Author Topic: Moving from System Administration to Security Analysis  (Read 2960 times)
eth3real
« on: October 25, 2011, 09:39:12 AM »

Hi everyone,

I've been the Systems Administrator for a small company since 2006, and I'm trying to make the transition from Systems Administrator to Security Analyst, and was hoping to get some insight to see if what I'm doing is right, or if there's anything I can be doing better.

Being the only tech professional for a small company has its good points and bad points.
On the good side:
  • I'm involved with every piece of technology that comes through here.
  • I've learned to adapt quickly and learn new technologies very rapidly.
  • I have a basic knowledge of a wide variety of systems.

On the bad side:
  • I don't have any help.
  • I'm not an expert on any one of the technologies I deal with.
  • I don't have any experience in a larger corporation.

I haven't had much to do with security for a long time, as I typically don't get to use it at my current job. That being said, I realized at a security competition that I attended last week, that my passion still lies in security. I can't remember a time that I've been more excited and motivated. This can even be seen with my activity in this forum. I was very active around the time I got my CEH, back in 2008, but it died off. I've become active again in the past couple of months, while preparing for this competition.

I'm now active in many local groups, including a Linux Users Group, InfraGard, ISSA, ISACA, 2600, and Def Con groups. I'm planning on doing my first presentation at the Linux Users Group next month. My goal is to become very active in the local community, presenting as much as possible (focusing on quality, not quantity). I'm hoping that this will open some doors for me and help me get into a Jr Security Analyst position, or something similar.

I've had a really difficult time trying to find a security related job in my area, but I know I need to keep expanding my network and hopefully get some good recommendations once people in the community are familiar with my work. I know it's going to still take a long time, but I wanted to see if anyone had some insight for me, or if this is a bad approach. I know I eventually need to finish at least my AA, and I'm planning on studying for the CISSP soon. I hear that CISSP is slightly less in depth than CEH, can anyone confirm or deny that?

Thanks in advance everyone, this is a fantastic community that I'm proud to be a part of. :)

Put that in your pipe and grep it!
impelse
« Reply #1 on: October 25, 2011, 10:29:29 AM »

I was in a similar position. I think in your environment you learned how to protect your network very well, and that will help you a lot in the future.

One way to begin to go inside of security is to move to an IT company; in that moment you begin to touch a lot of equipment and begin to see different security products.

CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
3xban
« Reply #2 on: October 25, 2011, 10:44:13 AM »

I was sort of in your boat.  For the last 10 years I spent much of my time as a Sys Admin.  Even as a consultant for 5+ years I still mainly focused on Sys Admin duties with the ability to branch out in other areas.  As you have seen, Sys Admins can easily move into a Security role by being able to focus on more security related areas - AV, Patching, Perimeter security etc...  As you also know, Info Sec is a very general area; there are many branches, from Security Engineers who build and ensure the systems are configured correctly and hardened properly to Penetration testers who try to break those systems.  Then you have branches that involve a bit more knowledge in coding like exploit writing/analysis, malware analysis and reverse engineering.  And as you know there are soooo many cool areas to focus in but each requires its own skillset.

The question for you, what industry is your current company in?  Does it need to be compliant with any standards?  PCI, HIPAA or SOX?  If so see if you can get them to allow you to focus more in that direction and build a new role for yourself, meanwhile you can try to bring in additional help.  If they won't go for that, then your only other option is to look for a new opportunity.  Depending on your location, this can prove difficult or very easy.  

While I was consulting, the last year or so I focused more on security and was able to do more vulnerability assessments.  Eventually I saw an opportunity for a Network Security Admin.  Most of the requirements were heavily related to what I did as a consultant.  Backups, Symantec AV, IPS, Firewall configurations etc...  So I reworked my resume thanks to a recruiter and made it reflect my 10 years of experience so I didn't have to worry too much about the alphabet game.  What you will need to show is the ability to adapt and learn which sounds like you can.  Then just go for a job.  You also may need to relocate depending on where you live now.  Some markets just don't have the demand but Security is now on the minds of even small businesses.  What SMBs can't do is afford the really experienced guys.  

If you like who you work for, and want to give them a chance, work at showing them they need in-house security.  Do a vulnerability assessment of the current environment.  Show them the findings and the risks.  If anything you get some vulnerability testing experience.  

Certs: GCWN
(@)Dewser
eth3real
« Reply #3 on: October 25, 2011, 10:58:29 AM »

Thanks for the comments.

Unfortunately, we don't have any kind of standards that we need to comply with; none of our customers have required it. That would be a good thing to work on, though. I'm going to put some thought into that.

And I agree that I could probably convince the company that we need to have some focus on security if I did a pentest. Is there any sample documentation, outlines, etc. that I could use as a template?

I know that if I can't find any new opportunities, I need to at least give some focus to security while I'm still here. At this point, I think finding another opportunity would be best, but I also have to make the best use out of what I still have. :)

Put that in your pipe and grep it!
eth3real
« Reply #4 on: October 25, 2011, 12:07:02 PM »

What about internships? Has anybody had experience being/recruiting an intern in the information security industry?

Put that in your pipe and grep it!
3xban
Hero Member
*****
Offline Offline

Posts: 607


View Profile WWW
« Reply #5 on: October 25, 2011, 03:02:08 PM »

I'm sure there are templates.  I think what you would have to figure out is where the money lies with the company.  Are there major database apps used?  Are there publicly facing web/app servers?  What kind of customer data is stored and where is it stored?  Hell, look at performing a risk analysis.  Get a decent idea of the business needs and work off that.  Then once you have this information you can determine how to scare... I mean prove to them they require better controls than are currently in place.

Find the window that the money will fly out of if someone left it open!  So let's say the only server that faces the internet is email.  Let's say it's Exchange and OWA is in use.  Well, is the server fully patched?  Both Windows and Exchange?  Get authorization to run a vulnerability scan against the outside portion.  Document the findings and ensure they are not false positives.  Now what can happen if those findings are true and there is an exploitable vulnerability present?  Can someone use that to bypass the logon and gain access to a mailbox?  What is in the mailbox?  Will it hurt the company in the coin purse if it is leaked?  If all the doors and windows are locked up tight, turn your attention to the gooey inside.  Do the users like clicking on things?  Are your desktop apps fully patched?  Are you utilizing application whitelisting?  Use a tool such as Metasploit to craft a bogus PDF file and show a demo of what an unpatched Adobe Reader app can be used for.  There are many vectors to choose from but it is most important to prove the risk will hurt the company.  Small Businesses can easily be closed if proprietary data is leaked/stolen or customers' information is stolen and they decide to sue the company.

As far as Internships, I am sure there are, but you may have to do some digging.  But you may need to keep a full time job if the internship doesn't pay.

Certs: GCWN
(@)Dewser