skeptical but that's what I am known.
- b/eads

Working on DVRs fall under "Security Engineering" domain easily as they removed "Physical Security" and now it is a subdomain of "Security Engineering". Specifically it is "Embedded devices and cyber-physical systems vulnerabilities" subdomain and "Physical Security" itself. Also some parts of this type of work are related to different "Security Operations" subdomains. Actually DVRs and stuff is more known as "electronic security", but (ISC)2 puts this into physical security as this area of knowledge is too shallow anyways so it doesn't make much sense to introduce another one as shallow as that, it's easier to add everything non purely information related to physical.

Working on DVRs TS is most likely pretty experienced in video acquisition process, cameras, effective camera placements and lighting and some parts of crime prevention through environmental design, using coax, twisted pair and ethernet to pass the video flow from a camera to a DVR or a multiplexor on all stack layers from physical to application, web servers as any IP camera is a web server, video frames, multiplexing, analog to digital conversion, video or frame compression, encryption, storage, databases, retrieving information from databases, hunting for anomalies across large volumes of video data, troubleshooting everything here and underlying operating systems.

And programming in Lua and C is self explanatory. TS may need to supplement all of this with tons of other information and review existing knowledge from a security point of view, but if what he says is true I'd say he's eligible.

jivex5k

gespenstern wrote: »

Working on DVRs fall under "Security Engineering" domain easily as they removed "Physical Security" and now it is a subdomain of "Security Engineering". Specifically it is "Embedded devices and cyber-physical systems vulnerabilities" subdomain and "Physical Security" itself. Also some parts of this type of work are related to different "Security Operations" subdomains. Actually DVRs and stuff is more known as "electronic security", but (ISC)2 puts this into physical security as this area of knowledge is too shallow anyways so it doesn't make much sense to introduce another one as shallow as that, it's easier to add everything non purely information related to physical.

Working on DVRs TS is most likely pretty experienced in video acquisition process, cameras, effective camera placements and lighting and some parts of crime prevention through environmental design, using coax, twisted pair and ethernet to pass the video flow from a camera to a DVR or a multiplexor on all stack layers from physical to application, web servers as any IP camera is a web server, video frames, multiplexing, analog to digital conversion, video or frame compression, encryption, storage, databases, retrieving information from databases, hunting for anomalies across large volumes of video data, troubleshooting everything here and underlying operating systems.

And programming in Lua and C is self explanatory. TS may need to supplement all of this with tons of other information and review existing knowledge from a security point of view, but if what he says is true I'd say he's eligible.

Yes, lots of experience working with all that except the databases aren't full fledged SQL servers or anything, just the database that's built into whatever software the particular DVR is running on. Tons of troubleshooting, mostly windows but also some embedded work on DVRs and routers. We use a lot of Mikrotik hardware with special configurations for the customers so I know how to write scripts for them. I don't do any field work, so no experience with camera placement or running cables.

As far as programming I don't know much specifically related to security, it's mostly digging though source files to get stuff working on our embedded platforms, and setting up simple servers on our hardware. We run OpenWRT on these little routers, I set up lua scripts on the backend and use javascript for the frontend. I've got tons of experience with OpenWRT, I dig through those source files to get stuff working (like bluez) and it's mostly in C.

zesty2016

Hiya, I am by no means an expert in career advice or any of the areas of IT that you have listed. What I would say, and this is just to pass on some advice that was given to me when I reached out to a pen testing company, is that although the CEH is a good course, if you are serious about IT Security then you should be looking to do the OSCP instead or as well as. It was enough to make me change my focus from the CEH.

Other than that, good luck & best wishes.

jivex5k

Thanks for the responses everyone. I've heard of the OSCP, that it's more respected among hacking circles but not as recognized as the other two when it comes to HR or Managers/CEOs that don't know a lot about IT. It sounds like the most fun though, reminds me of finding an exploit in my school's web server when I was a senior.

I have access to some free CISSP training through some military veteran resources I'm going to check out for now.

volfkhat

You might also consider earning your Associates from a community college.
Not exactly Glamorous... but an AS coupled with your Experience could be a worthwhile (backup plan).

Obviously, you would have to "want" to get your Associates. (2 years is a LONG time if you don't have the desire)

my 2 cents

zesty2016

jivex5k wrote: »

Thanks for the responses everyone. I've heard of the OSCP, that it's more respected among hacking circles but not as recognized as the other two when it comes to HR or Managers/CEOs that don't know a lot about IT. It sounds like the most fun though, reminds me of finding an exploit in my school's web server when I was a senior.

I have access to some free CISSP training through some military veteran resources I'm going to check out for now.

I have seen a lot of people quoting CISSP but I have not had a chance to look into it much. I will do once I have finished my OSCP tho.
I keep being sent these security deals from Tecmint.com where they bundle 9 courses for $30 (or something crazy like that), that might also be an avenue that you would like to explore. I think I bought the security one but haven't even downloaded it yet.

jivex5k

zesty2016 wrote: »

I have seen a lot of people quoting CISSP but I have not had a chance to look into it much. I will do once I have finished my OSCP tho.
I keep being sent these security deals from Tecmint.com where they bundle 9 courses for $30 (or something crazy like that), that might also be an avenue that you would like to explore. I think I bought the security one but haven't even downloaded it yet.

Yeah, I've seen those deals on slashdot too. How is your MCSE certification paying off?