Hi everybody,
I'm wondering how to acquire experience in Cybersecurity if you have few. It is not easy if you work in an environment and want to get in another. I thoguht the volunteering could be an option, but it seem that nobody is interested about that (!!!). I tried to see in my country chapter (the italian one), but nothing. I wrote, but nobody answered. So I think that a godd idea could be to organize some fake trainig-on-the-job that could be useful for those who wants to earn experience to report in CV resume. For instance, a real incident management handling or a risk assessment, or something like that. It could be the country isc chapter that could organize such workshops. This is different from a course, because a course are considered with suspicion from recruiteres or companies that are searching for an experienced consultant. Certifications are not so much considered. Everybody is looking for experts, with several years of experience. So if you want to change your area of competence, is more or less similar to win the lottery...
Some interesting thoughts - I would certainly not advocate the creating of "fake experience" or recommendations etc - sooner or later you will be found out through background checks and Social Media links etc. Then your career will finish rather abruptly indeed. No matter how, tempting it might be to elevate yourself.
One can feel desperate at times in such cases - a lot of times it is about relationships, getting involved in various security groups, not just ISC2 or ISACA but seeking out other avenues - Information Technology groups, Cloud Computing groups or even Developers and getting known in the community?
Are there any interesting security groups or even local hacking groups?
There is a great call for "New Collar" people, who have the aptitude to work in security positions from Security Analysts, and building up a solid reputation.
It may be very tempting to "fake it", but eventually time and reputation will catch up on you.
Regards
Caute_cautim
Hi Andy69,
why not try to take the CISSP exam? Of course, you will "only" get the "Associate" title after passing, but simply preparing for the exam would help gain a great insight into the main cybersecurity topics. And in the end, such a preparation and the certification might open with a bit of luck a door to a junior cybersecurity position. Just mentioning the fact that you prepared for such an exam might be a reason to be invited to an interview. In the end, the only measurable experience is the job experience. Anything else is simply to hard to estimate or appreciate.
It's, of course, a bit annoying that almost all companies look for experienced security experts - we all have to start somewhere. I advise you to look for companies in the consulting area, they are more willing and have the appropriate budget to invest in your career development as a future cybersecurity expert.
From the inside tends to work well. Since you have a CSSLP, you likely have a job in software develop or perhaps project management. Within this job, take a visible interest in the components with security aspects (input validation, testing, release management, volunteer for DR rehearsals, etc.). Also, read up on the areas you feel weak and ask others in your company to help you learn things (e.g. the networking group can explain the difference between routers and switches and the AD group can explain how group policy is used for privilege management). As you show interest, you will find that assignments with those aspects tend to come your way.
Back when I ran firewalls, I had someone approach me this way every year or so. I was always happy to help. In part my interest was to "advance the profession", but my more immediate goal was that when my colleagues understand how my equipment works, the requests for service become more implementable and the colleagues start to become advocates (especially with troubleshooting).
@Andy69 wrote:So I think that a godd idea could be to organize some fake trainig-on-the-job that could be useful for those who wants to earn experience to report in CV resume. For instance, a real incident management handling or a risk assessment, or something like that. It could be the country isc chapter that could organize such workshops.
Such role-playing and case study activities can be high value training, and I would never refer to them as "fake." But they should also be portrayed in resumes and interviews as real-world oriented training, not as work experience. Many SANS courses use just this sort of activity in their training, to great effect.