inspirational words written on a phone

The (not so) secret path into an information security job (part two)

I’ve covered my philosophy about information security

In part one, I discussed how I view an information security job as a higher tier than information technology jobs.  This is based on my experiences applying for positions throughout my career and trying aggressively to break into the field.  Part two will complete the story of how I went from knowing nothing to where I am today.  Getting an information security job was a journey that took 4 years post graduation, 7 years from start to finish.  When I left off, I had just gotten hired as a systems administrator.

Not where I wanted to be

I never liked being a systems administrator.  I didn’t get it yet though that I needed to ‘level up more’ before I could make the transition.  It wasn’t but a few months before I put my CV out there, applying for security jobs.  Went to one interview where I might have had a shot but they wanted to pay me about half what I made as a sysad and I couldn’t do it.  I still don’t know if this was one of those rare entry level jobs or not.  At this point I had my MTA, finished my Net Sec degree, and was about 2 years post associates.  In my sysad role I learned a lot, including troubleshooting SQL databases and VMware virtual machines and hosts.  Finally, I went on another interview where they explicitly said for someone with a Net Sec degree, my networking skills were lacking.  I figured ok, I’ll go find a network administrator position to learn.

Learning networking on the job

How does one acquire a networking job when they are weak in networking?  I still believe the company was just desperate for someone and I lucked out with this one.  They told me later on that they needed someone who had worked with vmware before, and I was the vmware go-to person the entire time I was there.  They taught me everything I ever needed to know about networking though.  Troubleshooting and fixing routers, switches and communications equipment was what I focused on there for the first half of my stint.  The team I was on also handled security equipment, firewalls, mail gateways, VPN’s, etc.  I always asked to help troubleshoot these devices as a way of helping them and helping myself.  Eventually, I muscled my way into working on the security equipment when one guy left and nobody else wanted to do it.

Same place, new role

They paid me some more and promoted me to systems engineer.  I still wasn’t in a security role, I just maintained the equipment performing break/fix type work.  An offsite security team made policy changes and I implemented everything at our site.  It was a great experience though, and I was excited to be working with security appliances everyday.  I finally got my VMware certification, the VCA6-DCV, to prove my comfort level with virtual gear.  It was a great time for me, first time I had fun on the job to be honest.  I learned everything I felt I could and kept applying to security jobs.  I went on one interview for a security engineer position, and was flat-out told that I didn’t have security experience and wouldn’t ever work in security.  Another position offered me less money to work in security, but I still wouldn’t be deciding policy.

It was a long journey, but i finally reach my destination

I get a random contact on my Linkedin profile one day.  This recruiter asked me if I knew anyone looking for a security job because he had an opening.  I was angry that the recruiter didn’t bother to read my profile, but I responded saying, literally, ‘What about me?’  I got caught up in a whirlwind of internal reorganization of that company during the interviewing and hiring process and didn’t get an offer for months.  The job title of consultant kind of threw me off, because I thought it would be a sales role.  I basically do the same thing I did at my last job, install and repair security appliances, but I get to be THE person for it.  For the most part, I am in control of decision-making and policy recommendation.  Some customers decide to implement their opinion of what’s right and I must comply, but i give them my input.

Conclusion

The point of this was that my career is proof that the average person can’t jump into security out of college.  I tried every step of the way because I am passionate about security.  I had to build up my resume, my skills and my knowledge in order to catch the right attention.  Even when it did happen, it feels like randomness and magic.  I pride myself in being a generalist.  Every stop of my career I did my best to shore up my weaknesses.  I built a foundation of knowledge in every major field, help desk, sysad and networking.  It ended up taking me 7 years from start to security job, and even that is ‘quick’ compared to some.  I advise people to try to learn all of these things that I highlighted earlier in their schooling or careers.  You can probably knock off a few years if you really work hard towards learning a little of everything.  Just make sure you set the proper expectations about how long it might take and don’t give up.

If you enjoyed this article, please subscribe to be notified about the latest posts and comment below.  Thanks for reading!

Link to part one

Return to career page

Return to home page

Leave a Reply