Getting Started in InfoSec

Episteme Registered Users Posts: 1 ■□□□□□□□□□
Hey guys, I'm sorry to raise a topic that's probably been addressed a thousand times on this forum, but is it possible to get a career started in information security without a degree or experience? I'm aware that experience will be the most important component of your resume, but the old catch-22 is that you mostly need experience to get experience.
So, is it possible to get a career started in information security without IT-related experience or a degree, and only with a variety of different certifications in your arsenal (e.g. Security+, Net+, A+ etc.)?
I'm pretty clueless, if you can't tell, but I'm really interested in having a career in information security, so if any of you who are much more well acquainted with the information security field would be willing to offer your musings, it would be much appreciated. Thanks in advance!

Comments

  • yzT Member Posts: 365 ■■■□□□□□□□
    As you said, thousands of times on this forum. You want to start a career in infosec? Start by learning how to search for information, as this is going to be one of your main needs.
  • EngRob Member Posts: 247 ■■■□□□□□□□
    Infosec is one of those fields that you go into after having knowledge of the environments you are securing. You can't secure what you don't know.

    Start with learning the basic IT skills and get some years' experience under your belt. You will likely have to start at Help Desk and work up from there. Infosec will come much further down the line.
  • LionelTeo Member Posts: 526 ■■■■■■■□□□
    So, is it possible to get a career started in information security without IT-related experience or a degree, and only with a variety of different certifications in your arsenal (e.g. security+, net+, A+ etc.)?

    I started my infosec experience in my country (Singapore) without any IT Experience, Degree and Certifications. I started as a Security Operation Analyst in a Managed Security Service Security Operation Center (MSS-SOC). The analysts in the SOC are all being outsourced to an external contractor, so the main company gets to maximise its profit; the outsourced external contractor gets fresh diploma graduates from the market to maximise its profit, while they try to use technology and Security Engineers (who help to improve the technology) to try to 'close the gap' lacking in the new fresh graduates to analyse the traffic.

    To help with your answer, is it possible? It's a matter of luck; try looking up indeed.com and see what you find in Security Analyst work. Hopefully you can find something really similar to my situation.

    Does it matter? After 4 years of infosec experience, I realise it doesn't really matter. All you really need is to get into something like network or sysadmin, and while within these jobs, grab security certs and study like you're on steroids, and you can easily get back on the right track of Security work on your subsequent job hop; if you love the company, ask for an internal transfer to its Security Department. I also would let you know it doesn't hurt in such while preparing for CISSP exam as well, since being in network or sysadmin would somehow cover some of the domain, and having 4 years of experience with 2 being covered by IT job and 2 within infosec isn't going to hurt your salary and career either.

    Of course I am in the 'special case' where the 2 years of SOC work helped me; 2 years of SOC work landed me in another work to start a SOC and part of a global team, and this experience has been valuable in employers' eyes in terms for both SOC, ArcSight, Security and Certification; thus moving to another SOC has been relatively easy work for me.

    The rule of thumb for an infosec career is simple.

    1) Study - Aim for 2000 - 6000 pages per year; my suggestion is to keep whacking one book after another
    2) Formulate a Study Plan - aiming to study 6000 pages isn't enough; you need to know when you are going to pick up your book and not a controller. For me, I study on my way to work and home, as well as on my way to meeting GF. At times I will do a practical lab at home before studying
    3) Virtualise - Set up a home lab, Windows XP 2 with DVWA and WebGoat, Kali Linux on the other. If you are into hardening then you need to grab the respective servers you are interested to work on.
    4) Game - After being burnt out you deserve a break once in a while
    5) Certify - To show your employer what you are made of

    Sounds big, but you can always take one step at a time, somehow one day you will have to pick up your 'first book' in infosec, if you can't, you cannot go far in infosec.
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    EngRob wrote: »
    Infosec is one of those fields that you go into after having knowledge of the environments you are securing. You can't secure what you don't know.

    This is preached constantly, and it does hold some truth; however it is taken far too literally. Associate-level positions exist for a reason, one doesn't have to know all the things to get started in security. That being said, one should WANT to know all the things in order to have a successful career.
  • chopsticks Member Posts: 389
    LionelTeo wrote: »
    I started my infosec experience in my country (Singapore) without any IT Experience, Degree and Certifications. I started as a Security Operation Analyst in a Managed Security Service Security Operation Center (MSS-SOC). The analysts in the SOC are all being outsourced to an external contractor, so the main company gets to maximise its profit; the outsourced external contractor gets fresh diploma graduates from the market to maximise its profit, while they try to use technology and Security Engineers (who help to improve the technology) to try to 'close the gap' lacking in the new fresh graduates to analyse the traffic.

    To help with your answer, is it possible? It's a matter of luck; try looking up indeed.com and see what you find in Security Analyst work. Hopefully you can find something really similar to my situation.

    Does it matter? After 4 years of infosec experience, I realise it doesn't really matter. All you really need is to get into something like network or sysadmin, and while within these jobs, grab security certs and study like you're on steroids, and you can easily get back on the right track of Security work on your subsequent job hop; if you love the company, ask for an internal transfer to its Security Department. I also would let you know it doesn't hurt in such while preparing for CISSP exam as well, since being in network or sysadmin would somehow cover some of the domain, and having 4 years of experience with 2 being covered by IT job and 2 within infosec isn't going to hurt your salary and career either.

    Of course I am in the 'special case' where the 2 years of SOC work helped me; 2 years of SOC work landed me in another work to start a SOC and part of a global team, and this experience has been valuable in employers' eyes in terms for both SOC, ArcSight, Security and Certification; thus moving to another SOC has been relatively easy work for me.

    The rule of thumb for an infosec career is simple.

    1) Study - Aim for 2000 - 6000 pages per year; my suggestion is to keep whacking one book after another
    2) Formulate a Study Plan - aiming to study 6000 pages isn't enough; you need to know when you are going to pick up your book and not a controller. For me, I study on my way to work and home, as well as on my way to meeting GF. At times I will do a practical lab at home before studying
    3) Virtualise - Set up a home lab, Windows XP 2 with DVWA and WebGoat, Kali Linux on the other. If you are into hardening then you need to grab the respective servers you are interested to work on.
    4) Game - After being burnt out you deserve a break once in a while
    5) Certify - To show your employer what you are made of

    Sounds big, but you can always take one step at a time, somehow one day you will have to pick up your 'first book' in infosec, if you can't, you cannot go far in infosec.

    I like what you wrote.
  • EngRob Member Posts: 247 ■■■□□□□□□□
    YFZblu wrote: »
    This is preached constantly, and it does hold some truth; however it is taken far too literally. Associate-level positions exist for a reason, one doesn't have to know all the things to get started in security. That being said, one should WANT to know all the things in order to have a successful career.

    I agree, and I probably worded my reply a little too vaguely and didn't mean to infer that you needed to know all things to be in Sec. There are entry-level security positions out there, but from my experience (or maybe just location) they are much fewer in quantity. Having more knowledge and experience would open up more options.