Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Re: Career Advice
From: Robin Wood <robin () digininja org>
Date: Wed, 8 Sep 2010 16:34:53 +0100

On 8 September 2010 13:28, Josh Little <josh () zombietango com> wrote:
So, I've been trying to leave my job of 11 years for a dedicated security
position and have had little luck. I've had one set of interviews, where I
was passed on for what may have been team personality issues - no big deal,
these things happen. But I can't keep but wonder if there is something I'm
missing - well, I know there are things missing, I just don't know how big a
deal they are. What advice would you guys give me, given the following:

- I've got some 13-14 years IT experience, with 11 of that being in the
enterprise sector in the advertising industry. The experience is across the
board - helpdesk, operations, network & infrastructure administration,
security, and web application work. The past 4-5 years I have tried to
specialize as best I could in security, while also being required to perform
the tasks of a network administrator, network engineer, voice engineer, and
"digital/web guy". Our entire network operations team is only 5 guys for an
entire multi-site enterprise operation, so I cannot just work in one area.
This is the main reason why I am looking to leave - the breadth of work
experience has been helpful in doing the security work, but I want to be a
dedicated security person, not an NA that also kinda does security. Also,
our operation (and our industry in general) is not terribly concerned with
security for cultural reasons. We have very little management buy-in for
security initiatives. Even after incidents occur, management may be
concerned for a month or so before slowly ignoring the controls put in place
to help prevent another incident.

- I've "concentrated" on intrusion detection, network analysis, incident
response, and web app testing. This has mostly been out of necessity, as
these have been the areas most needed at my current job. I've dabbled in
other areas of security, but these are the ones that I get the most exposure
to. My skills are, I believe, decent but not awesome. They are decent enough
that I can reliably find compromises, explain why the machine is to me
considered compromised, find the source of the compromise, and determine to
some level how it came to be that way. I obviously don't know if I am
missing anything - I may just be able to find the bottom rung of owned
machines. There in lies problem number two - I have no one to compare myself
to or learn from. The security program at my current place of work was
developed pretty much by me and no one else there has a strong security
background beyond the basic security concepts. I listen to PDC and most of
the other security podcasts and have no trouble following along and taking
what is said and applying it back into my own organization, so I know I'm
not just a clueless n00b, but I have no benchmark by which to compare
myself. I've signed up to the Security Mentors program, both as a mentor and
a mentee, but have heard nothing back from them. There are a couple local
groups that meet - one is attached somehow to U of M in Ann Arbor (40
minutes away) and meets on a college students schedule. I'm looking into the
local Infraguard chapter.

- I have no certifications or special training. Everything I know I've
either learned on the job or taught myself. My job will not pay for security
training for me and I've found the cost of most training to be outside my
budget in the past. Would you consider this to be a big minus? If so, where
would you suggest I start? I'm not looking to spend a year + taking classes
and earning certs, mainly because I don't have the time or money to do so,
but if there was one, possibly two classes to take what would you suggest?

I think I've got a lot going for me. I've gathered a good sense of business,
something that a lot of younger security guys don't have. My skills are
good, though just how good I'm not sure. I'm at the "strong" part of my
career (I'm 35), but I just want to make sure I take it in the right
direction. It's now time for me to make that next step, but I'm not really
sure if I'm in the position to do so. Let me know what you guys think.

Get into the community, write a blog, create some tools, do some
research and publish a paper. Keep at that and get a name for yourself
while you are waiting, then when you go for an interview you'll be
able to show you have an interest beyond just more money. And if you
don't know where to start pick an area you are interested in and look
at that. Get into it and ask questions then maybe write up the answers
and publish on a blog. If you've had to ask them then other people
will have had to as well.

As for training there are loads of videos, slide decks and other free
stuff out there. Download the last Shmoocon/Toorcon/Defcon videos and
watch those. IronGeek does loads of free training videos on his site.
Again, if you get an interview you can mention the things you've seen,
something as simple as "yes, I saw X do that on a Y con video" would
mark you out from someone who was putting effort in.

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]