Hey guys,

I've read a couple dozen articles and forum pages online about computer security career paths. Pretty much 90% of all the pages stated that it's best to start out as a network administrator, which would usually require a person to sit as a help desk technician for some prolonged period of time.

Is there any other "ordinary" route? Or is there usually a "structured" career path to becoming a information security professional?

@jimjohnson23

In asking this, what would you define as an "ordinary" route?  Do you not feel that knowledge gained as a network admin (or even helpdesk) would not be of added value in security?

While you might get lucky enough to find somewhere that'll hire you or start you directly in security, you'll usually find that the folks, who are even remotely 'active' and well-versed in security, are those who have seen and worked in standard IT roles.  You get a feel for users, networking, problem remediation, etc, that just going straight from a security course or book, very likely, will NOT teach you.

I think the vast majority of us on here (maybe not all of us, but the majority,) who are regular posters and stay involved, will tell you we've all been down the admin road, previously.  It's experience that, while sometimes, during the process, you feel is wasting time, eventually, you'll come to  realize is invaluable to getting a TRUE understanding of the underlying concepts and things you'll come across, as you grow into security roles.

That's my opinion, for what it's worth.  

Edit - fully in agreement with tturner, too, who was posting as I was typing.

I'm a Network Application Engineer right now, but over the past five years or so I've moved from help desk (~1yr) to server admin, business/systems analyst, application developer, and network engineer, though not all of those had associated titles.  I've done security related tasks in all of them and having security principles in mind helps the decision making at any stage.

I guess it really depends on what you want to do with security, which is a huge question.  I still don't know where my diverse background will take me, but I'm thankful for every bit of it.

Thanks for taking my question seriously, guys. I was afraid that I'd get criticism for asking such a basic question.


I'm all about paying my dues (despite the fact that I'd be 26 by the time I graduate ... 2 yrs in military and 2yrs in non-tech job). If I have two years left until I graduate, do you think that I'd be able to do my time in the trenches at a Help Desk Level I before graduating? I really want to start at Level II at the least after graduating...



I don't believe I'll be that one "lucky" guy to get hired straight into a security job. Just not gonna happen - skills would be insufficient, and, I also believe these jobs ought to be viewed as a privilege.

But speaking of things that courses and books cannot teach you, is it a waste of time for me to take two pre-requisite math courses just to take some network security courses? I mean, I already have Calculus sequence down, but the "security" courses that I want to register for require a sequence of analytical and mathematical courses. Would I be better-off just doing self-study for security/hacking skills? I ask, because I'm sorta questioning the practical importance of mathematics in a security career.

But if you say that I should "understand" how computers work, would the following courses be relevant?

1.) Compilers
2.) Verification/QA Testing
3.) Database Application Development (A sequel to a comprehensive database course).

Or am I better-off using this time on self-studying directly relevant material (personal projects, security concepts, hacking, etc.)?

-----

If I REALLY put my heart into it, how long would it take for me to climb my way up to a network administrator position? I understand the answer to this question is always "it depends", but I'm just seeking a rough approximation - as in "Help Desk I/II - X years" ---> "Help Desk III - X years" ---> ? ---> Network Admin ---> Profit.

Hm, i never did anything of that. I went straight from university to being a security consultant. I studied my butt off the first two years and taking it a little slower now, focussing more on getting work experience. Cant wait to pick up another learning experience, but as you can see, it is doable. remember that you will need a solid base to start with, i got networking, databases and more in school (even a little security!).

I know a few people out of college who did security work right away, but they were all-stars and were already focusing on hacking/pentesting while still attending university. Some were doing CCDC or Defcon CTF, others were doing projects on heuristic IDS or other security tool development.

If your major is directly related then it is more possible, if it is not then... sysadmin, dev, etc, all while trying to gobble up sec related projects will get you to a sec career quickly.

Well, "it depends." The good thing about that answer, is that the variable it depends on is you. You are in control, just as other people have responded and as you appear to understand.

Everyone's path is going to be different. Some people enjoy building web applications and do that work for a while before they decide to focus on security. Others enjoy networking. And then, there are some that just want to jump right into security. This isn't a problem but it takes a lot of passion and effort on your side to properly prepare yourself if you want to bypass other positions.

I first started in IT as a temporary employee for 2 months. My role was to unpack desktops, plug them in, and make a configuration or two. They also tasked me with troubleshooting and fixing all of their broken desktops. Keep in mind, I went into that position with no experience and just a high school diploma. All I could say at the interview was "I enjoy working with computers. I fix them for family and friends all the time. I build websites and run a web server at my house. And I want to go further." Part of what I was interested in off the bat was security, and taught myself CEH-type stuff (basic skills, how hacking worked, how to use trojans, etc.).

After my 2 months was complete, I called back to ask if I could use them as a reference. They instead offered me a full-time position as a helpdesk technician. I learned a lot in that role. I showed my boss I was interested in security and earned my CEH about 6 months later. That's when I started getting security-related projects. After about 1.5 years, I was promoted to network administrator (my role didn't change much but I was the one responsible for security at that point).

So that's the path I started off on. Like I said though, everyone takes a different way to get there, and you are the one that controls it.

BillV

Thanks for the info guys. I"ll pay my dues. But I'm having second thoughts once again about the hell desk... I'm seriously thinking about paying my dues through the databases or web development route + self study with home test lab + networking at conferences. It'll probably take longer, but it'll give better financial security for both myself and the family I'll be starting with my fiance. I'd better start teaming up with profs to do some security research..