Becoming a Computer Security Analyst

CptFalcon

[H]ard|Gawd
Joined
Dec 13, 2006
Messages
2,012
Hello all,

I'm trying to find out what path I should take on becoming a security analyst.

Right now I have my associates degree as a microcomputer specialist from Elgin Community College and have transferred to Northeastern Illinois University to pursue my Bachelor's degree.

I've also enrolled in their computer science program with a concentration in computer security.

So my question is, what certifications will I need to get a job in a few years as a security analyst?

I'm working toward getting my CCNA and I'm wondering whether I should get the CompTIA Security + cert and then get a CCNP cert.

If anyone can shed some light on this, it would be greatly appreciated.

Thank you.
 
Computer Security is a big field. Any idea what you would want to specialize in?

I graduated with a BS in Computer Science and an MS in Enterprise computing. I took a jack-of-all-trades approach to picking my classes but focused on ones related to security. It got me great exposure into the field as a whole and helped me narrow down parts that I did like and wanted to pursue further (Penetration Testing and Digital Forensics). It also helped me identify which branches I wanted to run screaming from.

Industry standard cert for Information Security is the CISSP, may want to look into that.
 
Computer Security is a big field. Any idea what you would want to specialize in?

I graduated with a BS in Computer Science and an MS in Enterprise computing. I took a jack-of-all-trades approach to picking my classes but focused on ones related to security. It got me great exposure into the field as a whole and helped me narrow down parts that I did like and wanted to pursue further (Penetration Testing and Digital Forensics). It also helped me identify which branches I wanted to run screaming from.

Industry standard cert for Information Security is the CISSP, may want to look into that.

I've been exposed to computer forensics, I've already taken two semesters of classes related to that at the community college.

I'm just trying to see what the general consensus is as to what certifications and how many years of experience I need in either network security or computer security.

I'm just looking to plan out my career before I complete the core curriculum at Northeastern.
 
Last edited:
The CISSP is the "gold standard" cert for the IT security business. It requires a bunch of actual experience to get certified. The test is about 2 miles wide and two inches deep and is more aimed at the technical side of things (which is likely your trajectory based upon Comp Sci being your focus). There's also a compliance side of security that is a totally different career (the path that I took with a Computer Information Systems and Accounting degree).

It would probably do you the most good to start going to IT security industry meetings in your area to network with professionals to figure out what they do and if it is something you want to do. I would suggest looking for your local ISSA chapter, join (as a student, it is cheap), and go to the meetings.
 
So, from a few days of research I've managed to lookup, it seems that I will need to get a job doing desktop support or network support in order to get a job being a security analyst.

Does this seem to be in line with how others are getting into this field?
 
Well first of all, I'd like to ask: What do you envision a 'Computer Security Analyst' actually doing? Just to see what your perspective is, and what your expectations are...
 
If you think that getting a job doing support is going to help you in security, you should probably be in a different field or figure out what you want to do.. People who are in almost any type of security job now did probably start in support but mostly because the field is reasonably nascent and their roles changed.

Regardless, you haven't even defined the scope of the question.

I want to do security!!!!!11oneone

Physical? Network? Intellectual Property? Fraud? Any of the other types that I am not thinking of because no coffee?
 
I don't mean to sound like a dick.... But that CCNA is going to be worthless in IT security, it holds no value to security teams or people. It's a dumb certification that anyone can get, and if you are going in to IT security you are going to be expected to already know or assumed to know the information you would find there anyways. IT security people do not function in the same way the general IT crowd does or management. I'd skip the CCNA or anything that has to do with ethical hacking... etc. Offensive Security has some decent things.

You need to also figure out what you want to do in IT security you can be defense or offense and its basically the difference between wanting to be the person viewing logs all day and finding patterns or being the person in the field attacking, testing, breaking, and fixing. Plus writing huge ass reports :D I do the offense work, it's far more rewarding to me and it pays ridiculously well when I do contract work.

