Information Security

I was wondering if it's possible to land a job within cyber security without any real world experience in I.T but a number of infosec certifications, say security+,SSCP, eJPT, CSA+ and CASP?

Find more posts tagged with

Comments

JasminLandry

Personally, I wouldn't hire anyone in security without experience. Certs are only a piece of paper that shows you passed an exam. Nothing beats experience.

Infosec85

I get what you're saying, however in order to pass the exams you require the knowledge.

Also someone new to I.T with no experience and say A+ and Network+ can land a helpdesk job so what's the difference? Especially if the above certs are high level and teach you how to use the majority of tools used within security.

Remedymp

Security is a speciality of IT. Usually if you don't have a background in IT, the time to cultivate that resource can unfathomable for role intended.

jamesleecoleman

Infosec85, if you're having a difficult time getting direct infosec experience then you'll have to create work that involves infosec. For example, create and maintain a risk register for your organization if they don't have one. Then build off of that. I was having a difficult time getting direct infosec experience but now I'm creating work to get that experience and because it's needed at my job. If you have the opportunity to volunteer somewhere and do infosec work, go for it.

I understand what you're saying about the knowledge part and I agree but experience is like having that hands on portion. I can read NIST documents all day, everyday to gain the knowledge but if I'm not putting to use what I know in a live environment and learning from that, it's not really helpful. But I also think that if someone has the knowledge, they shouldn't be put off to the side just because they don't have the experience.

Since securing systems or physical objects is needed, knowledge/experience with the systems and physical objects will also be needed. I can't secure something properly without knowing how it works and how it affects the organization.

Someone without certifications can land a job without experience, as long as they show that they're learning as much as they can. There's nothing wrong with spending a few years in helpdesk before getting into a field that you want to get into.

p@r0tuXus

jamesleecoleman wrote: »

There's nothing wrong with spending a few years in helpdesk before getting into a field that you want to get into.

I appreciate your post and agree with most of your points. Your last sentence got my eyebrow raised. Are you saying 3 years at the helpdesk is adequate experience for moving into security? Maybe if one works 3 years in a NOC, moving to a SOC might not be a stretch. But 3 years at the helpdesk with certifications earned and drive would be enough to convince you a person is ready? Let me say, I'm not taking a position on this but I'm curious. Most people on these forums (understandably) seem to share the opinion that admin experience is required. Preferred I can see, but I've never been sold on the "required" notion. I don't work directly in security, though tasks I perform daily revolve around it. Take that for what it's worth.

Infosec85

p@r0tuXus wrote: »

I appreciate your post and agree with most of your points. Your last sentence got my eyebrow raised. Are you saying 3 years at the helpdesk is adequate experience for moving into security? Maybe if one works 3 years in a NOC, moving to a SOC might not be a stretch. But 3 years at the helpdesk with certifications earned and drive would be enough to convince you a person is ready? Let me say, I'm not taking a position on this but I'm curious. Most people on these forums (understandably) seem to share the opinion that admin experience is required. Preferred I can see, but I've never been sold on the "required" notion. I don't work directly in security, though tasks I perform daily revolve around it. Take that for what it's worth.

So are you saying that someone without helpdesk experience could move directly into a security role?

kiki162

In the late 90's, I would say yes to that. Now you really need the practical experience. Think about it, even if you passed all of those certifications, you need that core experience to really understand what the heck is really going on. Now you don't always need to go the helpdesk route, but you could certainly jump into some type of jr. role instead.

What types of "infosec" roles are you looking at?

PC509

Possible? Yes. However, competition is going to be fierce. You might get an entry-level SOC position, but that company will be getting resumes from hundreds of people for that position, including those with the same certs but 5-10+ years in IT behind them.

You need to understand the basics before moving up. Someone might take the chance on you, and I've read posts here where it's happened, but it's not the norm.

For me, the help desk and admin stuff relates directly to security. You see how things are used in the environment, you see the limits of access, you see how AD works, etc.. When you're working the security side of it, you can tell if it's a real attack attempt or if it's someone using the wrong credentials because a help desk employee left his user name there and the employee isn't used to changing users.... There's a lot of little things that can make a huge difference. So, experience with the basic things can mean a lot.

JoJoCal19

How will you know how to secure networks if you've never worked with them? How will you know how to secure endpoints if you've never worked with desktops or servers? Same with databases, applications, etc, etc.

