How to pass HR screenings: load up on certs or go back to school?

<<

mallaigh


Jr. Member

Posts: 65

Joined: Fri Jul 16, 2010 12:36 am

Post Sat Sep 11, 2010 7:47 pm

How to pass HR screenings: load up on certs or go back to school?

Apology: I would like to first apologize since I know this question is similar in nature to questions that have been asked before.  I have read the similar posts, but I don't feel they answer my question.  As a result, I have decided to "beat a dead horse" in hopes of drumming up the answer I'm searching for.

My background: I started working with computers when I was 16 years old and started my own business at the age of 17 fixing computers/networks in SOHO settings.
 
In 2001 I was off to college to study for a BS in CS.  I had tons on my plate during this time (school full-time, work full-time, commuting to school), so I dropped out of school.  In 2006 I went back to school and finished my BA in Political Science/Government (instead of CS) and graduated in June 2009.

While in school, I worked at a computer repair shop.  There, I learned how to perform data recoveries, identify in-the-wild malware (no virus definition to remove it), Windows operating systems (98-7), hardware, networking, some Windows Server stuff, some Mac OS X, and some *nix.

For the last six months I have been working as the Corporate IT person for an internet company on the California Central coast.  We run Windows, Mac, and Linux desktops.  I manage 2 Windows 2003 servers, a VoIP phone system, and 5 switches.  My job is pretty cool, but there was almost no learning curve for me since these are all things I have worked with in the past.  If anything, it was a lot of shaking off the dust.

Where I'm going with this: Ultimately, I would like to be a network and server pentester or security engineer.  I want to learn to bypass firewalls and gain access to servers.  Why?  It seems like a job I could never get bored with and would always be challenged by.  It sounds fun and totally cool.  I would like to be working as a systems administrator in the next 6-9 months.  From what I have come to understand, the systems administration experience will greatly help when it comes to pentesting similar systems.  When I interviewed for my job there was mention of this being a possibility, but I would rather feel like I have control of my career.

I have read the posts with similar topics:
http://www.ethicalhacker.net/component/ ... ic,5818.0/
http://www.ethicalhacker.net/component/ ... ic,5825.0/
http://www.infiltrated.net/pentesting101.html

These posts are great, but I don't feel they quite address the question I'm about to ask.

My question (finally): When I'm off day dreaming and looking at pentesting jobs, I see a lot of them requiring/preferring a BS in CS or Network Security.  I usually see:

    Education requirements: Bachelor of Arts/Science or equivalent degree in computer science / security or related area of study
    Years of experience: eight plus years of experience with a degree / equivalent experience without a degree will require eleven plus years of experience

    Completion of a 4-year degree. Technical focus preferred.


So, would it be recommended/needed to get a BS in CS or Network Security to pass the HR screenings to be able to land a job in InfoSec?  I know / know of Systems Admins, Database Admins, and Network Engineers who don't have technical college degrees or degrees at all.  But, when I see things like this, it gets discouraging.

I have been working on re-learning a lot of the things I fell out of practice with over the years.  I'm also going to start working on my alphabet soup (CCNA Security, LPI, Security+ to start with) to build up some good fundamentals and go from there.  But, what I really want to know is: even if I have a bunch of the most respected InfoSec certifications, will that be enough to help me land a job pentesting networks and servers, or in reality is it going to take a second bachelor's? I don't really have an issue with racking up some more student loans, and I would just do night/online classes to get the degree (I figure it would take 1.5-2 years).

I'm open to recommendations and suggestions, and appreciate any and all advice.  

Edit: I'm also hoping to have seriously killed this horse, once and for all.
Last edited by mallaigh on Sat Sep 11, 2010 7:57 pm, edited 1 time in total.
<<

ziggy_567


Sr. Member

Posts: 379

Joined: Tue Dec 30, 2008 1:53 pm

Post Sun Sep 12, 2010 10:17 am

Re: How to pass HR screenings: load up on certs or go back to school?

I hate to tell you this, but there's really no right or wrong answer here. It all depends on the job requirement that you're talking about. Some HR departments are going to put a higher priority on the degree and therefore will filter out all non-degreed candidates first. On the other hand, some HR departments will place a higher priority on professional experience, and therefore will look at things like certifications more favorably.

