
Career X-roads

Cyberecce

Newbie

Posts: 5

Joined: Mon Oct 08, 2012 8:23 am

Post Mon Oct 08, 2012 8:49 am

Career X-roads

Hi EH Members,

This is my first post after I have been lurking and reading this forum for a number of years.

I was hoping to get some input from you folk or guidance or just your opinion on my dilemma.

I have been working in IT for over 12 years now, approx 6 in Infosec (defensive). I am 31 years old and feel as though I have reached xroads. My current role involves operational, project and integration technical work in defensive security across various vendor products. I hold various technical vendor certifications but lack any formal education, i.e. bachelors, masters etc. I do however have the extra experience in years from not attending Uni which does count.

Now I have three challenges and will try my best to describe and outline them as best possible in number format. All three border very closely to one another and making a concrete decision on one will simplify the others.

1. Now at the point where I feel I need to either focus and specialise more in tech infosec, i.e. offensive security, or bridge the gap between tech and business and transition into a Sec Solutions Architect type role. I know these are very different paths, I do have very keen interest in offensive security which drives that thought however when I think 5-10 years ahead and take my age into consideration I contemplate the SecSA path.

2. Education or rather 'resume marketing'. Like I mentioned I do not have any formal education and it feels like a monkey on my back. But on the flip side perhaps not that important as I already have a career foundation and experience. Do I pursue a bachelors followed by masters in infosec or rather focus on getting say for example CISSP followed by OSCP and the likes. This also depends on which direction I decide to take in (1).

3. I am currently performing contract work for company x with good working environment and wage, there will be a push in the future to convert to perm which means lower wage. Also career progression at x is somewhat limited but it does have ++++. Currently in talks with company y, still tech position, perm with good wage, challenging environment both technically and politically, will be out of comfort zone compared to x. Now add a cat to the pigeon cage and say company z might be offering a SecSA position, also good wage but different path when comparing tech, defensive and offensive and business etc.

What can you folk recommend or suggest? Any insights into offensive role and your possible opportunities in later years vs SecSA. Also what about performing SecSA as profession but still doing research and offensive work in your spare time. So many thoughts and so little time to make decisions.

Would appreciate any feedback.

-cyberecce
cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Oct 08, 2012 9:07 am

Re: Career X-roads

A few thoughts on both options:

1. The Solutions Architect could be lucrative with the right company. However, they may require at least a BS, unless you have internal contacts at the company. You may also consider a Sales Engineer for a security company. SE's do very well.

2. There are a LOT of offensive security guys in the industry that don't have a college degree. (Some of the best in the field in fact.) The offensive role is obviously highly technical but can lead to things like directing a group of pen testers etc.

Another option to consider, since you're young, is to get into a company that has an education reimbursement benefit and just begin to chip away at your BS to get that "monkey off your back."

If you went the offensive route, you would then have the defensive skills AND operational skills which is a nice blend. You could take that into an SE role or SA role and probably have a little more pull if the job required a degree.

Just a few ideas.
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Oct 08, 2012 9:29 am

Re: Career X-roads

cd1zz wrote: 2. There are a LOT of offensive security guys in the industry that don't have a college degree. (Some of the best in the field in fact.) The offensive role is obviously highly technical but can lead to things like directing a group of pen testers etc.

I'd fit #2 - never took an hour of college. (Dunno if I'd rank myself with the 'best', but just saying it's definitely doable.) Definitely push forward, if it's what you want. cd1zz's points are good.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Oct 08, 2012 9:57 am

Re: Career X-roads

Welcome to the forums.

I see cd1zz responded while I was typing out my response. +1 to everything he said.

I think something else that you need to keep in mind is that offensive security requires more time dedicated to research, experimentation, etc. outside of normal working hours to truly be good at it. It's one thing to be aware of a vulnerability and mitigate it in some manner, but it's quite another to understand the technical details behind a vulnerability and be able to exploit it successfully. Granted, this is often made easier by exploitation frameworks, but I still think you need a broader and deeper level of knowledge compared to other disciplines within infosec.

