
Mid career transition to infosec

JohnnyCache (Starting Defense, Place at the table) Registered User regular
A little history about me: I work in the technical side of mining and geology. I don't have a degree. I recently decided to rectify that, and now I'm really being seduced by the (only tangentially related) career field I chose to finish out, my long-stagnant degree in CS/IT/infosec.

Yesterday was one of the brutal days at the ol' salt mines. (They're literal salt mines.) I don't know that any job is any better, really. They're all gonna be work, they're all going to have politics. But there's something about working in mining that feels like it dulls me. I just don't believe in it. I don't believe against it, per se. I type this on a plastic computer with rare earth components and all that. But just as there's a difference between eating a single slice of meat and working day in day out in the slaughterhouse, life in the nation's dust bowls has ground on me in ways I can't easily encode. I also honestly just...don't like the places and people. I spend most of my time in Trump's America, and I'm fucking over it.

I do actually believe in a better internet. It destroys me to see the greatest technology since perhaps steel or penicillin destroyed by angle-shooters and outright thieves. Not to mention, I've slowly turned into more and more of a privacy and 4th/1st amendment advocate over the years.

I worked as a content editor/CMS trainer for a short time and I keenly felt the rust on my tech skills. I also felt a lot of interpersonal frustration at not having a degree. I self-sabotaged because I felt like I'd talked my way into a job someone else should have had.

I viewed returning to the mining sector - I work in mining telemetry and instrumentation, doing field measurements - as a slinking retreat. On paper? Not so much. I make decent money, albeit at the cost of a conventionally structured personal life.

I started with this degree on a lark. It was relatively cheap, it filled a gap in my ego - the real, main reason - and it would make me a better management candidate where I am, not to mention easing visa issues and making me more eligible for high paying international trips. It's online, but it's not one of the big for-profits, it's a regionally accredited BS that also delivers a number of IT certs at roughly the cost of community college. It's not MIT, but it's enough to get me through an automated HR filter and to say "yes" with a clean conscience when asked if I have a BS. I'm pretty comfortable with the ROI on the degree program regardless of whether I make this transition...a single summer consulting trip to a Spanish gold mine I couldn't get a visa for before would justify the expense. And also be in Spain.

And now? I find myself actually wanting to use this degree if I finish it. The infosec sector was what I was most interested in when I was an undergrad, but at the time specialized curriculum in it was rare and out of reach.

I'm 36. I'll be at least 37 when I finish. Wrenching a career train from track to track at that point seems ... monstrously hard. I've seen people career hunt in their forties during the recession and damn that is grim. That is a grim prospect.

And yet... I don't feel my age. I don't feel conspicuously youthful, but I don't feel the kind of stodginess that is supposed to set in, either.

I also have a small footprint. No kids, renter, not even a live-in SO. 36 a year is all I would really need to live, in all honesty, but I have enough of a professional ego to shoot for a little more.

I wish I could say I've kept up with IT in the intervening years, but except for day to day practicum - fixing mom's computer, hooking up a new printer at work, etc - I really haven't. I sort of...walled that time off. I was pretty damaged by dropping out of school. I kept up with news of great big hacks and tech generally, but I guess what I am asking, in the discursive fashion of those being and feeling vulnerable, is what do I do to move my career?

Some suggestions I've already received include

Join a local hackerspace (have actually done this, it seemed fun regardless)

Publish work, i.e. a phone app or similar

Contribute to an open source project, especially one on git, doubly or triply valuable if it's a submission to metasploit, nagios, or something in that tier.

Leverage industry knowledge in one of the three industries I've worked in with specialized IT:
Casinos, mines, or broadcast.

Finally, most intriguing, but also seemingly most pipe-dreamy: round up some capital and start my own shop, hiring rather than competing with those young, brilliant graduates.

I'd love your thoughts on those suggestions and any other general or specific ones any of you can drop on me, particularly if you work in that field.

