General discussion

  • Creator
    Topic
  • #2273339

    InfoSec Career

    Locked

    by kratos7 ·

    I need some help with two problems. I am trying to make a career change, and in doing so, I recently graduated with my Master’s Degree in Computer Information Systems. I also obtained a newer certification called a Certified Information Assurance Professional. I guess I figured that once I got my MSCIS and CIAP, I could basically get a job without much problem. That is proving to be more of a challenge than I thought. The first problem I am having is that I currently work in a non I.T. related field, that being a Trooper with the Michigan State Police. When I apply for I.T. positions I usually meet or exceed the educational requirements, but not the “formal” experience because I have been Trooping for the last 10+ years. The second problem I am having is that since everyone wants your resume electronically, the law enforcement experience is the only thing on there, and it seems to over shadow the education in CIS. Added to that is with the electronic resume, there really is no avenue to verbally sell yourself to employers. It’s the old cliche, “You need experience to get hired, but you cant get the experience because no one will hire you.” I’m not trying to start off as the CISO, I just want to get my foot in the door, and go from there. What should I do to get someone to just give me a chance?

All Comments

  • Author
    Replies
    • #2725168

      it doesn’t sound like you have the experience..

      by secure_lockdown9 ·

      In reply to InfoSec Career

      lets put it this way.

      i would like to do what the guys on the CSI TV show do. but i dont want to go through police academy or work my way through the ranks of experince into CSI. can i do that?

      (this might be a very bad example. i know very little about law enforcement, so for all i know, perhaps it is possible to go straight into CSI..but i hope you understand where i can coming from)

      • #2725064

        Agreed

        by kratos7 ·

        In reply to it doesn’t sound like you have the experience..

        I totally understand your example, as a matter of fact I didnt get a computer forensic position over a person who described herself in a newspaper article as a “hobbyist”, however that is exactly my point. As I said, I’m not trying to start off running the infosec joint, I’m just trying to get my foot in the door so I can eventually run the joint in the future. Everyone at some point in time started off with little or no experience. Any grad student will go through the same thing. I’m just looking for some hints to break through. The law enforcement just helps me with the part of infosec that is not the technical portion.

        • #2725022

          Reply To: InfoSec Career

          by secure_lockdown9 ·

          In reply to Agreed

          it seems there are a lot of differing opinions on this. i don’t think anyone is an expert. there are “hands on” info sec guys that do the work and there are “hands off” info sec guys that don’t really get involved in the technology. they hire someone who knows how to work with the technology.

          my opinions. if you want to eventually run the joint, probably a good idea to take some management classes and/or go for MBA. knowing how to configure ACL security on a ISP level router with your eyes closed ain’t gonna really help you run a joint.

        • #2724953

          Path

          by kratos7 ·

          In reply to Reply To: InfoSec Career

          I understand that. I used the idea of “running the joint” merely as an example. I really just want a chance to do something. How did you get started?”

        • #2724915

          Reply To: InfoSec Career

          by secure_lockdown9 ·

          In reply to Path

          my friend needed someone. i was between jobs. i was techy. my friend gave me a job.

          the first 5 years, don’t count on much. you really don’t know anything. you learn through experiece, self motivated education and flying by the seat of your pants in crisis situations.

          bottom line – if you have x # of years in your field at x salary. to get into IT, you will have to probably start at the bottom, meaning your salary will be really bad. it’s a tough decison to make.

          are you sure you want to get into info. sec? it’s a lot of looking at log files. the “fancy pantsy” hacker chasers are all hard core *nix guys.

    • #2725840

      Which kind of InfoSec?

      by gralfus ·

      In reply to InfoSec Career

      There are some who specialize in working on just computers, recovering files, documenting whose account was logged on and when, what happened when that account was logged on, etc.

      Then there are those who concentrate on the network side, trying to figure out how a system was breached and what can be done to rectify it.

      I have just started on my track of computer forensics. I finished an intro class a couple of days ago and will take a week long class in a month. According to the teacher, the vast majority of people who call themselves computer forensics experts have very little IT background and experience. All they know is how to run EnCase or some other tool, but lack the knowledge to really investigate a case (examine proxy logs, server logs, router logs, piece together file fragments, examine activity that took place while an account was logged in, check date and time stamps along with the current CMOS time, interpret the results inculding exculpatory evidence, solid grounding in ethics, etc.)

      Find a reputable school or instructor and try to get education in computer forensics techniques that go beyond how to use a particular tool. Get the Security+ cert. Set up a system at home that you can use to try out tools and learn how to do the above mentioned things. You need things that you can put on a resume, and demonstrable skills to show to an employer.