I will never tell anyone that more education is a bad thing, so if you feel like a second bachelor's degree is right for you, go get it! Have you thought of doing a Master's though? I did my master's in Information Systems after doing my Bachelor's in Anthropology. I was able to complete my M.S. in 2 years by loading up on pre-reqs while doing my degree classes. If you started your B.S. in C.S. you likely have a lot of the pre-reqs for Master's classes. You may have to take a couple extra classes, but that's no biggie.

On the flip side, I feel like my certifications have opened up doors that my Master's degree would never have touched, because they represent something altogether different than what a degree represents. I place a high value on formal education, but all a degree really shows is that you have self-discipline and that you have a certain level of aptitude for the subject matter. Degrees don't provide you with the day to day technical knowledge that you will use. The argument can be made that certifications don't really do this either, and I would agree to a certain extent. But, a lot of HR departments see them that way, and that's really all that matters!

Personally...(and take this for what it's worth)...I'd go the certification route first. As I stated before, I believe my certifications have gotten me in more doors than my degree, and right now it is tough to get a job regardless. Certifications are generally less expensive than degrees and are easier overall to get. In my opinion, you will get more bang for your buck through certifications than through the degree. Also, you said that you like your current job enough, so why not stick it out there earning some practical experience and self-studying for your "dream job?"

Really, though, it's a personal decision with no right or wrong answers...

Another thing you might want to look at is some threads on resumes. It's amazing how much influence the style/content of your resume can have on a job search...

Good luck!
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
<<

sil


Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Sun Sep 12, 2010 11:26 am

Re: How to pass HR screenings: load up on certs or go back to school?

HR is almost always going to throw out a broad list of "we want this" which makes little sense. The person writing up the description often has little true insight as to what the job duties entail. This is why it's "chucklesome" to see things like "Penetration Tester sought: Must have CISSP." What does a CISSP have to do with penetration testing?

My perspective is going to be biased towards most security related descriptions and headhunters are forever sending me these: "Must have a Bachelors, MIS, CISSP" like offers where after speaking to them things change into "well that's really not important." EXPERIENCE EXPERIENCE EXPERIENCE. Period. No degree or cert will ever trump experience and almost all HR people know this. This is why you will often see tidbits like "or relevant experience necessary."

If your company doesn't have a security position there... Make it! Talk to management about the need for security in today's time. Sure you may be adding on work to your plate but the upside is, you can tack it on your resume:

Current company:
  • Responsible for the deployment and configuration of firewalls, IDS, IPS, etc.
  • Responsible for quarterly penetration testing and vulnerability assessments of "X network"


Although it may not be "otherworldly Godlike", it demonstrates you've dealt with security in some capacity which is something that HR types will take note of. Now the age old argument - to certify or to diplomafy. Going through the motions of school is something I've always had an issue with quite frankly because I have years of experience. If I had to go back to school, it wouldn't be for comp*anything. The thought of me going to school for four years in an industry where things change so rapidly would be wasteful. What could I learn in ONE YEAR that would be worthless by the time it came to implement it upon graduating? Whereas *many* certifications are more or less real-time and more up-to-date than the curriculum taught in a University.

I have personally seen far too many individuals sit through four years of college, slack off, drink too much, party hardy, sit around hands folded "yes sir", often passing knowing nothing at the end of the day. Whereas with the certifications, depending on which certs the holder possesses, someone has to take a lot of time and focus EXCLUSIVELY on knowing the content in order to pass. There is the *wink wink* "thou shall have N amount of years of experience before taking this cert" clause many organizations throw into the mix, so technically on the "professional level" certs (CISSP, CISM, CISA, CCNP, whatever professional level cert we're aiming for) someone is not going to pass any one of these exams without some form of focus or dedication. There is no "sit with your hands folded and be the teacher's pet" passing.

Outside of this, again, go back to the "real world" and "right now." University/College routes will teach you a framework/guide which is often outdated and of little use at the end of the day. This is not to say it isn't worth the time, but we're not talking about preparing taxes here or more statically defined topics. We're talking about an industry where one morning it's one thing and the next moment it's entirely different.