Posts

  • Great Scott (King of Wishful Thinking, Paragon City, RI) Registered User regular
    Moving into IT is daunting, but it can be done. Since every situation is a bit different and things tend to change by locality I can only give generalized advice.

    1) You will need to get some kind of certification (at first a general one, and later a more specialized cert). You should probably start this process before you begin to change careers.

    2) Most every path in IT that doesn't start from knowing/being friends with a hiring manager begins with phone (or local) tech support. It almost doesn't matter which specialization you are going for, things start with low level tech support. If you have any issues being on the phone with idiots all day, it's best to work them out.

    3) You will quickly see that advancement out of tech support positions is needed and requires a specialty. It's needed because people that do it for too long (more than a few years) are seen as people who can't do anything more, and all other IT jobs require that you pick something specific and get a certification for it.

    You can see this if you look at job postings online that aren't written by HR hacks. They will say something like "5 years WAN experience with Brocade routers and CCNP or equivalent" - getting a job will involve being a great fit for it to begin with, which is something of a chicken-and-egg problem (I solved this myself by getting the certifications for the position I wanted before applying).

    Industry knowledge is a good shortcut if you have it. Many people can do helpdesk-level IT, but you can generally avoid some of the technical requirements for positions if they are in the industry you know.

    In particular, casinos are frequently looking for IT people because they are super high turnover; casinos have a reputation for long hours and low pay and they typically live up to it.

    Another thing that I can say is that if you haven't done the job yet yourself, it's super hard to break into being a manager/business owner. I'm not sure how much experience you have already from your post but I think you should get some (current) experience before starting something up.

    I'm unique. Just like everyone else.
  • JohnnyCache (Starting Defense, Place at the table) Registered User regular
    Thanks for the reply

    I have about 7 years experience in bidding and conducting audits, but they're QCs on geophysical processes done with proprietary sensors, not pentests.
    Obviously slightly different creatures, lol.

    But in terms of client development, outside sales, bidding, billing, etc, yeah, I have a lot of soft skills.


    I have some help desk experience but it's stagnant...about 8 years old...I have about a year of management and training of CMS authors. Which SHOULD count as help desk. Jesus. I never thought I'd meet a grown ass man who couldn't log in to WordPress but I have in fact met many.

    Phone morons literally don't bother me at all. Work in a couple coal mines and your malaise regarding public interface gets coughed right out.

    The program I'm in will graduate me with ... at the very least, depending on some options later on - a minimum of an A+, Linux+, Net+ and Sec+...I'll probably have a PWK/OSCP if I take the options I'm looking at, maybe a couple more if I feel like grabbing them on my own.

    I'd for sure want to work someplace for at least 18 months before I started my own shop.

    I currently live in an area with a LOT of tech sector growth and have no real problem relocating.

  • xraydog Registered User regular
    I don't have any advice that can help you but just want to say good luck and stay positive.

    I'm in a similar situation. I'm miserable in my career and looking for a way to transition out. It's very scary because you have to step away from the comfort zone you've spent so much time and effort developing. But it's just not worth doing something day in and day out that makes you feel like shit. You start to wonder if it was all just a waste of time. But it's not. Everything is a learning experience that helps you grow.

    I'm sure if you're passionate enough about it you'll be successful. Best of luck.

  • JohnnyCache (Starting Defense, Place at the table) Registered User regular
    edited May 2016
    xraydog wrote: »
    I don't have any advice that can help you but just want to say good luck and stay positive.

    I'm in a similar situation. I'm miserable in my career and looking for a way to transition out. It's very scary because you have to step away from the comfort zone you've spent so much time and effort developing. But it's just not worth doing something day in and day out that makes you feel like shit. You start to wonder if it was all just a waste of time. But it's not. Everything is a learning experience that helps you grow.

    I'm sure if you're passionate enough about it you'll be successful. Best of luck.

    Thanks. The weird thing is, I like certain aspects of my job, but there's a weight to ...despoiling shit. Going to some beautiful place and cutting the tops off the mountains. The first part is fun! And I don't actually see the second part, until I drive by a year later.

