Getting started in the security field [books, resources, advice]

This is a sticky topic.

  • theprez98
    replied
    Re: Getting started in the security field

    From the side of the federal contractor, it is also important to note that hiring trends ebb and flow in regards to people with or without clearances. We've had periods when we'd only hire someone with a clearance, and other times when we've gone on a spree and hired otherwise-qualified people (sometimes called an "investment hire") and sucked up the time waiting for their clearance. Unfortunately, for someone without a clearance it isn't necessarily easy to know when such periods occur.



  • AlxRogan
    replied
    Re: Getting started in the security field

    Originally posted by AgentDarkApple
    Yesterday Dark Reading had an article about "Six hot and sought-after IT security skills" http://www.darkreading.com/vulnerabi...leID=224701863 Some of them are not exactly skills though (security clearance, for example). Do you guys think this is an accurate list?
    Most of that list depends on where you are planning on working. If you are going into a regulated space, such as Banking, Healthcare, Power Generation and Transmission, then you need to have a decent grasp on compliance and regulation. If you're working for a Federal Contractor, then your chances are greatly increased if you have that DoD clearance. Incident Handling/Response is always good to have, but again, depends on where you're working on if you'll be able to use it or bank on it in an interview.

    I think the real key is to research the position and company to whom you're applying, then making sure that your application matches (and exceeds) the request as best as you can. The goal is to get past the HR drones to the hiring person where you have a better chance to exercise your knowledge.

    my 2c



  • AgentDarkApple
    replied
    Re: Getting started in the security field

    Yesterday Dark Reading had an article about "Six hot and sought-after IT security skills" http://www.darkreading.com/vulnerabi...leID=224701863 Some of them are not exactly skills though (security clearance, for example). Do you guys think this is an accurate list?

    My professors have been encouraging me to get into penetration testing and to learn some more computer forensics stuff on the side. They basically said that sometimes having a more unique skillset but less experience is more appealing to an employer than having a few years of experience in only one area. I guess that varies depending upon what jobs one is seeking and what skills one actually has.

    I am supposed to start my final semester in June. I am still trying to figure out if I should do grad school or look for a job right away and save grad school for later. At this point, I am interested in so many aspects of IT Security that I am not sure what I would like to specialize in.



  • skroo
    replied
    Re: Getting started in the security field

    Originally posted by abyssknight
    Get into a company with diversified IT needs.
    This is a Good Idea(tm).

    Even if you're a developer, support technician, or a sysadmin you can move around. Best of all, they expect you to move around.
    Not necessarily, particularly as applies to that latter statement.

    While there may be room to move around, it's going to very much depend on the employer in question. Internal hires may be desirable, but having an employee make a lateral move from one department to another may not put the best candidate into the open slot.

    As an example, I worked for a company where we did an internal hire from QA into IT. This was fine on paper, but IT ended up with someone who couldn't ramp up to IT's needs quickly enough - and couldn't go back to QA because that position had been filled with an outside hire immediately after he moved. End result: QA's capabilities are diminished, as are IT's.

    While I understand that this is a narrow example and could have avoided becoming a problem in the first place (hint: other management had been playing favourites with that specific candidate), it is representative of one issue with lateral moves and should give some insight as to why they are not necessarily looked on favourably.

    Another consideration: head count. Someone moving out of or into my department brings pretty much the exact same movement-of-bodies issues as a new hire or open position - except that in the case of a lateral transfer, it affects two departments instead of one. And no matter how smoothly these things are supposed to go, they never do.

    One thing to consider as a candidate is how internal moves are going to look on a resume. Let's say you've put in 10 years with General Dildonics, making an interdepartmental (or group-to-group) move every two years. You're now interviewing for a position with a different company. While the interviewer may be able to see that every move you have made is a logical career step, that ten years of experience in those roles with only one employer tells that interviewer that you're used to doing things the General Dildonics way, and may not be a good cultural fit for the position he has open at e-buttplugs.com.

    Obviously there are exceptions in every case - but the generalities do hold true.

