cguido
Viewer

Advice Needed: Career Change

Hello everyone!

 

I'm currently transitioning from a career in public history to information security, and I'm eager to learn from your experiences. The cybersecurity field is incredibly fascinating to me, and I'm open to exploring various career paths within it.

 

I recently earned my ISC2 CC certification, and I'm actively preparing for the CompTIA Security+ exam. I'm also considering pursuing CompTIA A+ to strengthen my foundational IT knowledge.

 

My background in public history has provided me with valuable transferable skills. Specifically, my experience at a history museum involved significant data analysis, meticulous auditing, and detailed record-keeping, all of which I believe are highly relevant to compliance roles within cybersecurity. I am also very proficient with research and communication, both written and oral. I'm also open to roles in risk management and security awareness training.

 

I'm aware that my lack of formal IT education might be a concern for some employers, but as I only received my degree a few years ago, going back to school is not really an option for me.

 

My questions are:

  • Given my background and certifications, what are the most effective strategies for breaking into the cybersecurity field?
    • What sub-field would you recommend that I start in?
  • What additional skills or certifications would you recommend I pursue to enhance my employability?
  • How can I best highlight my transferable skills and demonstrate my passion for cybersecurity to potential employers? 
  • Are there any specific entry-level roles or internships that would be a good fit for someone with my profile?

Thank you for any advice/help!

6 Replies
nkeaton
Contributor III

Congratulations on your CC. I would not recommend against reading CompTIA materials, but I would not recommend taking the exams. While I have helped hundreds get their Security+, it no longer differentiates a candidate. The last brag I saw from CompTIA was 700K certified in Security+. So that is the competition, and they have completely flooded the job market. A+ is worse. Besides the materials being very out of date, it takes 2 exams, making it much more expensive than Security+. People who come to me can pass the first exam but not the second. The maintenance fee for Security+ is $50 a year. It is much more complicated and frustrating to do continuing education with CompTIA than ISC2. As far as a next certification, I would suggest the SSCP. It is very similar in content to Security+ but is much less expensive ($249 vs $404) and has no performance-based questions. You will only have one continuing education system to deal with. ISC2 is much easier and more flexible for earning continuing education. The annual maintenance fee goes up to $135, but you would be paying $100 for both your CC and CompTIA. That amount never goes up even when you earn the CISSP.

Not keeping to your format, but look in your area for active cybersecurity chapters, and attend meetings. People there will have a much better idea of local job opportunities. Join no-cost organizations such as Infragard and CSA. Even if they don't have active local chapters, you will get other information and can list the memberships on your resume.
Spirnia
Newcomer II

Congratulations on earning your ISC2 CC certification!

 

Next, I recommend you study for and pass your CompTIA Network+ and Security+ certifications. These certifications do not have a work experience requirement for earning the certification.

 

An ISC2 SSCP certification cannot be earned until you have completed one of the following:

 

- One year of cumulative work experience in one or more of the domains of the ISC2 SSCP exam outline; or

- A college degree in Computer Science, Computer Engineering, IT, MIS, or another approved related curriculum; or

 

If you pass your SSCP exam but do not have one of the above, you will earn an Associate of ISC2 designation until you have completed the required experience.

 

Since you mentioned transferable auditing skills, I recommend you look into the ISACA CISA certification for later on in your career.

 

emb021
Advocate I

Let me add to the comments both @Spirnia and @nkeaton made.

I would advise you to look into the different types of cybersecurity roles. Without a lot of technical knowledge, some may not be a good fit for you. You noted your experience in the area of audit, and feel that compliance, such as security audit and assessments, may be a good fit for you. Take a look at ISACA. While their CISA cert isn't something you can get now, some of their audit-related certificates (and the training for them) may be a good fit.

For more technical training, though it IS expensive, there is the SANS Institute. Look at their "work study" program to lower the costs.

While I would not recommend getting the A+ cert, I do think getting the Sec+ and Net+ certs is a good idea. Regardless that there are just TOO many Sec+ holders out there, too many companies respect it more so than the CC. So by having it you avoid being ignored. I would agree that looking to the future of getting the SSCP and CISSP is a good idea.

I also encourage getting involved with local groups. Look for local chapters of ISSA, ISC2, ISACA, and the like. I'd also recommend Infragard as well. Attend local events, especially BSides Conferences, which often will have a job track or the like, and local recruiters and consultant companies who may be hiring. In getting involved with local groups, please realize that this is a long-term investment in your networking. Don't expect an immediate payoff, but I know of many who have gotten their 2nd, 3rd, etc. jobs through their networking connections (myself included). It's just not going to happen overnight.

Finally, if you DO want to get into more GRC-type roles, you WILL need to become more knowledgeable about various standards, frameworks, and regulations. This means getting up to speed on things such as the CIS Controls, NIST RMF and NIST CSF, ISO/IEC 27001, PCI-DSS, et al. For some of these there are courses and even certificates, and while learning about some of these can be low cost, this isn't always the case.

Hope this helps.

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
Spirnia
Newcomer II

Good thinking, regarding SANS:

 

The SANS Cyber Academy, although quite competitive, I would recommend as well!

nkeaton
Contributor III

@emb021 Thank you. I do try to do full disclosure on pricing, in this case AMFs. I think that the $135 for ISC2 is maybe more of an advantage to the $50 + $50 for CC + Security+, especially since it never goes up even if you add a CISSP (right now my $135 comes to $19.29 per certification a year). DoD started the mess with Security+, and unfortunately private industry followed. Fortunately though, DoD has changed their requirements and now values experience and education over certifications; hopefully private industry will follow again. SANS is a good security organization. I am not always impressed with their training, but I would only recommend them if an employer was paying. They carry a hefty price tag. It does bother me that their materials are highly proprietary as well. I appreciate you giving your thoughts as well. They did ask for a lot of information. Hopefully they make the right choices for themselves with any information that we give them. This post was much more thought out and detailed than the usual asking by beginners, thank goodness. The interesting thing about ISACA is that a person can pass an exam but cannot submit the application until they have the experience (you and I know that but just detailing it for those that do not know). I have mixed thoughts on that. It might reduce some of the issues with Associates of ISC2 misrepresenting themselves but would not be as profitable to ISC2. I have run into a couple of fairly bad examples of that and did end up turning someone in recently. I didn't like it, but they were the one that was misrepresenting themselves. An Associate of ISC2 is only a membership and not a certification for anyone reading this that does not know.

dcontesti
Community Champion

As @emb021 has said, find local chapters of (ISC)2, ISACA, Infragard, etc. and attend their meetings. Talk to folks at these meetings. Ask about volunteer positions that you may be able to pick up.

 

I would recommend that you apply for the SSCP (you did state that you recently graduated), so you would have the pre-requisite.

 

I would also say that you should take some basic IT courses. CompTIA's A+ and Net+ are good places to pick up information and new skill sets.

 

ISC2 also offers a number of certificates (not certifications) that you could take to augment your existing skill set.

 

https://www.isc2.org/professional-development

 

The organisation also offers a number of Express Courses that might assist you in defining "who you are" to a potential employer.

 

Regards

 

d