  • Great Scott (King of Wishful Thinking, Paragon City, RI) Registered User regular
    If you're in a high growth area that's great news - it means that you should be able to start your own shop without too much friction. It sounds to me like you have all the business skills you might need.

    Keep in mind that tech support (in the "I broke my PC/Laptop" sense) is going away, as both Windows and PC hardware are simply getting more reliable. What this means is that you're going to need to maintain a larger customer base than you would think.

    In fact, that's how I got out of being self-employed; simply finding new customers became a full-time job, and then the only job. It just didn't pay (for me). Of course the mid-Atlantic area was terribly saturated for IT at the time.

    I'm unique. Just like everyone else.
  • JohnnyCache (Starting Defense, Place at the table) Registered User regular
    edited May 2016
    I'm pretty focused mentally on pentesting/security. I don't hate the idea of helpdesking, per se, but if I did it, it would be to get a sense of an organization, pursuant to the acquisition of a more specialized position.

  • schuss Registered User regular
    The nice thing about infosec is that it changes constantly, so you can definitely jump right in. I would shoot for something like an entry-level infosec analyst, as often they need some people to do the grunt work of setting up and executing the tests.

  • Great Scott (King of Wishful Thinking, Paragon City, RI) Registered User regular
    edited May 2016
    Sorry JohnnyCache, I didn't realize that you were going to focus on that right away; I thought that you would work toward it over time. In a way this is a good plan, because it's super-hard to obtain Network Security jobs by working your way up; typically past experience on the resume (normally a good thing) shows job duties that don't relate closely enough to Security.

    If you're going to jump into that field right away, you're going to need working knowledge (not necessarily certification, although that will help) with mid-level networking and at least high-level *nix server administration. Even if the jump-in/entry level analyst job doesn't require this area of knowledge it will help tremendously.

    As for the certs, I'm not sure which is on top at the moment, but you're going to want one of either EC-Council LPT or GIAC GPEN. I'm going to also assume that before you look into those you get the CISSP cert, which isn't super technical (it's mostly memorization/procedure).

    I'm unique. Just like everyone else.
  • JohnnyCache (Starting Defense, Place at the table) Registered User regular
    I am also kind of wondering what job title I might look for if I want to be an apprentice sysadmin. In my area, there's lots of calls for help desk, and lots of calls for admin IIs and up, but the step in between seems more obscure. Or I'm not feeding Google the magic job title.

  • schuss Registered User regular
    Security Analyst is what we call it in my company, but sysadmin as well as IT or Systems analyst would also get you in the right ballpark.
    A big first piece is being in a dedicated IT organization (not Business side), as simply knowing how that works is huge for making moves.

  • JohnnyCache (Starting Defense, Place at the table) Registered User regular
    Thanks, all, for taking a minute to help me untangle all this.
    When you say "dedicated IT organization," you mean be in the elbow-deep IT side of the building, not work for someone who only does IT for third parties, right? Just checking my read.

  • Great Scott (King of Wishful Thinking, Paragon City, RI) Registered User regular
    edited May 2016
    I am also kind of wondering what job title I might look for if I want to be an apprentice sysadmin. In my area, there's lots of calls for help desk, and lots of calls for admin IIs and up, but the step in between seems more obscure. Or I'm not feeding Google the magic job title.

    Johnny, one of the magic terms if you're looking for job descriptions / recruitment sites is "RHCE". Red Hat Certified Engineer is a tough cert but a lot of job postings for SysEng list it.

    This page (Red Hat): https://www.redhat.com/en/services/all-certifications-exams
    This page (SuSE): https://training.suse.com/certification/

    ... will probably give you a bunch of terms you can search on.

    Re: "Dedicated IT" - Consultancy (3rd party) IT organizations tend to be bottom-heavy because those are the kind of people that are more easily billable and have a lower salary. Not to say you can't find good jobs there, but they will tend to pay less and have more limited advancement. A better place to look for a learning IT position would be a company of >1000 people, where they have a separate IT department with its own area/building. Of course YMMV, this is just my personal take on it from 20 years in IT.