The point  I'm trying to make is that if you're not genuinely interested in the material and treat it like a hobby, you're probably going to feel like you're working all the time and become overwhelmed (I guess you could alternatively just be a mediocre pen tester that relies on automated tools for everything as well). If you don't have any significant experience on the offensive side of the fence, register for PWB/OSCP and dive in. That's probably the closest experience you'll get to the real thing. $1000 and a few months of your time is a minimal investment when it comes to deciding which career path you'll be on for the next years/decades.

With the experience you have, the lack of a degree is probably not going to hold you back for a lot of positions. Experience seems to trump degrees and certifications over time. Granted, being strong in all three areas would obviously be ideal. I don't have a degree, and I know many others that don't. However, I think the fact that I have one in-progress helps fill that void to some extent.

Although, depending on how high up the food chain you plan to go, you may find the lack of a degree to be a limiting factor. It probably won't be necessary for a pen testing position, but senior management is a different story. You may want to look at a school such as WGU if you're looking to remedy that situation quickly. It seems to have avoided the stigma commonly associated with online schools, and it appears to be generally well-respected overall. You may also be able to earn some credit based on your existing certifications, and can work at your own pace.

You should do the CISSP regardless of what path you choose. It will open doors no matter what type of position you have. Even if it may not be directly applicable to your current/desired position (i.e. pen testing), you may find yourself in a position where your clients require anyone who works with them to have a CISSP.

Finally, if you find yourself in a position where you're going on to a masters, consider an MBA instead of an MSIS if your goal is still to bridge the technical/business gap. With your experience, you'll probably have limited returns in terms of actual education from an MSIS, and you'd still be in a position where all your credentials are strictly IT and infosec.

Edit: Oh, Hayabusa also responded before I could finish. That's what I get for making breakfast mid-post...
The day you stop learning is the day you start becoming obsolete.
Cyberecce

Newbie

Posts: 5

Joined: Mon Oct 08, 2012 8:23 am

Post Mon Oct 08, 2012 5:44 pm

Re: Career X-roads

Thanks cd1zz, hayabusa, ajohnson for taking the time to respond.

To clarify I think where I am at is at the decision point between SecSA and Offensive. Question is which would be the best way to accurately  distinguish which area I am more interested and passionate about?

Would it be a good idea to say for example enrol for the OSCP which would give me a realistic idea? I am accustomed to VA and perform these weekly as part of my job using both automated and non-means. However big difference between VA and Pentests as you all know.

I agree with you ajohnson, i.e. CISSP, and booked my exam for Dec'12 last week already. I sat the CISSP in 2007 and just failed with score of 640 so this monkey has also been sitting on my back for a number of years.

As for formal education I also agree with you all in that it may be a requirement the higher you move up the food chain, interesting thought, i.e. MSIS and MBA, I will investigate this further. What about a bachelors in a totally different line, like financial or accounting or criminology, would this perhaps assist in infosec 10 to 20 years from now, what are your thoughts?

Then onto my current urgency of making a decision from the opportunities at hand. Do I stay put at x or give y a go or wait for something from y...
unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Mon Oct 08, 2012 6:44 pm

Re: Career X-roads

If you're going to do a bachelor's get it in IT/CS unless you feel compelled to do something else.  Some employers are picky enough to want a directly applicable degree.  Do you have any college credits now?  If not, look for a community college where you can pick up your lower division requirements cheaply.  Don't pay an expensive private school thousands of dollars to take English 101 unless money isn't an issue for you.

At the MS level, you could go technical (IT/CS again) or get an MBA depending on what you want to do.  If you're looking for a CISO or CIO spot eventually, get the MBA.  If you want to stay technical or maybe do some lower-level management, get the technical MS.

Should you get a degree at all?  I don't know.

I was in a similar spot and I decided to go back to school two years ago. I'm finishing my BS in IT in two months. I'm also 31 and have worked in IT since I was 17.

There are a lot of ways to stay in the field and make good money without a degree, but it's a much harder road.  I work in higher ed and have some interest in staying in that area or possibly working for the federal government so the degree is a hard requirement for me.  Colleges and public employers usually have rigid hiring requirements so you'll get rejected for a lot of those jobs without the hiring committee ever seeing your application.  Some companies are more flexible, especially if they are small, but many aren't. 