Infosec85

At present none I want to get my technical knowledge down and then move onto some more practial certifications. I think ideally a security analyst role. I dont want to put time effort and money into security certs if in reality I should be doing microsoft certs etc and just aiming for helpdesk.

Infosec85

JoJoCal19 wrote: »

How will you know how to secure networks if you've never worked with them? How will you know how to secure endpoints if you've never worked with desktops or servers? Same with databases, applications, etc, etc.

I have certifications in networking, servers and security, including Linux. I've been around computers from the 90s I also have formal education within Software Dev so I'm no noob but I don't claim to be a pro either.

Infosec85

Please no one think I am looking down my nose at helpdesk either. I'm just trying to get a guage. If it's entirely impossible to move into security without serving time first etc then maybe i should put the likes of CSA+ and CASP in the back burner and move towards certifications that are more in line with helpdesk.

NetworkNewb

Infosec85 wrote: »

I have certifications in networking, servers and security, including Linux. I've been around computers from the 90s I also have formal education within Software Dev so I'm no noob but I don't claim to be a pro either.

That is good and all, but the experience companies are looking for is experience on corporate networks and dealing with security on an enterprise level. Not just people who have certifications and been around computers for awhile. Huge difference between knowing how things work on paper (certifications) and playing around with the topics in a lab and actually dealing with them in an corporate environment.

Master Yoda

You must have experience... you will struggle to find any job in the specialty field of security without security expedience it's way too risky for the company to do this considering you have no experience on securing a network. I recommend an internship or pick it up as a minor in college along with IS/IT or CS. That's my advice I have 3 buddies from college that work for banks doing this stuff they wouldn't hire you without experience to get them coffee. It's just the brutal truth you need to start lower and work up to that level of specialty in the industry.

p@r0tuXus

Infosec85 wrote: »

So are you saying that someone without helpdesk experience could move directly into a security role?

Someone without helpdesk experience explicitly, no doubt. There are network engineers, system admins, developers and managers that go the security route all the time. Going into security without helpdesk experience or any other experience, i highly doubt it... for all of the reasons mentioned by most of the good people here. My question was more to Jamesleecoleman: are you saying 3 yrs helpdesk experience is enough to transition to security? It doesn't seem like it'd be a popular opinion and I was curious why they may have thought that was good enough, if that's what they were saying. I wasn't trying to take a position on it because I'm not sure i have the experience in security to make that call. I would imagine it would depend on education, certifications, the interview of the person and the position they were going for - before I could answer that. So more like a case-by-case basis. I've known people at the helpdesk or in a NOC that were there for more than 3 years that I wouldn't trust to handle anything security related.

infoscrub

Infosec85 wrote: »

Also someone new to I.T with no experience and say A+ and Network+ can land a helpdesk job so what's the difference?

The difference is how much damage you can do and the level of responsibility.

Typically helpdesk can only break a couple computers. Security can end up on the news.

Infosec85

p@r0tuXus wrote: »

Someone without helpdesk experience explicitly, no doubt. There are network engineers, system admins, developers and managers that go the security route all the time. Going into security without helpdesk experience or any other experience, i highly doubt it... for all of the reasons mentioned by most of the good people here. My question was more to Jamesleecoleman: are you saying 3 yrs helpdesk experience is enough to transition to security? It doesn't seem like it'd be a popular opinion and I was curious why they may have thought that was good enough, if that's what they were saying. I wasn't trying to take a position on it because I'm not sure i have the experience in security to make that call. I would imagine it would depend on education, certifications, the interview of the person and the position they were going for - before I could answer that. So more like a case-by-case basis. I've known people at the helpdesk or in a NOC that were there for more than 3 years that I wouldn't trust to handle anything security related.

Thank you for your input. I totally get what you're saying and every company has those type of people I suppose.

Depends on the person their goals and if they wish to be the best at what they do.

BlackBeret

CEH, Sec+, and a security clearance will get you an "entry" level security position in a LOT of .gov contractor companies for infosec. Just ignore the requirements when applying, most of those companies are so desperate for warm bodies they'll give you the test **** if you only have a clearance.

On the same note, join the Army, get a clearance, sent to some high speed training, then sent to 5-6 SANS courses (just sit in class, tests are optional but paid for if you want them), then be an "expert".
Cyber Operations Specialist (17C) | goarmy.com

scenicroute

BlackBeret wrote: »

CEH, Sec+, and a security clearance will get you an "entry" level security position in a LOT of .gov contractor companies for infosec. Just ignore the requirements when applying, most of those companies are so desperate for warm bodies they'll give you the test **** if you only have a clearance.

