Sup E-H.net,

I've decided to add onto this thread cause I'm still in a sort of confusing position and I'd like some of your guys' opinion / advice on the subject. Alright about last year sometime around now (about 11 months ago) I opened a thread, wanting some advice on possibly what I should try to major in, in college. The thread can be found here:
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,2563.msg11437/#msg11437.

Here's where I currently am. I decided I'd go to a community college (not the one in town here, but one out of town) and I've been taking some programming classes and I took an Introduction to Information Systems Security class there. I'm currently in my second semester and will be finishing up really soon. I had recently decided to check back with ITT Tech to see if they re-opened up their software development course so I could go into that. Bad news though, they never got it back opened, and unfortunately, the other ITT Tech in my area, doesn't have it either. I was wondering, is software development a declining field? There's not alot of people who signed up for the course over there so I'm wondering, does that work out in the long run, since there's not alot of people wanting to become Software Developers would it eventually be easier for me to find a job in this field? What they're offering at the college I go to right now is a programming certificate but I'm actually wanting to go for a degree. It's not neccessarily that I favor that school, I get it's pretty expensive, but I'm just wanting to go to a school where it's like really hands-on, 70 or 80% of the program of your choice is geared towards those classes, while the other 20% is geared towards your general ed. I'm not trying to take a crap load of general ed for a degree because my academics aren't exactly as high as I want them to be.

Throughout this past year though, my interest in the InfoSec field has grown a little bit more too. I tried to take the Off Sec course last year, but since I was still in high school they didn't think I was old enough to do the course and wanted me to send over a copy of my photo ID, and that's how that conversation ended between the off-sec guys and I. I'd eventually like to go into Penetration Testing but I know it's just not one of those things where you go, "Alright, I have a degree in Information Systems Security, maybe a certification or two, here's my resume...bam you got the job" type of thing. My question I have here is that, I can't exactly expect to go directly into Pen Testing just by holding a degree right? Wouldn't they want you to have some Network Administration experience or something along the lines of that before applying for a job doing that? Even trying to get a job doing it fresh out of college, wouldn't it be next to impossible considering companies are wanting people with 10+ years of experience under their belt? Not that I blame them, it just seems pretty difficult to get the job. I've also noticed, that alot of people are going into this field...you may all notice we get people weekly who come here asking for advice for what they should do to eventually get into doing security for companies, etc. My question is, should I even opt to go into this field or should I stick with programming? I've been coding since I was around 15 and a half, and have always wanted to be a programmer, but I've always wanted to have the job as an Ethical Hacker/Penetration Tester as well. I'm just a little confused on which should I go for at this point. I was thinking I should look into the Information Systems Security course offered by ITT Tech and then if I didn't care for it, drop and then go into programming else where (considering they don't offer it there), but I'm all open to your opinions/advice. My bad if it sounds like I'm ranting in this one...Thanks in advanced.

In my experience experience is king.  Some things you can do to get IT field experience (and document some security experience along the way) involve volunteering.  Most churches and non-profits are woefully inept at IT like tasks and especially so when it comes to security.  Most have SOHO networks and many have websites (most of these are contracted out).  You can offer to help out with IT support and while you're at it do security assessments that can be documented on your resume.  Note I'm not talking about using a non-profit's SOHO network as a pen testing lab, but locating places where they are vulnerable and offering suggestions on how to fix it without breaking their "infrastructure".  I know a network admin who stepped her way into a paying contract job as a direct result of her volunteer work with an unrelated non-profit.

Good luck.

I wasn't trying to suggest that you were a noob. I jusst did not know your background and I would give the same advice to pretty much any one out there. After all, we live in a MS domincated world. Back on topic though, we do pen testing where I work, but it is usually associated with doing certification and accreditation testing. We get contracted to do the vulnerability assesment and then often come back and then do a pen test on the system. What you are seeing is that there are few if any that do nothing but pen tests. My background includes a BS in Software Engineering and a Masters in InfoSec. BEing able to read and write code helps, but I wish that I had more sysadmin experience. So as former33t said, do some non-profit work. Programming will never go away. We are too wired these days. Good luck.

Thanks you two. Much better info in that one sgt_mjc. Was hoping to also get some responses from Chris Gates, Ryan Linn & Don on the subject too? If you guys aren't too busy?

I'd also have to agree with a lot of what has been said already. And like Ryan mentioned, programming isn't going away. A quick glance at the job boards will tell you that. I've seen more programming positions than network/system admin/support positions.

The biggest thing to do is figure out what you enjoy doing, and do that. That's pretty much exactly what I did back when I was where you are a few years ago. I tried school for criminal justice and realized I loved working on computers - since that's what I spent all my free time doing.

If you really enjoy programming and can sit there for hours and hours coding away, then follow through with it.

If you enjoy doing network or system administration stuff, stick with that instead.

Either path can eventually lead you into a security position.

And like someone else mentioned, a degree is definitely not required. I don't have a degree - and I know some others here don't either. When I see job postings asking for one, I ignore it and submit my resume anyway. I still receive calls back and they typically won't even mention a degree. So don't be afraid to try and do your own thing and run with it. You can certainly still be successful

BillV

Not to pass the buck, but based on the responses in this thread, other threads and articles on this site, I think you have a lot to think about. So instead of rehashing the good advice already given, how about I leave the door open to answer any specific questions that come out of your own planning. Have you written down your wants, desires, goals, etc. for the next 5 yeras, 2.5, 1, 6 months? I do it in reverse purposely. You should, too.

Don

I'll agree with previous statements,

I found planning (and writing down) where you want to be AND the intermediate steps you need to get there are a major improvement to the generic 'I want to be in security'. From my experience it helped provided some focus as to what was needed now, and provides a good way of measuring progress and if you are achieving your goals.

I found Don's DIY career talk great in this regard. Also check out Mubix's Couch to Career in 80 hours or less. If you can follow the advice and be honest with yourself then you should be in great shape to start down the road to your chosen career.

Good luck out there