Transition - Physical to Information

Jroberts0508 · ‎09-26-2020

Hi All,

I have currently been working within Physical Security for the past 12 years. Done ok with my career and climbed the ladder from being an Officer, to having regional accountability.

Recently I have been involved in managing a few projects with access control systems and CCTV - transitioning to IP. Information Security has always peaked my interest and something I have been considering for a while now.

I am on the road to completing the certificate in information security management principles, looking further at Network+ & Security+. The only thing with the transition to which I am asking for some guidance is the starting point, I have read in some places it is essential to start with a job such as IT Support before moving into security, then other places stating its possible to start in Information Security direct.

Just wondering peoples thoughts on this? As trying to obtain a IT Support job is likely to be a massive pay decrease in comparison to my current role, but if this is a must so be it...

I have no experience in a specific IT role, but as mentioned above, have some project management experience within. Any suggestions on other certifications/learning that could help would also be greatly appreciated.

Thank you.

rslade · ‎09-26-2020

> Jroberts0508 (Viewer) posted a new topic in Career on 09-26-2020 02:30 PM in the

> I have currently been working within Physical Security for the past 12
> years. Done ok with my career and climbed the ladder from being an Officer, to
> having regional accountability.

Welcome. I'd say you were in a pretty good position. I did a stint in physical
security myself, I know the field more than most of my geek colleagues 🙂 I've
always said that the physical security people were our natural allies in the business
environment.

> Recently I have been involved in managing a few
> projects with access control systems and CCTV - transitioning to IP.

Internet Protocol or Intellectual Property? 🙂

> Information
> Security has always peaked my interest and something I have been considering for
> a while now. I am on the road to completing the certificate in information
> security management principles, looking further at Network+ & Security+. The
> only thing with the transition to which I am asking for some guidance is the
> starting point, I have read in some places it is essential to start with a job
> such as IT Support before moving into security, then other places stating its
> possible to start in Information Security direct. Just wondering peoples
> thoughts on this? As trying to obtain a IT Support job is likely to be a massive
> pay decrease in comparison to my current role, but if this is a must so be it...

Yeah, getting an IT support job *would* definitely be a massive pay cut, and,
unless very carefully chosen, is unlikely to get you the background you need very
fast. You might, on the other hand, look for a job *managing* IT Support ...

> I have no experience in a specific IT role, but as mentioned above, have some
> project management experience within. Any suggestions on other
> certifications/learning that could help would also be greatly appreciated.

I'd say you were in a relatively good position to go for a job managing information
security. You've got the management background, which is the important thing,
and harder to obtain or build. In terms of getting the tech background, you might
want to start with our good old recommendation of "Security Engineering," by
Ross Anderson. ( http://www.cl.cam.ac.uk/~rja14/book.html )

For other technical areas, I've got a bit of a recommended reading list at
http://victoria.tc.ca/int-grps/books/techrev/mnbksccd.htm
separated out by domain (although using the older 10-domain model, as it is a bit
cleaner, academically).

Don't know where you are, physcially, but I'd look around for local security
groups, and get in touch. Good way to build contacts and get advice. Also get
stuck into any volunteer infosec projects going. Yes, during the pandemic some
of that is going to be more difficult. However, there are still virtual meetings
going on (look in the Chapters area, if it's stll open), and virtual BSides events.
(Our Vancouver Chapter is open to all, and we've got ongoing discussions via both
email and Slack http://www.infosecbc.org/ ) You might even want to offer
presentations on topics like the physical security of technical equipment, and that
sort of thing.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
All persons ought to endeavor to follow what is right, and not
what is established. - Aristotle
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468

JKWiniger · ‎09-26-2020

@Jroberts0508 @rslade While I agree with everything that was said I want to add a different point of view!

I can understand how it is easy to focus on the technical aspect of information security, but there are other aspects, which I feel you might have and not give yourself credit for! What is you understand of security risk? Backups? Redundancy? A lot of these I see more as soft skills rather than technical skills, and the apply to both physical and information security. The higher up you look at positions the more you get away from the hard technical skills and more into the soft skills.

Information Security has such a wide range of different jobs and duties forget what people say and really look into things and ask yourself what do you want to be doing. And I bet it's not support! Can you understand what things might be possible risks, single points of failure, knowing how to pivot if a situation happens? I could be wrong but I'm betting you have a lot more to offer than you let yourself realize, and I only say this because I have the same problem!

What are your thoughts? I would rather see people work with you to get the right answer than just an answer...

Hope this made sense..

John-

Jroberts0508 · ‎09-27-2020

Thank you for the warm welcome! Great to also hear from someone who has been through this transition.

May I ask how you entered information secuirty from the physical background?

Thank you very much for the recommendation material and appreciate you taking the time to reply.

Jroberts0508 · ‎09-27-2020

Hi John,

Thank you for your response.

To answer your questions, yes, I have knowledge on risk management, backups, redundancy, single point of failure etc. This knowledge was originally gained through completing the CSMP - Certfied Security Management Professional Level 6 Diploma. Further transferring this into my job role along with vulnerability analysis, protection in depth etc.

Maybe I am not giving myself enough credit! I think my original worry was I have "earned my stripes" within physical working from the ground up gaining experience at all levels. I worry jumping into Info Security management not having the knowledge to advise on the technical aspects since I would be managing a technical team. Although, I am hoping the cert in information security management principles, Network+ & Security+ would give me a good base knowledge along with the recommendations on this thread.

I actually have enough experience, in enough domains to go for the CISSP... but I think this would silly given I have no direct, specific IT experience - not to mention the difficulty with my experience!