      Since you are a trooper, ask about how your state handles such investigations and what they look for in people they hire. Do an informational interview to find out what they do and if you really want to get into that branch. My teacher indicated that the majority of cases he deals with are civil and not criminal cases (divorce, contesting wills, wrongful terminations, etc).

      • #2720482

        Infosec Type

        by kratos7 ·

        In reply to Which kind of InfoSec?

        I’m looking at it from a wholistic perspective. Not concentrating solely on one. I lean more to the best practices to do the security, ISO 17799, not just on the technical aspects. From the research and education I’ve done, it appears that most people concentrate on the network, the techinical stuff. They work hard on making sure that John Q. Hacker doesnt get in, but they neglect or dont emphasize enough personnel controls. It’s good that no one can hack the network, but it’s all for naught if Sally Sue answering the phone is stealing the information on paper, or taking home laptops so she can really work on stealing information at home. It’s my belief (correct me if I’m wrong) that the tech stuff is the easiest. Most COTS aps come with some level of protection. So I guess I’m leaning more toward the management, operational, and administrative side as I believe the techinical will largely take care of itself.

        • #2720062

          Sounds more like gov’t specs

          by gralfus ·

          In reply to Infosec Type

          That level of security wouldn’t go over well in the typical company, so I’m assuming you are going to be looking for gov’t type jobs. However, most agencies and companies are going to want you to know the technical side as well so that you can be competent to judge the real dangers, not just regurgitate the theory given to you by books and teachers.

          Do you really think the technical will “take care of itself”? How will management prevent Sally Sue from doing whatever she wants with the info on the laptop once she has it? More and more companies are encouraging employees to work from home to reduce the cost of facilities (lunch rooms, lighting, etc). Security theories sound fine on paper, but reality (project deadlines, funding, work load) often dictates a different action.

        • #2719869

          Technical

          by kratos7 ·

          In reply to Sounds more like gov’t specs

          When I say the “technical will take care of itself”, I’m not saying that to trivialize it, I’m saying it from the stand point of keeping it in perspective, and that it is not the be all and end all to information assurance.

          For example, I went on an interview a few weeks ago with a company that did managed infosec services. (They were really more like Amway except with infosec services not products.) When I walked in the door, there was no receptionist, no bell on the door to announce that I was even in there. The receptionist left NUMEROUS invoices, addresses, checks, account numbers and stuff like that on the desk. How did I know what they were you ask? Because I had enough time to look at them! I actually had to walk through the office to find someone to help me, so I could have the interview. Sure their network was probably locked down tight, but had I been less scrupulous, I could have ripped that company off for millions of dollars before the week was out and forget the job. Out of all of the fraud investigations I have handled over the past 2 1/2 years, not one information theft has come from a hacker. It has always been from people stealing or mishandling the physical information. How many times have you gone to the doctor or dentist office and see those shelves of patient files out in the open, without any way of securing them? My doctor’s office got hit by an employee who stole the information of over 80 patients and one employee in a matter of two or three days, most of which was done outside of the network. I recently read a study that showed that companies lose more money through information fraud then through hackers and denial of service etc.

          So I’m not saying ignore the technical by any means, just that since much of that is automated and monitoring the automation as you eluded to, lets spend some time on the people and processes that deal with the information before it even gets into the network because that it is a bigger threat than people believe.

          I well know that the practical and the theory will clash, as they do in any industry, including law enforcement, but the best we can do is use that theroy as a foundation and implement as much of it as practically possible within the constraints.

    • #2725826

      If you have time in your schedule…

      by mlayton ·

      In reply to InfoSec Career

      …I highly recommend volunteering. There are many places that can use people right away, even for short term projects – and all that adds up to experience. Check out the non-profits in your area, or even some of the campaign hqs, or check with daycare/schools that may need some extra help. I also recommend looking at adding a SANS cert, which will give you a “practical” to undertake and that gets posted on the Internet, so then there is some referenceable work that you have as well. Good luck!

      • #2719919

        Helpful suggestions

        by jsfald ·

        In reply to If you have time in your schedule…

        Thanks for answering his question. It has helped me, too.

      • #2719867

        Good Idea

        by kratos7 ·

        In reply to If you have time in your schedule…

        I’ll have to look into that. The key you mentioned was “if you have time in your schedule”. I might have an opportunity to do some base teaching of infosec concepts, but that’s still up in the air. It would concentrate more on infosec exposure for interdisciplinary standpoint, for exapmle HIPPA for nursing students, etc.

Viewing 2 reply threads