Comments on: How to Get a Job in Information Security

By: gager

gager — Tue, 24 Apr 2012 14:46:04 +0000

I will be graduating with a B.S. in I.T. with ISS focus next year. What certs will help me land a job in the I.T. security field?

By: Grant Bugher

Grant Bugher — Tue, 20 Mar 2012 01:49:46 +0000

Noble: On one hand, yes, there is definitely a larger market for generalists. Most companies don’t have more than a couple of security professionals; only a large corporation or tech/Internet company would have enough to employ specialists, so most specialists work as consultants. On the other hand, specialists get paid more, and even as a generalist you’re going to need some kind of technical skill, whether IT/ops or engineering/development.

Gege: In my opinion Security+ has no value if you’ve ever had a job — it’s so entry-level that I would only recommend it to a college student or someone moving in from a non-tech field to show basic competence, and even then I’m pretty dubious — I totally ignore Security+ on resumes when I’m hiring, even if I *am* hiring someone entry-level.

As for CISSP’s experience requirement, really don’t worry about it. As I say above, a few years in almost any tech field will meet it, so this really only matters when you’re first starting out (which it sounds like you might well be.) You can always get Associate of ISC2 (i.e. pass the exam without meeting the experience requirement) then upgrade the cert later.

All this said, honestly since I wrote this post four years ago I think certifications have declined in value. There are so many “paper CISSPs” out there with no real tech/security background who just studied for the test that hiring managers tend to discount it. Same goes for CSSLP, CEH, and even the advanced ISC2 certifications. People still put a lot of stock into the SANS certifications (which are good but exorbitantly expensive) and the advanced Cisco certs (i.e. the ones above CCNA), but not a lot else.

At this point, most certifications are just something you put at the bottom of your resume to get past the HR screener and show up in LinkedIn searches; once you get to the interview, nobody cares and it’s all about ability to talk about your real-world experience and demonstrate technical skill.

Busi: If you want to stay in governance, risk, and compliance, CISA is useful. It’s well-respected in the GRC world, but is considered nontechnical. If you want to move out of it and into technical security, it’s not, and CISSP would be better.

The most important things, though, remain 1.) be good at more than one thing, and 2.) be able to demonstrate real-world technical skill. Certifications only open the door, you still have to walk through it, and this is even more true today than it was four years ago.

By: Busi

Busi — Tue, 20 Mar 2012 00:08:43 +0000

Thank u so much for this article, very informative & provided me with a bit of direction! I’m currently working as an acess control manager (physical + systems). I have a strong compliance background & would like to get more into info security from a risk & compliance point of view. I have a BCom Risk Mngt degree & am nw thinking of doing the CISSP & CISA before crossing over, what r your thoughts on this?

By: Gege

Gege — Wed, 29 Feb 2012 04:45:39 +0000

Thanks for your response Grant. Would you suggest to me to start by taking security + certification to start since it appears that you need to have a certain number of years of experience before taking the CISSP certification ? I have actively applying for internship but my lack of experience in the field makes it hard to get. Any ideas.
I appreciate your inside information.

By: Noble

Noble — Sun, 26 Feb 2012 05:34:44 +0000

Hi Grant Bugher,

Thanks for your Article. There’s a larger market for security generalists than specialists….. Very nice point.

By: Grant Bugher

Grant Bugher — Fri, 24 Feb 2012 18:44:21 +0000

The masters’ degree is a good start. The A+ will mean nothing and the Network+ very little; for the MCP it depends on what it’s in. I think the real question is what sort of job you’re wanting to get.

There are multiple paths in infosec — audit & compliance, risk & governance, engineering & architecture (with this divided into operations or development.) Demand for infosec jobs is really high — unemployment in security is low, which will work to your advantage. The most important thing is to learn an area and really know it well — this could mean studying operational certifications (ISO 27001, etc.) for an audit role, studying security policy and governance (and perhaps getting a CISSP) for a governance role, or studying programming or operations for an engineering role. There are certainly certifications in all those areas, but your degree and experience can probably get you an interview (which is all certifications do for you anyway.) Your ability to demonstrate knowledge in an area is what will get you a job.

