Community Champion

Re: A little help for an aspiring Information Security professional? :)


@Belg wrote:

@JKWiniger 

 

Here is the thing. It's not about what I like but what I CAN do at this point 🙂 Let's put it this way: I understand much more than I've ever had a chance to do. I can set up a network, but I haven't had a chance to do that much. Then set one up on your own. I understand how to build a computer from parts, and I will easily get the hang of it, but I've rarely done it in real life. Then purchase one and build it. I have an aptitude for learning programming languages, and I can take very little time to learn and start thinking in terms of that language for solving problems, BUT I'm not going to just start learning programming languages at random. I really want to start learning Python, but even in learning you need some guidance as far as how you need to use it and for what. So learn Python. So, at this point I'm more Ops than Dev, but I have always believed that one needs to be able to do both to succeed. For example, I don't believe that one has business talking about firewall rules and using them to mitigate risks if he or she does not actually understand how to write those rules. That may be an extreme position that is actually holding me back, and I may need to try and scale down my expectations of myself, but, on the other hand, it is very difficult to lower that bar for myself.


So I added some bold items in your post. The reason I did that is because I have been in the same position as you. You will never learn to ride a bicycle if all you do is read books on riding bicycles or just watch the Tour de France. If you wait until you know as much as you can about bicycle riding BEFORE actually trying to learn how to ride a bicycle then you will have missed many opportunities and be behind the curve in actually learning how to ride. Eventually you have to find a bicycle to ride. You either buy a used one, a new one, or find a friend that will let you borrow theirs. Perhaps you find a company to let you have a trial period on a bicycle.

 

I found out early in my career that there were a lot of jobs going undone because no one wanted to volunteer to step up and do them. There were plenty of opportunities to be had. Sometimes I had to create them myself. Once, while cleaning up, I found installation CDs with server OSes on them. I asked my boss if I could create a test network with them and some other spare parts lying around. Sure, I didn't have the fastest servers out there, but I knew how to set up DNS, Exchange, DHCP, and other servers because I tried and failed and tried again until I got it working. I wasn't able to do this in my "regular duties" but I gained experience that I never would have gotten in my paid duties. I did however gain some valuable insight into those areas that helped me troubleshoot some issues I ran into during my normal duties. We had 30 printers lying around because they were "making loud noises and grabbing too much paper". The company had a need for more printers but no budget to buy more. I took a look at them and found out that the pick-up rollers had been worn smooth and were the cause of the problem. I ordered some rollers to fix all of them for the cost of less than half of a new printer. So you see, I made opportunities where there were none. I volunteered to take on tasks that were not being done, even inventing some myself. I created security roles that I could fill (and I am not talking about sabotage or intentional misdeeds so I could rush in and be the hero). In other words, there was no established responsible person for security, so I volunteered to add those duties to my current duties. I kept looking for and finding opportunities to add more experience and bolster my resume.

 

I also have been the selecting official for hiring so let me shed some light on that topic. If you keep thinking you have to be perfect BEFORE you can apply for jobs, you will not get hired. I have yet to meet one candidate that had EVERYTHING listed in the job duties. I have also had the experience of having people that applied for jobs who overstated their experience. I once had a person apply for a server administrator position whose IT experience consisted of using Microsoft Word, Excel, and PowerPoint. USING, not installing, maintaining, troubleshooting, etc. She lied on the experience questions and got past the computer filters. I interviewed her anyways to see if she would say something like "I know my professional work experience doesn't amount to much IT experience but, you see, I have this lab that I set up in my home where I practice installing OSes and other software, I rebuild computers to see if I can make them work. I read all I can and I am just looking to get a start in IT and I figure if I am just given a chance, that person won't regret the decision to take a chance on me." But I didn't get it from her. I might have taken a chance on her if she had. The interview just further proved that she was in over her head. (This is not bashing women in IT, just this one candidate who happened to be a woman. I have also had underqualified men too.) I often look for candidates who are at least minimally qualified but show eagerness and passion for the field or ambition to learn and try. I prefer the golden candidate but rarely ever get it. I have gotten some that are close but they also had the passion or ambition.

