Good morning, good afternoon or good evening... Sorry, I just had to steal that greeting from Brandon Dunlap who moderates most of the ISC2 online events 🙂
I was wondering if someone had a suggestion on getting a foothold in Information Security in the Greater Atlanta Area. It is amazing how businesses lament left and right that there are severe staffing shortages in the field, but even positions that are purportedly "entry-level" usually list "3-5 years of experience in [insert Information Security domain here]" as a prerequisite. I understand that it is a logical and prudent business expectation to want experts who will hit the ground running after they have gained their experience elsewhere and on someone else's time and dime, but sometimes it is really worthwhile to invest in... well, I digress 🙂
A little bit about myself. Well, maybe, not a little bit. This is more like a story of my past 10 years of work, so, please, bear with me 🙂
I just turned over a decade of working for a mail services company, where I have mostly worked in the background data operations, if I may call it that. I wound up with the company by sheer accident, just looking for a paycheck while searching for something completely different. I immediately realized that production operations were severely deficient both in terms of technical knowledge locally and in terms of centralized data management processes at the corporate level. So, I spent the majority of my time at the company finding and devising ways to alleviate the deficiencies in local technical and data analysis support. Imagine trying to alleviate the lack of centralized data governance locally with common tools like Microsoft Excel... In truth, I have been, for quite a few years, secretly trying to steer away and change both the company and the career (if I can call it that)... However, the broad terms "computer-savvy" and "analytical mindset" that adequately described my skills and abilities did not resonate well enough... I couldn't say anything else because there was, frankly, nothing more to say... I just filled a knowledge gap very well, but even since my first day there I had already been overqualified to fill that gap, so there was not much to build on... So, I decided to at least get more education. Perhaps I waited too long even for that.
At the end of 2018, after taking a database design and development class as part of my MBA/MSIS curriculum, I "rejuvenated" the site's data management by moving most of the data into Microsoft Access. Unfortunately, MS Access is the only database system that we are allowed to use at the site level, which is rather embarrassing, actually. After graduating in 2019, I studied for about a month or so and then passed the SSCP exam in August. The difficulty level seemed average to me. Information Security has always interested me as a field and as one of the potential career options. Fortunately for me, I was able to substitute the required one year of experience with my MSIS degree. Another fortune was the endorsement from my Information Security instructor, the only person I knew who was certified by the ISC2 at that time. And so, I became certified...
I knew from the very beginning that simply getting the certification was not a magic bullet, especially a "secondary" certification like SSCP. No offense to anyone holding it, but the only truly recognized certifications at the ISC2 are the CCSP and the gold standard, the CISSP. The former is the "hottest" and the most relevant, and the latter is just... well, the gold standard, enough said. All the others are good and useful, BUT just go and look at the number of holders compared to the number of CISSPs. The numbers speak for themselves... Even an Information Security professional is likely to not recognize those abbreviations at first sight. Maybe not even at second sight...
The greatest benefit of becoming a member of ISC2 for me was the access to the breadth of knowledge. I had no hands-on experience (I still don't), but at least I could get those hands on as much content as I could possibly digest. Today, considering that the required number of CPEs for an SSCP is 20 per year, I'm already at 60+. I have already been to two Cyber Security conferences and had a chance to participate as a Russian translator for the Center for Cyber Safety and Education (waiting for opportunities there as well). I have been absorbing and continue to absorb Information Security knowledge across its entire spectrum - from risk management and compliance to cryptography and threat hunting - at a rapid pace, and I cannot get enough, but knowledge can only get you so far... I also tried learning some practical tools and skills, like packet analysis with Wireshark and (recently) forensic data analysis with Autopsy. I also plan to finally start learning Python, which I have been putting off for a while now. I know that it makes a very good pair with SQL, that it would be very beneficial for me to learn it, and that it would be a healthy but not overwhelming challenge, but simply learning practical tools without guidance is also very frustrating for me. I like to learn something that I can apply immediately rather than just learn it and forget it because I don't have a chance to use it. Also, considering that the digital world changes every day, I cannot let myself fall behind, but simply learning by myself will not help me keep the pace...