    Added bonus? A company that big tends to be more stable, have more benefits, and the barrier to excellence is lower (read: useless desk warmers abound). The downside? You're expendable, until proven otherwise. Consider that last bit a challenge; make your mark.
    Negative. You are expendable anywhere. While benefits and other perks are nice to have, never, ever assume that you are indispensable. You may be valuable to the organisation in your role, but all it takes is one round of budget cuts or pissing off the wrong person and you're out the door.

    The next question you're going to ask is, "How do I get into a company that big with no experience and no degree?"
    To expand on this: the question is predicated on the assumption that you should go work for a big company, presumably right off the bat. While I have no problems with people working for companies of any size, this really is a case where size doesn't matter. Consider that in a large organisation it's easier for incompetence to go unnoticed for longer than in a smaller one - and if I'm your interviewer (who has worked in both environments), I'm going to be wary of someone who doesn't have experience outside of a place that may have served as a shield for the fact that their job duties really consisted of pulling into the parking lot 15 minutes after they were meant to be at their desk, spending the next 45 minutes trying to get a parking place 3 spots closer to the exit door, then sitting in their cube all day trying to avoid the pornography filter and figure out how to leave at 3.30 without anyone noticing.

    You don't. Degree first, paltry pay next, and then you can level up with some experience. The Bachelor's program may seem like a waste of time and money, but the skills you'll learn (i.e. how to learn, social skills, dealing with pebkac gracefully) will be worth it. You might even build a good social network and be able to skip step two. Don't underestimate the power of your own network.
    These are all good points. Soft skills count for as much as (and in many cases more than) technical ability.

    Having a degree is the gold standard.
    Yes and no. While it does demonstrate a certain amount of personal discipline and knowledge in a field of study, there is no shortage of people out there with degrees who believe that that piece of paper makes them zero-experience experts in the field they're trying to be hired in. I've interviewed plenty of them, and they typically can't figure out why they don't get the job. Further to that:

    Our company goes around the country looking for new grads. We prefer to bring in the young so that the aging workforce can impart their knowledge to them before they retire. You need to make sure you don't get pinned with the duties passed down from your predecessor. Do your job, and do it well -- but don't get stuck. If you stop learning, then it is time to move on.
    Being prepared to (literally) work at Starbucks while you get your foot in the door somewhere should be an expectation. If you can get a company to hire you in this fashion, great - just be sure it's the right move to make, and be prepared to move again in a couple of years if it turns out not to be.

    My first assignment isn't 100% technical, and it certainly isn't a red team assignment, but it is a door, and my foot is in it.
    Getting back to earlier comments regarding lateral moves: be prepared to do that, but going from employer to employer. Helpdesk (see: Starbucks) may be the big green weenie you have to chow down on for a while before you get to the position that leads to the position you actually want.



  • willasaywhat
    replied
    Re: Getting started in the security field

    Just to throw some advice in the bucket, since I'm likely to break into the security field in the next 6 months or so.

    Get into a company with diversified IT needs. Even if you're a developer, support technician, or a sysadmin you can move around. Best of all, they expect you to move around. Added bonus? A company that big tends to be more stable, have more benefits, and the barrier to excellence is lower (read: useless desk warmers abound). The downside? You're expendable, until proven otherwise. Consider that last bit a challenge; make your mark.

    The next question you're going to ask is, "How do I get into a company that big with no experience and no degree?"

    You don't. Degree first, paltry pay next, and then you can level up with some experience. The Bachelor's program may seem like a waste of time and money, but the skills you'll learn (i.e. how to learn, social skills, dealing with pebkac gracefully) will be worth it. You might even build a good social network and be able to skip step two. Don't underestimate the power of your own network.

    Having a degree is the gold standard. Our company goes around the country looking for new grads. We prefer to bring in the young so that the aging workforce can impart their knowledge to them before they retire. You need to make sure you don't get pinned with the duties passed down from your predecessor. Do your job, and do it well -- but don't get stuck. If you stop learning, then it is time to move on.

