Information Security careers 2

Status
Not open for further replies.

okpeery

Instructor
Dec 29, 2005
102
US
I am interested in possibly going into this field. I don't have any real experience and am looking at ways to gain it. I have been getting conflicting advice and wonder if anyone can clear this up. Is it better to try to get a master's degree in IS or just try to get a job as a low level employee in an IS company and work your way up? I know there are variables but many people tell me IS degrees or Computer Science degrees with an emphasis on IS are relatively meaningless that most people in IS got started on the hacking end.

Here is me
I teach computers at a small public school. I teach about 1/2 time and I serve as the network administrator, technician, webmaster, overall IT go-to guy. We have 4 servers, I create server databases, run network applications, manage permissions to ensure integrity of the network, and many other things. I work with a variety of ages of machines and have learned to make anything work in a reasonably secure manner. I work very closely, my choice, with the IT dept districtwide and have learned lots and lots. I give this background only to say I have no formal training but have taught myself and worked closely with those wiser than myself to learn as much as possible. I can make websites solely by code so I know I can learn programming languages. I know HTML, CSS, and JavaScript are not heavy duty but I am proud that I learned them all myself without formal training. I am motivated and hard working and have lots of evidence. Most of all I crave an intellectual challenge and like to figure things out. This is what attracts me to IS. Am I glorifying it? Is it really more mundane?

What direction should I go?
 
I only accidentally got into doing the security side of things when I discovered major holes in some of the apps I support and the discovery that my employer will be pen tested and audited sometime this year.

I got the Hacking Exposed book first, then tried to apply the knowledge in there to the systems I support and manage, at the application, operating system and database server levels. Since then I've followed with the Database Security handbook and Gray Hat Hacking, each of which has increased my knowledge and depth in this area (see the Security Support Book thread for more details if interested).

I'm now knee deep in rewriting to close major loopholes, but as a side benefit this new code is a lot faster than the current live system (I'm using ADO to connect to SQL Server to run SP's rather than linked tables via Access).

I must say I'm actually enjoying this part of my job, I'm learning a great deal and finding benefits other than security enhancements.

The official mark of the professional IT security person is the CISSP qualification. I'm a long way from even considering starting that, but if I get bored, maybe sometime. Your own career path is obviously your choice, but perhaps before going for any professional qualifications in this area (the most basic being Security+), you may want to try out the things I have mentioned and see if you can discover holes you never knew existed.

John
 
Everyone I meet who gets into Information Security has a story to tell. There are many reasons. The career paths generally have two tracks.

1) Manage a company and need to add InfoSec ideas to the table also.
2) Technically gifted and also need to see the larger security picture.

For the technical person, I recommend getting a technical certification that has some security implications as part of the total package: CCNE, MCSE, Firewall certifications from vendors, database administration certs, or secure JAVA/C/VBasic/Website programming certs.

Then, build up some experience and reach for a brass ring certification in the area of Information Security, Privacy, Risk Management, Forensics, or IT Audit. For some certs, a college degree or specific degrees will be desirable. Spend some time searching the internet job postings to look for degree and certification trends.

But, hold on to your hat. IT is a massive and continuous learning curve. At the brass ring level, plan on at least 40 CPE credit hours per year to keep such a cert.


Don Turnblade
MS, CISSP, MCSE
Arctific Inc
 
I'm currently working on my Masters in Information Assurance. There are select schools labeled as "centers of excellence" by the NSA. The degree isn't necessarily recruitment for the government, as much of the information you learn can be applied to the public sector as well. A lot of what I'm currently studying can be found in the CISSP prep books too (in short, the IT Life Cycle).

If you want to get into security this is one route as well.
 
To tell the truth, I stumbled into mine. Was a system administrator (contracted to the government), hardening systems, writing scripts to do so, using Markdmac's scripts, the vast knowledge on Google, and a position opened up, as a government employee, and I took a shot. Helps knowing the boss, but he hired me on ability alone (or so he says).

Anyway, getting back to the question of how to get into the field, being a "top" administrator may open up other job opportunities. Because you are recognized as an excellent administrator, have some experience with tools that check for system vulnerabilities, and experience in locking down servers, you may very well be moved over (that really depends on where you work).....
 