I have a vocational-tech certificate in information security management and I am looking for an entry level position. What advice could you give me to try to obtain a career in information security? Thanks.
I've been asked this question a lot. Here's my take; your mileage may vary. I’ll try to outline some thoughts I have about starting a career in cyber. Bear in mind that I’m just one person – one opinion. But my degrees are from real colleges (not diploma mills), I've been doing SW development for 17 years and cyber for 6. I’ve been in technical roles, formal leadership roles, you name it. I like to think I can give actionable advice.
tl;dr -- In my area, it's easiest to get an entry level job with a gov't org or contractor. Get some experience to beef up your resume: Be able to talk to DISA tools, know what RMF is, set up a home lab to run tools, sign up for online courses at edx.org and the like, learn Linux, Python, Ruby, among other things.
When you say "information security management", have you asked yourself what that means? I'm not trying to be difficult here; it's just that that term means A LOT. Are you looking for a management role? A technical role? How do your interests correspond to such roles?
I think for someone getting into cyber, IA, security, whatever, it boils down to two types of disciplines: defensive cyber and offensive cyber.
Your best bet at landing an entry level job is probably in defensive. So the body of this email will focus on that. In my geographic location, the majority of those jobs have government customers (I don't know if that differs for you).
I'll also focus on becoming technically inclined. I do this for two reasons:
1. There are already too many people in IT/IA/cyber/etc., with certs who don't know technical stuff. We don't need any more test takers polluting the industry.
2. I don't know of many decent management/analysis entry level roles -- unless you went to a top tier university.
The good news is it will be way easy (provided you accomplish a few things below) to get hired in a gov’t, defensive, job once you meet some mandatory requirements. I’ve seen reqs open for up to 2 years as companies compete to find enough bodies to fill open positions. There just aren't enough people to meet that kind of demand right now.
The bad news is in gov't work you’ll work with a LOT of difficult people who talk a good game and think all the alphabet soup after their name equals credibility -- here's a hint, it doesn't. Practical, relevant experience equals credibility. A cert like the CISSP is really just for auditing purposes these days (meaning someone can get a Sec+ or CISSP these days without having actual knowledge; you'll see it every day when you get experience). But you need it to get your foot in the door!
If you find an offensive job req and get an interview, go for it!!! But, just to be fair, there aren’t many offensive, penetration testing jobs at the entry level. I would expect you to get hammered on Linux, OSI layers, TCP/IP layers, memory stacks, attack methodology, payload injection, bypassing intrusion detection, bypassing antivirus, scripting – especially lots of scripting, ARP, NAT, DNS, and a whole bunch of other alphabet soup. NOT just the theory of those things but during the interview going into a lab and setting up a man in the middle or ARP poisoning attack for the people you're interviewing with.
For defensive roles, the following will make you a good candidate for scoring an interview:
1. You need a certification (mandated by federal reg that people who have access to information systems have to have some type of cyber cert). Go for the CISSP. It still has cachet. You can still take the test and become an Associate of ISC2 until you get enough time on the job to be awarded the full CISSP. Someone on my team fresh out of college did that with no problems.
2. You need to know Linux. I imagine there are some Windows only shops around there but the fact of the matter is Linux is used throughout IT and you WILL come across it one day.
3. Be able to speak to RMF. The Nov/Dec 2017 issue of the ISC2 magazine has a sidebar listing all the sources to read for RMF. Check it out.
Also, set up a development environment at home. I personally like to see initiative in people I interview -- that goes a long way! There are lots of free tools for creating a lab... Oracle VirtualBox is a great VM manager (especially from the networking side of things) and is free. Linux is free. I would recommend staying away from Ubuntu to learn Linux. Go with something RPM based. CentOS is just like RedHat but without the updates configured out of the box. Give it a spin.
Speaking of free... and trying to get more experience:
There are two websites which are collaborations of universities and which are free. Sometimes their pages throw popups or ads for upgraded services, but you can audit any course for free. Simply ignore the paid-for prompts.
Go to https://www.edx.org and sign up. It was the first MOOC and was started by MIT. Since then, highly regarded schools, such as the California system, Texas, Harvard, and Michigan, have become part of the program.
If you type Linux in the search box, you’ll see lots of goodness. The first two results are: “Introduction to Linux” & “Fundamentals of Red Hat Enterprise Linux”. That’s an awesome start. When you get familiar with these taking a MOOC class, you’ll come across more offerings (like Python, Ruby, etc. -- take those courses).
Go to https://www.class-central.com/universities and search too. This site is okay (it also links to coursera.org) but I will say two things about it. It’s a portal for 800 organizations. Therefore you may come across a link back to edx.org. Also, do watch out for some of the courses from the University of Colorado System where Edward Chow is the instructor. I took Fundamentals of Hacking and Patching with him and it was poorly organized, communication was a barrier, and technically, there were some fundamental problems with it. My course critique and errata were longer than all the homework I did combined. It’s harder to unlearn baloney than it is to learn something correctly the first time... so be careful.
Learn what a STIG is. For a defensive cyber role in government, this will come up. https://iase.disa.mil/stigs/Pages/index.aspx
Everything on that site, except for For Official Use Only stuff, can be downloaded from anywhere.
Learn how to use a STIG. One method to use a STIG is called SCC. SCC is a SCAP tool. DISA doesn't allow downloading it from non-official sources so you'll have to use OpenSCAP (google that) instead.
Learn the difference between an automated check and a manual check. For manual checks, try to come up with some methods to automate them (hint: scripting -- bash and PowerShell).
Good luck!
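The "automate the manual checks" step from the reply above, as an added example that is not part of the original post: a small POSIX shell checker that turns two STIG-style configuration checks into PASS/FAIL findings. The thresholds (60-day password lifetime, PermitRootLogin no) and the sample config contents are assumptions constructed for illustration, not quoted from any STIG.

```shell
#!/bin/sh
# Added example (not from the original post): two STIG-style checks turned into
# scriptable PASS/FAIL results. The thresholds (60-day password lifetime,
# PermitRootLogin no) are assumed for illustration, not quoted from any STIG;
# the config files are constructed inline so the script runs offline.

# Print the value of KEY from a login.defs-style file (commented lines never match).
get_def() {                      # usage: get_def FILE KEY
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Check 1: PASS_MAX_DAYS must be set and at most 60 (assumed threshold).
check_pass_max_days() {          # returns 0 on PASS, 1 on FAIL
    v=$(get_def "$1" PASS_MAX_DAYS)
    if [ -n "$v" ] && [ "$v" -le 60 ] 2>/dev/null; then
        echo "PASS  PASS_MAX_DAYS=$v"; return 0
    fi
    echo "FAIL  PASS_MAX_DAYS=${v:-unset} (expected <= 60)"; return 1
}

# Check 2: sshd_config must say PermitRootLogin no. A missing directive is a
# FAIL on purpose: the compiled-in default varies, so the check fails closed.
check_ssh_root_login() {
    v=$(awk 'tolower($1) == "permitrootlogin" { v = tolower($2) } END { print v }' "$1")
    if [ "$v" = "no" ]; then
        echo "PASS  PermitRootLogin=no"; return 0
    fi
    echo "FAIL  PermitRootLogin=${v:-unset} (expected no)"; return 1
}

# Run all checks; the exit status is the number of findings, handy for CI.
run_checks() {                   # usage: run_checks LOGIN_DEFS SSHD_CONFIG
    fails=0
    check_pass_max_days "$1" || fails=$((fails + 1))
    check_ssh_root_login "$2" || fails=$((fails + 1))
    echo "$fails finding(s)"
    return "$fails"
}

# Constructed sample configs standing in for /etc/login.defs and sshd_config.
LOGIN_DEFS=$(mktemp); SSHD_CFG=$(mktemp)
printf '# PASS_MAX_DAYS 60 is commented out, so it must not count\n' > "$LOGIN_DEFS"
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS 1\n' >> "$LOGIN_DEFS"
printf 'Port 22\n#PermitRootLogin no\nPermitRootLogin yes\n' > "$SSHD_CFG"

run_checks "$LOGIN_DEFS" "$SSHD_CFG" || true   # prints two FAIL lines and "2 finding(s)"
rm -f "$LOGIN_DEFS" "$SSHD_CFG"
```

Point the two functions at the real /etc/login.defs and /etc/ssh/sshd_config to run the same checks on a live host; a nonzero exit status then means there are findings to review.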
Thanks for the suggestions.
Great question. Have had my CISSP since July and Sec+, CCENT, CHFI and ITIL V3 Foundation before that and still can't buy a job in INFOSEC! Either I have to learn to lie like the rest of the industry or become a plumber!! lol!
> Have had my CISSP since July
You mean just having a CISSP employers aren't throwing themselves at you? That's not what I have been told in here!
</sarcasm>
On a serious note, I hope something pans out for you soon.