    I'm unique. Just like everyone else.
  • schuss Registered User regular
    Thanks, all, for taking a minute to help me untangle all this.
    When you say "dedicated IT organization," you mean be in the elbow-deep IT side of the building, not work for someone who only does IT for third parties, right? Just checking my read.

    In large corps you'll generally see a divide between "business" and "IT", often for separation of duties purposes. IT are the people who do the development, technical system work and support as well as look at the security side from a technical perspective. The business are the people who say "I need something that does X" and validate that items meet the needs of sales/operations etc.
    Some orgs (such as mine) have an additional layer of Business Systems folks who sit on the business side (in some companies the IT side) and translate user needs into items more digestible for a technical audience.
    In smaller companies the roles will be more blended, but for pure InfoSec, you're likely looking at Fortune 500 or 1000 companies that have specific needs relative to customer contracts, RFPs, general security practices and SarbOx.

  • Giggles_Funsworth (Blight on Discourse, Bay Area Sprawl) Registered User regular
    edited June 2016
    Go appsec. Arguably way the hell more growth for that than anything else going forward.

    Infosec is weird though, because in most places an entry level position would be a mid-level position in a different facet of IT as far as skills required.

    If I could start over absent poverty/the recession/homelessness I would get a CE degree and work as a developer for a while.

    Whatever path you take, start networking now. IIRC you're in SLC? There doesn't look like there's a citysec meetup, but it looks like you got a DC group among other things. Actually I think they had a big party last year at DEF CON so it should be pretty active: https://twitter.com/UtahSec

    Get on Twitter and start following some people, it is largely how people stay in touch.

    If there's any possible way you can make it to Vegas for BSides LV/DEF CON do so. If you're willing/able to volunteer for a few shifts at BSides they'll even give you a (shared) room for a few nights. It's a fantastic way to get to know a bunch of people really fast, and you get to provide a service to the community. If you're interested I can put you in touch with the organizers.

    Full disclosure I've been working in Infosec exclusively since the end of 2010. Been volunteering with BSides for almost as long.

  • JohnnyCache (Starting Defense, Place at the table) Registered User regular
    Yeah, the DC801/801labs guys have been super cool the couple of times I could make it to one of their things. I don't know what my time off situation will be like in August, but permitting I may just take you up on that.

    When you slice security less broadly like that = appsec, etc, what are the options and how do you break them down? Why is appsec the right answer? I'm not questioning that it is, I'm curious as to the thought process vs other subdivisions of security.

  • Giggles_Funsworth (Blight on Discourse, Bay Area Sprawl) Registered User regular
    It's mostly segregated between netsec and appsec. Netsec tends to include infra, etc. Physical pentests can be a whole other thing but frequently overlap more with netsec because a lot of that stuff requires you to be on-site.

    Appsec is what it sounds like, anything to do with software. The most available and probably easiest entry point is webappsec. In general it just requires a lot more finesse because of how many permutations software can take.

    In my experience netsec is much more tool assisted. There's a lot more network and sysadmin dudes wanting to do this than developers wanting to do security. It pays less, if you're a consultant (which you will more than likely be as a pentester) you will travel a lot more to really boring places whereas many if not most appsec engagements are remote.

    In general appsec will be an easier entry point because of the demand, and if you are able to take a couple years to work someplace as a developer first that'll get you past a lot of douchebag tech bros that demand everybody in an organization codes no matter how little sense it makes. Even when I was working full time as an application pentester the amount of time I spent coding vs. reading code, modifying code, or just jamming out a shitty little script to automate a form submission is extremely negligible, and they really aren't the same skills. I am a shit developer. I am a pretty okay pentester even though it hasn't been my thing for a couple years.

    These are obviously broad generalizations, if you are top talent in any area you'll make $TEXAS. I am not and don't really have a desire to be.