On the downside, a degree may mean taking on a lot of debt if you don't have a tuition reimbursement plan available to you.  I'm paying my own way and I'm going to have debt so I need to move into a higher paying job in the near future or my family is going to have to tighten our belts.  In this economy, that's not a fun spot to be in.
BS in IT, CISSP, MS in IS Management (in progress)
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Oct 08, 2012 7:20 pm

Re: Career X-roads

I'd do a dedicated 60-90 days in the PWB/OSCP labs and take a stab at the exam if I were you. Compared to vulnerability assessments, penetration testing is a significantly more arduous technical activity. On the other hand, successfully owning a system is more rewarding than successfully applying a patch. Hard work has its rewards ;)

The nice thing about PWB/OSCP is that they force you to go out of your way to research and experiment, deal with serious time constraints (on the exam), and write quality reports. You can load up BackTrack and knock around a few vulnerable VMs in a home lab, but that's not going to mimic the real-world experience that you need to be evaluating.

In terms of degrees, I think the focus of your undergrad is not as important considering the amount of experience you have and assuming you'd go on to a graduate degree. I'll have a psychology degree if I ever finish it, and I've met CIOs that have done something like a theology BA prior to pursuing their MBA.

However, I don't see why you'd go out of your way to get a degree that's not directly related to what you're doing (unless you're already near the end of such a program). If a potential employer saw you were pursuing something like finance, he or she may assume you're only doing IT until you finish your degree and can move into that field. You may find people closing doors on you because they assume you won't be around very long.

You should pursue whatever you feel is most applicable at the moment. I wouldn't worry too much about how relevant something will be a decade or two from now. Things change so fast that most of what you learn, aside from core/fundamental concepts, will likely be largely irrelevant after that much time, regardless of what discipline you choose. You'll see that the most successful people never stop learning and keep up with change. The ones who see X certification or Y degree as a stopping point are the ones that get left behind.
The day you stop learning is the day you start becoming obsolete.
Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Mon Oct 08, 2012 9:01 pm

Re: Career X-roads

As far as your choice between SecSA or Offensive Security. First ask yourself, what do you like doing more? Fixing things or breaking things? If you are a fixer/builder then you may want to stick to the path of SecSA. If you like to break things, then on to the role of the pen tester.

Now I think, if you want to truly be great at the SecSA role, then learning more about how to break things will only add to your arsenal as a SecSA. Training in Offensive Security will give you a deeper understanding on how attacks are carried out. You can then take that information and use it toward your architecture projects. Besides defense is hard, and we need more able-bodied engineers to build us better solutions or help us use the stuff we already have (which is my personal mantra).

As for the degree, well ajohnson is right. If you want to go for a senior management position some day, you will probably need that degree and if you can get a position that will pay for it, then that will be a bonus. Depending on if I plan to stay at my current job, I may consider their education program and get a masters in IS. If you have a good amount of job experience, there are some programs that will use that toward credit and may not require you to take all those underclassmen requirements like history and such.

Good luck with whatever you choose and keep us posted on your endeavors.  Welcome to the boards!
Certs: GCWN
(@)Dewser
cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Oct 08, 2012 9:19 pm

Re: Career X-roads

Take ajohnson's idea of trying out PWB. If you "get the bug" and can't stop working on it, you'll probably love the offensive side for awhile. If you don't absolutely love it, it's probably not for you. This offensive side has to be more of a "jobby" instead of just a job to keep up with everything.
Cyberecce

Newbie

Posts: 5

Joined: Mon Oct 08, 2012 8:23 am

Post Tue Oct 09, 2012 8:02 pm

Re: Career X-roads

Thank you all for the input.

I will update my post once I have made my decision ie. direction and my plan forward.

Couple things I am considering;

- Complete CISSP regardless
- OSCP regardless
- Formal education depending on decision
Cyberecce

Newbie

Posts: 5

Joined: Mon Oct 08, 2012 8:23 am

Post Thu Jan 03, 2013 4:33 am

Re: Career X-roads

Gday All,

Happy new year and all the best for 2013 to all the EH members.

Just an update on my post it's been almost three months since my post and I have procrastinated ever since and been sitting on the wire so to speak without any movement.

What did happen is I turned down the one permanent offer I had on the table and as such pretty much burned that bridge even though it was not my intention. I am still performing contracting work as before for the same organization and my contract is still good for another 5 or so months.

