Career change

slyph

Currently I have:

• under grad comp sci degree
• few years professional software dev experience
• decent all round knowledge - programming, scripting, different os's/networking protocols etc.
• done some of the vuln hub images

I am interested in a change to having an info sec career. I just find the area more interesting than traditional software development. I am bit bored of my current job... I find myself looking up and researching info sec topics rather than things related to my area of work. In particular I would like to have some kind of pen testing job I think.



Questions I have:

• is it necessary for me to get a masters in this area ? I have looked into the various ones available to do in Ireland.... most of them have alot of non technical content, which i am not sure how valuable it would be when I finally get a job
• or what if I got myself OSCP certified - would that along with my undergrad degree be sufficient to apply to jobs and not instantly get my cv binned ?
• what is the day-to-day like ? do you guys find the work interesting/satisfying ? i know this is very job dependent, but i really want to avoid another job where i find the work boring and can only do interesting stuff in my own time
• is there a decent job market for the entry level pen tester ? or realistically should i be applying to jobs with varied responsibilities - not just pen testing ?

Thanks !

DipStick McSwindler

This post has been deleted.

Khannie

IrishFeeney92 wrote: »

at the moment the majority of people in InfoSec wil have an MSc.

My experience says otherwise.

Khannie

slyph wrote: »

what is the day-to-day like ? do you guys find the work interesting/satisfying ? i know this is very job dependent, but i really want to avoid another job where i find the work boring and can only do interesting stuff in my own time

For me, this is the best bit. I find infosec fascinating, so moving (slowly) to an infosec only job has been very very enjoyable. I mean it's not all sunshine and lollipops or whatever. There are bits that are boring as sh*te, but I find it easier to power through them now.

IrishFeeney92

IrishFeeney92 wrote: »

but at the moment the majority of people in InfoSec wil have an MSc.

What?

This is not my experience at all.

slyph wrote: »

Currently I have:

Questions I have:

• is it necessary for me to get a masters in this area ? I have looked into the various ones available to do in Ireland.... most of them have alot of non technical content, which i am not sure how valuable it would be when I finally get a job
• or what if I got myself OSCP certified - would that along with my undergrad degree be sufficient to apply to jobs and not instantly get my cv binned ?
• what is the day-to-day like ? do you guys find the work interesting/satisfying ? i know this is very job dependent, but i really want to avoid another job where i find the work boring and can only do interesting stuff in my own time
• is there a decent job market for the entry level pen tester ? or realistically should i be applying to jobs with varied responsibilities - not just pen testing ?

Thanks !

Masters is not necessary unless you want to be an expert witness or lecture. based on your background it sounds like you would be a good fit for the industry.

Your MSc + OSCP and time spent researching security in your own time will speak volumes to serious employers.

I enjoy my job day to day (I focus on incident response and forensics). As with any job you have to take the good with the bad but in general if you work for the right company the people in this industry are friendly and helpful. Depending on your job some employers encourage employees to develop tools, conduct research, attend conferences, learn new skills etc.... this is the case with my job anyway but there is always an expectation you'll keep on top of your work while doing this.

"realistically" you should apply for the job you want, there is no point in applying for a position that requires you to conduct malware analysis when you're not going to enjoy it. That being said a lot of security analyst positions can have a varied work balance which makes things more interesting but it's completely a personal preference.

DipStick McSwindler

This post has been deleted.

syklops

No Masters here either.

You have to remember that a Masters in Information Security didnt exist until a couple of short years ago.

OP, I would say you are in an excellent position to start off in InfoSec. You can certainly start working toward an OSCP, but it is quite an intensive course. I would suggest going down the SANS route first. The GSEC is the basic general security course. You can do the self study route which works out relatively cheap. I did the GWAPT which is the web pen testing course a couple of years ago and found it quite easy, but I was already pen testing for a couple of years at that point. Do you know which area you would like to get into?

Blowfish

Add me to the list of non masters people too.

I've found InfoSec in general to be a good bit more flexible than a lot of careers in that there is no one thing that's absolutely required as long as you can demonstrate that you have knowledge in some other way, which could mean degree, certs, experience, contribution to relevant OSS projects, blogging/social media posts, claiming a bunch of bug bounties. Hell even a criminal conviction can get you a job in some areas.

Where you are now is definitely a good starting point, there aren't many areas of InfoSec where experience coding/scripting isn't at least somewhat useful.

DipStick McSwindler

This post has been deleted.

syklops

IrishFeeney92 wrote: »

Was the GWAPT a self study route?

Yep. Got the books and read through them and then went and did the exam.

ishotjr2

If you are bored/frustrated, I suggest you go talk to a professional career development person. Maybe some things you need to learn about yourself that will help you choose a new role that suits you (your current company may even pay for it). I do not think changing field will automatically fix it because any field can be boring.

If you are part of a large corporate security team ensuring compliance then that would be the very pinnacle of dull for me.

No of course you do not need a masters especially as a Pen tester that is talent, skill & dedication. (Look at these guys https://www.derbycon.com/). Out of all the folks I know in infosec I do not think any of them got there the same way, a few do not have a degree.

> is there a decent job market for the entry level pen tester ? or realistically should i be applying to jobs with varied responsibilities - not just pen testing ?

See if you really want to do it. Get other people stuff and break it, tell them about it and ask if there are any jobs going. (BugBounty etc...) If you are passionate and enjoying it you will find opportunities, might take a few years but everyone I know had to put in the time. I do not think looking for the ideal job description will work as you will end up making compromises at this stage that may defeat your goal.

Have you considered analyzing the code in your current role and highlighting security concerns, if not then maybe the problem is you do not like the company/manager etc....

Keyzer

You'd land a job no problem where I work with OSCP and a degree/masters.

Fitzinho

+1, know very few infosec people with a MSc. Many go for SANS certs if they're going to be spending that kind of money.

Khannie wrote: »

My experience says otherwise.

DipStick McSwindler

This post has been deleted.

syklops

IrishFeeney92 wrote: »

If you dont mind me asking, What books did you use?

The SANS GWAPT books.