  • JohnnyCache (Starting Defense, Place at the table) Registered User regular
    I really just want to make $DELAWARE

    But you know, I'll always TAKE more if possible...

    Is bsides/defcon/blackhat a go to all you can thing or is one seen as an alternative to the other?

  • 3lwap0 Registered User regular
    edited June 2016
    @JohnnyCache

    Before we go too deep, I work in infosec, for a large and well renowned organization, and I am a manager. Hopefully I don't write confusing bullshit, but I'm looking at this from multiple perspectives. Forgive me if I dawdle.

    IMHO, Infosec is broken down into 3 domains, roughly. Applied Infosec, Research Infosec, and Red Team Infosec.

    Applied Infosec: These are your doers. They're Infosec trained sysadmins, developers, Security Operations Center (SOC/NOC) pros, or they're DFIR all the way. They're hired, or brought in as an MSSP to supplement a service or replace it. However you got there, whatever you do, they're the Blue Team. They might structure under an IT umbrella, but they don't schlep around monitors and answer help desk tickets - they work in lock step with IT to keep bad guys out, and make sure untrained assholes don't open up all the firewall rules to any/any, or commit self-inflicted stupid. Keep in mind, this encompasses a vast array of disciplines - from governance, risk, and compliance, to technical appliance installation and setup, and back around. These guys watch logs like a hawk, crack down on malware infections, and make sure that when Billy the Sysadmin wants to soar on the wings of his dreams, the only place he can land is the cold ocean of infosec reality.

    Red Team Infosec: These peeps are typically brought in for your pentests, appsec engagements, and legit 'attack' stuff. Sometimes they simply reverse equipment for bug bounties and CVEs, sometimes they go on client sites to test security, sometimes they're brought in to help developers understand security by beating the shit out of them via appsec. They're not necessarily there to be blue team, but the blue team always learns something from your red team guys - some facet of security they're failing in, or need to adjust. By and large, this is the 'sexy' part of infosec. Everyone wants to be a hacker. The hard truth is, to be really good at red teaming, you need to be familiar with a huge variety of tools and techniques, which are difficult to pick up in books or YouTube videos, and you need seasoning to be hired. I know a lot of guys who live out of suitcases who do pentesting for a living - and while it's never boring, it's a lifestyle all on its own sometimes.

    Lastly, Research Infosec: If your company sells a security product, this might be you. You might be putting intelligence into that product to shut down bad guys. You might be QAing specific functions of security devices, or benchmarking several devices. You might be crafting protection for new exploits that are on the tip of the spear, or you might be working for an organization that matches the efficacy of a genre of products. It's all vague sounding, I know, but if you ever get to go to RSA Conference, in San Francisco, there are 1500 vendors there pimping their security products, and I assure you, they aren't selling 1500 different things.

    Also, the OSCP is a 100% certified ball buster. I work in an office where everyone there practically has one, and it's nothing short of a Mike Tyson breadbasket haymaker in Infosec. It's probably the very top of the game for security certifications, and boy howdy, does it crush souls and dreams. It's very doable, but you'd better have your shit on A Game++ mode. It's no f'n joke. However, if you do have it, then that opens a lot of doors. Only dyed-in-the-wool killers have them, and it's got serious cred. Don't let it be intimidating to you - just make sure you know what you're getting into when you commit to taking it.

    As for blackhat/defcon/bsides - each has a role. Blackhat is training with some talks. Defcon is drinking, with infosec mixed in, and bsides is your local talent, and infosec pros, who have some cool stuff to discuss. All of them have value, but for you, the hacker space, local Infosec meetups, and Bsides conferences are a fantastic investment to network and get started in this business, and don't cost much at all. Maybe a SOC is looking for some entry level talent, or an Appsec firm needs someone to run Burp Suite Pro while the senior guys work on harder exploits for Appsec development. Who knows, until you start asking. Most of the guys n' gals at those meetups are pretty awesome, and always happy to mentor and show stuff. Make friends and hack the planet.