People are going to flame me for saying certification's are stupid but they are in most instances, anybody who can read and remember information can take most certifications. The CISSP is a little different there is information in this certification that you wouldn't know unless you actually have experienced it. I guess the point I am trying to make is that most IT security folk could give a crap less if you have every certification ever created, you are either good at security or you are not. Lots of those people giving presentation at Defcon that look like homeless hippy folk, they make well in to the six figures and most of them don't have college degree's or certifications of any type.

I will also add in that you should probably forget about having a social life for about the first 3 to 5 years in IT security -- unless you want to be a peon and never do anything fun.
 
Industry standard cert for Information Security is the CISSP, may want to look into that.

As a CISSP holder, the certification is a joke. There is A LOT of material but it is all simple in nature and not hard to understand. It's sad how this certification is held in such high regard in information security. It's supposed to be the premier InfoSec certification but again, the material is braindead easy.
 
As a CISSP holder, the certification is a joke.

Agreed. Unfortunately - a lot of managers in charge of hiring have it as a check box for open positions. These probably aren't people you want to work for though.

*There is nothing worse then explaining basic InfoSec principles/topics to your CISSP holding supervisor. :(
 
I'm not convinced spending years doing desktop or network support is the best way into the field. It is a common career path, but I'm guessing most of those didn't intend on ending up in security. I still think going to your local industry meetings and getting to know people that do this for a living is the way to go. That would give you an easy in for an internship with one or more of them, which translates into the real world experience you need to land the job you want.

Of course, as others have said, security is a very broad field, so its hard to dispense more specific advice...
 
As a CISSP holder, the certification is a joke. There is A LOT of material but it is all simple in nature and not hard to understand. It's sad how this certification is held in such high regard in information security. It's supposed to be the premier InfoSec certification but again, the material is braindead easy.

Maybe but it's pretty much one of the only ones that holds value, and I say this with the most hatred for certs :D

Agreed. Unfortunately - a lot of managers in charge of hiring have it as a check box for open positions. These probably aren't people you want to work for though.

*There is nothing worse then explaining basic InfoSec principles/topics to your CISSP holding supervisor. :(

You can report these people, it takes a lot to keep the cert relevant so they take it pretty seriously when someone is screwing up. Not having these types of people holding them only gives the cert more value as well, so it helps everyone.
 
Agreed. Unfortunately - a lot of managers in charge of hiring have it as a check box for open positions. These probably aren't people you want to work for though.

Unfortunately in the public world, your opinion is null and void without holding a certification.
 
CISSP is very high level knowledge and kind of useless. If you're a practitioner go for SANS/GIAC.
 
You can report these people, it takes a lot to keep the cert relevant so they take it pretty seriously when someone is screwing up. Not having these types of people holding them only gives the cert more value as well, so it helps everyone.

Sure, but for corpo-political reasons, this may be unwise. If your 'CISSP holding supervisor' suspects that it was you, they will probably hold a grudge and try to ruin you. And in the world of at-will employment and all that jazz, there's not really anything to protect you from retaliation.
 
I'm in similar position as the OP. I got my AS degree in Networking and Software Solutions, and now finishing my BS in enterprise security with a minor in Java programming. I don't know where the OP lives, but in my area there are not a lot of very large companies to work for. I have been trying to get in a few places as an analyst for a few different systems that I have experience with. The problem I am finding is most places won't hire outside of the company unless its more of a top level position. It's tough to break in to a company in a higher level position without starting out in a lower position and working your way there.

I think for someone that has years at that position, you might have a better chance to get in on a good position without working the lower rungs of the company, but for a new grad, I don't think its going to happen. Sure you might get the job in a small company, but sometimes there is not a lot of job security working for small places.

I worked for a small tech company for about a year, and teaching at a local community college while I am still working in a hospital to keep active IT experience, but I am still having a hard time finding a position in a company with more than 20 employees. I think as bad as I hate too, I am going to have to man the help desk and work my way up from there.
 
