

Best way to enter into Info Security Career

By redsgirl
I am a recent college graduate with a degree in CIS. So far, I have only held two 'computer related jobs'; one with the title of 'Computer Support Specialist' and my current title of 'Computer Operator'. More and more I am becoming interested in Information Security. I was wondering if anyone has any suggestions/ideas/comments, etc. on 1.) how to come from a job of 'Desktop Support'...
User: "Um, How do I turn on my computer? (lol)
..." to entering into the world of Information Security.
2.) Should I begin to study for CISSP this early in the game? Is CISSP the right starting point cert? Do I need to start w/ a cert?
3.) What should I be doing NOW in my current job (I report to Sys Admin) to 'dabble' in this area?
...By the way YES I have been on the internet and reading a few books, just thought I'd poll the TR community & get some wisdom/suggestions from you guys!!!



gaining experience

by stress junkie In reply to Best way to enter into In ...

The real trick to security is getting used to what is or is not a security problem. Whenever you see any kind of system configuration you will immediately start to look for weaknesses. It helps if you know what kinds of problems have been experienced.

For instance, one temp job I was working was to install DEC Pathworks on a DEC Unix machine in a Windows for Workgroups environment. The people were spending a lot of money to make the server more secure because a belligerent employee had deleted all of their files and then quit. Naturally they didn't have backups and they wanted to be able to restrict each employee's access to files. Now when I look at any computer configuration I try to think of all the ways that a belligerent employee could do damage and then I try to figure out how to close those holes in the security. That's just an example. I've learned a lot by being called to this business or that business to repair some damage caused by accident or malevolence. It's hard to study for that. You just start to get a feel for it.

If you are on good terms with the system administrator to whom you report then ask if you can do a thorough security audit of the business systems under your care. You will learn a lot. You still won't know what to look for unless someone shows you or you see what has happened in the wake of bad security + bad or ignorant people. You can look into various security tools such as nmap for network access vulnerabilities. Looking for these tools and then using them on your own systems would be good.

I don't know where there is a comprehensive list of security vulnerabilities such as having wide open file access to system files or other users' files. You can look at,,, and other sites like that. It still won't give you a really good feel for security but it is a first step.


Some pointers

by Kjell_Andorsen In reply to gaining experience

Instead of trying to jump directly from end user support to Security I would strongly advise trying to move into a network admin or sysadmin role first. Getting to know the ins and outs of how a network works is essential for really understanding the security aspect. Once you're very familiar with networks you can start specializing in security. There are numerous Security related Certs, the VVSP seems pretty hot these days and might be worth looking into.


info on VVSP?

by elrico-fantastica In reply to Some pointers

Hey peeps,

I'm interested in heading in a similar direction also with my career.
I'm already in a sysadmin role and wouldn't mind getting some required reading or starting to study for the right certs.

I googled VVSP certification but I can't find info on it. Does anyone out there have some direct links for this or other security certs?



The value of proof-reading...

by Kjell_Andorsen In reply to info on VVSP?

...that you don't make embarrassing mistakes like I did. I meant the CCSP not VVSP. Sorry about that


Few more points to add ...

by unni_kcpm In reply to Some pointers

1. As mentioned above, Information Security arena is a very critical and wide information + experience required area and freshers with limited experience won't suit to it (No discouragement but to give yourself a yardstick).
2. Sure, it's a VERY VERY CHALLENGING and promising job area (Me too aspiring for it !!).

Certifications :

CEH (Certified Ethical Hacker), CISA (Certified Information Security Auditor), CISSP and many others are some of them besides MS, CISCO related certifications which will give you more throughput and knowledge in the IT field.

Best Wishes !


Making the jump.

by bgrime In reply to Best way to enter into In ...

I just recently made this move (Desktop to Security) and the one pointer I will give is show an interest and make it known that you have an interest in Security. I told the Director of IT that I had an interest and I also showed an interest with the current Security staff. What this does is when a position opens if your company considers you to be an asset they will know that you have an interest and hopefully with working with the Security staff they will be more willing to trust you.


Certification a good start

by goonigoogoo In reply to Best way to enter into In ...

CISSP certification would be an excellent start. However, the ISC2 governing body now requires experience and the recommendation of another CISSP (in addition to passing the exam) to earn the certification. Passing the exam alone can earn you the Associate of ISC2 certification. This will open some doors for you. You can then get some experience, and later get the CISSP title by experience and continuing education.

The CISSP is much more broad than many of the other certifications. So depending on your interests, it may not be the best path for you. Typically, CISSPs are senior level security personnel. They are more focused on decision making, and less hands on.

I am a security architect (studying for my CISSP), and typically network security, system admins, and physical security people take action based on my recommendations. This is not true for every organization (and is not meant to diminish the value of other certifications), but the CISSP is not nearly as technically deep as many other hacking and network security certifications.

Good Luck!


Other certs?

by eva2k1 In reply to Certification a good star ...

In your reply you mentioned other "network security certifications". Can you tell me which ones? I have been considering Security + and CISSP. I already have a CISA, and I work mostly in audit, but I really want to jump to security design and implementation. Thank you.


RE: Other Certs

by goonigoogoo In reply to Other certs?

If you really want to get into the implementation, you can get certifications from a number of vendors (in addition to those offered by security bodies -,,, Microsoft, Novell, Sun, Cisco, IBM (per system AIX, iSeries, Mainframe) all offer certifications on their security products and architectures.


Just do it

by ~Neil In reply to Best way to enter into In ...

Authors have a saying when they're asked the question; "to be a writer, you must write."

Experience doesn't mean you got paid for it (that's 'job experience'), it means you've done it. Free experience is still experience.

Regardless of what part of computers you are interested in, do it at home. Old cheap hardware is readily available. Set yourself up a home lab, and try the stuff out. Put two PCs together, and try to crack one (*not* somebody else's). Harden it. Repeat. Every time you break it, fix it. Every time you fix it, try to break it. If you can't do a lab, try virtualized PCs. Books are a start, but actually immersing yourself in the stuff is how you learn it.

When you sit down with a job candidate, and talk to them for a couple of minutes, it's fairly apparent who has read about it, and who has done it. They will ask you "have you ever used X" questions, but I've never had one care *where* I used X.

If you can speak knowledgably and comfortably about security issues (and the nuts and bolts stuff) then you are a resource for your admin; it's easier to get security-related tasks from them.

Not to knock the certifications, but experience trumps paper. Having both puts you yards ahead of your competition.
