Starting an InfoSec Career (by Lesley Carhart)

docrice Member Posts: 1,706
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

Comments

  • Mike7 Member Posts: 1,107
    This is awesome!
    The first page about her thoughts on infosec is great, the second part about getting into different infosec job roles is a must read for those who want to go into infosec but have no idea what they want to do.

    Since this forum has a focus on certification...
    Certifications are a trickier question because there are so many out there, and they serve different purposes depending on the niche field the applicant wishes to get into. I’d consider certifications a ‘nice to have’ for an entry level candidate – they are not likely to tip the balance much in a hiring decision, but they usually don’t hurt.

    Due to the employment requirements and the purpose of the certification, I find it inappropriate when entry level applicants with no experience have [somehow] obtained their ISC2 CISSP®. The certification is made for people already employed in the field with a number of required years in the field, so it looks a bit fraudulent.

    About GIAC
    I’ve recommended SANS / GIAC line of certifications in the past because I find their training and tests some of the most legitimate. Their certifications are some of the most technically respected to have on a technical resume. However, their certifications are also extremely expensive, with courses and books in the thousands of dollars and tests in the hundreds.

    OSCP
    Offensive-Security offers the OSCP certification and course which is a fantastic choice for InfoSec applicants who wish to take a more offense-based route (or indeed, as exposure to those techniques to anybody in InfoSec). It’s real-world lab heavy. The course and certification are still expensive at around a thousand dollars, but may be more realistic than the cost of a SANS course.

    Waiting for chapters 6 and 7.
  • the_Grinch Member Posts: 4,165
    Definitely a good read, but I'd point out a recurring theme. It would seem, based off of the experiences written by the various people in their positions, that most got into their positions through networking. They knew someone, were part of some community or were already at the company at the time that they moved into a security role. This is a pain point that should be focused on. If you don't have that network to utilize then your only option becomes school and/or certifications. Doesn't mean it has to be an infosec degree (I'd argue that it not be an infosec degree), but some formal education is going to be required.

    "I had an acquaintance that I played golf with that offered to float my resume around since he knew I had some technical skills. It took about a year before I heard back from him about a job." <---This quote just about sums up how things work. I had a buddy who wound up in his security position in the same manner. Was help desk for a web payment processor, left that job and was having issues finding another one. His dad was a contractor so he spoke to a buddy at another firm about getting on with them for a security related contract. The guy interviews him, says "I didn't have experience when I got this job, but hey you gotta start somewhere" and wham he gets the position. He had a degree and maybe two years of help desk.

    My own journey consisted of luck, knowing someone and a degree. I've been fortunate that only two positions in my entire working life have been through knowing someone. In turn, I've known qualified people who I've helped to get on because I know their foundation is exactly what will allow them to succeed in a security position with my team. Moral of the story is start networking. Join an organization, attend mixers and go to events in your area. This is how things get accomplished and people with ability get to where they want to be.

    I'll leave you with this. One company I worked for was run in a very interesting manner. Major decisions weren't made at the numerous meetings that were held on a daily basis, but were actually made over a daily lunch. The VP of Operations would schedule vendor meetings and not realize they were close to lunch. He'd cancel or send one of us because he knew that at lunch a decision on any number of items would be made. I never quite understood it and I always thought it was hogwash. But then at a different company I started attending Happy Hours. People from various departments at varying levels would attend and then the thing I noticed was that most of the conversations revolved around business. Something discussed on Friday at 11 PM suddenly turned into policy on Monday morning.

    <World's Most Interesting Man Voice>Stay social my friends.</World's Most Interesting Man Voice>
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • Danielm7 Member Posts: 2,310
    Completely agree with the_Grinch. I had a ton of sysadmin experience, a degree in IT security and a few certs. You know how I got my current job? Because the recruiter was close friends with the hiring manager and he called him and said I seem like a good guy who is really determined and it's worth talking to me. I barely got calls back just trying to send blind resumes to jobs.

    You don't have to have a ton of friends, I keep that real life list pretty tight, but go to some local security events if they exist. If not, start one, a guy did that locally and it became a fairly big meetup group. The guy who started it doesn't even have a security job, but he wants one, and is really interested. A month later he has speakers, a sponsor and a place to hold the monthly events, pretty impressive really.

