Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

  • matt@infosec.pub
    1 year ago

    I’m not sure if this is the right venue for this question so please let me know if that is the case – happy to ask elsewhere!

    I’ve been in various IT roles for the past 10 years and seem to have gotten stuck in a support capacity. My career goal is to be more of a DevSecOps or Security Engineering role but I honestly can’t get the time of day with an interviewer. I’ve got experience with programming, cloud infrastructure, web application security, and am currently going for my CKA but I don’t have a ton of experience “on paper”. Most of my experience is either me doing things myself to further my knowledge or taking on security things within my current role – for ex. in one support role I did a web application penetration test to make sure there weren’t any gaping holes before we deployed it.

    How can I make sure that I have the right experience down on paper for when I’m applying to roles? Has anyone here “broken out” of a support role into security? What was your experience with it? I also have a lot of interest in doing research work and I know this can dovetail with the two roles I listed above but maybe I need to focus on the core ideas of those roles more?

    • shellsharks@infosec.pub (OP, M)
      1 year ago

      This is what I made this playbook for. This will always vary from hiring team to hiring team but for me I look for practical skills/experience & the desire to learn more. Enthusiasm is easily mastered for interviews but proving your skills is harder. Fortunately, there are lots of ways to demonstrate your capabilities, many of which I talk about in the playbook. I’m not saying it’ll be easy, because for w/e reason this industry still hasn’t figured out how to not gatekeep for one reason or another but I think you’ll make it easier on yourself by focusing on practical, demonstrable skills and documenting them. Hopefully that helps!

      • matt@infosec.pub
        1 year ago

        Awesome! I really appreciate your help and will absolutely start going through this and what my resume looks like.

        Also, right?! How is it that an industry that already has a deficit of security personnel is so damn hard to break into?!

  • gamencode@infosec.pub
    1 year ago

    After being a red teamer for nearly 5 years I’m not sure I want to continue doing the job, I feel like I could be amazing at IT but also that it isn’t nearly as glamorous or pays enough.

    I thought about DevOps but that also seems to not interest me enough… Maybe security Researcher? I dunno

    • shellsharks@infosec.pub (OP, M)
      1 year ago

      I’ve found the good $$ is finding just a good ol’ “security engineer” title somewhere (most likely a tech company). If your title is “red teamer” or “pentester” and you’re not at a well-paid boutique consultancy you’re likely being underpaid compared to what you’d get on the engineer track. Where have you applied before/recently? Right now is a frustrating time to job hunt but better now than never, especially if you are bored or disgruntled in your current role. On the “security researcher” front, have you considered (or are you already doing) a blog or something? I’ve found that supplementing my day job with my own research and publishing it has the combined effect of keeping me interested in security in general as well as being good material to share with prospective opportunities.

      • gamencode@infosec.pub
        1 year ago

        So the thing is I can’t really be bothered with blogging rn, not sure if I’d make a good blogger cause I usually have small tips and tricks and not full blown posts. Also I’m currently locked in my contract for at least another 9 months then I’m free to go. What’s the difference between a security engineer and security researcher?

        • shellsharks@infosec.pub (OP, M)
          1 year ago

          I understand the obstacle to blogging. But that’s where micro-blogging comes in! Twitter is out of vogue so I’d say use Mastodon (or similar Fediverse-ey microblogging platform, e.g. Calckey, etc…). You can post all your tiny tips and tricks and other thoughts there rather than having to pull together full-fledged blog posts. This will help you build a portfolio of contributions to the community as well as build a network.

          As for sec eng vs. sec researcher? These are merely titles. A security engineer could certainly be a researcher as well. I’d say you have a lot of “independent” security researchers who day-light as engineers. In some cases you have folks who are researchers as their day job but to get these sorts of roles I would suspect you would need some history of published research (like CVEs, talks, papers, blogs, etc…).

  • gbrls@infosec.pub
    1 year ago

    I have a year of experience as a Red Teamer and I’m taking my first cert now. Not sure which path to take next, I feel like as a Red Teamer I work in a broader set of skills and I sometimes wonder if it’d be better for me if I moved to consulting to focus on honing my offensive skills there, and then maybe come back to other companies to do red teaming.

    • shellsharks@infosec.pub (OP, M)
      1 year ago

      What cert/training are you working on? Red Teaming is kinda niche and requires (think “Taken”) a “special set of skills”. Depending on the program you are currently in and how well they actually support a real internal red team, you may want to invest more time there as it’s not particularly easy to come by. That said, if your growth has stagnated you should absolutely see what else is out there. If it was me, and I was early in my career and didn’t care too much about money in the short term I’d apply for infosec roles in the military, NSA, CIA, etc… You get to do the REAL stuff there and after putting in your time you could easily come back to commercial industry and make a killing.

      • gbrls@infosec.pub
        1 year ago

        It’s the OSWE, and I’m not a US citizen, so I don’t have those options.

        • shellsharks@infosec.pub (OP, M)
          1 year ago

          OSWE is a legit training/cert. Good luck! I too am kinda working on it but need to dedicate real time to it one day. As for being non-US, maybe your country has their own version of these things you could look into =). Beyond that, consulting may be your next best bet as you’ll see lots of environments, work fast-paced and presumably have senior folks you can learn from.

  • Hello@infosec.pub
    1 year ago

    Hey, I am looking for a remote information security entry level job/internship. If you know any decent company hiring, or a job portal, please let me know, I would really appreciate it. Most of the jobs on job sites I know are only for US citizens… I can work in any time zone! Thank you!

    • shellsharks@infosec.pub (OP, M)
      1 year ago

      Maybe you could have some luck here https://search.flockingbird.social? Also try posting on Mastodon with the #fedihired, #fedihire hashtags. Outside those fedi-ish methods, LinkedIn is probably your friend here. It would be cool to have a hiring thread here one day if/when the community has enough eyeballs to support it. Good luck!