I see that the Department of Defense (DoD) has formally implemented the separation of duties between IT and Information Security. Now you’ll have to choose your track. I was blown away by this reality at a job interview. I was invited out to an interview for information security where we had a social night and were encouraged to bring additional resumes and visit other organizations within the company. I thought that it was only to my benefit to visit IT so long as I was there.
The hiring manager who received my resume was quite uninterested in me initially and he wanted to immediately pass me over to Security. I explained to this hiring manager that I did have IT experience. He began to ask me what he thought were very technical questions – all of which I not only answered, but where I could, I gave audit and security measures or solutions where appropriate. It’s my opinion that he was quite impressed since both of his areas were interested in offering me a job in IT. He was quite upset with the way that I wrote my resume “only to security” and not IT. However, IT is where I amassed all of my skills and it led to my current career in Information Security.
I guess it’s a sad chapter as I arrive at what I believe is the apex of my career. I honestly didn’t intend to come this far in Information Security, only to the detriment of my IT knowledge. I am from the old school of thought where they go hand-in-hand. However, it’s understandable why government contractors and the federal government would take this approach. Confidentiality of the "CIA" rules the day in government and federal contractors must comply.
I too cut my teeth in IT. I feel it gives me a very good understanding of how tech works, but also the ability to architect security solutions with the currently available resources. When I come across security people with a background in theory and very little hands-on experience, they normally (not always) are very rigid in their application of security practices and are not very flexible at all. I think it is a very big benefit to be able to know how IT works from a hands-on perspective. My advice to people wanting to succeed in IT security is to get some hands-on experience, and more than just a once-a-week or once-a-lesson lab during your studies. I think that one of the benefits of the CISSP is that they require you to have some experience in the field.
I see the separation as a natural evolution. I have been many places where there was not a dedicated security team. Mary did 10% security, Frank did 30% security, Joe was pulled into security roles when needed. IT security was spread out amongst many IT people, but no one person was declared IT security. This co-mingled approach did not allow for great reporting on the true IT security stance. Also the budget was co-mingled as well. It made it hard to fight for budgetary needs when the CIO controlled the budget for IT security as well.
I feel you on this one. Unfortunately, you are at a point in your career where your evolution through IT has cast a shadow on the IT things that got you where you are now in Security. I see it as a natural evolution as well, for larger organizations, where you can have two separate teams and two separate budgets. I hope that this resume reviewer now recognizes that a resume should be read and not gleaned and discarded because of keywords. Sounds like this person saw CISSP and immediately said this person only knows security.
Well this hiring manager evolved pretty quickly after he put in a little effort to investigate my systems skills. There's that rule to keep your resume as simple as a couple of pages... a rule that I never bothered to adhere to. Mine has necessarily been four pages or more because I spent a great deal of time as an IT / Security Consultant and in the military spanning 30+ years. I don't document all thirty - just my last ten. The HR filters could eliminate a qualified person based on what one may choose to leave off their resume. At the same time, not having enough information on the resume might encourage a hiring manager to move on from a viable candidate because that candidate attempted to follow the rule of two pages. SMH. It's crazy out there!
Right! You never want to feel you left something out, that may have gotten you in front of the right people. Also afraid that you may cause a tl;dr situation. Ugh!
Having come up through the ranks of both IT and later Audit before tackling security, I can only hope this practice is limited to the US Government or dies a quiet, if not well-deserved, demise.
A security practitioner or auditor, in my personal opinion, effectively do the required work without having a deep and practical knowledge base in IT, systems, networking or development. The idea offends me on so many levels. Leave it at that.
Cutting half our skills in half may be a great way to recruit people into the field but would hurt us, considerably, in the long run.
I'm in a similar boat with a long career in both IT and Cybersecurity. I made the leap in 2005 with a CISSP, and haven't really looked back.
Lately I find lots of IA folks who have no IT experience, and they seem to have difficulty understanding the business end of things, and the delicate balance between the two. They also often lack the understanding of the difficulties of scheduling maintenance with high availability and geographically diverse modern IT systems.
When I started my career there was no exclusive security domain. Access management, security policies, anti-virus, and firewalls were all the security there was.
I had to understand IT systems, protocols and technologies to be able to defend the infrastructure.
Security was not taught in colleges and most of my colleagues and I learnt on the job. Sometimes from our mistakes, sometimes from other people's mistakes.
I understand that Segregation of Duties is required so that no one person is responsible for the custody, authorization and record keeping of an asset. I can't understand the need for SOD between IT and security though.
Match your resume and job description using https://jobscan.co
Disclosure: I do not make any money or get paid if you use it.
My last "gig" with a US Federal Civil agency was a real test of my patience. They were practicing this very thing to the point of wanting the IT staff to complete the IA documentation! I vehemently opposed that. The customer agreed but my contractor didn't. Needless to say I'm now much happier elsewhere and the current DoD customer is not practicing this mind-numbing philosophy. Past customer is sadly saddled with the same contractor who is losing work elsewhere also. Hmmmmmmm