5

For example i have seen countless speachess by the UK goverment on how likely a cyber attack is, if so why do they not offer more incentives for new security professionals.

I find it frustrating as a graduate that my road into InfoSec has been so hard, yet the goverment says there are not enough security professionals. Is there a specific reason for this?

NOTE: I have a BSc in Computer Science that was focused around the foundations of security. I can pretty much get into any other field as most provide further training. Yet even though I am a moldable graduate, its near to impossible to get my foot in the door in any security field, due to my lack of experience.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
Lunar
  • 223
  • 2
  • 6

7 Answers7

5

In tackling your points separately:

  • There is a very active initiative, sponsored by the British government specifically to get young people into the security industry: https://cybersecuritychallenge.org.uk/

  • Organisations are crying out for hires at all levels, from new graduates to experienced professionals. The job boards are full of them. So are you looking in the right places? People hiring include the Big 4 accountancy firms (EY, PwC, KMPG, Deloitte) Pen Test companies and boutiques, as well as end user organisations such as banks.

If you are being turned down for roles, have you had your CV assessed? I often find new graduates have CV's which are very academic - and that turns off many employers.

Are you a member of IISP, ISACA, ISSA or ISC2? Joining one of these is a useful addition to your CV at your stage.

Have you looked at courses? Or getting a cert like CISSP? These will help get you past the HR firewall.

Look at the other questions tagged for more info.

I give quite a few talks to universities on career planning. One of my recent ones at Napier University in Edinburgh was videoed as part of an IISP event.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
  • Good Post, i have seen these security challenges before, i think they are great for attracting attention to the field, but the likelihood of actually winning one? As for jobs, i have applied and not even got passed HR as i have no commercial experience, these included entry level jobs. My point is, security is so important, yet so much harder to get into, for example i received 3 job offers within 2 weeks as a software developer. I feel the industry may be loosing quality technical professionals to other industries (such as myself :D) – Lunar Aug 10 '12 at 12:24
  • @Lunar As a developer, you are a cog in the machine, and easily replaceable. As security, you have more responsibility. – schroeder Aug 10 '12 at 15:49
4

In the security field there is an infinite amount of attack vectors. I can target any user, any system, any software. I may not be able to crack into all of them but the potential is there. Because of that there is no direct course or curriculum for becoming a security expert. Usually the successful defender is someone who simply knows more about a system then the attacker, and vice-versa. So thats why they recognize the threat of cyber attacks, but realize there is no exact method for making someone an expert at every technical field.

Chris Frazier
  • 795
  • 5
  • 6
4

OP, you said you have knowledge on the 'foundations of security', then it really sounds like you just need to get your hands dirty and explore all the information freely available online. I decided to learn about security a few months ago and I'm still overwhelmed by all the content I've found so far.

Here is a particularly good blog post on how to get started: http://pentest.cryptocity.net/careers/

Trynity
  • 176
  • 5
3

Politicians are adept at talking about problems without doing anything about them. Cyber security is a subject that they can all rally behind and shout about, and then "look to industry" to solve. In the end they'll do the usual UK government procedure which is to spend loads of money on external consultants on badly-conceived, poorly led, and ultimately unsuccessful projects.

If you want to get into security you're going to have to work on it yourself. There's a vast amount of self-study and certifications you can get without any formal training, and with very little actual experience. Concentrate on getting an entry-level security certification like an SSCP or a Security+ and work your way up from there. These will get you a job, and the job will get you the experience you need to get better jobs. Learn about risk management and business processes around security so you can not look like an idiot in an interview.

Sure, it would be nice to have a program that would help fund new security professionals, but it's a Tory government which is cutting absolutely everything and doesn't know the definition of investment. Nothing is free, you'll have to work for it.

GdD
  • 17,291
  • 2
  • 41
  • 63
  • +1 for the completely correct observations about ridiculous government spending, but -1 for not really giving any options for OP to look into. – Polynomial Aug 09 '12 at 14:40
2

An article just came across Hacker News today about this exact subject. Here's the rub:

There have been quite a few stories about the dearth of security skills. Among them are quite a few commenters crying, "Bollocks! They won't hire us."

Can both things be true? Can there be a scarcity of infosec skills that coincides with a lack of entry-level jobs?

Oh, yes. Here's the problem: There's nothing whatsoever "entry level" about security.

I recommend starting off in a more traditional IT field, especially Networking, Sys. Admin., or similar. There you can seek to focus on the security portions of those fields, and in the mean time practice the more saucy parts of the trade, like pen testing, on your own time. Seek opportunities to collaborate with the security team of wherever you end up and make connections, or even help participate in an assessment.

Brian Krebs has been running a series of interviews with infosec heavy hitters on how to break into the industry. A common theme there has been that almost none of these people started off in a "security" job but found their way there because of a real passion for it.

queso
  • 288
  • 1
  • 4
1

For most people, focusing on information security is something someone else does, which is exactly the problem.

People assume that security is handled by the "security people" and all will be well as long as we can find the right security people and the security people do their jobs.

But as long as PHP programmers continue to build SQL injection opportunities, and as long as users continue to use "12345" as their VPN password and click "Yes" to every dialog box without reading it, and as long as managers continue to purchase "integrated turn-key solutions" based solely on the number of bullet points in the ad copy, then it will continue to not matter how many security professionals there are or how well they're trained.

Solving the security crisis by training and hiring security professionals is like solving the obesity epidemic by training and hiring nutritionalists.

tylerl
  • 82,225
  • 25
  • 148
  • 226
  • Almost every programmer I met in London who knows OO considers himself security aware, and he is not interested in anything above main() and below print(). – Andrew Smith Aug 09 '12 at 19:59
  • @AndrewSmith every driver I know considers himself to be safer than average. But his own opinion isn't enough to impress an employer. – tylerl Aug 09 '12 at 20:08
0

What do you mean by hard? Security is a dynamic field to be in, it's impossible to know everything (whether you like it or not). What counts is what area(s) you're proficient in. If security was easy, everyone would be in it. Only the dedicated and persistent survive in this field, the ones that can't do this major in business :P

Jordan
  • 9
  • 1