That security clearance is the true hard part.

JoJoCal19

Infosec85 wrote: »

I have certifications in networking, servers and security, including Linux. I've been around computers from the 90s I also have formal education within Software Dev so I'm no noob but I don't claim to be a pro either.

Having just paper knowledge and thinking you can do the actual job will get you killed in this industry. You said in your original post you have no real world IT experience. Knowing how to answer questions on an exam doesn't mean you can step into a production environment and do the job. Trust me on this. Even the certs that require hands on labbing to achieve (CCNA, MCSA, RHCSA) still aren't going to enable people to deal with every facet of a production environment. However, I was addressing your post from the standpoint of leaping into a security position, not entering an entry level network or systems position.

jamesleecoleman

p@r0tuXus wrote: »

I appreciate your post and agree with most of your points. Your last sentence got my eyebrow raised. Are you saying 3 years at the helpdesk is adequate experience for moving into security? Maybe if one works 3 years in a NOC, moving to a SOC might not be a stretch. But 3 years at the helpdesk with certifications earned and drive would be enough to convince you a person is ready? Let me say, I'm not taking a position on this but I'm curious. Most people on these forums (understandably) seem to share the opinion that admin experience is required. Preferred I can see, but I've never been sold on the "required" notion. I don't work directly in security, though tasks I perform daily revolve around it. Take that for what it's worth.

As far as people spending time in helpdesk, then going into the field that they want... they're gonna have to learn as much as they can before the transition. I came off a helpdesk role and back into one where I do security related things. But I've had to do a lot of studying and obtained a couple of security certifications to help me out with what I'm doing. Say the OP went from helpdesk for 3 or 4 years at a corporate environment and then went to a small organization where the OP is the IT department or part of a small team. Thats the opportunity right there to make that move into InfoSec or atleast start working on the transition.

I have a friend who was the only person in the IT department at his organization. Now he has two people under him and while he's doing Windows Server stuff, he also has to implement and maintain the security portion of the network to stay in compliance with different standards. Before he got his job, I don't think he had a lot of experience.

Moving from nothing into a straight up security role would be super tough due to how things build off each other. I even got asked at an interview why I didn't apply for the security role even though I was working on a masters in security at the time. I told them straight up that I would not do well, just because I know for a fact that my knowledge was very limited.

636-555-3226

Wow I'm only a day late to this thread but there's dozens of replies already. My two cents - yes, having the certs will get you a job somewhere. Everybody in my area is hiring infosec people like crazy, but there aren't any out there, so they're scooping up anybody with any vague interest in infosec. Having the certs will get you a job at one of them. You'll suck at the job and fail miserably, but you'll at least be getting a paycheck for at least a few months if not longer if you're lucky. Keep in mind, though, that some places, including mine, will test your knowledge of the certs.

If you've got a penetration testing cert, I might put a laptop in front of you with Kali on it and ask you to provide me with a port 23 scan of my network in XML format, or I might ask how you'd crawl my internal network and give me a screenshot of the landing page of every web server in my environment.

Have the CSA+? I'll give you a few DNS **** from my SIEM and ask you what you can figure out from them or what additional types of info you'd need to be able to figure anything out from them. Nothing CompTIA-level, either, I'm talking the real deal

IN other words - you can get a job, but you sure won't be working for me!

Mike7

To OP. Just to add that cert only indicates that you have a minimum level of knowledge. Experience matters. Since you are from Ireland, you may want to look at CREST. I understand CREST certifications (and CHECK) are standard requirements for UK jobs similar to US's DoD 8570/8140.

Take note that CREST CRT (and higher) exams are performance based, your laptop hard disk contents will be deleted after the exam.

Cyberscum

BlackBeret wrote: »

CEH, Sec+, and a security clearance will get you an "entry" level security position in a LOT of .gov contractor companies for infosec. Just ignore the requirements when applying, most of those companies are so desperate for warm bodies they'll give you the test **** if you only have a clearance.

On the same note, join the Army, get a clearance, sent to some high speed training, then sent to 5-6 SANS courses (just sit in class, tests are optional but paid for if you want them), then be an "expert".
Cyber Operations Specialist (17C) | goarmy.com

Forget what he said.

3D0X3 Air Force.....Sorry BlackBeret

BlackBeret

Well, if you're going AF at least tell him 1B... Then remember that it's not open to entry level. Go Army!