By: Gege

Gege — Fri, 24 Feb 2012 07:08:17 +0000

I like your article for the great advice that you provide. I am about 5 courses away from completing my Masters in Information Assurance combined with a MBA. I have been teaching IT to high school students over the last 8 years and I am preparing for a career change. Even though I have a A+, Network + and a MCP , I am concerned about my lack of experience in the field to be able to land my first job. What would you recommand? Some people are telling me to study programming and Linux. I enjoy infoSec and aim a little concerned after graduation.

By: Grant Bugher

Grant Bugher — Fri, 24 Feb 2012 00:03:01 +0000

Honestly, with a masters’ degree I would not bother with Network+ or Security+ — those are both certifications for entry-level technicians. Honestly, the industry has changed a bit since I wrote this post over 4 years ago. CCNA can be useful if you’re going the networking route, though mostly as a route to Cisco’s more advanced and more respected certifications. It’s on par with a Microsoft or Sun certification, really.

The CISSP is not really a high bar. It’s not a capstone cert like it was many years ago, it’s just above entry level and has little value by itself unless you have experience to back it up. With a masters’ degree I think you have all the “certification” you need for a first job; what’s going to help you the most now is actually working in the industry for a year or two, preferably in security but at the very least in a networking or development role.

By: infosectutorials

infosectutorials — Thu, 23 Feb 2012 23:57:17 +0000

Very nice artical, you real helped me know which way to go from now because I’ve just graduated with MSc. in Info sys security and wasn’t clear on where to go from now. I was thinking for someone with very little budget, would Network +, security+, CCNA and then CCNA security be as good or close to CISSP. Also I’ve just put this web on to share knowledge, would you and the rest of community following this site be so kind to vist it (www.infosectutorials.com) and give me your openion and guidance on any of the topics there.

much appreciate it

By: guru

guru — Wed, 30 Nov 2011 05:01:08 +0000

nice artical very useful one keep gooinggggggggggggg

By: Sanjay

Sanjay — Thu, 10 Nov 2011 06:20:45 +0000

which type of course i need to learn to get this job ?

By: IT Security Jobs – How to get one | Security

IT Security Jobs – How to get one | Security — Wed, 27 Apr 2011 08:04:30 +0000

[...] this higher level of production also has weak spots that need to be addressed. This is where an IT security professional comes to [...]

By: Detektiv Blog hoopo.de » IT-Security Jobs – Wie eins zu bekommen

Detektiv Blog hoopo.de » IT-Security Jobs – Wie eins zu bekommen — Sun, 30 Jan 2011 18:28:21 +0000

[...] höhere Niveau der Produktion hat auch Schwachstellen, die behoben werden müssen. Dies ist, wo ein IT Security Professional zur Arbeit [...]

By: How to get an IT security job « jobposting.org

How to get an IT security job « jobposting.org — Wed, 03 Nov 2010 17:48:09 +0000

[...] this higher level of production also has weak spots that need to be addressed. This is where an IT security professional comes to [...]

By: Calculated Decision » Blog Archive » Entering the Infosec Field From the Dev Side of the House

Fri, 29 Feb 2008 07:14:26 +0000

[...] Grant Bugher of the Perimeter Grid blog had a post covering another route to the information security field. The route he describes and has personally taken pulls heavily from experience in development and writing secure code. This route is crazy interesting to me and I’m glad to see I’m naturally heading down the road he’s talking about. [...]

By: OS-Based Mitigations Against Common Attacks | Perimeter Grid

OS-Based Mitigations Against Common Attacks | Perimeter Grid — Mon, 04 Feb 2008 23:41:54 +0000

[...] How to Get a Job in Information Security [...]

By: Umang

Umang — Fri, 01 Feb 2008 19:48:21 +0000

Great Job, Great Article. Nothing better when you get to read the right stuff at the right moment. I am an Entry Level Masters in Information Management with Database Systems Specialization and an intense desire to carve my career towards CISA / CISSP. Nothing could have helped me make an informed decision as this article has done it now. I came across this article while I was looking for proven approaches towards Information Security Career. I would be happy to subscribe to any letters / articles (if there are any) that are focused on adopting right path towards Info Sec Careers.

Thanks again.

Regards

Umang Doshi
umang_doshi@yahoo.com