I need some advice for a plan to become a network security professional, including how and when to get work experience and certifications.  For others in a similar situation, the advice here should be tailored to someone who has not got their foot in the door, who loves hacking and computer programming, and who has a BS degree outside of computers but has realized that security is where their heart lies.

I love programming.  I began with DOS/Basic in the mid-90s, and worked my way through: Pascal, C, Matlab, VBA, Fortran, and bash (linux basic), though I have only used VBA and bash in work as an engineer.  So no IT experience and no Computer Science degree (actually its Physics but that is not helpful to me), though I am pursuing a Masters in IT with a Security emphasis.  I understand computers very well with A+ certification, and I have heard recommendations about CISSP, Security+ (some question this one), Network+, and EC (Ethical Hacker).  I understand the basics of malware and network mechanics with the different communication layers.  I have a CEH review guide, a Hacking for dummies book, and an Operating Systems Security book which I am studying at the moment.

Now I need to understand what to do, so I can focus my efforts and make a difference.  Certifications require experience, but the right jobs require certification and experience.  What should I do and what kind of timetable am I looking at for each step?  Thank you very much in advance.

I have read many threads but none of them address the situation (or remotely similar situation) of being completely new to the entire IT field by experience, well-versed in computer IT and programming by personal study, private work, and interest, let alone working with a degree and experience in a very different, but still technical field.  Also, I am looking for specific time lines as a specific guide.  For instance, beginning with a recommendation of steps 1 and 2 concurrently for 6-12 months and 12 months respectively; where the steps are identified and requirements are noted for commencing each step.  I have looked far and wide to find only bits and pieces of this information not compiled together into useful and understandable form as a guide.

CEH by EC-Council may be said a beginner certification, but I know it requires 2 years of experience and Security+ (DeFino, 2010, p. xviii) for the self study program; otherwise the official course program (pricey) is required.

When are CISSP or OSCP for me?  When and for what jobs are they helpful?

How do I build my own lab and practice there and what does that mean exactly?  Is that just running Wireshark and other programs on other networks on my home computer, and if so how does that help my application?  How do I find these local groups of which you speak?  What roles, if any more, should they play in my career, beyond networking and interesting technical discussions?

Applications to job offerings which sounds interesting for me have met a dead wall, so some suggestions would be useful here.  Jobs like network engineer, sysadmin etc., usually require 3-10 years of experience and never give me feedback, let alone rejection letters, on my application.  But going these other directions implies that I know how to make them best fit into my plan to advance my career as a hacker/IT security pro, but at this moment I do not know how.

More advice needed, please.

DeFino. (2010). Official CEH Review Guide.  p. xviii

With no experience and no IT degree [yet], you're probably looking at entry-level support positions: helpdesk, desktop support, jr. Sys/Net Admin (and others similar). Yeah, it might be a lower position than you'd like, but it's getting your foot in the door and gaining you some experience. Once you're in, you can show off your other knowledge and skills and work on that promotion.

It wouldn't hurt to have a couple of the entry-level certifications as soon as you're ready. You mentioned the A+, it'd probably help to grab a Network+ and a Security+ as well. It sounds like you have that knowledge, now you just need to have something that proves you know it. Without any experience, certifications are your way of displaying what you know. Having that combination should certainly get you into an entry position and having the Security+ will set you on a good path for a security career.

As for a timeline, you're probably looking at being in an entry-level spot anywhere from 6 months to 2 years. This will give you time to get the experience needed to move up as a Network Admin, System Admin or possibly into some sort of security role. If you have any particular interest in a certain area, it wouldn't hurt to go get a GIAC certification while you're gaining your experience.

The CISSP requires 5 years of security experience - so you've got some time on this one but this is probably going to be something you'll want to focus on down the road. It will certainly help you out once you have that Masters in IT [security] and probably set you up for a management position (at which point most of your technical stuff will go out the window anyway). I believe your degree will knock off a year (maybe 2) from that requirement - check the ISC2 site for details.

It's an interesting situation, I'm sure some others will have some advice for you as well.

Oh, and welcome to the site

BillV

Couple of questions for you.
Where do you live?
Where are you getting your MS from?
Are you an on-campus or online student?
Are you required to take cert tests as part of grade?
Does your school require you to do an internship?
Does your school have a career center?
Do you have time to volunteer?

As simple as the ?'s are they will go a long way to deciding what you should do and how you could go about it.