RE: Security Jobs

["Curt Shaffer" <cshaffer () gmail com>]

You are correct there. I have never held a security clearance. I have not
needed to in any of the positions I have worked in. Would you recommend
getting a system admin job that requires a clearance just as a "foot in" so
to speak?

-----Original Message-----
From: Stephen Mullins [mailto:steve.mullins.work () gmail com] 
Sent: Tuesday, June 02, 2009 1:23 PM
To: Curt Shaffer
Cc: security-basics () securityfocus com
Subject: Re: Security Jobs

Now I see your actual problem, lack of a security clearance.  If in
fact you have one, then I am baffled.

Steve

On Tue, Jun 2, 2009 at 12:48 PM, Curt Shaffer <cshaffer () gmail com> wrote:
> Thank you all for your input. I am going to attempt to include points from
> each in this response:
>
> I do have experience and exposure to a lot of security pieces. I have done
> firewall installations of many varieties for small companies to ISP level
> services. I have done the same with IDS/IPS deployment from SNORT to
> TippingPoint. I have dealt with email security, again from small
businesses
> to ISP level services including AntiSPAM/AntiVirus and encryption. I have
> worked with AntiVirus/IPS clients in the same arenas. I have used
> vulnerability scanners and feel I have a strong understanding what the
> results mean not only from a technology perspective but a business impact
> perspective as well. I have assisted in getting a Microsoft partner higher
> levels by contributing security competencies with an implementation of
> wireless that included certificates and RAIDUS using Microsoft's version
of
> each of those. On top of all of that, no matter what I have done in the
> sysadmin role, it has always been based on security best practices.
>
> All of that said, in addition to my recent training in penetration testing
> from SANS and upcoming training for the CISSP, I think I have done what a
> lot of you have recommended. This is all on my resume but as Stephen
> mentioned, maybe I need to spin it a little more than I have. Obviously
not
> lying but focusing even more on these things I have done and leaving off
> some of the other. I have always reiterated these things in the interview,
> but again it would come across like "great we need a system guy that is
> security focused", but again not what I would consider a true security
job.
> The security job I seek is one that is about security in one way or
another
> all day long as it is my passion.
>
> Someone mentioned doing auditing. I cannot see myself just doing audits. I
> feel penetration testing is more of an appeal to me. Either that, or being
> the security input on many pieces of the network like VoIP, network, and
> systems or both :) Someone else mentioned Jr. Security Analyst. I know I
> don't deserve the ultimate security job right off the cuff and I must pay
> more dues, but I would like to think after the experience I do have, I am
> worth more than they would pay for that and should deserve a little higher
> entry than that. Also, I live in the DC metro area so a huge pay cut
> wouldn't make life very easy as some of you may know it is pretty
expensive
> to live around here.
>
> Overall I think I will attempt to modify my resume a little more and
repost
> it in the usual places. I think I will also try to make it more of a point
> to attend conferences and such related to security to get my network built
> up there as well. Thank you all for your input and ideas, you all have
given
> me a lot to think about!
>
>
>
> -----Original Message-----
> From: Stephen Mullins [mailto:steve.mullins.work () gmail com]
> Sent: Tuesday, June 02, 2009 11:39 AM
> To: Curt Shaffer
> Cc: security-basics () securityfocus com
> Subject: Re: Security Jobs
>
> This answer assumes you are in the United States.
>
> I think your problem is how you market yourself.  You need to
> emphasize your security experience over your systems experience as
> much as possible.  If your resume says, "Systems Administrator for the
> past 10 years" then that's what you're going to be pegged as by the HR
> folks.  Call yourself a "Security Administrator" if your job entails
> any level of security awareness whatsoever (and it should if you're a
> good Sys Admin).
>
> Companies these days look at every individual as a specific tool with
> a specific function within the organization.  They hire the Systems
> guy to work on Systems and a Security guy to do Security.  They have
> little to no interest in hiring someone that "is willing to learn" or
> "has an interest in" an area outside of their specialty.  The average
> person under 30 changes jobs once a year.  People over 30 change jobs
> once every 3 years.  Companies have no reason to train someone because
> they won't be on the job long anyway.  Exceptions - government or
> military jobs (non-contractor).
>
> I think you need to better understand the employment environment in
> which all of us operate.
>
> Steve
>
> On Fri, May 29, 2009 at 5:00 PM, Curt Shaffer <cshaffer () gmail com> wrote:
> > This is just a general question for people in the security field out
> there.
> > I have been in the IT industry for 10 years now. I have a large range of
> > experience with systems (Windows and *nix), and networks (wired,
wireless,
> > LAN and WAN). I have, what I feel and others have told me, an intricate
> > knowledge of a range of IT related topics covering many areas. In
> searching
> > for a career, I have found myself getting bored over and over. The main
> > reason is because I tend to get pigeon holed into one thing or another,
it
> > mainly seems to be systems only things. I've always like security and
have
> > devoted quite a bit of time to studying it pretty intensely over the past
> 2
> > years or so. The main reason is because it seems to me that being in
> > security allows you to keep up on and working on a lot of different
pieces
> > in the IT spectrum. I have had the Security + certification for some
time.
> I
> > am working on my GPEN then following that with the CISSP by the end of
the
> > year. The problem is, I have been trying to break into a security job but
> I
> > still always find myself getting only systems related stuff. I will say I
> > get people that say "we need a systems guy with a strong security focus",
> > but the never equates to a security job. Can anyone out there in the
field
> > give me some direction on how I can get a "real" security job?
> >
> > Thanks
> >
> > Curt
> >
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: InfoSec Institute
> >
> > Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both
> Instructor-Led and Online formats is the most concentrated exam prep
> available. Comprehensive course materials and an expert instructor means
you
> pass the exam. Gain a laser like insight into what is covered on the exam,
> with zero fluff!
> > http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
> > ------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain 
a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------