I need some more guidance or advice please.

I just had a look again at the OSCP curriculum and I am wary of the time I have left on my contract.

Now let's say I have 5 months of employment left and then potentially need to approach the market, what should I do?

1. Use the 5 months and obtain the CISSP (good for marketing)
or
2. Aim to complete and pass the OSCP exam.

I am considerate of the time limit (5 months) and as such doubt (1) and (2) would be obtainable.

With me still leaning towards a more offensive security career which would place me in a better position to find employment.

With my experience would potential employers hire me for an offsec role with only an OSCP?

And then also what are your opinions on doing the OSCP vs self study (up skill) I know OSCP would be more structured in laying the foundation towards offsec career.

Any help and input would be appreciated. I feel so lost and depressed about it all.

Thank you for reading.
Last edited by Cyberecce on Thu Jan 03, 2013 4:35 am, edited 1 time in total.
don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Jan 03, 2013 10:54 am

Re: Career X-roads

Do it!!


Do it all. Use today and tomorrow to get your brain, your current contract job and everything you need settled in order to get started Saturday morning. Have a nice meal Friday night as your celebratory meal on the start of your new life. Don't go out. Don't stay up late. Get a good night's sleep and get up Saturday with a purpose of a thought locked in your head that this is it. This is your time.

As for planning, which exam are you most prepared to pass right now? Do that first, update your resume and let that good feeling sink in. Use the new updated resume with a new cert and also be sure to add to your resume that the second is in the works. Get it out there to start the wheels turning immediately for new job prospects. Even better if you can pick the company of your dreams, find out what they have available, and market yourself to that company and that specific job. Be the one in charge of your career. Don't just take what is available. Go get what you want.

Have another celebratory dinner, take a couple-day break, then the next step is to make your plan to finish the second. Stick to it. You're more than halfway there.

Stick around EH-Net, let us know your plans and how you're proceeding. Trust me... we're all here for you and will push you when you need the extra energy.

But make no mistake. This is YOUR decision. After all, it is YOUR life.

Do it!!


People say life is short. It's not. If you focus on accomplishing something every minute of every day, you'd be amazed at what can be done. Even if a minute is spent resting your brain or going to the bathroom, it's a minute planned with purpose for a positive outcome. Believe it or not, every minute in your life already has purpose. But is it positive? Is it pushing you to be your best? Is it a minute that you let be determined by others or circumstance? Either way it has purpose and you chose it. Now it's time to choose everything based on a positive outcome.

People have made billions in the span of just a few years. That's empirical evidence. Amazing things can be done and will continue to be done. The only question is whether it's you or not.

Do it!!


Don
CISSP, MCSE, CSTA, Security+ SME
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Jan 03, 2013 12:08 pm

Re: Career X-roads

Can I add something?

Don't focus on certifications or courses only to get a job. Do what you LOVE and putting time and efforts will be easy. After a while, you will become very good at it and then, the jobs will come.

I have had many students in my programming classes before that were only there to get a job (I don't mean that's your case by any means!!) and they all did poorly. But I always had one or two per class who really loved it and before you knew it, they were the best in the class. It was so obvious at the end who I would hire...

I have a bachelor degree in computer science and now 5 certifications. But I still spend about 90% of my time working as a Java architect and I am fine with it. I already know that I need more experience in IT security and I am trying hard to do just that. But for me, studying pentesting is like playing an addictive video game: I can't get enough!

So do what you love the most in life and you will become the best at it. Don't do anything just to get a job (apart from CISSP ;D)

And like Don said:

Do it!!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
Cyberecce

Newbie

Posts: 5

Joined: Mon Oct 08, 2012 8:23 am

Post Thu Jan 03, 2013 7:04 pm

Re: Career X-roads

Thanks for the motivation Don and H1t M0nk3y!

I really appreciate it. 2013 is the year that I need to find my direction and be more positive and results driven.

I have just re-scheduled my CISSP for the 2 April 2013. That gives me more or less 12 weeks of preparation.

I will keep updating my post as I go.

thanks again.
don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Jan 03, 2013 7:16 pm

Re: Career X-roads

Excellent!

Don
CISSP, MCSE, CSTA, Security+ SME