Answer the question
In order to leave comments, you need to log in
How to develop security?
Hello! I am an information security specialist by education. But the situation has developed in such a way that it is very difficult for me to find a job due to a lack of skills.
Now I work in a small company that seems to provide information security services, but in reality, my colleagues and I just work as technical support, sit on calls and provide assistance to clients with DallasLock, vipnet, and a couple more of this kind of software systems. Moreover, the help is quite banal - enable / disable, remove / reinstall. No deep settings. Obviously, this is not all that an information security specialist should do, but this is the company's policy, and the management does not plan to change anything.
I want to become a cooler information security specialist and get a job, if possible, in a more reputable company. At my current job, I asked and even demanded my bosses to give me more complex tasks many times, I said that I wanted to develop as a specialist. The authorities only feed breakfast, and I realized long ago that I should sit in this office on calls until retirement, unless I find another job. But I also don't want to fight openly.
Prior to that, I worked for about six months as an information security design engineer in one organization of the Gazprom family. There, my colleagues and I just stupidly corrected the documentation by copy-paste, and I didn’t learn anything useful for a career as an information security specialist.
The reality turned out to be that I receive a lot of invitations to interviews, but after the interviews, one refusal after another follows, there are no offers at all. The fact is that most vacancies in information security require the skills of a system administrator, I have never had the opportunity to administer anything at my places of work. I didn’t have a chance to work with linux either, only Laba did it at the university.
They also ask about more serious things related to security, such as setting up security policies, working with DLP, IDS, WAF, investigating incidents, selecting information security tools for customers. None of this had to be done. And, in principle, no one at my current job does this. Despite the fact that I am ready to study and go, for a start, to a lower position such as a junior assistant to the system administrator, I still get only refusals.
Please advise how to overcome this vicious circle of lack of skills and decent work? What exactly to study in the framework of self-development? If at the moment there is no opportunity to acquire these skills at work.
Thank you in advance.
Answer the question
In order to leave comments, you need to log in
As an option, you can start with the public sector, where there is now a wild shortage of personnel, especially in terms of technical areas (I know firsthand). There you will take part in the investigation of information security incidents, and study DLP systems, and gain AD administration skills (if desired), and, importantly, study a bunch of regulations in the direction.
From pluses - it is a lot of directions in which it is possible to develop; lack of strict requirements for education (staff shortage makes itself felt); if you are "lucky" you will also master related areas, such as administration of telecom equipment and the general principles of TCP / IP; and one of the main advantages is a real opportunity to get training at the expense of the organization with obtaining the appropriate "crusts".
Of the minuses - a lot of work for not the most worthy reward; admission to GT with all the consequences; and... bureaucracy, lots of bureaucracy.
As a springboard and a kind of "sandbox" for exploring everything of interest - it's the very thing.
Well, you should start with the fact that the concept of "security" is very different depending on the size of the office and the presence of a separate information security unit there.
In small offices, there is no information security at all, as such - it is usually a local admin (or a couple of admins - it is unlikely that there are more)
In slightly larger offices - as a rule, one information security specialist, whose functionality can vary greatly depending on his position in the SDS, work experience and credibility :)
In large offices, where there are entire departments or even departments of information security, there are specialists in this and specialists in this ...
Only a person who has the opportunity to work in an office like CFT can afford to be an information security specialist and not know Linux, otherwise - nothing. Well, how will you control the admins if you do not know their work? :)
In addition, as a rule, IB does not take people from the street - I have already said more than once that IB creates rules, so it usually does not obey them, so they simply won’t take anyone there.
Go to government agencies - there is a real shortage of competent personnel (alas, I have come across ...). There is little money, but a lot of work ;) In addition, usually the information security specialist is also distinguished by the presence of useful acquaintances :) and in the civil service it is just the right place to get them.
You are engaged in the so-called "paper" security, and you go to interviews with people involved in practical security. There are few points of contact in these areas.
Practical computer security, from my standpoint
, has three main areas encapsulated within each other:
unauthorized access to minimize the amount of data that can be stolen. This also includes access control and tracking, event logging, etc.
Infrastructure security implies knowledge of devices and operating systems at the system administrator level, shallow knowledge of programming languages and tools for working with programs written in them.
2. Application security: secure development (SSDLC) and audit (and penetration testing) of desktop / server / mobile / web applications and systems, network interaction, search, analysis and exploitation of vulnerabilities.
This item requires a deep knowledge of the technologies and programming languages being audited, an understanding of threats and protection methods.
3. Security of end devices: security audit of the hardware and software components of manufactured computers/phones/embedded devices, their processors and support kit from the processor developer, applied protection technologies (hardware and software).
A specialist in this profile should know the assembler of the architecture under study, understand the features of the low-level operation of the equipment.
Please advise how to overcome this vicious circle of lack of skills and decent work? What exactly to study in the framework of self-development?
Okay, wait a minute, no one answers until I finish reading the question.
UPD: that's it, I've read it, so I'm answering questions.
If you do not have a specialized education, then this is immediately -90% to the chance to get a job as a security guard. Alas and ah, but information security is a sphere where they won’t even look at you without a “crust”.
And this means the following: try with all your might to move from technical support to local security guards. Shake your bosses, make contact with the management of the OIB, track vacancies. At the same time, you read all the sources related to the potential job.
If you go to the security guards, then this experience will be automatically credited to you instead of a diploma.
That's all.
I would recommend that you first try to get a job as an assistant to the system administrator. You are doing something like this right now. Yes, you need to improve your knowledge and skills. Books / Video courses / Practice to help you.
Look at the vacancies of sysadmin assistants, pull up your knowledge / skills in this direction.
Over time, from a junior sysadmin, you can grow into an admin and only then strive for security.
Good afternoon!
If you know that there is a hole in your knowledge, then try to patch it up. There are a lot of books, courses (including leaked ones), there are videos on youtube.
Know how to receive information, process and work with it. One of the life hacks is to see what is required now in the labor market and try to master this information on your own + try to put it into practice on your PC. After that, initially discuss it with HR and show your knowledge at the interview.
They take you not because of lack of experience, as such, but in principle because of the lack of knowledge in those things that are required.
Try to get this knowledge yourself + try it in practice (again, your PC will help).
After that, I would advise you to try to take internships (the same GROUP IB, as an example).
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question