Good morning, good afternoon or good evening... Sorry, I just had to steal that greeting from Brandon Dunlap who moderates most of the ISC2 online events 🙂
I was wondering if someone had a suggestion on getting a foothold in the in Information Security in the Greater Atlanta Area. It is amazing how businesses lament left and right that there are severe staffing shortages in the field, but even positions that are purportedly "entry-level" usually list "3-5 years of experience in [insert Information Security domain here]" as a prerequisite. I understand that it is a logical and prudent business expectation to want experts who will hit the ground running after they had gained their experience elsewhere and on someone else's time and dime, but sometimes it is really worthwhile to invest in... well, I digress 🙂
A little bit about myself. Well, maybe, not a little bit. This is more like a story of my past 10 years of work, so, please, bear with me 🙂
I just turned over a decade of working for a mail services company, where I have mostly worked in the background data operations, if I may call it that. I wound up with the company on sheer accident, just looking for a paycheck while searching for something completely different. I immediately realized that production operations were severely deficient both in terms of technical knowledge locally and in terms of centralized data management processes at the corporate level. So, I spent the majority of my time at the company finding and devising ways to alleviate the deficiencies in local technical and data analysis support. Imagine trying to alleviate the lack of centralized data governance locally with common tools like Microsoft Excel... In truth, I have been, for quite a few years, secretly trying to steer away and change both the company and the career (if I can call it that)... However, the broad terms "computer-savvy" and "analytical mindset" that adequately described my skills and abilities did not resonate well enough... I couldn't say anything else because there was, frankly, nothing more to say... I just filled a knowledge gap very well, but even since my first day there I had already been overqualified to fill that gap, so there was not much to build on... So, I decided to at least get more education. Perhaps, I waited too long even for that.
At the end of 2018, after taking a database design and development class as part of my MBA/MSIS curriculum, I "rejuvenated" the site's data management by moving most of the data into Microsoft Access. Unfortunately, MS Access is the only database system that we are allowed to use at the site level, which is rather embarrassing, actually. After graduating in 2019, I studied for about a month or so and then passed the SSCP exam in August. The difficulty level seemed average to me. Information Security has always interested me as a field and as one of the potential career options. Fortunately for me, I was able to substitute the required one year of experience with my MSIS degree. Another fortune was the endorsement from my Information Security instructor, the only person I knew who was certified by the ISC2 at that time. And so, I became certified...
I knew from the very beginning that simply getting the certification was not a magic bullet, especially a "secondary" certification like SSCP. No offense to anyone holding it, but the only truly recognized certifications at the ISC2 are the CCSP and the gold standard, the CISSP. The former is the "hottest" and the most relevant, and the latter is just... well, the gold standard, enough said. All the others are good and useful, BUT just go and look at the number of holders compared to the number of CISSP's. The numbers speak for themselves... Even an Information Security professional is likely to not recognize those abbreviations at first sight. Maybe, not even at second sight...
The greatest benefit of becoming a member of ISC2 for me was the access to the breadth of knowledge. I had no hands-on experience (I still don't), but at least I could get those hands on as much content as I could possibly digest.Today, considering that the required number of CPE's for an SSCP is 20 per year, I'm already at 60+. I have already been to two Cyber Security conferences and had a change to participate as a Russian translator for the Center for Cyber Safety and Education (waiting for for opportunities there as well). I have been and continue to absorb Information Security knowledge across its entire spectrum - from risk management and compliance to cryptography and threat hunting - at a rapid pace, and I cannot get enough, but knowledge can only get you so far... I also tried learning some practical tools and skills, like packet analysis with Wireshark and (recently) forensic data analysis with Autopsy. I also plan to finally start learning Python, which I have been putting off for a while now. I know that it makes a very good pair with SQL, that it would be very beneficial for me to learn it, and that that would be a healthy but not overwhelming challenge, but simply learning practical tools without guidance is also very frustrating for me. I like to learn something that I can apply immediately rather than just learn and forget it because I don't have a chance to use it. Also, considering that the digital world changes every day, I cannot let myself fall behind, but simply learning by myself will not help me keep the pace...
So, with that said, if you have gotten through, then I might have caught your interest 🙂 I'm just an aspiring Information Security practitioner looking for an open door to become a professional and join your ranks. I probably will not hit the ground running on day one, but I can definitely do a brisk walk and will not take long to pick up the speed 🙂 I have a solid knowledge base to start working in any area - from GRC, IAM and Information Asset Security to SIEM, deep packet analysis, application security and digital certificate management. There will obviously be a learning curve, but nothing that I would not be able to handle in allotted time. A part of my job currently includes managing physical security, workplace safety and facilities - in addition to data analytics. I took the position because it opened, but I don't believe that that is my place, and I don't believe that the company has a suitable one for me. Perhaps, your company or agency does. Perhaps, you know someone whose company or agency does. Perhaps, you just have a suggestion. Send me a message if you think you could help a future colleague 🙂
@Steve-Wilme Tried to take a look but you need to make an account and everything just to download it, and just not in the mood to create yet another account for a simple download.