I'm in similar position as the OP. I got my AS degree in Networking and Software Solutions, and now finishing my BS in enterprise security with a minor in Java programming. I don't know where the OP lives, but in my area there are not a lot of very large companies to work for. I have been trying to get in a few places as an analyst for a few different systems that I have experience with. The problem I am finding is most places won't hire outside of the company unless its more of a top level position. It's tough to break in to a company in a higher level position without starting out in a lower position and working your way there.

I think for someone that has years at that position, you might have a better chance to get in on a good position without working the lower rungs of the company, but for a new grad, I don't think its going to happen. Sure you might get the job in a small company, but sometimes there is not a lot of job security working for small places.

I worked for a small tech company for about a year, and teaching at a local community college while I am still working in a hospital to keep active IT experience, but I am still having a hard time finding a position in a company with more than 20 employees. I think as bad as I hate too, I am going to have to man the help desk and work my way up from there.

I would contend that you're in a vastly different situation than the OP based upon where you live (based on his university declaration, I'm assuming Chicagoland). Quite frankly, you would be better off moving to a more populous area to get your career started. Its going to take you decades to move into the position that you want in such a small city unless you get very lucky with how you play your cards. I still think the better play to get started is to go to ISSA, ISACA or ISC^2 meetings in your area to network with folks that could hire you as an entrylevel grunt (of course, this is far more likely in Chicago than a small town).

I started my career in Atlanta and that worked out quite well for me. I then lived in Winston-Salem, NC for 6 years and saw what you're seeing in your market - virtually no opportunities for security oriented folks. Most of my gigs ended up being travel oriented or teleworking outside the area. I've since moved back to Atlanta and it is more like shooting fish in a barrel here....

Also, I disagree that small companies are less stable than large companies. Both will bankrupt or lay you off at any time that works for them.
 
CISSP is very high level knowledge and kind of useless. If you're a practitioner go for SANS/GIAC.

I've never ever seen a SANS/GIAC cert listed as a 'want' for a security position. I see security director positions ask for a minimum CISSP all the time.
 
I've never ever seen a SANS/GIAC cert listed as a 'want' for a security position. I see security director positions ask for a minimum CISSP all the time.

I've seen SANS/GIAC on a few job postings, but not very many. To me, the SANS/GIAC certs seem more like a money grab for the institute (even though the training is supposed to be good) as you've got to take their multi-thousand dollar course and then re-up it every few years. On the other hand, CISSP just requires a test, experience, a secret handshake and more free-form continuing education.
 
I've never ever seen a SANS/GIAC cert listed as a 'want' for a security position. I see security director positions ask for a minimum CISSP all the time.

I see GIAC more commonly requested from companies that take security seriously like Fireeye, DreamWorks, Sony, banks, etc. Just flip through the training materials for both and see the difference. CISSP is a lot of broad memorization of terminology that's better suited for a sales role whereas GIAC is actual implementation knowledge. I'd favor the person with GIAC in an interview.
 
I've never ever seen a SANS/GIAC cert listed as a 'want' for a security position. I see security director positions ask for a minimum CISSP all the time.

I see SANS/GIAC all the time. It really is for "practitioners"; the people who are going to be doing the actual IR/forensics/analysis side of work. These certs (and the training that goes with them) will teach you the things you need to know to be effective at IR/security analysis/etc. As someone else mentioned, most of the companies that take security seriously (any legit security service, large orgs with mature security groups, etc) are going to be looking for people with SANS certs.

Security direction positions are an entirely different ball game. You don't need to know how to extract network packets out of memory to be an effective security director, as an example. That's why most places are looking for someone with a high-level and broad understanding of all that security is which, unfortunately, is usually measured by whether or not they have a CISSP.
 
If you're going to college, see if you can get an internship with a company working with the infosec team. I'm supervising 4 interns currently at my company and we're giving them tons of great experience and plan to hire them if we get permanent openings before their time with us is done. Great way to get experience and break into this side of the field.

Nothing wrong starting out in the support side of the field, but I would try to move quickly if so. Spend as little time in hell desk / desktop as possible and move over to the networking side of things. You can soak up some great knowledge there and put it to good use when you move to the security side of the field, depending on what section of infosec you're interested in of course.
 
Back
Top