    So all of those things may interest you. I'm going to suggest a different tack to you - and let you ask some questions back. You mention mining and casino as a background. Have you given any thought to Industrial Control System security? Do you utilize SCADA products in your industrial job environment? If you combined that with infosec security, you'd be hitting a sweet spot in the hiring landscape right now. If not, don't sweat it - but it's just a thought. If you do, and have, PM me. I know people. Or just PM me in general, I'm here to help, mate.

  • JohnnyCache (Starting Defense, Place at the table) Registered User regular
    edited June 2016
    The security approach we take is usually a 300 mile airgap, lol.

    I work around a lot of stuff that's got to involve SCADA but it's not what I'm elbow deep in, I do a very weird mix of stuff.

    The red team lifestyle is probably oddly like the geology lifestyle, I'm not really scared of much.

    Edit: Looked at some of the OSCP material. It's fascinating, but it's ... down the road a bit.

  • Giggles_Funsworth (Blight on Discourse, Bay Area Sprawl) Registered User regular
    3lwap0 wrote: »
    @JohnnyCache

    Before we go too deep, I work in infosec, for a large and well renowned organization, and I am a manager. Hopefully I don't write confusing bullshit, but I'm looking at this from multiple perspectives. Forgive me if I dawdle.

    IMHO, Infosec is broken down into 3 domains, roughly. Applied Infosec, Research Infosec, and Red Team Infosec.

    Applied Infosec: These are your doers. They're Infosec trained sysadmins, developers, Security Operations Center (SOC/NOC) pros, or they're DFIR all the way. They're hired, or brought in as an MSSP to supplement a service or replace it. However you got there, whatever you do, they're the Blue Team. They might structure under an IT umbrella, but they don't schlep around monitors and answer help desk tickets - they work in lock step with IT to keep bad guys out, and make sure untrained assholes don't open up all the firewall rules to any/any, or commit self-inflicted stupid. Keep in mind, this encompasses a vast array of disciplines - from governance, risk, and compliance, to technical appliance installation and setup, and back around. These guys watch logs like a hawk, crack down on malware infections, and make sure that when Billy the Sysadmin wants to soar on the wings of his dreams, the only place he can land is the cold ocean of infosec reality.

    Red Team Infosec: These peeps are typically brought in for your pentests, appsec engagements, and legit 'attack' stuff. Sometimes they simply reverse equipment for bug bounties and CVEs, sometimes they go on client sites to test security, sometimes they're brought in to help developers understand security by beating the shit out of them via appsec. They're not necessarily there to be blue team, but the blue team always learns something from your red team guys - some facet of security they're failing in, or need to adjust. By and large, this is the 'sexy' part of infosec. Everyone wants to be a hacker. The hard truth is, to be really good at red teaming, you need to be familiar with a huge variety of tools and techniques, which are difficult to pick up in books or YouTube videos, and you need seasoning to be hired. I know a lot of guys who live out of suitcases who do pentesting for a living - and while it's never boring, it's a lifestyle all on its own sometimes.

    Lastly, Research Infosec: If your company sells a security product, this might be you. You might be putting intelligence into that product to shut down bad guys. You might be QAing specific functions of security devices, or benchmarking several devices. You might be crafting protection for new exploits that are on the tip of the spear, or you might be working for an organization that matches the efficacy of a genre of products. It's all vague sounding, I know, but if you ever get to go to RSA Conference, in San Francisco, there are 1500 vendors there pimping their security products, and I assure you, they aren't selling 1500 different things.

    Also, the OSCP is a 100% certified ball buster. I work in an office where everyone there practically has one, and it's nothing short of a Mike Tyson breadbasket haymaker in Infosec. It's probably the very top of the game for security certifications, and boy howdy, does it crush souls and dreams. It's very doable, but you'd better have your shit on A Game++ mode. It's no f'n joke. However, if you do have it, then that opens a lot of doors. Only dyed-in-the-wool killers have them, and it's got serious cred. Don't let it be intimidating to you - just make sure you know what you're getting into when you commit to taking it.