Its probably the experience requirements that will go against myself when applying for these roles, as many request 2-5 years experience in information security management.

Can I ask what your background is and how you broke into the infosec industry?

Thanks again, much appreciated.

JKWiniger · ‎09-27-2020

@Jroberts0508

I know exactly what you mean about feeling like you need to earn your strip, but it seems that it not really the world we live in anymore. It is a good thing, but so many have little knowledge, think they have way more than they do and get get jobs. You have probably seen many threads about how broken job descriptions are where they want 2-5 years experience for an entry level position, or there was one I saw where they wanted more years experience that the product existed for!

As for me, I have been in IT for 30 years. I worked my way up and worked in most areas, I did as you say earn my strips. But now, it seems like that doesn't really matter. I see good looking jobs requiring a lot less experience than I would have imagined. Having come up doing so much has actually hinder me. I can do so many things in so many areas I struggle with figuring out what I want to be doing next. I have noticed where sometimes a lower position seems to pay more than higher level positions, which makes no sense to me. When I said you need to give yourself more credit, I tell that to myself all the time. I pick things up easily and because of that I don't give myself the credit that I should. I am not sure if you are aware of imposter syndrome, but I had seen a post that changed that for me. Basically it said something like, stop trying to have all the skills you need because everything is always changing so that is next to impossible, but rather look at what challenges you have overcome and what challenges can you overcome! That really spoke to me.

Here is something I have been realizing, I can see the big picture, how different systems interact with each other, how seemingly unrelated items actually tie in and effect each other, and it's because I earned my strip and have been in so many areas that I can do this. I also see things that others don't. I remember a long time ago walking through a sever room and just hearing the wrong high pitch.. listened more closely and was about to point out a hard drive that was starting to die and the pitch was the spindle going bad. With lower level positions people with only know a small part of the bigger picture that they need to do their jobs because that's all they need to know. I kind of miss those times because things where easier. Now I'm going ok, so where do I fit in. Another good point is I have worked for places where there wasn't much of a job description so after years I had to figure out what has this stuff I have been doing called? I can't just say, I do stuff!

OK, I really need some coffee...

That's my story if I went off on a tangent at times,, ya coffee that's it!

John-

Jroberts0508 · ‎09-27-2020

You definitely earned that coffee John! Ha.

I can relate about individuals acquiring jobs thinking they have advanced expertise but in reality have basic. Seen it may times before and I am realistic/honest about my capabilities when interviewing - probably works against me!

I seen the job role you are talking about with the experience outweighing the product release, LinkedIn done a good job a sharing that! I suppose I should just start applying for these roles that interest me and disregard the experience requirements... hopefully a company will take the punt!

I have not heard of imposter syndrome, but something I will have a read into.

Thank you.

JKWiniger · ‎09-27-2020

Sadly the coffee didn't seem to do the trick today!

I wouldn't say to ignore the required experience, but rather that a lot of your experience in physical security carries over to information security, and it maybe experience you can't just pick up in a book. This is not always easier to do, but see if you can step outside of yourself. Find a job you are interested in and think of yourself as the person hiring for this job, and your resume is just something that came across your desk. If you can do this it lets you be really objective about what is needed and what the person who submitted that resume has to say and offer. It's like if this was on someone else's resume what would I think of it? Are these just random tasks or do I really get a feel for what this person has and can do. Personally I am working on coming up with one line scope summaries of what I did in past positions, and then the bullet points under neither will be more of the tasks I did to achieve what was in the scope. I have been procrastinating it because to me I it's new to me and I don't want to get it wrong, and if I was talking to someone else I would say there is no right or wrong, but telling that t myself isn't always easy...

Just something to think about..

John-

TonyVizza · ‎09-27-2020

Hi Jroberts0508,

Well done on considering a career in cybersecurity! I have been involved for many years with the physical security industry (in fact have published a number of articles for a magazine called Security Insider in Australia that is written for physical security. I can categorically suggest that many of the day to day skills you would have picked up in your career there will definitely be transferable to cyber security. I also note your project management background as well which will bode well for a cyber career.

My suggestions to you are that your current approach (Network+, Security+ etc) will help you further some of the fundamental knowledge that a person in Cyber will need. A good certification to further this and one that I would also recommend is the SSCP.

I would also suggest that a good potential career in cyber for you utilising your current skill set and incorporating your knowledge that you are acquiring will be in the governance, risk and compliance areas, and perhaps even in auditing. You may want to augment your skills further and pursue ISO27001 Auditor status, for example, or PCI-QSA. These roles wont need you to be highly technical but will allow you for the most part to use what you know and apply them to a cyber context.

Hope this helps!

rslade · ‎09-28-2020

> Jroberts0508 (Viewer) posted a new reply in Career on 09-27-2020 04:26 AM in the

> Thank you for the warm welcome! Great to also hear from someone who has been
> through this transition. May I ask how you entered information secuirty from
> the physical background?

Actually, I had been researching malware (specifically computer viruses) for some
years before I got into physical security. Oddly, all my research in that area, and
the fact that two of my books were in the reference library for validating exam
questions, counted for nothing, and the fact that I'd worked in physical security
was the only thing that I could use for endorsement after the exam. (In those
days you only needed one domain.) In the eaarly days, I wasn't allowed to speak
at security conferences, because nobody figured that computer viruses were a
security issue.

> Thank you very much for the recommendation material
> and appreciate you taking the time to reply.

Quite welcome.

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 0367682699
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468