 

If you see a job that you have at least 50% of the skills for and have the ambition to learn the rest, then apply. Or if it is in a specialty that you have a lot of experience in but lack a lot of the other duties, apply for it. If you learn Python but end up getting a job that uses something else, you still will have learned some valuable skills. Learning the desired programming language will also be easier. Don't count yourself out if you don't have everything or do not feel like you are a guru at some of the items.

Newcomer III

Re: A little help for an aspiring Information Security professional? :)

@CISOScott 

 

Thank you for that post. It really means a lot coming from someone who actually does the hiring in the field. The bike analogy is a little bit simplistic, though 🙂 To make it more fitting, we need to mention that the bike is very expensive, and someone has to take on the risk of letting you use it knowing that you haven't actually ridden. Someone has to be willing to say, "Okay, you seem to know a lot about bikes, and you really want to ride them and learn even more. I have an expensive bike here that really helps our business make money. I'm going to let you ride and take care of that bike, and I trust that you will do a good job and not put our business in jeopardy" 🙂

However, you seem to be the person who would do just that, and I really appreciate it. I will take heed and try myself where I may not fit 100% on paper. In truth, I know that there is literally no chance where you can fit 100% right away, but it is still daunting to even come to an interview knowing that you are not up to par. That makes any negotiations much more difficult, in my opinion.

Community Champion

Re: A little help for an aspiring Information Security professional? :)

@Belg you are correct about the interviewing part too. Not enough people practice interviewing and are therefore nervous. One of the things I do to help my workers is this: When I am performing interviews, I will invite them in to sit as a quiet observer as the panel interviews several people. Doing this allows them to see how interviewees look from the other side of the table. This is valuable experience to be gained by watching other people interview. Ask your boss if they might be willing to let you sit in while they interview people as a learning experience. They just might let you do that.

 

A word about interviewing. Most interviews I have been in follow an almost predictable bell curve. There is a group that does poorly (too nervous, inexperienced), there is a group that does moderately (some experience) and then there is a group that does well (confident, says the right things, has the things we are looking for). You need to practice. One tool I recommend is Googling "VA PBI interview questions". It is a spreadsheet put out by the US Dept of Veteran Affairs and it has about 80 or so interview questions that are PBI, or Performance Based Interview questions. I recommend downloading this and then going through each one and coming up with work/life experiences for each one. If you find you do not have enough experience to answer the questions, go find the experiences. Remember that volunteer experiences count too; it doesn't always have to be paid experience. If you will do this, your confidence will increase in interviews and you will find that even if you do not get the exact same questions, you will have some answers that can be adapted to fit other ones you may receive. Also Google "Tricky interview questions" to help prepare you for some of the wacky ones you may get.

 

When you have done this, then have someone practice giving you mock interviews.

Community Champion

Re: A little help for an aspiring Information Security professional? :)

@Belg @CISOScott 

 

Thanks for joining in, more opinions is always better! I am reminded of when I interviewed someone for a hardware position years back. I pointed to an IBM ThinkPad docking station, yes, the big one you could put drives in, and told him to open it. He was a bit nervous, said a few times that he had never seen one before, he tried and he opened it. To me, he was honest, he did not know how to do it, but he tried and figured it out. I saw these as great qualities and hired him. There was someone else who was hired when I was out. After doing no work for a week or two because he was busy reloading his desktop, which he did not ask if he could do, he had to go!

 

Something I feel a lot of us face, I know I do, is that sometimes we look at positions and think they are much bigger than they are. I think I imagine what I would expect the position to entail instead of finding out what it really entails. I'm going to be looking for a new position and with my knowledge I can pretty much pick what I want. This is where a wide breadth of knowledge can make things hard. On one hand I am EXTREMELY good at troubleshooting and root cause analysis, so I think to myself, in an engineer type of a role I could resolve all kinds of problems. But on the other hand I am good at seeing the bigger pictures and developing plans and strategies, so a management role could be too. I decided that I should probably look more towards management because if I am helping making work at that level hopefully things will run smoother at the lower level and require less troubleshooting. I am tossing around the idea of looking into a CISO position, but since I have not held that role before it can be a little scary as I probably think it's more than it is. And from what has been said here and other places it can be a pretty crappy job depending on the company. There is also the aspect of pay versus responsibility. If a lesser role pays the same and has a lot less headaches, is it worth going after the higher role?

 

John-