Had to grab a quick flight, not the best time, but we have to do what we have to do. Back home and getting caught up.
I think you are right that I would have thought more people would have joined in on this. I think a lot of the jobs that are being let go are more around hospitality and travel. Information security is a core item that should not be affected too much from what is going on. I think interviewing and the such might be a little harder now but if a company finds a really good candidate I am hoping they would not them them slip away because of all this.
As they say, good people are hard to find!
Ps. I would have thought WFH would have more people on here.. idk...
I tried downloading it, but it gave me an error saying that I did not have the right to view the content after I "purchased" it for $0. Any idea what might have gone wrong?
Yeah, it may be more difficult under the current circumstances and afterwards for quite a while. Right now I find myself happy to even have a job... I read every day how people are losing our jobs. And you are right, it should not affect Information Security per se, but considering that this profession usually constitutes one of the cost centers in a business, less revenue (if any) means less spending on the cost centers... This is the time when many things must be pushed back. The backbone of Information Security needs to function, naturally but everything else will likely be suspended for a while...
@Belg For the longest time IT in general was seen as a black hole, all cost no profit, but then companies started implemented charge back systems and then moved to the cloud. I see the cloud as a great thing for IT because everything requires a subscription which can be directly tied back to a business group. This greatly reduces the IT black hole, and when the charge back model was used IT actually became a profit center. I don't know if security would just ride that wave or if we would need something else.
I have seen people in security saying they have been played off and it make me wonder if it's time for security it start requiring contracts and retainers! Once enough laws have been passed we will not be an option but rather a requirement, and if you want to keep me I need reassurance you will not cut me because there are a lot of other companies who need and want me..
Just a thought..
That would be the idea, yes. But, as usual, some business will take heed and some will not 🙂
@Belg I am just thinking of starting a thread and call it self discovery. I think is might help myself and well everyone and become something. It would almost turn into a tree.
Do you like to build computers and networks, or write programs that run on them?
This question is more about are you ops or dev and then we drill down from their..
Here is the thing. It's not about what I like but what I CAN do at this point 🙂 Let's put it this way: I understand much more than I've ever had a chance to do. I can set up a network, but I haven't had a chance to do that much. I understand how to build a computer from parts, and I will easily get a hang of it, but I've rarely done in it real life. I have an aptitude for learning programming languages, and I can take very little time to learn and start thinking in terms of that language for solving problems, BUT I'm not going to just start learning programming languages at random. I really want to start leaning Python, but even in learning you need some guidance as far as how you need to use it and for what. So, at this point I'm more Ops than Dev, but I have always believed that one needs to be able to do both to succeed. For example, I don't believe that one has business talking about firewall rules and using them to mitigate risks if he or she does not actually understand how to write those rules. That may be an extreme position that is actually holding me back, and I may need to try and scale down my expectations of myself, but, on the other hand, it is very difficult to lower that bar for myself.
@Belg Makes perfect sense. What I was getting at is that in time is can get overwhelming trying to learn and keep up with everything. To me Ops vs Dev seems to be the first choice a lot of people make when deciding what path to go down and what to learn. I have programed in the past but it's not really my thing, I would much rather design systems. With networking I get board dealing with routing tables so I don't focus on it. I do plan on learning python just because it would be helpful if I need to dig into something, but I have no plans to be a programmer. And I know what you mean about need a reason to learn something. I tried to learn linux a few times but it wasn't until I had a few programs that I had to run on linux that I actually had a reason to dig in and learn it. One of the problems I think a lot of places face is just what you said, people making decisioned without really understanding what they are doing. I think I am also reflecting a bit on how I have been told by recruiters that I can do anything I want, and then the question comes back as to what do I really want to be doing, and there isn't really a job where you can just do everything. Well not in a bigger company, smaller ones yes, but there are pros and cons to both options.
There are indeed benefits to both, but, at least right now, I'm looking more into a smaller company. The reason being is that you get exposed into everything, you get to participate, for example, in designing policy, then in helping build a system that supports that policy, and then in monitoring this system at work. On the other hand, the company takes a big risk in letting itself be your playground. However, smaller companies do take bigger risks anyway. It comes to balance between the breadth and depth of knowledge, and that is something very difficult for me achieve, because I subconsciously try not to limit myself, lol.