    As for blackhat/defcon/bsides - each has a role. Blackhat is training with some talks. Defcon is drinking, with infosec mixed in, and bsides is your local talent, and infosec pros, who have some cool stuff to discuss. All of them have value, but for you, the hacker space, local Infosec meetups, and Bsides conferences are a fantastic investment to network and get started in this business, and don't cost much at all. Maybe a SOC is looking for some entry level talent, or an Appsec firm needs someone to run Burp Suite Pro while the senior guys work on harder exploits for Appsec development. Who knows, until you start asking. Most of the guys n' gals at those meetups are pretty awesome, and always happy to mentor and show stuff. Make friends and hack the planet.

    So all of those things may interest you. I'm going to suggest a different tack to you - and let you ask some questions back. You mention mining and casino as a background. Have you given any thought to Industrial Control System security? Do you utilize SCADA products in your industrial job environment? If you combined that with infosec security, you'd be hitting a sweet spot in the hiring landscape right now. If not, don't sweat it - but it's just a thought. If you do, and have, PM me. I know people. Or just PM me in general, I'm here to help, mate.

    This is a good post and much better thought out than my 20 hours of sleep in the last week fuck this insomnia rambling.

    I do want to reiterate that netsec/appsec are usually siloed in larger consultancies. The boutique ones (that aren't shit) usually have a lot more multidisciplinary type people.

    BlackHat/RSA are a waste of money TBH. Unless there's really some sort of training you have to go to it's easy enough to crash the parties for networking, especially at RSA with a free Expo pass. BSides events typically happen alongside a larger event (BSides SF is to RSA what BSides LV is to BlackHat). BSides LV/BlackHat happen right before DEF CON so unless you can't stay for the weekend it really doesn't make sense to go to one and not the other IMO. Also, all Infosec conferences are for drinking.

    P.S. SCADA is such bullshit and filled with so many Charlatans right now (including the guy that maneuvered his way into stealing my last job (starting/managing the Infosec program for a medium-ish size company) but didn't understand the difference between fucking Public and Private IPs (he didn't understand why he couldn't do an nmap scan to establish our perimeter from inside our network). Jesus. Motherfucker had a PhD and a published book about SCADA but given his extreme ignorance I'm 90% sure the guy was a serial plagiarist).

    It is hot right now, but I don't know how long that will actually last.

    P.P.S. One of the two or three not useless companies with new ideas on the fringes of the RSA show floor I found a couple years back was manufacturing a device you could install inline before any SCADA device where all it did was monitor the voltage consumption, which after setting up a baseline is indicative of not only attacks but also early warning for failures, and other issues with the system. That was pretty fucking sweet, will try to dig up the dude's card later. Name and logo were terrible, believe it was three initials starting and ending with P. If those guys haven't already been acquired by somebody already in the network monitoring/SIEM business they almost certainly will be. It was such a blindingly simple and easy to implement idea.

    Giggles_FunsworthGiggles_Funsworth Blight on Discourse Bay Area SprawlRegistered User regular
    Oh fuck. Also if you ever make it to RSA or BlackHat definitely make it a point to visit IOasis. Consultancy called IOactive rents out an upscale venue for several days and there's free massages, food, drink, and they have their consultants as well as special guests (who are hot shit) giving talks and running roundtables. The content is almost always higher quality (or the same) content as RSA, BlackHat is a little better but it's been going more and more vendor con shit out with every passing year.

    3lwap03lwap0 Registered User regular
    The security approach we take is usually a 300 mile airgap, lol.

    I work around a lot of stuff that's got to involve SCADA but it's not what I'm elbow deep in, I do a very weird mix of stuff.

    The red team lifestyle is probably oddly like the geology lifestyle, I'm not really scared of much.

    Edit: Looked at some of the OSCP material. It's fascinating, but it's ... down the road a bit.