Personally, I'd take the time to focus on understanding security based topics such as COBIT, ISO 27001, OSSTMM, NIST documentation where at the end of the day, most of your education is highly targeted to the real world and not theoretical. I would also take the initiative to help create security in my current environment if there was no security practice in play. 1) You get managers to see you're taking initiatives 2) You get managers to see the dangers of NOT having security and they will understand the benefits of saving money from avoiding a compromise, virus outbreak, etc. 3) If you WERE allowed to create a security program, you would get to follow what you've learned (OSSTMM, COBIT, etc.) and understand things at your own pace - in a real world environment
<<

mallaigh


Jr. Member

Posts: 65

Joined: Fri Jul 16, 2010 12:36 am

Post Mon Sep 13, 2010 1:50 am

Re: How to pass HR screenings: load up on certs or go back to school?

Thanks for the awesome responses ziggy and sil.  I think you both said what I needed to hear and your opinions are greatly appreciated and respected.

ziggy_567 wrote:I will never tell anyone that more education is a bad thing, so if you feel like a second bachelor's degree is right for you, go get it! Have you thought of doing a Master's though? I did my master's in Information Systems after doing my Bachelor's in Anthropology.


Glad to know I'm not the only one here with a social science degree  ;).  I actually was looking at the MS in IS programs (obviously not here in California).  Are those more geared toward management types or do they cover the technical side too?  Either way it would probably be a good program, especially when it comes to getting your resume to pop up when some HR clerk does a database query.

ziggy_567 wrote:Personally...(and take this for what its worth)...I'd go the certification route first. As I stated before, I believe my certifications have gotten me in more doors than my degree, and right now it is tough to get a job regardless. Certifications are generally less expensive than degrees and are easier overall to get. In my opinion, you will get more bang for your buck through certifications than through the degree. Also, you said that you like your current job enough, so why not stick it out there earning some practical experience and self-studying for your "dream job?"


That is what I was thinking of doing, but those job posts kept making me second guess myself.  I guess hearing someone else say it is what I needed, thanks.

sil wrote:If your company doesn't have a security position there... Make it! Talk to management about the need for security in todays time. Sure you may be adding on work to your plate but the upside is, you can tack it on your resume:


There isn't a security position, and that sounds like a really good idea.  One of our systems admins punched a hole in the firewall to make something work and then said to me, "we shouldn't need that exception, but it works now" *face to desk*.  I found out our QA department doesn't actually do any web app testing, and the QA manager said I could do some web app testing (with my boss's approval).  I think I should take him up on that, experience pentesting is experience pentesting, right?  It could also lead to other opportunities within the company I would think.

I had a similar experience to what you describe.  In two years of school (studying CS), we studied more coding/computing theory than application of technique.  In those two years our assignments were to program the same things (linked lists, trees, hash tables) and study the theory behind what was happening and how to make code more efficient.  A lot of the theoretical/efficiency things I found intuitive, but I wanted to apply and study real world application of the techniques.  As a result, I switched majors.

sil wrote:Personally, I'd take the time to focus on understanding security based topics such as COBIT, ISO27001, OSSTMM, NIST documentation where at the end of the day, most of your education is highly targeted to the real world and not theoretical. I would also take the initiative to help create security in my current environment if there was no security practice in play. 1) You get managers to see you're taking initiatives 2) You get managers to see the dangers of NOT having security and they will understand the benefits of saving money from avoiding a compromise, virus outbreak, etc. 3) If you WERE allowed to create a security program, you would get to follow what you've learn (OSSTMM, COBIT, etc.) and understand things at your own pace - in a real world environment


I really like this.  Like I said, there aren't security focused positions.  A lot of times, I get the impression people are trying to keep things running more than worrying about the possibility of being compromised.  When I started, a lot of users had to disable components of their AV to be able to do their job.  When it came time to renew our AV subscription, I convinced my management to switch to a different protection (saving the company about $1500 and adding features like HIPS which our old protection hadn't implemented yet).  Come to think of it, I already have the ball rolling and I just need to run with it.

sil and ziggy_567, I owe you one and I greatly appreciate it.  
Last edited by mallaigh on Mon Sep 13, 2010 1:53 am, edited 1 time in total.
<<

former33t

Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Mon Sep 13, 2010 1:09 pm

Re: How to pass HR screenings: load up on certs or go back to school?