    I spent the last two years writing code for systems I could care less about. In that time, I realized that we have no clue about security. You mention XSRF and SSL strip to our leads and their eyes glaze over. So I spent the last year looking for a way out; a way to make a difference. I interviewed all over the place: Facebook, internally, and even at old jobs I enjoyed. Finally, I ended up in the place I wished I had been three years ago. I'm joining a leadership development program. Yes, it sounds ridiculous and downright useless but... I get a new job every 6-9 months -- and I get to pick where I go.

    My first assignment isn't 100% technical, and it certainly isn't a red team assignment, but it is a door, and my foot is in it.



  • TwistedDUO
    replied
    Re: Getting started in the security field

    I'm far from an expert on the field of job gaining. Especially in this crap economy. But I will pass along some great advice from people who have taught me. First and foremost, get your degree in the field. Sucks, I know. You've been hacking and cracking since birth, so sitting down in a classroom and listening to somebody ramble about stuff you already know may not be the best of times. But the reality is that is what employers are looking for. It's a weeding process. Get as many certs as you can and be familiar in as many protocols as you can retain. Being diverse is imperative. Next bit of advice has been mentioned, learn TCP/IP inside and out. Even as a coder (which I am), being specialized is sometimes a hindrance. It also narrows your marketability. In most places it's all about the network setup. Even if you're a glorified tech-support weenie, you're the go-to guy when the network finds its way to the dumpster.



  • drd3malloc
    replied
    Re: Getting started in the security field

    I want to say you all "Thank you all".
    I absolutely know nothing about security field.
    But from now on, I began to be a security in the internet.
    I will learn to be the best.
    Thank my brothers...............

    Thanyawzinmin



  • AgentDarkApple
    replied
    Re: Getting started in the security field

    Originally posted by b0n3z
    If you are willing to move to Georgia then I can tell you now you can easily get a job as an AIT teach for all the new dumb privates coming into the army. Other than that, anything DOD wise will basically be open to you since you have all that stuff.
    I just moved to GA, where is this lovely job?



  • loud25
    replied
    Re: Getting started in the security field

    So what are some other areas that I should focus on?



  • b0n3z
    replied
    Re: Getting started in the security field

    Originally posted by loud25
    You think this will be a good entry level start if I have security+, networking+ and A+. I do have a top secret security clearance or what would be another road I should take. Any help would be greatly appreciated. Thanks in advance
    If you are willing to move to Georgia then I can tell you now you can easily get a job as an AIT teach for all the new dumb privates coming into the army. Other than that, anything DOD wise will basically be open to you since you have all that stuff.



  • loud25
    replied
    Re: Getting started in the security field

    You think this will be a good entry level start if I have security+, networking+ and A+. I do have a top secret security clearance or what would be another road I should take. Any help would be greatly appreciated. Thanks in advance



  • RuckusKnight
    replied
    Re: Getting started in the security field

    Originally posted by HighWiz
    What/Where is your area?
    Pittsburgh, PA



  • HighWiz
    replied
    Re: Getting started in the security field

    Originally posted by RuckusKnight
    Anyone have tips for getting an entry level job? I've yet to see anything entry level posted in my area.
    What/Where is your area?



  • RuckusKnight
    replied
    Re: Getting started in the security field

    Anyone have tips for getting an entry level job? I've yet to see anything entry level posted in my area.

    My current plan is to study and take the CCNA between now and graduation, and just try and network like hell between now and (which will sadly be limited to the local DC group and 2600 meeting :( )


    A little background:

    I'm working on finishing up a bachelors in information science, concentration information security, and will graduate Jan 2011.

    I know there's a lot of debate about the value of a degree... I did it mainly because I wanted to, not because I thought it would get me a job. I definitely enjoyed it, and picked up some good skills along the way (probably would not have become interested in cognitive psych or behavioral economics if I hadn't done some required classes...) but I'm worrying that I have too little real experience.


    I did a summer internship at a local start up which was mostly systems admin type stuff, and will be working at a university research lab as an undergrad researcher this summer, but I don't really have any formal experience.
    Last edited by RuckusKnight; January 31, 2010, 13:29.



  • KernelConflag
    replied
    Re: Getting started in the security field

    There is no contradiction. My original post was overly simplified as a result of underestimating the comprehension of the reader. For this I apologize.

