Career Advice Tuesday: Job Now or Job Later?
July 14, 2009
It must be the end of the school year – Lee and I have been inundated with questions about starting out in the infosec field. (Aside: have you sent in a question yet? You could win admission to Defcon.) And I must say, we’re actually pretty excited to see all of these future information security leaders out there chomping at the bit to get into the industry.
I wanted to answer a question from one of those future leaders this morning:
“I recently graduated college with a bachelor’s in Computer Science. I have very little InfoSec experience (attended a couple cons, read several blogs, etc., but nothing real), but I’m interested in the field. Should I go for some training, or try for an entry-level job right away?”
I’m going to answer this as simply as possible: there is absolutely no substitute for experience, especially early in your career. You are far better off going out and getting a job that lets you put your hands on technology on a daily basis for the purpose of helping a real organization than taking another training class or certification. Not that there’s anything wrong with certification, but you need real-world experience early in your career.
This brings up another dilemma: it is sometimes hard to break into the field in this economy. To that end, feel free to broaden your scope. Not all of the jobs in your career need to have “security” in the title. In my career, I have worked as a programmer for a while and a system administrator for a couple of years. That experience gave me insight into the problems that our IT users and coders face, and made me a far more well-rounded security professional than I might have been if my first job had been in a security operations center and every job after had “security” in the title.
What is most important in the first part of your career is to acquire as much diverse experience as possible. I have always believed that the first five years of your information security career should involve learning as much as possible about as many parts of the field as you can: penetration testing, architecture, policy writing, technical operations, incident response, etc. And if you have to (or want to): coding, system administration, database administration, project management and other IT disciplines.
In short: while training is great, nothing beats hands-on experience.
Posted by mmurray | Filed Under Career Advice Tuesday