I.T Security jobs and experience.

Tony648

Hi All,
This question is aimed specifically at people in IT Security jobs and it relates to their first position in I.T Security.

I work in quite a big multinational IT Company, and I work as a BA and technical consultant, I am studying for a masters in IT Security and I am a certified security tester with experience in Pen testing but nothing extensive. Most of my knowledge is theoretical, and while I try to simulate networks and applications etc for testing and strengthening, I am stuck in the catch 22 situation of not having enough real world experience to get into an IT Security job, and thus not getting the experience
Im hoping from advice from anyone out there who has been through this path, Im wary of the fact that every day I waste not being in an IT Security role is doing me damage, and I cannot practice or suggest any of what I do in my current company, this avenue is simply not open.

Any advice at all would be welcome, Im just wondering how people have managed to get past this first hurdle?

Thanks

fret_wimp2

I cannot practice or suggest any of what I do in my current company

Ok, you cannot practice or gain experience in your current role due to red tape or not having permissions to perform the role. Your not going to get the experience by just giving up.

Im not a security guy, but ive had a few IT Jobs. If you want to get into an area your not experienced in then make your experience:

-If its network security, buy a cisco router and switch from ebay. they are relatively cheap. set up a home network and do tutorials you find online ( there are many).

-Do a CCNA or other networking course. You cannot be a security specialist in some area without knowing the area first. e.g, how could someone be a traffic warden if they dont know the rules of the road?

-Become familiar with security software (Tripwire is the only one i really know anything about).

-read blogs. then read more blogs. then read more blogs. find out the heavy hitters in the field you want experience and follow their blogs.

-join user groups. I know the dublin sql user group is meeting tomorrow night to discuss Database Security, more precisely the tools you can use:
http://mtug.ie/Home/tabid/38/ctl/Details/Mid/369/ItemID/96/Default.aspx?ContainerSrc=[G]Containers/_default/No+Container

Look for a job where you can do some of the work you want do gain experience in, either as a junior role, or a job where you go in as an expert in yoru current field, but get the oppertunity to gain experience in the field your interested in(might be worth discussing this option with your current employer. whats the worst they can do, deny you the oppertunity and leave you to do your regular job).

If you really want to get into the a particular field, you will make it work.

Good Luck.

Tony648

Hi Fret Wimp,
Yes youre totally right, I have no intention on giving up though This is what I want to do with my life, so giving up is not an option.
Just to clarify, Im CCENT and CCNA Qualified, Im a qualified security tester and I have a BA in Computer Science, Im presently mid way on a masters and I have a chain as long as my arm of qualifications I want to do, however this is not where the problem lies, I have used IDS and IPS systems and have extensive system admin experience, the problem is that security is unlike other IT fields in that you need to have the experience in real world before getting in, and this is where the catch 22 is, no ammount of testing home built networks, simulated vbox setups will prepare you for this, it requires hands on on job experience, and this is where Im stumped, so Im wondering firstly how those guys out there at the moment got into these roles, or any advice on what to do aside from the already mentioned.
The fact of the matter is that Im confident to the point of almost certainty that I could do anything asked of me, but its hard to project a theoretical knowledge into real world experience, security professionals dont seem to see this.
I wont stop on my track, as I have said, its not an option to stop, but Im just looking for some advice to give me something to work towards that will give more of a guarentee of getting an IT Security job, whether it be junior or whatever level.

I appreciate you taking the time to reply though, youre advice is indeed correct, and youve re-inforced the fact that I need to keep the chin up and keep hammering at this mission

Tony

fret_wimp2

Hey Tony.

No probs. As you seem to have all the required knowledge ,it seems all that is holding you back is your lack of experience.

In that case I would suggest your update your CV to demonstrate how much you know, and dont dwell on your lack of experience.

Apply for every job out there in the field. chances are you will get at least a few interviews.

Im of the opinion that if someone gets an interview, the job is their's to either take or lose. Make sure in the interview you sell yourself on your knowledge, dont dwell on lack of experience, show how much you know and how you will benefit the company. Prove you are the person for that job. they gave you the interview, they are interested, they want to give the job to the right person. be that right person!

Tony648

Hi Fret Wimp, I think you might have it on the head there, sometimes its good to have someone elses opinion on these matters to point out the obvious things
Thanks a million for your time in replying again, Much appreciated, and I think I will adopt this attitude and see how that goes

Tony

harney

I am not sure of the maturity of the security market in Ireland, but have you considered moving to the UK?

The following site normally has a number of security roles http://www.cwjobs.co.uk/

The only issue you will most likely face in the UK, at least in pen testing, is nationality and security clearance. To undertake government work you need security clearance, not necessarily an issue for an Irish person, however there will most likely be cavaets around this clearance that will prevent you undertaking certain testing work.

Have a look at http://www.crest-approved.org/ It is the new basic standard required to undertake government work. They are trying to push it forward as the new international standard. It is not easy, but becoming quite important as a badge in the UK.

Tony648

Hi Harney, Many thanks for your reply. Yes it has been a consideration to move, however my wife is a little more deeper into her career, so we are trying to balance both our needs, and for now this means trying a little longer in country.
I have looked at the crest certifications, I beleive my current qualification leads directly into the crest certified tester, so this will likely be the next pursuit on the side of my masters, they seem to be a well recognised organisation.

Thanks again

Welease

I had a friend who was in a similar position, luckily enough he had wider experience that allowed him to join a large multi national, and once there to continue to talk to and work with the security organisation so that when the opportunity arose they took him on internally..Maybe that approach could work with your current company..

Another option for experience would to start getting engaged in Open Source projects.. There are literally thousands around which would have various levels of security design or testing requirements.

Tony648

Hi Welease, now thats an idea I didnt think of, getting involved in open source projects. Thanks a million for your suggestions and advice, much appreciated!!

stereo_steve

Hi Tony,

Do the CISSP exam. Its the best thing you can do. It opens doors left right and centre in Ireland. You need to have five years experience to get the certification after passing the exam but you'll still be an associate during that time . You can still tell people in interviews that you have passed it.

PM me your email address. My place is hiring in a couple of weeks. I'll let you know about it.

/Steve

Tony648

Hi Steve,
Thank you very much, thats very kind, Ill pm you shortly.
Have the CISSP book at the house here, have read the odd chapter here
and there for information on specific topics, but have never gone through it back to back, but by the sounds of things, thats the one to go for.

Tony