Information security???

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I currently hold a good degree in computer science and 3 months experience in IT 2nd line support which I gained during the placement year. After I graduated I didn't pursue a career in IT instead I worked as an Administration assistant and now I'm looking to build a career in IT security as this the area that interests me.

Please can you advise on the best route to take to get into this field?

 

I'd try and get a job as a Pen Tester if possible.

 

Landing into an IT Security job just like that is not the easiest of tasks for someone relatively new to the world of IT. Sometimes you get to it via a knowledge of other technologies such as MIIS/ILM/FIM (Identity and Access Management is considered a branch of IT Security) and a strong knowledge of AD, Group Policies and recommended hardening practices as was the case with me.

But you can also get to it by starting off as a gray/white/black hat hacker with solicitations to help various industries or government bodies (but you better be good and able to crack your way into it in such a manner as to be able to provide true value that would help your employer protect themselves). Security practices and certificates are also included in networking branches from Cisco and of there's Security+ which can give you a general idea. Hey, you could even get hired to be the guy to built a secure data center from the group up by laying out the floor plans, man traps, badge access rules etc. It's a form of IT Security, but on a more logistics level.

You need to first determine a realistic path based on your current skills and eagerness to develop upon those skills. Then you go out and grab the bull by its horns.

 

As above, firstly what area of information security do you want to work in? Pen testing, risk management, ops security? It's a big area with many different job roles.

Sec+ is a good start, it's a general cert that touches a few different areas of the subject. Then once you start to focus on particular areas you can start getting a bit more specific with the certs.

If trying to come in from working in support or an operational side of things then the best thing to do is to try and get involved with as much security stuff in your current role as you can.

I moved into pen testing (briefly) from an infrastructure support type role where as well as being in the team who looked after things I was working doing various things such as vulnerability scanning + management, patching, implementing new security systems etc.

Pen testing at higher levels will require certification up to CHECK equivalent levels as most customers want to see this.

Have moved on again since then and now in more of an security architecture/advisor type role, if you've got any questions feel free to drop me a pm.

Again can't echo enough the comments of try and narrow down what area it is you want to work in within security.

I've known people who have wanted to get into security but not really known what it was people actually do and have ended up hating it as it's not all exciting stuff ;)

It's by no means a bad role, has it's ups and downs depending on who you work for and what you want to be doing.

Usually referred to as physical security

 

I know its not going to be easy as there are no entry level jobs in Information Security that I have come across. I was thinking of going from an entry level help desk postion to third line and then from there look for opportunities to get into IT Security but this route will take time and was hoping there is a quicker way.

If I just studied comptia network+ and secuirty plus would this help land a job in IT security? At the moment I don't have a fixed area of interest in IT security, I was hoping to learn from the different areas and then decide later which area I want to specialise in.

 

Id take the Security+ first if you have no idea about the area. You are better off going for an entry level position to start off.

How do you know you are interested in security if you know nothing about it ?

 

I did a module on my course at uni which covered some aspects of data security and I grew an interest from there. I wanted to do a masters in Information security but I didn't have the funds to do it.

Are there any entry level positions available where you can gain skills in this area?

 

Explain what you mean by 'data security' and why you think an employer would pay you for it and what skills you would require...

Employers want people that add value to the organisation, for most businesses security is a necessary evil and comes low on the list when compared to many other commercial interests.

Generally security gets added into other roles in most organisations, your a programmer - you program security, your a DBA you configure DB security, your a Systems Administrator - you configure OS security, your a Network engineer - you set up Firewalls / IDS, Facilities Manager - you manage physical security etc.

Generally only a few specialist or senior roles allow you to focus on just IT security and not the other activities that are more in line with the core business objectives.

The government / defence are the two biggest employers for security work in general. Since many jobs pay fairly poorly you might be able to get a role and some training there. You will most likely need to pass security clearance so being a UK national will help in this regard.

 

There are entry level type role in infosec but as you say they can be hard to come across.

For instance one company I worked for had an infosec department of around 60/70 people. Within that dept there were many 'unskilled' roles that were good starting points for people wanting to get into the area.

One team within the dept was responsible for logical access/user revalidation. Basically going through lists of users on systems and going through the motions periodically to ensure that access was still required and authorised etc. That might sound dull as dishwater (and to be honest it is ;) ) but that's the sort of thing a lot of infosec work is, box ticking compliance activities. Whilst it's basically an admin type role it can be a good starting point, many people who started doing that then moved on to some of the more 'proper' infosec positions within the dept.

There was also an IT security dept who dealt with the nuts and bolts technical stuff.

Most medium sized and upwards companies will have dedicated infosec resource, how much depends on the company though.

So if I were you I'd start studying for your sec+ and just generally cracking on with your job now trying to get involved with as much security stuff as possible. A move to third line or project type work might see the scope for you to be able to do this increase so it's not a bad move.

And echoing DMarsh I really would try to narrow down what sort of thing it is you want to do in infosec, look at job ads and see what appeals.

Where abouts are you based?