So, with that said, if you have gotten through, then I might have caught your interest 🙂 I'm just an aspiring Information Security practitioner looking for an open door to become a professional and join your ranks. I probably will not hit the ground running on day one, but I can definitely do a brisk walk and will not take long to pick up the speed 🙂 I have a solid knowledge base to start working in any area - from GRC, IAM and Information Asset Security to SIEM, deep packet analysis, application security and digital certificate management. There will obviously be a learning curve, but nothing that I would not be able to handle in the allotted time. A part of my job currently includes managing physical security, workplace safety and facilities - in addition to data analytics. I took the position because it opened, but I don't believe that that is my place, and I don't believe that the company has a suitable one for me. Perhaps your company or agency does. Perhaps you know someone whose company or agency does. Perhaps you just have a suggestion. Send me a message if you think you could help a future colleague 🙂
Here is the thing. It's not about what I like but what I CAN do at this point 🙂 Let's put it this way: I understand much more than I've ever had a chance to do. I can set up a network, but I haven't had a chance to do that much. Then set one up on your own. I understand how to build a computer from parts, and I will easily get the hang of it, but I've rarely done it in real life. Then purchase one and build it. I have an aptitude for learning programming languages, and I can take very little time to learn and start thinking in terms of that language for solving problems, BUT I'm not going to just start learning programming languages at random. I really want to start learning Python, but even in learning you need some guidance as far as how you need to use it and for what. So learn Python. So, at this point I'm more Ops than Dev, but I have always believed that one needs to be able to do both to succeed. For example, I don't believe that one has any business talking about firewall rules and using them to mitigate risks if he or she does not actually understand how to write those rules. That may be an extreme position that is actually holding me back, and I may need to try and scale down my expectations of myself, but, on the other hand, it is very difficult to lower that bar for myself.
So I added some bold items in your post. The reason I did that is because I have been in the same position as you. You will never learn to ride a bicycle if all you do is read books on riding bicycles or just watch the Tour de France. If you wait until you know as much as you can about bicycle riding BEFORE actually trying to learn how to ride a bicycle then you will have missed many opportunities and be behind the curve in actually learning how to ride. Eventually you have to find a bicycle to ride. You either buy a used one, a new one, or find a friend that will let you borrow theirs. Perhaps you find a company to let you have a trial period on a bicycle.
I found out early in my career that there were a lot of jobs going undone because no one wanted to volunteer to step up and do them. There were plenty of opportunities to be had. Sometimes I had to create them myself. Once, while cleaning up, I found installation CDs with server OSes on them. I asked my boss if I could create a test network with them and some other spare parts lying around. Sure, I didn't have the fastest servers out there, but I knew how to set up DNS, Exchange, DHCP, and other servers because I tried and failed and tried again until I got it working. I wasn't able to do this in my "regular duties," but I gained experience that I never would have gotten in my paid duties. I did, however, gain some valuable insight into those areas that helped me troubleshoot some issues I ran into during my normal duties. We had 30 printers lying around because they were "making loud noises and grabbing too much paper." The company had a need for more printers but no budget to buy more. I took a look at them and found out that the pick-up rollers had been worn smooth and were the cause of the problem. I ordered some rollers to fix all of them for less than half the cost of a new printer. So you see, I made opportunities where there were none. I volunteered to take on tasks that were not being done, even inventing some myself. I created security roles that I could fill (and I am not talking about sabotage or intentional misdeeds so I could rush in and be the hero). In other words, there was no established responsible person for security, so I volunteered to add those duties to my current duties. I kept looking for and finding opportunities to add more experience and bolster my resume.
I also have been the selecting official for hiring, so let me shed some light on that topic. If you keep thinking you have to be perfect BEFORE you can apply for jobs, you will not get hired. I have yet to meet one candidate that had EVERYTHING listed in the job duties. I have also had the experience of having people apply for jobs who overstated their experience. I once had a person apply for a server administrator position whose IT experience consisted of using Microsoft Word, Excel, and PowerPoint. USING, not installing, maintaining, troubleshooting, etc. She lied on the experience questions and got past the computer filters. I interviewed her anyway to see if she would say something like "I know my professional work experience doesn't amount to much IT experience, but, you see, I have this lab that I set up in my home where I practice installing OSes and other software, I rebuild computers to see if I can make them work. I read all I can and I am just looking to get a start in IT, and I figure if I am just given a chance, that person won't regret the decision to take a chance on me." But I didn't get it from her. I might have taken a chance on her if she had. The interview just further proved that she was in over her head. (This is not bashing women in IT, just this one candidate who happened to be a woman. I have also had underqualified men too.) I often look for candidates who are at least minimally qualified but show eagerness and passion for the field or ambition to learn and try. I prefer the golden candidate but rarely ever get it. I have gotten some that are close, but they also had the passion or ambition.
