I held off saying anything at first, to see if anyone had anything more useful than my own experience. (Also because I would also have been tempted to mention the typing. I reckoned you were being informal on these boards, but you
must do better in job applications/etc, if it's not actually the deliberate sloppiness I had assumed...)
I've just been supervising (well, sort of) a couple of guys who are here to get experience with computers. One of them "hasn't really got any qualifications, but thought, about three months ago, that I'd like to get into computing...", to only slightly paraphrase what he actually told me. Wrong approach. I can't actually see him going too far. So the fact that you're thinking about the long-term is good, but don't just do it because you just recently took interest in the idea of Penetration Testing. In fact, I think that's a rather narrow target. (Says I, who has such a broad target across the whole IT industry that I often (although not in Job Interviews!) state that I'm a "Jack of all trades, Master of none"... Consider that the opposite of your problem.)
You almost certainly cannot jump straight into penetration testing, or computer security in general. Well, there is possibly the approach of becoming a black-hat hacker/cracker, by your own efforts (not just downloading script-kiddie tools of the "helps-U-hack" variety, but actually listening and learning to 'those' kind of people), getting a reputation then finding some legitimate place that'd want to take you on as a Poacher Turned Gamekeeper type. But there are a number of problems with that, starting with the fact that I'm not too keen on the idea of encouraging that practice and certainly including that a number of Security/AV/etc companies publicly state that they won't reward those kind of people. Still, there
are those who have Come In From The Cold, publicly or otherwise.
A more legitimate way would be to go first into a general entry-level IT role. Check the job adverts for what employers like, for that. Qualifications for MCSE, Cisco, A+/N+/S+, etc, would be useful, and would also get you prepped for the Security side of things even if they're not entirely security-targeted themselves. (Knowing the principles of TCP/IP Protocols will help if you ever end up checking network activity, or even trawling through something like a set of captured wireless traffic logs, etc, etc...)
You probably won't get the opportunity to head straight for network security. And "I'd like to try to break systems" doesn't sound like the kind of thing I'd put a positive note on if I was anywhere near a job interview panel... (YMMV.) But if you show aptitude, the opportunities may arise.
Plus you may find you have aptitudes in another area. e.g. developing in-house Intranet applications, Disaster Recovery planning or just being the best darn front-line support person that there's ever been[1].
Also (and this is something I've neglected) you get yourself a decent income (and/or contacts) to support your 'messing about' in your chosen speciality. Getting yourself actual routers and machines for your own private sandbox. You might even be able to take old equipment off of your employers hands (with permission, of course) to get your practice. Cheaper than getting new stuff, more reliable than getting them 2nd-hand off of a random eBay seller. (Your social life/familial relationships may suffer if you go about this with
too much exuberance, so always keep perspective, and don't get too far ahead of yourself, or you end up with a lot of junk hanging around and all you get to be is a pack-rat... I should know...
)
Keep an eye on your goal, but be flexible. (Not as flexible as I've been, though as really should have specialised more over my career so far, and not flitted around as much as I have...)
I have no doubt that there are people who have had a more arrow-like trajectory into such a job, but the job market and opportunities for advancement are changing all the time. (At one point, getting into Games Programming started by making BASIC programs, swapping the cassettes at fairs, and getting noticed as a games maker in your own right, these days you often need University education to get considered for modern-day positions in a programming team at one of the Big Name companies. Although there are still a few, like Toady, who are probably getting kudos by their more-or-less individual effort, the known Top Guns of the current professions are as likely to be nameless to the average player as the 3rd Make-up Assistant of any mainstream film is to the average film-goer.) My own experience, apart from being not exactly the most appropriate guideline, may not even bear much resemblence to the track you would have to set out upon. More than two decades in, my list of qualifications actually look far less impressive than I would like, considering the experience I've accumulated in the industry. For a long time I've thought that I really need to get that sorted. And for that reason alone I might have disqualified myself from giving any advice, but as others don't seem to be forthcoming, you're welcome to the above advice. If only to consider and reject it, pursuing someone else's method.
Though the big thing in the UK (and probably elsewhere, but I don't know for sure), is that a lot of skilled jobs have been/are being culled from the recent financial turbulence and current/imminent 'cost cutting' measures by the government, so you'll find that there are quite a few experienced people out there trying to grab even the jobs that the less experienced ones might be going after, so yet another reason not to be too picky about your particular point of entry into the career. (It also means that I've seen bottom-level (i.e. script-driven, call-centre based) 1st-Line Support positions advertised with University degrees in "Computing or a similar subject" as a pre-requisite!!!)
Oh, and I've in the past checked out GCHQ as a possible employer[2], as an idle aside, and their prospective employee information pages made for interesting reading...
Ah... Muz, you posted while I was composing and editing. You're right about the glamour. (Although I was sort of known as "The King Of Anti-Virus" in a previous job, most of what I did was behind-the-scenes in the "if I hadn't done anything,
then you would have known" sort of sense...) And the administrative parts (e.g. making sure the latest rolling updates have gone out to all machines at your site/worldwide) might be personally gratifying, but are a lot like "solving the Y2K problem"... Nobody (other than the guys in Berlin you had to interupt to get them to give you appropriate server access) notices that no planes are falling out of the sky, even after you pulled an all-nighter to counter Melissa/CodeRed/whatever... And sometimes, when (metaphorical) planes do fall out of the sky, everyone looks at you wondering if you shouldn't have stopped it. (As it happens, nothing particularly horrible happened to this particular firm that comes to mind for the ten years I was there, but even I don't know how much my efforts might have helped in that result... They did have problems after I left, but nothing that I could have stopped happening, or due to my departure so not really relevant to this particular ramble.)
Also, Muz, before you sya anything, yes, I know my communication skills also need working on.
[1] And, what's more, like the job... personally, that's something I'm reasonably fond of, as long as it's not the likes of "the general public" via a call-centre, as I like to know the people I'm helping out, when I'm doing a support role. If nothing else, because I don't tend to rattle off
quite so much when I'm not trying to second-guess every possible level of knowledge the guy at the other end of the phone has about his own problem...
[2] I could say "and if I told you I now worked for them, I'd have to kill you...", but there would be other people to do that for me, anyway...
Author
Topic: Education for Job in Computer Security (Read 861 times)