Security Security Security....is it really the BIG thing?

5502george Member Posts: 264
I am currently an IT security specialist for the DoD and all I ever hear anyone in IT talking about is security being the HUGE thing in the future. Although I agree that security is important, do you think that sole security positions will increase or stay the same?

.....The reason I ask is that the military has trained me to be a security specialist, but has failed to teach me the fundamentals of networking or coding. So, the way I figure it is that an already seasoned net admin or programmer can specialize in security and be way more effective than individuals specifically trained solely in security?

.....Your thoughts?

Comments

  • chrisone Member Posts: 2,278 ■■■■■■■■■□
    I think the main security risks are what? Hackers! So the best form of security would probably be to combat Hackers. Which is why Penetration testing skills are in high demand. Penetration Testing will always lead the forefront of security. It will always be in high demand.
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • 5502george Member Posts: 264
    chrisone wrote: »
    I think the main security risks are what? Hackers! So the best form of security would probably be to combat Hackers. Which is why Penetration testing skills are in high demand. Penetration Testing will always lead the forefront of security. It will always be in high demand.


    Copy, but don’t you think that a pen tester would be more effective if he/she was a network/code expert prior to specializing in pen testing? IE: White hat, Grey hat in software or network...

    ...Basically, do you think it is possible to be an effective IT security tester with ONLY security education?
  • lsud00d Member Posts: 1,571
    5502george wrote: »
    ...Basically, do you think it is possible to be an effective IT security tester with ONLY security education?

    No...security is a big-picture IT domain and by virtue is built upon many others, especially for what you are inquiring about.
  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
    Without a foundation you'd have a hard time securing things. On the civilian side most people work their way up the ladder, general help desk then to system administrator or network administrator, and then into a security role based off of whatever area they specialized in first. I don't know what branch you are in, but I know the Navy CTNs go through a good base of networking before getting to the security C School. The best thing for you is to get that foundational knowledge via certifications and perhaps a degree, then you should be good to go on the outside :)
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • nerdydad Member Posts: 261
    I think that is why even security people should be specialized in specific areas. If you want to secure the network, you need to know what is going on in the network, but the network guy isn't going to know the ins and outs of a database in order to keep it secure.
  • 5502george Member Posts: 264
    the_Grinch wrote: »
    Without a foundation you'd have a hard time securing things. On the civilian side most people work their way up the ladder, general help desk then to system administrator or network administrator, and then into a security role based off of whatever area they specialized in first. I don't know what branch you are in, but I know the Navy CTNs go through a good base of networking before getting to the security C School. The best thing for you is to get that foundational knowledge via certifications and perhaps a degree, then you should be good to go on the outside :)

    Good points, I do know some networking and really find it very interesting. My management is really pushing for me to go the CISSP route, but I really feel that I need more of a foundation of networking to build upon like CCNA.

    It’s like this, I know how to operate the software to find network/host vulnerabilities, execute patches, configure baselines etc...BUT that’s it, I am like a monkey that can drive the vehicle but does not know how it operates lol!

    EDIT: I am in let’s just say one of the branches of the military and yes they had a crash course on networking, but not by any means the in-depth knowledge I should know to defend the networks :)
  • 5502george Member Posts: 264
    nerdydad wrote: »
    I think that is why even security people should be specialized in specific areas. If you want to secure the network, you need to know what is going on in the network, but the network guy isn't going to know the ins and outs of a database in order to keep it secure.

    Absolutely correct, now it is just a matter of explaining this concept to management and having them understand it that is the problem.
  • 5502george Member Posts: 264
    So having explained my situation, what route should I go to get the fundamental knowledge I NEED for my job of securing the network? CCNA?
  • the_hutch Banned Posts: 827
    Security is continuing to grow (and will continue, IMO) because it is one of the most self-perpetuating industries I've ever seen. The major companies that offer security solutions are the same companies that supply the tools to compromise systems that don't have those solutions...
    Hacking tools = Security tools
    I see no better formula for growth and job security, than that.
  • thegoodbye Member Posts: 94 ■■□□□□□□□□
    5502george wrote: »
    I am currently an IT security specialist for the DoD and all I ever hear anyone in IT talking about is security being the HUGE thing in the future. Although I agree that security is important, do you think that sole security positions will increase or stay the same?

    .....The reason I ask is that the military has trained me to be a security specialist, but has failed to teach me the fundamentals of networking or coding. So, the way I figure it is that an already seasoned net admin or programmer can specialize in security and be way more effective than individuals specifically trained solely in security?

    .....Your thoughts?

    George,

    Security already is the huge thing and the demand for highly skilled security professionals will only continue to grow. At the RSA Security conference this year, expert keynote speakers conveyed that there is a 0% unemployment rate for security professionals. They actually went on to say the figure was closer to negative 30%, as they couldn't find enough highly qualified people to fill voids. Various news articles (I won't link them here) also second this notion.

    My experience (correct me if I'm wrong) is that most government jobs are very compartmentalized. You tend to work in your one area of expertise, whether that be resetting passwords all day, or only making firewall changes. Very few security professionals have a high-level overview of a problem from start to finish. General networking experience may only be marginally effective in a situation like this where you have entire teams of people dedicated to those tasks and can be leveraged for any questions or data that you desire. If this is the case, then generalizing instead of specializing will not provide much benefit.

    A security specialist should have a good fundamental understanding of networking and coding, especially coding. Good automation techniques will take the average security pro and elevate them to a different level. I agree that a seasoned network professional and/or coder who decides to specialize in security will have an advantage over someone lacking those other skills. However, they'd be similarly skilled as a seasoned security professional that picked up some additional networking/coding skills later in their career.

    At the end of the day, you have to do what makes you happy. If I were in your shoes, I'd grab the CISSP first and cycle back on some other areas. Assuming you only have your Security+ and not taking into account any experience you may have, you're still a security novice in the big picture of things. The CISSP will teach you a little bit about networking in their Telecom and Network Security domain. The certification will also qualify you for a number of new roles in the DoD 8570.01-M.

    This post ended up being a lot longer than I had anticipated. Hopefully it's helpful. Best of luck.