If you see a job where you have at least 50% of the skills and have the ambition to learn the rest, then apply. Or if it is in a specialty that you have a lot of experience in but you lack a lot of the other duties, apply for it. If you learn Python but end up getting a job that uses something else, you still will have learned some valuable skills. Learning the desired programming language will also be easier. Don't count yourself out if you don't have everything or do not feel like you are a guru at some of the items.
Thank you for that post. It really means a lot coming from someone who actually does the hiring in the field. The bike analogy is a little bit simplistic, though 🙂 To make it more fitting, we need to mention that the bike is very expensive, and someone has to take on the risk of letting you use it knowing that you haven't actually ridden. Someone has to be willing to say, "Okay, you seem to know a lot about bikes, and you really want to ride them and learn even more. I have an expensive bike here that really helps our business make money. I'm going to let you ride and take care of that bike, and I trust that you will do a good job and not put our business in jeopardy" 🙂
However, you seem to be the person who would do just that, and I really appreciate it. I will take heed and try myself where I may not fit 100% on paper. In truth, I know that there is literally no chance where you can fit 100% right away, but it is still daunting to even come to an interview knowing that you are not up to par. That makes any negotiations much more difficult, in my opinion.
@Belg you are correct about the interviewing part too. Not enough people practice interviewing and are therefore nervous. One of the things I do to help my workers is this: When I am performing interviews, I will invite them in to sit as a quiet observer as the panel interviews several people. Doing this allows them to see how interviewees look from the other side of the table. This is valuable experience to be gained by watching other people interview. Ask your boss if they might be willing to let you sit in while they interview people as a learning experience. They just might let you do that.
A word about interviewing. Most interviews I have been in follow an almost predictable bell curve. There is a group that does poorly (too nervous, inexperienced), there is a group that does moderately (some experience), and then there is a group that does well (confident, says the right things, has the things we are looking for). You need to practice. One tool I recommend is Googling "VA PBI interview questions." It is a spreadsheet put out by the US Dept of Veterans Affairs, and it has about 80 or so interview questions that are PBI, or Performance Based Interview, questions. I recommend downloading this and then going through each one and coming up with work/life experiences for each one. If you find you do not have enough experience to answer the questions, go find the experiences. Remember that volunteer experiences count too; it doesn't always have to be paid experience. If you do this, your confidence will increase in interviews, and you will find that even if you do not get the exact same questions, you will have some answers that can be adapted to fit other ones you may receive. Also Google "Tricky interview questions" to help prepare you for some of the wacky ones you may get.
When you have done this, then have someone practice giving you mock interviews.
Thanks for joining in; more opinions are always better! I am reminded of when I interviewed someone for a hardware position years back. I pointed to an IBM ThinkPad docking station, yes, the big one you could put drives in, and told him to open it. He was a bit nervous, said a few times that he had never seen one before, but he tried and he opened it. To me, he was honest, he did not know how to do it, but he tried and figured it out. I saw these as great qualities and hired him. There was someone else who was hired when I was out. After doing no work for a week or two because he was busy reloading his desktop, which he did not ask if he could do, he had to go!
Something I feel a lot of us face, and I know I do, is that sometimes we look at positions and think they are much bigger than they are. I think I imagine what I would expect the position to entail instead of finding out what it really entails. I'm going to be looking for a new position, and with my knowledge I can pretty much pick what I want. This is where a wide breadth of knowledge can make things hard. On one hand, I am EXTREMELY good at troubleshooting and root cause analysis, so I think to myself, in an engineer type of role I could resolve all kinds of problems. But on the other hand, I am good at seeing the bigger picture and developing plans and strategies, so a management role could be too. I decided that I should probably look more towards management because if I am helping make work at that level, hopefully things will run smoother at the lower level and require less troubleshooting. I am tossing around the idea of looking into a CISO position, but since I have not held that role before it can be a little scary, as I probably think it's more than it is. And from what has been said here and other places, it can be a pretty crappy job depending on the company. There is also the aspect of pay versus responsibility. If a lesser role pays the same and has a lot fewer headaches, is it worth going after the higher role?