Security career track

PuppettMaster001

Golden Member
May 11, 2002
1,651
4
91
I will be taking my Security+ exam in July and am curious as to what my next security certification should be. A friend of mine recommended Penetration Testing with Backtrack (formerly Offensive Security 101) but I am not sure of the skill level I should have before attempting this course.

Some background on me. I have been a computer hobbyist for close to 10 years but only got serious about it about 3 years ago. I have been more of a Desktop/Network technician but the security field interests me the most. I have no certifications at this point but took classes for my Network+, A+, 70-290, 70-70-270, 70-291, and CWNA.

Thanks,
Gino
 

SecPro

Member
Jul 17, 2007
147
0
0
Networking, networking, networking. If I wasn't clear let me repeat myself. In my opinion a deep and solid background in networking (firewalls, ids/ips, routers, switches, etc) is the baseline for any security professional. And I'm talking about real network experience here not just enough to pass some cert exam. Real experience setting up some internet facing LAN's/WAN's with DMZ and extranets, understanding routing, traffic flow, packet analysis, etc. Establishing the hard crunchy shell in a defense in depth/layered security model is the keystone of the whole thing and is certainly the prerequisite if you want to be a pen tester.


Certs are no substitute for experience. Don't be one of those people who studies or knows just enough to get a cert.


 

PuppettMaster001

Golden Member
May 11, 2002
1,651
4
91
I definitely don't want to be one of those guys that took classes/certs but doesn't really know anything about what they are doing. I have vLabs setup at my house and really love implementing and trying out the things that I learn, but there is only so much I can setup without the right equipment. Unfortunately, I am the only IT person at my job so I don't have any "mentors" that could help me learn at work.

I have a lot of Network experience but I am definitely not a Network Engineer. After I get my Security+ I would like to look for a job in the security field to get more experience with actual security.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: SecPro
Networking, networking, networking. If I wasn't clear let me repeat myself. In my opinion a deep and solid background in networking (firewalls, ids/ips, routers, switches, etc) is the baseline for any security professional. And I'm talking about real network experience here not just enough to pass some cert exam. Real experience setting up some internet facing LAN's/WAN's with DMZ and extranets, understanding routing, traffic flow, packet analysis, etc. Establishing the hard crunchy shell in a defense in depth/layered security model is the keystone of the whole thing and is certainly the prerequisite if you want to be a pen tester.


Certs are no substitute for experience. Don't be one of those people who studies or knows just enough to get a cert.

This is true to a point, depending where you work and how large the security team is. A lot of companies out there have a small security staff, and you are expected to be competent in a wide variety of fields, instead of an expert in one. In my opinion, the market for people with extremely proficient technical skill but little other business acumen is shrinking.

I did not have a high degree of networking experience coming in to security, but what made me a more attractive hire was the fact that I was competent in several complementary technical areas, and brought a certain degree of soft skills at the same time. I would even venture that networking is one of my weaker areas. Again, the skillset varies widely by company and YMMV. But the point of this post is to reiterate that that is not all that's out there in the security world.

Definitely learn your networking basics, but don't think that being a whiz at networking will make you a whiz at security.
 

SecPro

Member
Jul 17, 2007
147
0
0
Originally posted by: Zugzwang152
Originally posted by: SecPro
Networking, networking, networking. If I wasn't clear let me repeat myself. In my opinion a deep and solid background in networking (firewalls, ids/ips, routers, switches, etc) is the baseline for any security professional. And I'm talking about real network experience here not just enough to pass some cert exam. Real experience setting up some internet facing LAN's/WAN's with DMZ and extranets, understanding routing, traffic flow, packet analysis, etc. Establishing the hard crunchy shell in a defense in depth/layered security model is the keystone of the whole thing and is certainly the prerequisite if you want to be a pen tester.


Certs are no substitute for experience. Don't be one of those people who studies or knows just enough to get a cert.