Pardon me while I throw a fly in the ointment.  My response won't hold a candle to Sil's (as usual, awesome post Sil), but I have to say that depending on the job you want there IS a right answer.  If you are looking for a federal government job or a job working as a contractor to the federal government, get a four year degree (I see that you have a BA so you are probably okay).  The feds love a four year degree.  I don't know what it is, but they see it as important.  Because feds approve contracts coming in the door, contractors like to say X% of my people have 4 year degrees.  It's part of the game (I'm writing this as much for people interested in your question as for you since you already have a degree).  The actual major doesn't matter much.  Underwater basket weaving is okay.  Order of preference goes BA in anything->BS in something->BS in something relevant->MA->MS in something->MS in something relevant.

After a degree, your first cert should make you DoD 8570 compliant.  This is the second (or sometimes the first) thing contractors put in their bid package and the second thing fed job screeners check for. 

After that, get some experience.  It's a sad state of affairs, but that's the way it is.  I've been dealing with it continuously since 1995 and I consistently have a hard time finding the most qualified candidate since HR sends me people who pass screening (based on the fairly arbitrary criteria above).

Bottom line, go get Security+ or CISSP (associate since you don't have the experience) or anything else on the DoD 8570 matrix.  More than anything else you can do (for the level of effort) it gives you the biggest boost in employability.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
<<

ziggy_567


Sr. Member

Posts: 379

Joined: Tue Dec 30, 2008 1:53 pm

Post Mon Sep 13, 2010 3:36 pm

Re: How to pass HR screenings: load up on certs or go back to school?

@former33t

It's not just the feds that prefer 4-year degrees. I worked for an Engineering firm a few years back that basically put a glass ceiling on all non-degreed employees. A college grad could come in making more than a non-degreed employee with 10 years experience! It all goes back to, "It depends."
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
<<

former33t

Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Mon Sep 13, 2010 5:54 pm

Re: How to pass HR screenings: load up on certs or go back to school?

@ziggy,

That's unfortunate.  I understand it when it's the feds doing it (I stopped trying to explain any craziness years ago).  When it's the private sector, I lose a little of my hope in humanity...
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
<<

Ketchup


Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Sep 13, 2010 9:23 pm

Re: How to pass HR screenings: load up on certs or go back to school?

I wanted to piggyback on what Sil said about job descriptions.  Quite often, they are indeed written by those who don't understand the position.  I also see quite a few instances of a very targeted but almost impossible list of qualifications, obviously written by those you would be reporting to directly.  I have done this myself, not realizing it.  Quite often, you will see technical managers throw everything, including the kitchen sink, into the job description, hoping to land the perfect candidate.  However, most are willing to sacrifice at least some items from their wish list.
~~~~~~~~~~~~~~
Ketchup
<<

mallaigh


Jr. Member

Posts: 65

Joined: Fri Jul 16, 2010 12:36 am

Post Tue Sep 14, 2010 1:44 am

Re: How to pass HR screenings: load up on certs or go back to school?

Thanks for the great responses former33t and Ketchup.  I would say everyone has brought up valid points in helping me figure this out (and hopefully other readers).

former33t wrote:Bottom line, go get Security+ or CISSP (associate since you don't have the experience) or anything else on the DoD 8570 matrix.


Sounds like a good idea.  Like I said, I plan on CCNA Security, LPI, and Security+ to start, and then maybe go for C|EH (because of the 8570 thing) and CISSP.  I would think SSCP then CISSP, but CISSP seems to get the name recognition.  Some of my fundamentals are a little rusty/out of date so I wanted to go back and bring those up to par.  That's why I thought CCNA and LPI sounded like a good idea, plus I was studying for CCNA a long time ago and don't even remember why I stopped.
