topic Re: Career change in Career Discussions

Career change

Jack_Burton — Sun, 03 May 2020 13:36:33 GMT

Hello ICS2

I am a 40 year old Talent Acquisition professional (recruiter) for a top 10 US Bank (household name) looking to make a career change and enter into the world of Cybersecurity. I have a BA in Psychology and no technical training whatsoever. The majority of my career has been cororate and agency technology recruiting.

I was advised by a Security Executive in my company to study for and take the CISSP exam as he said this would be the most appealing cert to Info Sec hiring managers. Since I dont have the prerequsite work exp to actually become CISSP certified, I realize I would only become and Associate if I pass. Im ok with that.

Here's my question; should I go straight to the CISSP or are there other (read:easier) certs that I should pursue first? I work full time, have 2 kids and they are home with us full time given the pandemic so study time is scarce but I am willing to make adjustments to my life to make it work.

Whats my passion you ask? Ultimately I would like to be as close to the tech as I can be... things like Pen Testing, Red Teaming, Malware Analysis, and the like are very interesting. I have never written code, nor do I have an infrastructure background but I am not at all afraid to learn. My secondary career choice would be threat intelligence and threat risk management (advising the business as to how to maintain secure operations, etc) if I were somehow unable to learn the tech. There are Security pros in my bank that would help me transition into their field so I am extremely lucky in that regard...

Having heard all of this, do you agree with my Security Executive's opinion that I should go straight for the CISSP or would you recommend starting with smaller or easier certifications? My primarly goal at the moment is entry into the Info Sec field. I dont have to step straight into the tech side; taking another role in the field and latticing into the technical stuff would be fine.

Thank you all in advance for any thoughts you have.

Re: Career change

denbesten — Sun, 03 May 2020 16:54:41 GMT

You might start by reading ISC's CISSP web page, especially the "Ensure the CISSP right for you" section. CISSP is most definitely NOT a "close to the tech" certification.

Re: Career change

CraginS — Mon, 04 May 2020 12:18:29 GMT

@Jack_Burton wrote:
Hello ICS2

I am a 40 year old Talent Acquisition professional (recruiter) for a top 10 US Bank (household name) looking to make a career change and enter into the world of Cybersecurity. I have a BA in Psychology and no technical training whatsoever. The majority of my career has been cororate and agency technology recruiting.

I was advised by a Security Executive in my company to study for and take the CISSP exam as he said this would be the most appealing cert to Info Sec hiring managers. ... Having heard all of this, do you agree with my Security Executive's opinion that I should go straight for the CISSP or would you recommend starting with smaller or easier certifications? ...

Jack,

Your "Security Executive" is an ID10T and has given you TERRRIBLE advice. The CISSP is not an entry level certification, and is worthless to seek as an entry point into the cybersec/infosec field. If you were to follow his advice the best you could do is accomplish the test by rote and luck, then spend ~~three~~ six years as an Associate of (ISC)2 and then not be eligible to be certified, unless you got a solid security position within a year of passing the exam. [Edited 5/4 to correct the timeline as not d by Alec @AlecTrevelyan below.] You would lose your Associate status at the end of your allowed experience period, and have to start over with a new exam.

Since that "executive" is still above you in the company, remain polite with that person, but ignore any "helpful career advice" coming from that source.

That said, there is value in obtaining the Official (ISC)² CISSP CBK Reference, Fifth Edition and reviewing to learn the breadth of job types that make up then infosec world. Do not study it as for the exam, read it to learn how and why there are eight domains, and the sort of work that constitutes information security.

Next, go look at the NIST NICE program and in particular their cybersecurity workforce framework for a breakdown of tasks and work in the security field. By combining what you learn from the NICE framework and the (ISC) CBK domains, you will be able to determine with area your interests and talents may be best seated. Then plan your development course of action to learn more about those ares, while also picking up side knowledge in the other fields.

Next, go for advice with people who will know what they are talking about. (I repeat, your "security executive does not.) If there are active chapters of ISSA or (ISC)2 in your area, join them. Talk to the hands-on security practitioners in your company, since you said they are willing to help you transition. There are many legitimate infosec tasks and jobs that are not hard-line tech, but you do need to understand some aspects of technology to practice in any sub field.

If you wish to build on your psychology education, look at areas in human factors, and threat analysis. There is a crying need for social scientists in cybersec/nfosec to deal with the people part of our work that many techies ignore.

For formal training and education to enter the field, as well as credentialing that will make sense for your situation, (the CISSP does not). consider one of the many master's degree programs available online that are designed specifically for holders of undergrad degrees wishing to transition into the field. For meaningful certifications as formal credentials, CompTIA has a few that are relevant for basic tech into, particularly the A+, Network+, and Security +. Even if you work in a non-tech area of cybersec, the basic knowledge of those certifications will benefit you.

Should you be successful in entering the cybersec field, some years down the road the CISSP will become meaningful and appropriate. Should you get the basics of tech and wish to practice in the tech arena, then target the SSCP from (ISC)2 as a goal, after at least the tech knowledge from an appropriate MS or MA degree, or the A+ and Network+ certs.

Please stay active here in this forum with both questions and reports on your progress.

Good luck,

Craig

Re: Career change

AppDefects — Mon, 04 May 2020 01:45:17 GMT

@CraginS wrote:
@Jack_Burton wrote:
Hello ICS2

I am a 40 year old Talent Acquisition professional (recruiter) for a top 10 US Bank (household name) looking to make a career change and enter into the world of Cybersecurity. I have a BA in Psychology and no technical training whatsoever. The majority of my career has been cororate and agency technology recruiting.

I was advised by a Security Executive in my company to study for and take the CISSP exam as he said this would be the most appealing cert to Info Sec hiring managers. ... Having heard all of this, do you agree with my Security Executive's opinion that I should go straight for the CISSP or would you recommend starting with smaller or easier certifications? ...
Jack,
Your "Security Executive" is an ID10T and has given you TERRRIBLE advice. The CISSP is not an entry level certification, and is worthless to seek as an entry point into the cybersec/infosec field. If you were to follow his advice the best you could do is accomplish the test by rote and luck, then spend three years as an Associate of (ISC)2 and then not be eligible to be certified. You would lose your Associate status at the end of your allowed experience period, and have to start over with a new exam.
Since that "executive" is still above you in the company, remain polite with that person, but ignore any "helpful career advice" coming from that source.
That said, there is value in obtaining the Official (ISC)² CISSP CBK Reference, Fifth Edition and reviewing to learn the breadth of job types that make up then infused world. Do not study it as for the exam, read it to learn how and why there are eight domains, and the sort of work that constitutes information security.
Next, go look at the NIST NICE program and in particular their cybersecurity workforce framework for a breakdown of tasks and work in the security field. By combining what you learn from the NICE framework and the (ISC) CBK domains, you will be able to determine with area your interests and talents may be best seated. Then plan your development course of action to learn more about those ares, while also picking up side knowledge in the other fields.
Next, go for advice with people who will know what they are talking about. (I repeat, your "security executive does not.) If there are active chapters of ISSA or (ISC)2 in your area, join them. Talk to the hands-on security practitioners in your company, since you said they are willing to help you transition. There are many legitimate infused tasks and jobs tha tare not hard-line tech, but you do nee to understand some aspects of technology to practice in any sub field.

If you wish to build on your psychology education, look at areas in human factors, and threat analysis. There is a crying need for social scientists in cybersec/nfosec to deal with the people part of our work that many techies ignore.
For formal training and education to enter the field, as well as credentialing that will make sense for your situation, (the CISSP does not). consider one of the many master's degree programs available online that are designed specifically for holders of undergrad degrees wishing to transition into the field. For meaningful certifications as formal credentials, CompTIA has a few that are relevant for basic tech into, particularly the A+, Network+, and Security +. Even if you work in a non-tech area of cybersec, the basic knowledge of those certifications will benefit you.
Should you be successful in entering the cybersec field, some years down the road the CISSP will become meaningful and appropriate. Should you get the basics of tech and wish to practice in the tech arena, then target the SSCP from (ISC)2 as a goal, after at least the tech knowledge from an appropriate MS or MA degree, or the A+ and Network+ certs.
Please stay active here in this forum with both questions and reports on your progress.

Good luck,

Craig

I agree with @CraginS and his solid advice about building upon your psychology and HR experience. You could be that person that pulls together everything we know or should know about "securing the human".

Re: Career change

AlecTrevelyan — Mon, 04 May 2020 08:24:48 GMT

@CraginS wrote:
...
...
then spend three years as an Associate of (ISC)2 and then not be eligible to be certified. You would lose your Associate status at the end of your allowed experience period, and have to start over with a new exam.
...
...

I'm not sure what you mean by this? Associate status can be maintained for N+1 years. Where N is the number of years of experience required to qualify for the full certification. In the case of the CISSP this is 6 years (5 + 1).

Re: Career change

AlecTrevelyan — Mon, 04 May 2020 09:17:55 GMT

@Jack_Burton

I agree that CISSP is probably not the right choice for you at the moment as for one thing, as per @denbesten's comment, it is not close to the tech at all.

You need to build a foundation that will get you to where you want to be. All the things you mention (pen testing, red teaming, malware analysis etc.) require fundamental knowledge in how computer and network systems function in terms of both their hardware and software. So my advice to you is to start by exploring learning opportunities that will teach you the basics of those things such as those @CraginS mentioned. e.g. CompTIA A+ and Network+ (I would also add Linux+ or some other Linux basics certification). Earning these should then allow you to find employment in the field.

Once you have a good foundation and are earning some experience, you can then start to look to move on to intermediate and security specific training. e.g. CompTIA Sec+ or ISC2's SSCP.

