Career Advice Tuesday: Just Starting Out

August 31, 2010

Mike & Lee,

I have been working as a Software Tester for the last five years and am a QA Manager in our company. I recently graduated with an Information Security degree and would like to enter the field. My problem, like many of my fellow graduates, is that we lack the experience in the field. I have read from other security professionals via LinkedIn that the field is oversaturated; yet you read that the Government is in need of individuals in these fields.

I have a family so it’s not practical for me to take an internship or a position that pays lower than I currently make. I know that employers look for certifications such as the CISSP and Security+ as requirements to even be interviewed. As you guys are aware, CISSP requires several years of experience before you can qualify to take it. The Security+ does not and I am working on this now.

What can a new college grad in my similar situation do to enter the field? What career and skill set guidance can you give individuals like myself?

Newbie, Inexperienced, and Desperate.


This is definitely a tough one, as you’re in a bit of a bind – you don’t have any experience in the field, so you can’t get a well-paying job.  Yet, you can’t take a low-paying job so as to build up the experience.

It’s a classic double-bind.

You already have the information security theory background with your degree, so added certification isn’t the key here.  People aren’t going to look at you and say “oh, he has a 4-year degree, but he didn’t pass a 3-hour multiple choice test, so he’s useless”.  Your key here isn’t background knowledge or certification, it’s practical knowledge and daily application.

So, here’s the way out of the situation: you need to find a way to get security experience WITHIN your current job. Given your field, this shouldn’t be too hard to do: in your spare time, start looking into merging security and QA. Look into bringing more security process and security results to your current role, even if it’s just spare-time stuff. Spend more time with whoever is in charge of secure coding and development security within your organization – if there isn’t anybody, perhaps you can even become that person within your current organization.

Here’s the thing – don’t fall into the trap of thinking you have to go get more certifications. You can get skills and experience where you are with a little bit of extra work and effort that will likely be much more productive than studying for another test.

As Lee always says, “the best job you can get is the one you already have.”

Mike & Lee

Posted by mmurray | Filed Under Career Advice Tuesday, Skills 