    I've known a few people to get jobs because they were in the right place, right time, that they never would have qualified for otherwise. A buddy of mine is a computer forensics employee at an FBI lab. Before that he worked helpdesk at a local courthouse for a number of years. He made friends with the state police that were in there, they put in a good word for him, he got training and he's been there almost a decade now.
  • markulous Member Posts: 2,394
    Good read. Gives me some good insight on what I can look for getting started in infosec. I was thinking of going towards my CEH, but if the certs I have now aren't really a big difference, I may hold off on that especially considering the whole v8/v9 thing.
  • IronmanX Member Posts: 323
    I've been reading through some of the Reddit Pen Tester AMAs and most of them ended up in the field with no prior knowledge or experience.

    Tough for people trying to break into the field by gaining knowledge. However, it seems to me this is how many tech jobs work: the most knowledgeable don't always get/have the jobs; most of the time it is just luck. People leave and the person with the next most seniority gets promoted. There is money for certain projects but money ended for other projects and people get laid off based on project and not performance/knowledge.

    Being a consultant seems the way to go if you're unlucky but highly knowledgeable.
  • Danielm7 Member Posts: 2,310
    Make your own "luck". If you have the skills, both technical and personal skills, then you just have to find a way to get in front of someone to show them that. Sometimes it's random, aka luck, but most times people put themselves in the right positions to make the right moves.

    Sort of like how someone might look at a really fit person and say they are so lucky to be thin/built/etc, when really they might work their butt off to stay in shape.

    I think sometimes people put too much weight on an AMA or a blog post where 1-2 people say their career has gone a certain path and assume that's how the entire world works. For example, a few months ago there was an AMA with a few owners of small security consulting companies. The views on certs were mixed, some said they were pointless, others said the OSCP was more legit but still not the only thing you need for your career. I saw a number of people quote that AMA saying they were going to change their career plans, stop chasing certs, etc, but, that's just a few companies. For every place that doesn't care if you have a degree there might be 3 more where it's the only thing they care about. Some places might think the CEH is garbage, others might think you must walk on water.

    The job I have now, in my final interview they told me how important it was that I got along with everyone and they have a tight team. They liked that I could joke with people and still be serious. Sure, there was a lot of technical screening but they flat out told me they already eliminated people because they were socially awkward.
  • IronmanX Member Posts: 323
    Anyone work in the security field and work primarily remotely?
    Seems to me working remotely would work really well for the technical security field, yet I don't know anyone who does work remotely in the security field.

    I don't work in the security field primarily. I have a few colleagues that work remotely but they started on site and then moved to a different city.
  • JoJoCal19 Mod Posts: 2,835 Mod
    Danielm7 wrote: »
    I saw a number of people quote that AMA saying they were going to change their career plans, stop chasing certs, etc, but, that's just a few companies.

    I know that AMA was definitely eye opening and made me realize just how much I didn't know, and also made me feel like I would never know that much. The amount of time and effort I would have to put in to be at that level, is not something I'm willing to do. I strive to have a good work/life balance. It seems to be at that kind of level, one would have to eat, sleep, and breathe that stuff.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • IronmanX Member Posts: 323
    JoJoCal19 wrote: »
    I know that AMA was definitely eye opening and made me realize just how much I didn't know, and also made me feel like I would never know that much. The amount of time and effort I would have to put in to be at that level, is not something I'm willing to do. I strive to have a good work/life balance. It seems to be at that kind of level, one would have to eat, sleep, and breathe that stuff.

    Really I have not been that impressed with many of the AMA "authors". Most have very little coding ability.
  • JoJoCal19 Mod Posts: 2,835 Mod
    IronmanX wrote: »
    Really I have not been that impressed with many of the AMA "authors". Most have very little coding ability.

    I haven't checked out that many AMAs, but this one was pretty eye opening and was one of the best ones I've seen.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • gothicman02 Registered Users Posts: 4
    Amazing read. This has a lot of good insight into what needs to be done in terms of career path.
  • IronmanX Member Posts: 323
    JoJoCal19 wrote: »
    I haven't checked out that many AMAs, but this one was pretty eye opening and was one of the best ones I've seen.

    @JoJoCal19 Which AMA was that?
  • JoJoCal19 Mod Posts: 2,835 Mod
    IronmanX wrote: »
    @JoJoCal19 Which AMA was that?

    It was this one: https://www.reddit.com/r/netsec/comm...panies_ask_us/ I think 4 guys who started their own (appsec) companies.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework