Good morning, good afternoon or good evening... Sorry, I just had to steal that greeting from Brandon Dunlap who moderates most of the ISC2 online events 🙂
I was wondering if someone had a suggestion on getting a foothold in Information Security in the Greater Atlanta Area. It is amazing how businesses lament left and right that there are severe staffing shortages in the field, but even positions that are purportedly "entry-level" usually list "3-5 years of experience in [insert Information Security domain here]" as a prerequisite. I understand that it is a logical and prudent business expectation to want experts who will hit the ground running after they have gained their experience elsewhere and on someone else's time and dime, but sometimes it is really worthwhile to invest in... well, I digress 🙂
A little bit about myself. Well, maybe, not a little bit. This is more like a story of my past 10 years of work, so, please, bear with me 🙂
I just turned over a decade of working for a mail services company, where I have mostly worked in the background data operations, if I may call it that. I wound up with the company by sheer accident, just looking for a paycheck while searching for something completely different. I immediately realized that production operations were severely deficient both in terms of technical knowledge locally and in terms of centralized data management processes at the corporate level. So, I spent the majority of my time at the company finding and devising ways to alleviate the deficiencies in local technical and data analysis support. Imagine trying to alleviate the lack of centralized data governance locally with common tools like Microsoft Excel... In truth, I have been, for quite a few years, secretly trying to steer away and change both the company and the career (if I can call it that)... However, the broad terms "computer-savvy" and "analytical mindset" that adequately described my skills and abilities did not resonate well enough... I couldn't say anything else because there was, frankly, nothing more to say... I just filled a knowledge gap very well, but even since my first day there I had already been overqualified to fill that gap, so there was not much to build on... So, I decided to at least get more education. Perhaps, I waited too long even for that.
At the end of 2018, after taking a database design and development class as part of my MBA/MSIS curriculum, I "rejuvenated" the site's data management by moving most of the data into Microsoft Access. Unfortunately, MS Access is the only database system that we are allowed to use at the site level, which is rather embarrassing, actually. After graduating in 2019, I studied for about a month or so and then passed the SSCP exam in August. The difficulty level seemed average to me. Information Security has always interested me as a field and as one of the potential career options. Fortunately for me, I was able to substitute the required one year of experience with my MSIS degree. Another fortune was the endorsement from my Information Security instructor, the only person I knew who was certified by the ISC2 at that time. And so, I became certified...
I knew from the very beginning that simply getting the certification was not a magic bullet, especially a "secondary" certification like SSCP. No offense to anyone holding it, but the only truly recognized certifications at the ISC2 are the CCSP and the gold standard, the CISSP. The former is the "hottest" and the most relevant, and the latter is just... well, the gold standard, enough said. All the others are good and useful, BUT just go and look at the number of holders compared to the number of CISSP's. The numbers speak for themselves... Even an Information Security professional is likely to not recognize those abbreviations at first sight. Maybe, not even at second sight...
The greatest benefit of becoming a member of ISC2 for me was the access to the breadth of knowledge. I had no hands-on experience (I still don't), but at least I could get those hands on as much content as I could possibly digest. Today, considering that the required number of CPE's for an SSCP is 20 per year, I'm already at 60+. I have already been to two Cyber Security conferences and had a chance to participate as a Russian translator for the Center for Cyber Safety and Education (waiting for opportunities there as well). I have been absorbing and continue to absorb Information Security knowledge across its entire spectrum - from risk management and compliance to cryptography and threat hunting - at a rapid pace, and I cannot get enough, but knowledge can only get you so far... I also tried learning some practical tools and skills, like packet analysis with Wireshark and (recently) forensic data analysis with Autopsy. I also plan to finally start learning Python, which I have been putting off for a while now. I know that it makes a very good pair with SQL, that it would be very beneficial for me to learn it, and that that would be a healthy but not overwhelming challenge, but simply learning practical tools without guidance is also very frustrating for me. I like to learn something that I can apply immediately rather than just learn and forget it because I don't have a chance to use it. Also, considering that the digital world changes every day, I cannot let myself fall behind, but simply learning by myself will not help me keep the pace...
So, with that said, if you have gotten through, then I might have caught your interest 🙂 I'm just an aspiring Information Security practitioner looking for an open door to become a professional and join your ranks. I probably will not hit the ground running on day one, but I can definitely do a brisk walk and will not take long to pick up the speed 🙂 I have a solid knowledge base to start working in any area - from GRC, IAM and Information Asset Security to SIEM, deep packet analysis, application security and digital certificate management. There will obviously be a learning curve, but nothing that I would not be able to handle in the allotted time. A part of my job currently includes managing physical security, workplace safety and facilities - in addition to data analytics. I took the position because it opened, but I don't believe that that is my place, and I don't believe that the company has a suitable one for me. Perhaps, your company or agency does. Perhaps, you know someone whose company or agency does. Perhaps, you just have a suggestion. Send me a message if you think you could help a future colleague 🙂
You have a lot here and I will probably miss some of the points you mentioned, but let me give it a try.
I would say you are sadly hitting a very common problem. You see everywhere that there is such a skills gap, but then the job postings want so much and often don't want to pay for what they are asking for. Deidre, founder of CyberSN, is often posting and speaking to just these issues.
Security can be a bit tricky in the fact that most of us have more security experience than we realize, because many security items are just blended into so many other duties, as they should be. A person who is setting up network shares and assigning permissions is involved in security if you really think about it. You may not have had a security title, but you may have more experience than you realize. It would seem like I heard a bit of governance and design in there. Maybe try to flesh out some of what you really did.
I also believe I see you heading down the bad path that I went down, learning all you can! I did it because I simply love to learn, but the downside is that it can leave you fragmented and a little unsure of where you really fit. Security has become a rather large area and I think it's easy to get lost. I would ask yourself what things you really like and dislike doing in order to help focus a little. Governance and packet analysis are worlds apart and you probably would not ever be doing both, so which way do you lean?
I think you will find there are 2 types of companies out there, 1 that will expect you to know everything they use and be able to hit the ground running, which I think is unreasonable. With such a wide range of technologies out there trying to find this will be next to impossible. The other type of company, and I would say the one we all want will be the one where they see how you are able to understand things and pick things up and know you will be able to ramp up on whatever is needed rather quickly.
Job descriptions are junk! I have heard from many people how their company writes these impossible job descriptions, and one guy told me how his company just hired someone who only met 20%. Why? It was the best fit they could find!
Not sure how on target that was, and I need some coffee... I hope we can all turn this into a good discussion because it's needed...
Thanks for joining the conversation, John 🙂
I hope that we can turn this into a discussion. You were on point with everything you said.
For one, yes, I, like most people who have to interact with IT, often end up doing things that are actually considered Information Security. For example, even before I got the physical security oversight added to my responsibilities, I was managing our local systems, assigning access levels, provisioning and de-provisioning user accounts, serving as liaison to our Corporate IT team, helping them troubleshoot issues and perform data backups. With the added physical security role, I do even more of that. But in truth, at least for me, I have rarely made a mental note of that. Those activities were just a part of my responsibilities in a position that did not have the words IS/IT Security in it - and thus those things did not feel as such. I also participate in Business Continuity and Incident Response planning, but there is no mention of IT there, so I would usually discount them as "business as usual." Also, I often end up bogged down with the wording... e.g. "5 years of experience in..." If I happen to do 10-20 minutes of user account management a day - I cannot call it a full day, and then I cannot call a certain number of such days a year. But in truth, if you are spending all your time managing user accounts, day in and day out, then something is terribly wrong with your systems 🙂
Then, regarding learning anything and everything, I understand exactly where you are coming from. I am like you in that sense, because I like to learn everything I come across, and Information Security has grown to become a very wide field. And yes, I often become inundated and overwhelmed with all the available material, for example, that I would like to see. So, of course, in truth, I don't "like" every domain equally, but I still try to keep abreast regarding the recent developments in most of them. I know that that will change, because I have already found myself letting go of some learning opportunities simply because I was not interested in the topic. So, you are absolutely right, there is absolutely a need to select a healthy spectrum that you can manage professionally and physically. I think picking just one thing (which is not really possible anyway) makes you very narrowly positioned, but biting the entire spectrum - from GRC to packet analysis - is not something that anyone can chew. So, yes, I do have my "preferences," if you can call them that. On the other hand, I don't want to limit my choices too much, because then I may miss out on something that turns out to be very good for me. Overall, this is about finding a healthy medium, and it is different and difficult for everybody.
And regarding job descriptions, I'm pathologically honest, so it is extremely difficult for me to even answer a posting that asks for something for which I don't have anything to show. "Do I have 2-3 years of experience in ...?" - Not really. But... Perhaps, I actually have that experience if I considered that, that and that. But then it feels like stretching the truth, which I have a hard time doing also, so I will not likely apply. And in cases where I absolutely do not have the required experience - I don't even bother because I cannot claim something that I don't have. So, I cannot be the guy who only matched 20% of what was being asked - because I won't apply to be that guy in the first place. Maybe, I should try that one day. But if I do, then what if I end up being the guy who applies for something for which he does not qualify even remotely - and never gets it. Everything seems to be a double-edged sword, or am I just overthinking things?
In what I am reading I think we have a lot in common. I have been the guy who got backups running at a Fortune 500 and got them to start sending tapes off site to Iron Mountain. Did I think I was doing disaster recovery planning? Of course not, I was just making sure the servers were properly backed up! But that's what DR planning is. For years I have run IT for a few small businesses and most of the time I told them what to do instead of them telling me. So when you are calling the shots and deciding what has to be done, putting labels on things drops even further, and this is something I have been struggling with. I can't just put on a resume, "I did stuff!" So taking the time and really thinking about what I did and what it would be called has been a real pain in the butt. Learning how to put labels to the work we do might be challenging, but it is needed and well worth it.
When it comes to learning, for me it comes down to a depth of learning. I have found there are things I have learned inside and out and there are other things I just have a basic understanding of. I think if you need the deep understanding then get it, but if it is just a matter of interest, just learn it till you get it. I have found that having learned so much is a very large asset when dealing with others, because since I have an understanding they cannot BS me as easily as someone who never looked into things.
I will call you out on a problem it sounds like you have that I also share, a perfectionist mentality. I could get into the deeper reasons for why one develops this type of mentality but I'll skip that for now. We tend to think we have to know something front to back to say we know something, or else we can't say we know it at all. It also comes down to a level of black and white thinking. We need to learn to embrace the idea of "good enough." Have I done X a thousand times so I can do it in my sleep? Nope, but do I understand it well enough so when I bring that contractor in to do it I will understand it well enough? Yup! IT has expanded so much that we can't know it all, but as long as we know enough to understand how things relate and connect, that is what I think matters.
And I really do invite others to join in on this, I think it hits on things many of us deal with!
The more you say, the more I feel that we are very much alike. I know that at some point I will narrow my focus more and more when I decide to go deeper and deeper into something, but for now I'm not only learning but scouting as well. If I may ask, how did you manage to succeed and where did you end up? Or, rather, where are you right now? In terms of career and expertise, not the company, of course.
Sorry I did not reply sooner, but my mother took a fall, broke her arm and is in the OR..
But anyway... Not sure where to start... Let's just say I grew up poor and I learned the only one I can count on is me... I leaned toward books and knowledge because I didn't want what was outside... I deal with imposter syndrome because, since I learned so much at a young age, things come easier for me than most, so since it comes easy I figure I must not know it or I must be missing something. We all have our issues we need to overcome..
Big surprise, my LinkedIn is: https://www.linkedin.com/in/jkwiniger/
Go figure, hide in plain sight...
I hate resumes and LinkedIn because they are so subjective...
Technology is a passion, not just a job. The more we learn, the more we are able to apply critical thinking and conceptualize and visualize complex systems, allowing us to infer meanings from sparsely connected and related systems in order to perceive the unknown unknowns and giving us the courage to quickly pivot when unacceptably high risks have been perceived.
Is the current one better or worse? I hate subjective things..
I hope your mother gets better soon.
You know, it is strange that no one besides you joined this topic. Employment in Information Security is a very pertinent topic. I understand that right now is not the best time for it, considering what the virus is doing to the world economy, and to the U.S. economy in particular. However, once everything subsides, this topic will return, and it will be more important than ever. Right now is not a good time by any means to change careers and employers 🙂
You could consider becoming an ISC2 associate and acquiring a CISSP pass, which would become the qualification with the required number of years' experience. Obviously that depends on what happens with lock down, exam centres etc. And I suppose that is my point: you may already have more relevant experience than you realise. It would probably be worth doing a full inventory of your skills and experience against a published skills framework in the security field. You don't have to be 'expert' in each area, just be honest with yourself, as it's the first step to thinking through how you could get more relevant experience for when the economy improves and you can change careers.
That's a good suggestion, Steve. I was about to go line by line through my resume and compare it with what I have done at work. To me, the challenge lies in the fact that I have never had an Information Security title, so I have never considered anything that I have done to be "Information Security experience." I manage user accounts, I oversee physical security and access controls, I help with data backups (which is an essential part of DR prep), but I don't do any of those things "full-time." Naturally, no one does their prescribed duties full-time, but for me it is more psychological than factual. I've been told before that I tend to downplay my experience. I'm so conscious about not exaggerating anything that I do exactly the opposite... And as far as being an ISC2 member, I already am. As an SSCP. Taking a CISSP and passing it now may not make much difference in the sense that I would have to pay for the exam and end up not having enough experience right away. With an SSCP, one year of experience can already be waived for me, but I still will not have enough. The best thing to do right now, I think, would be to follow your and John's advice and to really look at what I have already done through the lens of information security domains. Some people can easily talk about themselves and present what they have done in a way to benefit themselves in a particular case. I am much more categorical than that. If I hadn't done information security per title, then I haven't done it at all... Now that I said that, that approach feels very self-deprecating, lol.
Take a look at the CIISec skills framework.
There are other similar skills frameworks out there.
If you examine the actual content of your various roles against it, it should be useful.
Just going over your resume may not be enough.