My Action Plan - Need some advice and insight from experienced Infosec professionals

Good morning guys and gals!
I'm so glad I found techexam community, you guys are awesome.I'm looking to make a career transition to infosec but could use some help and guidance. I have 15+ years of experience in IT (server admin, networking, helpdesk, trouble shooting, systems analyst) and 8 years experience in information, cyber, physical and network security; 8 years being part of 15+. I want to move away from pure technical roles in IT to a cyber security job having lot more overall involvement (having business, design input etc.) so prefer to get into Threat Risk Assessments or GRC roles in a solid company having dedicated security departmentS so I can learn as much as possible.
I have several certifications including CCNP (security), CEH, Sec+, N+ and CISSP.
What I dont have is lot of infosec experience on my resume nor do I have infosec related job titles. Nor do I have exposure and hands on experience of managing security devices like Firewalls, IPS, IDS etc. or SIEM etc. I never did any projects, security or IT.
My plan is to learn the above mentioned as much as possible by self study using resources like youtube, udemy, internet, nist publications, focus groups etc. and get my cism, crisc, cisa etc and then look for a dream job. However, I am not sure how much one can learn by reading and watching as against working on a job. And will having high demand certifications help me land a plum post? I don't want to rush into something to get certified, and waste time and money.
Am I on the right track or am I being too ambitious and not realistic? or what would you do if you were in my shoes - get certified as much as possible or get any cyber security related job and then certify as you go along? (assume no financial issues for 6 months)
I will be thankful for any advice

Find more posts tagged with

Comments

yoba222

I would think you could apply for security management positions as-is, with your certs and experience.

TheFORCE

You can apply for any Information Security jobs including GRC roles with your current experience and certs. Not everyone gets to work with Firewalls and IPS/IDS right away but there are plenty of other projects that you can be involved in Security, personally, I hadnt touched a firewall being in IT for over 7 years, depends how the departments are structured and who manages those devices. But you can apply right now to Infosec jobs with no fear.

Danielm7

infosecs wrote: »

8 years experience in information, cyber, physical and network security; 8 years being part of 15+
...
What I dont have is lot of infosec experience on my resume nor do I have infosec related job titles. Nor do I have exposure and hands on experience of managing security devices like Firewalls, IPS, IDS etc. or SIEM etc. I never did any projects, security or IT.

Unless I'm reading this totally wrong, or you have very specific definitions for what is security vs infosec, seems like some conflicting info above. Doesn't 8 years of cyber, physical and network security count for a lot of infosec on your resume?

ITSec14

I believe your diverse background is great to transition into one of these roles. What you should focus on is how your experience can translate into those roles and sell it to HR/hiring managers. Obviously, your chances of landing one of those jobs will depend on a number of things as well such as, if you're a good fit on the team/organization, how your experience matches up with the job description, etc.

Don't be intimidated though. I came from a background in retail banking, then SharePoint design/administration, level 2 sysadmin, etc. and now I'm a security engineer for a global company. If you work hard and want it bad enough, you can make it happen.

TechGromit

Not sure I understand, a CISSP is at the Apex of Cyber Security certifications, and you need experience to obtain one. Just having a valid CISSP will get you an interview in most organizations. If you walk in and say I want this job, but I have no experience, I would immediately assume you brain dumped the CISSP cert and lied on your paperwork to ISC, I think I should report this guy.

redsteel

The requirements are 4 years of experience in 2 of the 8 domains for CISSP if you have a qualifying degree or 5 if you don't. Why would you think this man isn't qualified? He clearly has the experience needed to crossover. His problem is that he doesn't see the value in what he has done in his life and isn't great at translating that experience to others. You are ripe for a security management role. If you want to get your hands dirty, go work for a Security firm for a few years, but do not doubt your ability. I would wait on further exams unless you think you have to have them. Put together a 6 month plan to get into a security role, redesign your CV to match what recruiters are looking for and get to it!

TechGuru80

When you say you have network security experience...but no cyber experience....what do you mean? Do you mean no SOC type experience?

Honestly you should have enough experience to get into GRC, since some of it means having technical knowledge...you just need to get exposure to the diffferent frameworks. Have you started to apply? CISA would be a good step to start learning about risk and risk management.

cbdudek

When you talk about getting that role as a cyber security manager, I have to ask about your education. Do you have a degree? When you are applying for higher end security manager roles, your experience is king, but your education will be weighed just has heavily as your certifications. Most hiring managers are going to ask for not only your level of experience, but also your degree, and certs. If you are lacking in one of those areas, you will find some people that are strong in all three and they will be the ones to get the interviews. This is why I went back and got the certifications I needed to be successful in my career.

The other thing you have to consider is being a manager or expert requires knowledge of the business. Yes, you can talk tech, but can you do cost-benefit analysis, risk assessments, and so on? Do you have a track record of doing those things? Once again, these are key as you go higher at a company.

