Security Basics mailing list archives
RE: How to get a job in IT-Security
From: "Robinson, Sonja" <Sonja.Robinson () fticonsulting com>
Date: Thu, 20 Apr 2006 16:38:07 -0400
Yes, you should probably start in the other areas before moving to InfoSec. You need to know the what's and how things work before you start in security. However, you could also start in a junior level security position in a larger InfoSec dept., i.e. you do password resets and work in compliance to policies while others design the policies and architecture. This is hard to find however. You need to understand the basics of "why" you want to secure something and "how" to secure it will also come.

Read this and other forums. Pay attention to what people say here. There are very good people who answer questions on the list.

You can also start out in audit - but also be aware that audit recommendations should be 1) achievable 2) actually take into account the company and environment 3) not be completely outrageous. Again, you have to have SOME knowledge before you audit so you can understand what IT is trying to explain to you, i.e. domain structure, security, permissions, development, whatever.

Read the Hacking Exposed books and actually try what they say so it clicks. Test, test, test.

Also, be aware that normally companies hire only a few security people to do it all (compliance, architecture, authentication, development, networking, etc), which unfortunately gives rise to Saqib Ali's last paragraph. True, I may not have an expertise in web app security but web app people don't have an expertise in os security that I do. So there are definitely some issues, and you can't always get the expertise in every area. Hopefully, you will have enough coverage within your InfoSec dept to cover all areas - but that is an ideal world. Just as I wished my developers programmed more securely to begin with. Again, there are developers and there are secure developers. (Just an example, no flaming or knocking intended).

Sonja L. Robinson, CISSP, CIFI, CISA, CISM
Forensic Lab Manager
F T I
646.453.1283 direct
Sonja.Robinson () fticonsulting com
3 Times Square, 11th Floor
New York, NY 10036
www.fticonsulting.com

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Tuesday, April 18, 2006 5:09 PM
To: Alexander.Bolante () gmail com
Cc: extremwert () gmail com; security-basics () securityfocus com; ilaiy.e () gmail com; alexander.bolante () gmail com
Subject: Re: How to get a job in IT-Security

I don't think it will be wise to apply for a security job right after you graduate. eSecurity is a very wide area, which covers many aspects e.g. network security, application security, physical security, data security, desktop security etc.

I would suggest that being a Computer Science major, you get an application development / design job, and then work your way up to application / database security position. This will give you experience, and make your resume more credible. A person who has developed applications is in a better position to understand "secure application development process" than a person who has never written a piece of code.

One of the issues that I see with security people is that they don't have the background in the area of where they are trying to implement security. Getting a CISSP or similar doesn't give them this experience.

--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net

-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15
-----------

------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise
http://www.webroot.com/forms/enterprise_lead.php
------------------------------------------------------------------------