After that you can do more advanced training like eJPT if you want to be a pen tester, but hopefully by this point you will have a clearer understanding of exactly where you want to be and what it will take to get there, and will have the solid foundation needed to be able to achieve it, whether that is earning the CISSP or otherwise.

Good luck!

Re: Career change

CISOScott — Mon, 04 May 2020 12:00:09 GMT

I understand where your cyber security executive was going by recommending the CISSP, but I think they should have phrased it like this: In your journey you should strive to get the CISSP as it is important to your future success. Here are some recommended posts to look at and ideas to consider:

https://community.isc2.org/t5/Industry-News/Security-Podcasts/td-p/2567/page/2

For the newbies go read The Cuckoo's Egg by Cliff Stoll. This will give you an idea how someone with no computer knowledge can make a big impact on cybersecurity.

https://community.isc2.org/t5/Industry-News/Building-a-cyber-range/m-p/9404#M806

https://community.isc2.org/t5/Career/A-little-help-for-an-aspiring-Information-Security-professional/td-p/33828

https://community.isc2.org/t5/Career/Starting-out-in-cybersecurity-alternative-paths-and-backgrounds/m-p/30082#M2316

https://community.isc2.org/t5/Career/CISO-to-CIO/m-p/32563#M2423

https://community.isc2.org/t5/Career/Looking-for-Advice-on-Next-Steps/m-p/10406#M886

https://community.isc2.org/t5/Career/Developing-yourself-and-your-staff-A-different-take-on-cyber/m-p/30637#M2338

These are just some to get you started and further encourage you as you start your journey. Welcome to the field.

Re: Career change

CraginS — Mon, 04 May 2020 12:26:19 GMT

@CISOScott wrote:

For the newbies go read The Cuckoo's Egg by Cliff Stoll. This will give you an idea how someone with no computer knowledge can make a big impact on cybersecurity.

Full support for everyone in our field reading Cuckoo's Egg! However, Stoll was not "someone with no computer knowledge." He was running the computer system for the observatory, and discovered the initial clue to a problem by reviewing the system logs. Further, he designed and implemented the first honeypot and intrusion alarm on that system, although did not use either of those names.

Craig

Re: Career change

Steve-Wilme — Tue, 05 May 2020 08:02:25 GMT

It's become very common to look at formal certifications first, for people thinking of entering the security field. In some ways that's unhelpful as it detracts from considering what you find intrinsically attractive about the work in the field and what those entering it can bring to it from the previous experience.

Re: Career change

Jack_Burton — Sun, 10 May 2020 13:54:18 GMT

Thanks @denbesten going to dive in to that this week

Re: Career change

Jack_Burton — Sun, 10 May 2020 14:41:03 GMT

Thanks @CraginS there is a lot here to unpack. Ive ordered the CISSP CBK as you recommended just for its guidance; I agree that there is just too much about the field that I dont know and if you feel that this is a good reference manual for the field then that is where I will start. The link you provided for the cybersecurity workforce framework didnt work, I suspect this was the address you were trying to take me to: NICE Cybersecurity Workforce Framework.?

Im going to start by reviewing the CISSP CBK as a reference manual and then consider the CompTIA certs. Ill consider a Masters degree if I get to a point where I feel its required, but at the moment I dont want to commit to that level of schooling given the weight of other responsibilities in life at the moment. I suspect my interests will galvanize (and change) as I learn more about the field. I have a conversation lined up with our Sr Manager of Threat Intelligence (to which our CSOC reports in to) later this week. Our SOC does more entry level hiring than any other corner of InfoSec so it seems like a good point of entry to consider (it also sounds interesting!). Im told from at least one gent that works in my Bus Tech Rism Mgmt function that starting in the SOC is a good place to learn how the organization looks at and handles threats on a basic, front line level. That sounded like a plausible statement; anyway, Ill be speaking with that Sr Mgr this week.

For the time being, the CISSP is going to take a back seat.

I appreciate your direct and practical advice CraginS and Ill continue to update / ask questions as I learn more.

Re: Career change

Jack_Burton — Sun, 10 May 2020 14:42:49 GMT

That was a very intriguing piece of his post. The idea hadnt even occured to me but its one Ill look further into for sure

Re: Career change

Jack_Burton — Sun, 10 May 2020 14:49:54 GMT

Very helpful Alec, thank you. I am fascinated by the tech and for the moment, I do think I want to go in that directon but Im going to begin reading the CISSP CBK as CraginS mentioned and have a few more conversations before I take action on the certs you mention.

Re: Career change

Jack_Burton — Sun, 10 May 2020 14:51:58 GMT

Thank you CISOScott, Ill dive into these links this week

Re: Career change

Jack_Burton — Sun, 10 May 2020 15:01:56 GMT

Thanks Steve, at the moment, all of it is interesting. I feel like a kid in a candy store but Im sure that will change as time goes on. The tech seems the most intersting, the policy side seems the least; I suspect I may end up somewhere in the middle but we'll see