You have a great base of experience and certs. There may be areas you can shore up to improve your chances of getting that next gig that you want.

infosecs

I am thankful to everyone who has replied so far. Your replies are very helpful and encouraging as they reinforce what I have been hearing. Many security consultants I have spoken to so far have all pointed out the same thing as mentioned in this thread that I do have adequate experience. The more the better of course but it should not stop me from getting a job. And just to answer some other points I have not applied to any job so far and have never worked in SOC but have worked in help desk handling security incidents.
So why am I thinking of getting lot more experience? Well, as redsteel mentioned above my experience touched some domains but not all. My real full blast exposure of cyber security was the cissp exam content. And boy o boy was it huge! On top of that I see that some jobs require quite a bit of exposure to Siem, Firewalls, IDS, Designing of Security architecture, assessment of vendor security profile and so on. when i compare that to my exposure I feel like a minnow in information security. Obviously infosec is a huge domain with lots of various subsets so I am confused and intimidated by all these processes, methodologies, hands on experience etc. and wonder if I need to familiarize myself well with each of these and get hands on experience (of each) before applying?
That is the question.

Codeman6669

I have mianly only network related certs, no security. I was recently on a work trip and the guy i trained with was moving back into a new security role with a great company. He basically said this to me: choose what team you want to be. Red or blue. Me personally red. So he said honestly, with you network knowledge, exposure to linux, and having taken some classes in security, he encouraged me to go look at what types of software or tools the jobs you want, look for (look at job postings). You might see metasploit ALOT depending on what you want to do. Then he said go home and play with those enough to be able to hold a good conversation about them. Do that and you will land a job.

Guess what im doing right now... LOL

BTw while im here, i work in support and i gotta admit i fukn hate it now.

TechGromit

Codeman6669 wrote: »

Red or blue.

There's also Purple, which is a little of both.

TheFORCE

Codeman6669 wrote: »

I have mianly only network related certs, no security. I was recently on a work trip and the guy i trained with was moving back into a new security role with a great company. He basically said this to me: choose what team you want to be. Red or blue. Me personally red. So he said honestly, with you network knowledge, exposure to linux, and having taken some classes in security, he encouraged me to go look at what types of software or tools the jobs you want, look for (look at job postings). You might see metasploit ALOT depending on what you want to do. Then he said go home and play with those enough to be able to hold a good conversation about them. Do that and you will land a job.

Guess what im doing right now... LOL

BTw while im here, i work in support and i gotta admit i fukn hate it now.

Usually there is not 1 tool that Red teams use, they build their own tools, scripts, exploits etc etc. Learning a bit of Metasploit doesnt mean you are now an expert Red team player.

Codeman6669

TheFORCE wrote: »

Usually there is not 1 tool that Red teams use, they build their own tools, scripts, exploits etc etc. Learning a bit of Metasploit doesnt mean you are now an expert Red team player.

Understood, but i was meaning more towards a jr. security role trying to get in the door. Dosnt make you an expert, im talking getting in the door

infosecs

You guys are truly awesome. I am floored by the quality of replies and the encouragement. Thank you.
First let me address why I think my exposure is inadequate even thouh I do have a bachelors degree. You are right that i have been exposed to some domains of information security. My full blast exposure ot wonderful and vast world of cyber sec was cissp exam content. And Boy o Boy was it huge? Holy cow. That and some job postings I saw on job portals and the fact that I dont have any SOC experience have made me believe that i must know everything from devices to vendor engagement audits to desiging a security architecture to SIEM specialist...... This is why I feel so intimidated and look upon myself as a minnow in this vast ocean of knowledge and skills. Now I do understand that there are several slices with infosec and its better to start somewhere and keep on gaining exposure to diverse cyber security technologies.
So I guess the next logical step for me is to land a job and get lot more hands on experience rather than try to learn while trying to get CISA CISM etc.

infosecs

Thanks for the wonderful responses

ITSpectre

Codeman6669 wrote: »

I have mianly only network related certs, no security.

CISSP is a security cert....
CCNP (security), CEH, Sec+

So I guess someone did a big brain **** to get some certs huh???

Plus im totally confused on how you have 15 yrs of experience

You stated earlier that....

"I have 15+ years of experience in IT (server admin, networking, helpdesk, trouble shooting, systems analyst) and 8 years experience in information, cyber, physical and network security; 8 years being part of 15+"

How ????? Because you clearly state that you have experience in cyber, physical, and net security.....

ITSpectre

You should already know what metasploit is and what it does based on your 8yrs of exp... and 15+ years of experience in IT in general. The fact that your studying Metasploit because a friend told you to raises a red flag with me....

Think you may have brain dumped your CEH, and CISSP.... because you don't know what tools to use YET you have CEH..... In the CEH they give you tools to use.....

NavyMooseCCNA

Don't you need to do considerable labs for the CCNP in Security? Having this cert should have gotten you exposure to the CLI and the commands you need to configure the equipment. I'm not familiar with what CEH requirements are, but I am familiar with Security+ and CISSP (from studying for the exam for several months).