Re: Career Advice

["Dan McGinn-Combs" <dgcombs () gmail com>]

And don't overlook naisg.org. The price for joining is right and it has chapters all over.
Dan


--
Dan McGinn-CombsOn Sep 8, 2010 11:24 AM, Bill Swearingen <hevnsnt () i-hacked com> wrote: 

Hey Josh,
I would suggest you get as involved with your local security community as you can (time-wise) afford. Check out 
Infragard, ISSA, HTCIA, ASIS, ISACA, hackerspaces, etc.

Second, keep looking.  Dont let one interview get you down and out.  Just because you were not what they were 
looking for in this particular job, doesn't mean that you aren't exactly what someone is looking 
for another job.  I know I have personally had to turn away some incredible talent simply because they were not 
exactly what I was seeking for to fill that particular position.

As a hiring manager, I am more interested in your side projects, what you do at home, and what you do to keep yourself 
updated on the latest security threats.  Dont be afraid to work on your offensive side, and to talk about it in 
any future interviews (depending on the job of course).  Oh.. and you should come to KC for the CyberRAID (a 
little plug there)

Also, dont forget that we aren't exactly in a booming economy right now. =) So dont leave your current 
position until you find that next one.  Security can be a difficult area to "break in to" but dont give up, it 
will be that much more rewarding when you find that right one.

-Bill



On Wed, Sep 8, 2010 at 7:28 AM, Josh Little <josh () zombietango com> wrote:



  

    
  
  
    So, I've been trying to leave my job of 11 years for a
        dedicated security position and have had little luck. I've had
        one set of interviews, where I was passed on for what may have
        been team personality issues - no big deal, these things happen.
        But I can't keep but wonder if there is something I'm missing -
        well, I know there are things missing, I just don't know how big
        a deal they are. What advice would you guys give me, given the
        following:

        

        - I've got some 13-14 years IT experience, with 11 of that being
        in the enterprise sector in the advertising industry. The
        experience is across the board - helpdesk, operations, network
        & infrastructure administration, security, and web
        application work. The past 4-5 years I have tried to specialize
        as best I could in security, while also being required to
        perform the tasks of a network administrator, network engineer,
        voice engineer, and "digital/web guy". Our entire network
        operations team is only 5 guys for an entire multi-site
        enterprise operation, so I cannot just work in one area. This is
        the main reason why I am looking to leave - the breadth of work
        experience has been helpful in doing the security work, but I
        want to be a dedicated security person, not an NA that also
        kinda does security. Also, our operation (and our industry in
        general) is not terribly concerned with security for cultural
        reasons. We have very little management buy-in for security
        initiatives. Even after incidents occur, management may be
        concerned for a month or so before slowly ignoring the controls
        put in place to help prevent another incident.

        

        - I've "concentrated" on intrusion detection, network analysis,
        incident response, and web app testing. This has mostly been out
        of necessity, as these have been the areas most needed at my
        current job. I've dabbled in other areas of security, but these
        are the ones that I get the most exposure to. My skills are, I
        believe, decent but not awesome. They are decent enough that I
        can reliably find compromises, explain why the machine is to me
        considered compromised, find the source of the compromise, and
        determine to some level how it came to be that way. I obviously
        don't know if I am missing anything - I may just be able to find
        the bottom rung of owned machines. There in lies problem number
        two - I have no one to compare myself to or learn from. The
        security program at my current place of work was developed
        pretty much by me and no one else there has a strong security
        background beyond the basic security concepts. I listen to PDC
        and most of the other security podcasts and have no trouble
        following along and taking what is said and applying it back
        into my own organization, so I know I'm not just a clueless
        n00b, but I have no benchmark by which to compare myself. I've
        signed up to the Security Mentors program, both as a mentor and
        a mentee, but have heard nothing back from them. There are a
        couple local groups that meet - one is attached somehow to U of
        M in Ann Arbor (40 minutes away) and meets on a college students
        schedule. I'm looking into the local Infraguard chapter. 

        

        - I have no certifications or special training. Everything I
        know I've either learned on the job or taught myself. My job
        will not pay for security training for me and I've found the
        cost of most training to be outside my budget in the past. Would
        you consider this to be a big minus? If so, where would you
        suggest I start? I'm not looking to spend a year + taking
        classes and earning certs, mainly because I don't have the time
        or money to do so, but if there was one, possibly two classes to
        take what would you suggest?

        

        I think I've got a lot going for me. I've gathered a good sense
        of business, something that a lot of younger security guys don't
        have. My skills are good, though just how good I'm not sure. I'm
        at the "strong" part of my career (I'm 35), but I just want to
        make sure I take it in the right direction. It's now time for me
        to make that next step, but I'm not really sure if I'm in the
        position to do so. Let me know what you guys think.

        

        PS - If anyone is interested in taking a look at my resume, I
        can provide that privately. 

        

        ZT

      
  


_______________________________________________

Pauldotcom mailing list

Pauldotcom () mail pauldotcom com

http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom

Main Web Site: http://pauldotcom.com



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com