Security Basics mailing list archives
Re: Security Jobs
From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Tue, 2 Jun 2009 13:39:01 -0400
If you think you can get one and don't mind your life being an open book for hordes of nameless, faceless bureaucrats then yes, I recommend it as most of the growth in the field is going to come via way of the government/military's focus on "cyber warfare" etc. Especially in the D.C. area, which is where you are. Really, nationwide there seem to be far less security jobs that do not require a clearance than those that do.

The bottom line is that private industry doesn't really see the value, so they hire consultant pen-testers/auditors once a year and expect their systems guys like you to handle the rest. Most unfortunate in my opinion. I foresee this changing as stricter regulatory legislation comes into effect.

Steve

On Tue, Jun 2, 2009 at 1:26 PM, Curt Shaffer <cshaffer () gmail com> wrote:
You are correct there. I have never held a security clearance. I have not needed to in any of the positions I have worked in. Would you recommend getting a system admin job that requires a clearance just as a "foot in" so to speak?

-----Original Message-----
From: Stephen Mullins [mailto:steve.mullins.work () gmail com]
Sent: Tuesday, June 02, 2009 1:23 PM
To: Curt Shaffer
Cc: security-basics () securityfocus com
Subject: Re: Security Jobs

Now I see your actual problem, lack of a security clearance. If in fact you have one, then I am baffled.

Steve

On Tue, Jun 2, 2009 at 12:48 PM, Curt Shaffer <cshaffer () gmail com> wrote:

Thank you all for your input. I am going to attempt to include points from each in this response:

I do have experience and exposure to a lot of security pieces. I have done firewall installations of many varieties for small companies to ISP level services. I have done the same with IDS/IPS deployment from SNORT to TippingPoint. I have dealt with email security, again from small businesses to ISP level services including AntiSPAM/AntiVirus and encryption. I have worked with AntiVirus/IPS clients in the same arenas. I have used vulnerability scanners and feel I have a strong understanding what the results mean not only from a technology perspective but a business impact perspective as well. I have assisted in getting a Microsoft partner higher levels by contributing security competencies with an implementation of wireless that included certificates and RADIUS using Microsoft's version of each of those. On top of all of that, no matter what I have done in the sysadmin role, it has always been based on security best practices.

All of that said, in addition to my recent training in penetration testing from SANS and upcoming training for the CISSP, I think I have done what a lot of you have recommended. This is all on my resume but as Stephen mentioned, maybe I need to spin it a little more than I have.
Obviously not lying but focusing even more on these things I have done and leaving off some of the other. I have always reiterated these things in the interview, but again it would come across like "great we need a system guy that is security focused", but again not what I would consider a true security job. The security job I seek is one that is about security in one way or another all day long as it is my passion.

Someone mentioned doing auditing. I cannot see myself just doing audits. I feel penetration testing is more of an appeal to me. Either that, or being the security input on many pieces of the network like VoIP, network, and systems or both :)

Someone else mentioned Jr. Security Analyst. I know I don't deserve the ultimate security job right off the cuff and I must pay more dues, but I would like to think after the experience I do have, I am worth more than they would pay for that and should deserve a little higher entry than that. Also, I live in the DC metro area so a huge pay cut wouldn't make life very easy as some of you may know it is pretty expensive to live around here.

Overall I think I will attempt to modify my resume a little more and repost it in the usual places. I think I will also try to make it more of a point to attend conferences and such related to security to get my network built up there as well.

Thank you all for your input and ideas, you all have given me a lot to think about!

-----Original Message-----
From: Stephen Mullins [mailto:steve.mullins.work () gmail com]
Sent: Tuesday, June 02, 2009 11:39 AM
To: Curt Shaffer
Cc: security-basics () securityfocus com
Subject: Re: Security Jobs

This answer assumes you are in the United States.

I think your problem is how you market yourself. You need to emphasize your security experience over your systems experience as much as possible. If your resume says, "Systems Administrator for the past 10 years" then that's what you're going to be pegged as by the HR folks.
Call yourself a "Security Administrator" if your job entails any level of security awareness whatsoever (and it should if you're a good Sys Admin).

Companies these days look at every individual as a specific tool with a specific function within the organization. They hire the Systems guy to work on Systems and a Security guy to do Security. They have little to no interest in hiring someone that "is willing to learn" or "has an interest in" an area outside of their specialty.

The average person under 30 changes jobs once a year. People over 30 change jobs once every 3 years. Companies have no reason to train someone because they won't be on the job long anyway.

Exceptions - government or military jobs (non-contractor).

I think you need to better understand the employment environment in which all of us operate.

Steve

On Fri, May 29, 2009 at 5:00 PM, Curt Shaffer <cshaffer () gmail com> wrote:

This is just a general question for people in the security field out there. I have been in the IT industry for 10 years now. I have a large range of experience with systems (Windows and *nix), and networks (wired, wireless, LAN and WAN). I have, what I feel and others have told me, an intricate knowledge of a range of IT related topics covering many areas. In searching for a career, I have found myself getting bored over and over. The main reason is because I tend to get pigeon holed into one thing or another, it mainly seems to be systems only things. I've always liked security and have devoted quite a bit of time to studying it pretty intensely over the past 2 years or so. The main reason is because it seems to me that being in security allows you to keep up on and working on a lot of different pieces in the IT spectrum. I have had the Security + certification for some time. I am working on my GPEN then following that with the CISSP by the end of the year. The problem is, I have been trying to break into a security job but I still always find myself getting only systems related stuff.
I will say I get people that say "we need a systems guy with a strong security focus", but that never equates to a security job. Can anyone out there in the field give me some direction on how I can get a "real" security job?

Thanks
Curt

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------