    ICS is one of my domain specialties. The reason I put it out there is that it's very hard to find someone who's touched and worked with industrial control systems, and is also infosec trained. Like, brutally hard, because I'm trying to hire them. Were it the case, it could propel you out of your problem quite easily I would think - but that's if you had the experience, and that's where you wanted to be career wise.

    @Giggles_Funsworth :( That sucks yo. I'm sorry you got upended by a douche. I assure you all SCADA dudes aren't tools. Still, :(

    Giggles_FunsworthGiggles_Funsworth Blight on Discourse Bay Area SprawlRegistered User regular
    3lwap0 wrote: »
    The security approach we take is usually a 300 mile airgap, lol.

    I work around a lot of stuff that's got to involve SCADA but it's not what I'm elbow deep in, I do a very weird mix of stuff.

    The red team lifestyle is probably oddly like the geology lifestyle, I'm not really scared of much.

    Edit: Looked at some of the OSCP material. It's fascinating, but it's ... down the road a bit.

    ICS is one of my domain specialties. The reason I put it out there is that it's very hard to find someone who's touched and worked with industrial control systems, and is also infosec trained. Like, brutally hard, because I'm trying to hire them. Were it the case, it could propel you out of your problem quite easily I would think - but that's if you had the experience, and that's where you wanted to be career wise.

    @Giggles_Funsworth :( That sucks yo. I'm sorry you got upended by a douche. I assure you all SCADA dudes aren't tools. Still, :(

    Oh, I know. It is a really big problem but because of the FUD factor and how much media it's gotten the past couple few years it is a natural breeding ground for snake oil salesmen. I definitely know some legit people in that space, but anybody claiming to be a SCADA expert right now gets extra scrutiny from me, like self-proclaimed threat, privacy, and crypto experts.

    Really it's just a problem with the whole industry though, TBH. Why I've been trying to switch from Red Team to Blue. I just wanna have my own little corner I strive to make better, no selling shit to anybody, no just breaking shit without really helping with remediation. If I stumble upon some rad processes that can help people be more proactive that'd be cool too.

    Unfortunately the job hunt isn't going great this time around. I'm in this awkward spot where I'm technically a senior level employee, by merit of solidly mediocre to good skills in just about everything except for directly working in IR or long term dev experience (came at things from a neteng/sysadmin background even though I accidentally appsec'd), but that's only really a hot proposition for smallish orgs that haven't the budget to hire somebody better than me for all the things.

    Additionally because of the HR nightmare way things ended and the inordinate amount of really positive initial interviews that have ended in static, I think my last place might be blackballing me. But I can't even prove a wrongful termination suit because in CA communication between employers and the EDD (unemployment people) is considered under administrative privilege, which is fucking hilarious considering the HR person from the large network appliance company that acquired us right after I started's official word on their danged form was that I'd "been disciplined and talked to previously, don't know exact dates" (didn't know them because I wasn't).

    I haven't fallen back on pentesting yet because I really liked my last role in the brief amount of time before it went completely to shit, and I became super disillusioned with that shit after a few years of doing it, not to mention getting laid off from two different companies because client's websites fell down while I was doing completely rote parts of my job because they were shit, but $CLIENT is more important than backing up your people when shit falls down from a hella throttled generally considered non-intrusive scan.

    Honestly despite fucking loving the community and being fairly involved in putting on a couple BSideses I am so fucking frustrated with the business aspects of the industry right now. I'm probably not in the best space for this thread right now.

    JohnnyCacheJohnnyCache Starting Defense Place at the tableRegistered User regular
    Lol. I could tell you about the oil and gas sector until you feel better. Have you ever seen a guy beaten with a pipe wrench over a payroll dispute? How much meth is hidden in the porno mags people keep in the porta potties at infosec work sites?

    Giggles_FunsworthGiggles_Funsworth Blight on Discourse Bay Area SprawlRegistered User regular
    Why do you think I haven't committed to something else. :(

    Pretty sure all jobs are terrible, at least this one I stand to make an impact in the world.
