At the InfoSec Career Crossroads

A little background on me: I've been working in a pure identity and access management role for the past five and a half years for a large bank/financial firm. It sucks. IAM is not really technical security nor policy/governance/compliance/audit side. It's just it's own thing, and especially for the firm I work at as we don't really use native AD for provisioning. They've just dumbed down the role to where you can pull someone from McDonalds to do the job. Really. Aside from this, I have a year and a half of both technical and policy/governance security experience at my previous employer.

I like both the technical side of security and the policy/governance/compliance/audit side. I would prefer to do the technical side as it's very hands on and always changing. After knocking out my CISSP last October, I am now working on the ITIL F and CEH concurrently. As well I am starting the MSISA at WGU on Feb 1st.

My problem is that I'm being constantly hit up via LinkedIn, Dice, and Indeed for security positions, however every time I am submitted I am either told that I don't have enough or any of the technical security experience they want, or I interview and am told the same or that they have someone with more. It's the age old dilemma of needing experience but how do you get it if you need it to get the job.

On the other side of the coin, I have been told that I've been selected for a policy/governance/compliance type of position at another large bank/financial firm that will be paying in the mid 70s. It's an AVP level position. This SHOULD be a huge step up job responsibility wise, and a good career boost as it fits in with longer term goals of security management. But....I'm having reservations. It's just annoying that someone as aggressive in self development as I am, who has a passion for security, cannot even break in somewhere where I can learn and grow into the technical roles.

Is there a different way I can go about trying to break out of IAM and into a more technical role? I'm open for any suggestions. I think the offer will come down by end of next week as they are finishing up with re-writing the job description and I have been told I can sign off on it and accept or turn it down. I am not sure if its the best idea to turn it down in hopes of landing the technical role. I'm not really a gambling man so it's just been rough going back and forth on what to do.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

YFZblu

ITIL and CEH aren't going to get you technical security roles IMO - Learning TCP/IP, Linux, and a scripting language are the directions you'll want to go.

From there you'll need to decide if you want to do security engineering or analysis. As you know the primary differences being exactly what they sound like - engineering is involved in the architecture, design, and implementation of security controls. A pure analyst role would be watching the wires for malicious activity / anomalies / responding to security Incidents.

lsud00d

@YFZblu hit it--what is it you want to do in a technical security-based role? I think once you determine that you can move on it and the certs you have listed as "Next Up" in your sig are on the right track.

IAM is a good starting point because you should have a leg up on authentication, authorization, federation, and all that jazz. This is a critical component in securing systems and not many people understand the underworld comprising these pieces of the puzzle.

JoJoCal19

YFZblu wrote: »

ITIL and CEH aren't going to get you technical security roles IMO - Learning TCP/IP, Linux, and a scripting language are the directions you'll want to go.

From there you'll need to decide if you want to do security engineering or analysis. As you know the primary differences being exactly what they sound like - engineering is involved in the architecture, design, and implementation of security controls. A pure analyst role would be watching the wires for malicious activity / anomalies / responding to security Incidents.

Thanks YFZblu. Yea the ITIL is just something that I really want to knock out real quick and it's more for being well rounded. The CEH I figure is a good intro to pen test methodology and tools, and from there the next step is something like OSCP/GPEN/ECPPT. Also the CEH is good for the resume from targeted job searches I've done. I agree on the TCP/IP and Linux and I do have the CCENT/CCNA:S planned for after the CEH. I also have an eye on the security tube Python course. As for Linux, I have been using it more with Kali, and I plan on continuing to get better with it. I'll probably study the Linux+ book just get more in depth.

I know it's a long road to have all of the requisite knowledge for a technical security role, but I just figured with me having almost 8 years of InfoSec experience, including some entry level technical security experience, I'd have a better time finding a company that would be interested in bringing me on even in an entry level role, and having me grow within the company.

JoJoCal19

lsud00d wrote: »

@YFZblu hit it--what is it you want to do in a technical security-based role? I think once you determine that you can move on it and the certs you have listed as "Next Up" in your sig are on the right track.

IAM is a good starting point because you should have a leg up on authentication, authorization, federation, and all that jazz. This is a critical component in securing systems and not many people understand the underworld comprising these pieces of the puzzle.

I should clarify, I've been targeting and have been targeted by roles that encompass the spectrum like SIEM software, IDS/IPS, firewalls, vulnerability assessments, pentesting. I've been looking at companies that have one or a small group of people doing the whole security spectrum. I've also been looking at managed security service providers as well. I do prefer being well rounded.

docrice

Sounds like you've become pigeon-holed into your niche. To be a technical infosec generalist, you should gain the basics of using Linux, knowing some IP networking, and of course Windows and AD domains. You should have your own home lab to practice in, break things, and fix things again. As a matter of fact, your entire home network should be a lab so if you break it, you'll be forced to find a way to fix it. Microsoft TechNet subscriptions are no longer available, unfortunately, but an MSDN might be worth the cost (and perhaps a tax write-off).

You have an upper hand among all other new candidates to the IT field though since you've been exposed to the industry and one of its primary faucets - authentication, identity management, access controls, privilege assignments, and so on. You could leverage your knowledge about it to poke into how AD works, assigns sessions tokens, etc. and perhaps write blogs, papers, or whatever else demonstrates your abilities to others.

What's your previous technical experience like at your former position? Work your way up from what you already know and with a little practice, you might be able to shoe-horn your way into a role that you'll appreciate more.