Starting a Security Journey
I am a network administrator at a software company in Dallas. I would like to become a consultant for companies, helping them with vulnerable security issues. I was wondering what certification and experience route would be good for me to take.
— August A.
Hey, August! Lucky for you, in the United States, the Department of Defense (DoD) has issued a guideline specifically for those working in information assurance for agencies and contractors of the defense department. This might provide some of the opportunity keys you need to build your own career.
DoD directive 8570.01 sets up a compliance program so that anyone interested in working in the field for agencies and agency contractors has to comply with certain knowledge and reporting requirements. Specifically, they need to pursue certifications according to the type of work they do, and they need to have an on-the-job review on a regular basis, as well as some continuing education and training requirement.
There are potentially 400,000 jobs affected by this requirement, many of which are contract positions.So start small. Directive 8570.01’s Information Assurance Technical table specifies a Level I (general computing environment) technician needs to have one of these certifications: A+, Network+, Systems Security Certified Practitioner (SSCP) or TruSecure ICSA Computer Security Associate (TICSA).
As a practical matter, you probably have the knowledge of A+ or Network+. If you do not have either of those certifications, I would recommend the Network+, as it provides the basic networking knowledge that will be key to building your security skill set.
At Level II (advanced computing or network environment) lies Security+, which I strongly recommend because the process of studying for the exam ensures an individual has a strong, broad basis in each of the content areas that make up physical and IT security. Once you have Security+, you need to build additional experience, as well as study some of the deeper certifications in the industry. In particular, Security Certified Network Professional (SCNP) and SSCP come to mind.
Wayne has brought up excellent points: Work on building on your current experience and certifications. CompTIA’s Security+ is a great place to start. So, let’s look at trying to get some experience to put the certification knowledge into practice.
You mentioned that you’re already a network administrator. Depending on your current company, you might have a separate department dealing with network security, or perhaps security is one of your responsibilities.
If you do have a separate IT security department, I would approach your line manager or supervisor to arrange some job shadowing or job placement. Not only will this ease you into the world of IT security, but this route also has the bonus of increasing your job satisfaction and giving your company the ability to use you when it is short on IT security staff.
If it is the latter, and IT security does form part of your job role, I would recommend starting to implement some of your new knowledge gained from the certification program(s). Remember to never just implement a new setting into a live environment — try it out first on a test network. If you don’t have one, create one. This would not only let you test the security settings but also let you test other possibilities that aren’t related to security such as remote application deployment.
If these two options are unavailable to you, and you find it hard to find alternative paid work, you still have the option of volunteering. Although this isn’t everyone’s cup of tea, you might find it useful in the future.
Wayne Anderson is a highly certified system engineer course developer for Avanade, a global Microsoft consultancy. Ken Wagner is an IT network manager and part-time IT lecturer in the United Kingdom. He has lived in the United States, Asia and Europe. To pose a question to Ken and Wayne, send an e-mail to DearTechie@certmag.com.