+1 on the font change, not just you Mick
On Wed, Sep 8, 2010 at 11:34 AM, Robin Wood <[email protected]> wrote:
> On 8 September 2010 13:28, Josh Little <[email protected]> wrote:
>> So, I've been trying to leave my job of 11 years for a dedicated security
>> position and have had little luck. I've had one set of interviews, where I
>> was passed on for what may have been team personality issues - no big deal,
>> these things happen. But I can't keep but wonder if there is something I'm
>> missing - well, I know there are things missing, I just don't know how big a
>> deal they are. What advice would you guys give me, given the following:
>>
>> - I've got some 13-14 years IT experience, with 11 of that being in the
>> enterprise sector in the advertising industry. The experience is across the
>> board - helpdesk, operations, network & infrastructure administration,
>> security, and web application work. The past 4-5 years I have tried to
>> specialize as best I could in security, while also being required to perform
>> the tasks of a network administrator, network engineer, voice engineer, and
>> "digital/web guy". Our entire network operations team is only 5 guys for an
>> entire multi-site enterprise operation, so I cannot just work in one area.
>> This is the main reason why I am looking to leave - the breadth of work
>> experience has been helpful in doing the security work, but I want to be a
>> dedicated security person, not an NA that also kinda does security. Also,
>> our operation (and our industry in general) is not terribly concerned with
>> security for cultural reasons. We have very little management buy-in for
>> security initiatives. Even after incidents occur, management may be
>> concerned for a month or so before slowly ignoring the controls put in place
>> to help prevent another incident.
>>
>> - I've "concentrated" on intrusion detection, network analysis, incident
>> response, and web app testing. This has mostly been out of necessity, as
>> these have been the areas most needed at my current job. I've dabbled in
>> other areas of security, but these are the ones that I get the most exposure
>> to. My skills are, I believe, decent but not awesome. They are decent enough
>> that I can reliably find compromises, explain why the machine is to me
>> considered compromised, find the source of the compromise, and determine to
>> some level how it came to be that way. I obviously don't know if I am
>> missing anything - I may just be able to find the bottom rung of owned
>> machines. Therein lies problem number two - I have no one to compare myself
>> to or learn from. The security program at my current place of work was
>> developed pretty much by me and no one else there has a strong security
>> background beyond the basic security concepts. I listen to PDC and most of
>> the other security podcasts and have no trouble following along and taking
>> what is said and applying it back into my own organization, so I know I'm
>> not just a clueless n00b, but I have no benchmark by which to compare
>> myself. I've signed up to the Security Mentors program, both as a mentor and
>> a mentee, but have heard nothing back from them. There are a couple local
>> groups that meet - one is attached somehow to U of M in Ann Arbor (40
>> minutes away) and meets on a college student's schedule. I'm looking into the
>> local Infraguard chapter.
>>
>> - I have no certifications or special training. Everything I know I've
>> either learned on the job or taught myself. My job will not pay for security
>> training for me and I've found the cost of most training to be outside my
>> budget in the past. Would you consider this to be a big minus? If so, where
>> would you suggest I start? I'm not looking to spend a year + taking classes
>> and earning certs, mainly because I don't have the time or money to do so,
>> but if there was one, possibly two classes to take what would you suggest?
>>
>> I think I've got a lot going for me. I've gathered a good sense of business,
>> something that a lot of younger security guys don't have. My skills are
>> good, though just how good I'm not sure. I'm at the "strong" part of my
>> career (I'm 35), but I just want to make sure I take it in the right
>> direction. It's now time for me to make that next step, but I'm not really
>> sure if I'm in the position to do so. Let me know what you guys think.
>
> Get into the community, write a blog, create some tools, do some
> research and publish a paper. Keep at that and get a name for yourself
> while you are waiting, then when you go for an interview you'll be
> able to show you have an interest beyond just more money. And if you
> don't know where to start pick an area you are interested in and look
> at that. Get into it and ask questions then maybe write up the answers
> and publish on a blog. If you've had to ask them then other people
> will have had to as well.
>
> As for training there are loads of videos, slide decks and other free
> stuff out there. Download the last Shmoocon/Toorcon/Defcon videos and
> watch those. IronGeek does loads of free training videos on his site.
> Again, if you get an interview you can mention the things you've seen,
> something as simple as "yes, I saw X do that on a Y con video" would
> mark you out from someone who was putting effort in.
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
