Dear CertMag is a weekly feature that addresses common questions about certification and related IT issues. Have a question? Send an e-mail to editor (at) certmag (dot) com.
Dear CertMag: I’ve been using and messing with computers since junior high school. I tried college for a couple of years, but it just doesn’t work for me. I just got my A+ through CompTIA. I like figuring out security problems. I think I’d like white hat hacking. Where should I go from here? There seem to be a lot of different security certs. A friend told me I’d be better off just teaching myself a couple of programming languages and taking a learn-by-doing approach. What do you think? What’s my next step?
— Jem Skerrit, Fort Wayne, Ind.
Information security is a great area of focus; the demand for security professionals will only become more intense as the amount of information (and the number of systems that consume it) continues to proliferate throughout our society. One of the core principles of working on the “white side” of security is that you have to understand the “dark side.” I am certainly not espousing getting involved in illicit activities. Rather, if you look at the best security professionals out there, you will see a whole body of hands-on experience with information platforms that bridges the gap between academic interest and employable professional.
The A+ credential is a foundational element that essentially tells an employer you can do basic tech support. Your first step is to start building your portfolio of experience in the computer field. Ask potential employers (or your current employer) how their career model allows you to specialize in a given area of IT. Many organizations larger than a small business have some way to “move up” from an A+ type support function into other areas like administration, security, etc. At a minimum, you need to gain some experience at the administration level; that is the applicable base of experience on which security skills are built.
As a professional who left college early myself, I can tell you that today’s information technology industry is not the same one that the security folks I learned from came up in. I was fortunate enough to work with folks who started out in the BBS days and stayed relevant by applying their collective experience in the broader security world to things like industrial SCADA systems and transaction processing.
Those same professionals, without the decade or two of experience they can now bring to employers, would probably need a good deal of luck to land an entry-level position and connect with the security roles that would leverage their skills. Whether we like it or not, the burden of experience one has to bring to an employer to overcome the lack of a degree is higher than ever, assuming you aren’t simply screened out at the resume stage for not meeting the educational requirement in the job posting.
The game plan, then, becomes about experience. By all means, study in your spare time. If you can manage to do so along the way, start putting aside money for training. Offerings from SANS are some of my favorites to get the core foundation that one needs in security. Security is a hot skill, and quality training (even foundational training) is not inexpensive! (ISC)2 accredited courses aligned to the SSCP certification are probably a reasonable lower-cost alternative.
One piece of advice: Pure penetration testing jobs are relatively few and far between. They require experience and a certain degree of talent. You may find analysis, forensics, or intrusion detection to be easier career paths to pursue.