This is true to a point, depending where you work and how large the security team is. A lot of companies out there have a small security staff, and you are expected to be competent in a wide variety of fields, instead of an expert in one. In my opinion, the market for people with extremely proficient technical skill but little other business acumen is shrinking.

I did not have a high degree of networking experience coming in to security, but what made me a more attractive hire was the fact that I was competent in several complementary technical areas, and brought a certain degree of soft skills at the same time. I would even venture that networking is one of my weaker areas. Again, the skillset varies widely by company and YMMV. But the point of this post is to reiterate that that is not all that's out there in the security world.

Definitely learn your networking basics, but don't think that being a whiz at networking will make you a whiz at security.

The IT security staff where I work is myself and three others. I do not have a deep background in networking but have (had) a broader skill set in IT and management. I will stand by my recommendation that a deep understanding and experience in networking is the baseline for someone entering the security field. It is much easier to grow a broader set of security skills from that point.
 

SecPro

Member
Jul 17, 2007
147
0
0
Originally posted by: Phynaz
CISSP

Period.

Wrong.

Period.

CISSP is a management cert. designed to show a wide, basic knowledge on a not too technical level. Does an inch deep and a mile wide ring any bells? It is not something I would look for from someone looking to enter the security field.


<----------- CISSP #103726
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: SecPro
Originally posted by: Zugzwang152
Originally posted by: SecPro
Networking, networking, networking. If I wasn't clear let me repeat myself. In my opinion a deep and solid background in networking (firewalls, ids/ips, routers, switches, etc) is the baseline for any security professional. And I'm talking about real network experience here not just enough to pass some cert exam. Real experience setting up some internet facing LAN's/WAN's with DMZ and extranets, understanding routing, traffic flow, packet analysis, etc. Establishing the hard crunchy shell in a defense in depth/layered security model is the keystone of the whole thing and is certainly the prerequisite if you want to be a pen tester.


Certs are no substitute for experience. Don't be one of those people who studies or knows just enough to get a cert.

This is true to a point, depending where you work and how large the security team is. A lot of companies out there have a small security staff, and you are expected to be competent in a wide variety of fields, instead of an expert in one. In my opinion, the market for people with extremely proficient technical skill but little other business acumen is shrinking.

I did not have a high degree of networking experience coming in to security, but what made me a more attractive hire was the fact that I was competent in several complementary technical areas, and brought a certain degree of soft skills at the same time. I would even venture that networking is one of my weaker areas. Again, the skillset varies widely by company and YMMV. But the point of this post is to reiterate that that is not all that's out there in the security world.

Definitely learn your networking basics, but don't think that being a whiz at networking will make you a whiz at security.

The IT security staff where I work is myself and three others. I do not have a deep background in networking but have (had) a broader skill set in IT and management. I will stand by my recommendation that a deep understanding and experience in networking is the baseline for someone entering the security field. It is much easier to grow a broader set of security skills from that point.

I think we agree solid networking knowledge is necessary. However, I think real/hard network admin experience helps, but is not necessary at the entry level.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: Phynaz
CISSP

Period.

Oh my

Perhaps you can share where your opinion comes from? The OP has no security work experience, so he is at least 4-5 years away from a CISSP. The best he could do is an Associate of ISC2 in the interim.
 

WobbleWobble

Diamond Member
Jun 29, 2001
4,867
1
0
CISSP I think is valuable when job hunting, as a lot of places won't look at you without it. Having it doesn't mean that you're qualified, but it's similar to how a lot of places won't look at you if you don't have MCSE, CCNA, etc. But as Zugzwang mentioned, you can't get CISSP without the experience.

I understand that finding a job is tough and finding a job where you don't have formal experience is tougher. So I would recommend finding a company that will let you grow into a security role and starting as a network admin I think would be a good start. Another good place to get experience is in an audit firm like the big 4 (Deloitte, KPMG, E&Y and PricewaterhouseCoopers) but that's easier to do in a major metropolitan area.
 