I'm currently seeking my next position, but having a tough time of it. I started in IT management and have been moving into security for the last 10 years, but I am guessing that my limited experience is putting off prospective employers.
I'm looking for new opportunities and suggestions on how I might advance my experience while I'm searching for my next job (i.e. classwork, labs, demos, new certs. CISA or CISM?).
Thanks in advance for any advice or suggestions.
The most actively asked question about security is: how do I gain traction in the security field without experience? The answer is, it's difficult but not impossible. First you need to ask yourself what exactly you want to do in security and what your skill gaps are to get there. Security in general is a huge field, but one where you really need to know the underlying technology to be able to secure it. I had no idea until recently just how complicated Identity and Authorization Management could get, taking months to learn all the various layers and complexities of securing this environment and hundreds of hours of combined effort to get there. This is an example of hard learning that took more effort than imagined at the start. The result is my architecture will meet the client's demands as the technology becomes robust enough to satisfy the requirements. In a couple of years. Again, you really need to understand what it is you're working with before you can secure said technology.
Today I work with a number of past and present security managers, directors, all the way up through CSO/CISOs doing remarkably well on the front lines as security engineers and architects. Really, it's more common to see former executives on the front lines than you may think. The reason is simple: most management level positions no longer exist. My current project team of 750 has one true manager but a ton of lead roles. We are extremely flat and I do not see this changing anytime soon. Then again, I am a consultant, so we have more project managers to fill those gaps.
Security and certificates can become a bit uncomfortable here depending on whom you're discussing the topic with. From what I am reading, you would likely be seeking another management role, looking for the CISM or CISA as the bridge to another management role. The CISA is the gold standard for auditors and probably the best place to start your security-based career. If you already have 3 years (it's been a while) of audit experience, this is an excellent certification to obtain. Otherwise, it's also one of the most fluffed up certifications on resumes. I see this cert too often on recent college grad resumes with zero work experience.
The CISM is aimed at active security managers and high level engineers or architects with management responsibilities. Certainly a good bolstering cert if you're already in the field, but in my experience it's just another nice-to-have element on your resume. Sorry, when Certification Magazine asks me if I outright cheat exams, I know it's become as commonplace as my consulting peers openly tell me.
Starting in security is a bit like choosing a major in college. Good luck.
Some simple suggestions:
1. Make a short list of your interests
2. Check out job boards for similar job posting, to identify requirements
3. Match those requirements against your skills
4. Map out feasible paths
Best of luck!
Your reply is greatly appreciated. So, I guess I need to break out my CEH lab book and start working on my hard skills. I agree about the different layers of new technologies. I was in the middle of implementing several security projects at my last position, and Privileged Access and IAM had complex inter-connectivity. There are positions out there for specialists. IAM seems big, but I don't have expert knowledge of any particular technology. My strength lies in seeing the big picture and putting together a plan of action and carrying that out.
I am finding that most organizations are making themselves more lean by getting rid of management positions. I still have decent systems skills on top of my security skills, but I'm not getting much interest in my resume. I'm considering removing the management experience.
Do you think prospective employers might not hire a former manager because they might be soft?
Again, thank you for your reply.
Almost all my peers at the architect level are former executives: a CISO, a couple of former directors and a bunch of managers. So, no, I see nothing stopping you from entering the security field at the analyst or engineer level. My past few managers have all been extremely technical but really just hold fancier titles than the titles may indicate. This includes myself. I was once a CIO after climbing the ladder, finding myself doing more and more hands-on technical work.
I would seriously suggest looking at the CCSP or other cloud-specific (AWS, Azure, Google or IBM) certifications, as these exams should have better ROI than a generic "tour of tools" type of exam.
As far as actual pentesting goes, I have reduced my former pentesting team by 90 percent by use of really good product automation. Really, some of this software is actually much better at detecting flaws than the manual testing we once did. But always "shift left" by first finding flaws at the developer level and working your way up the chain. Pentesting is now like throwing a life preserver when the victim is under water.