
Becoming an IT Security consultant

  • 27-03-2014 12:03pm
    #1
    Registered Users, Registered Users 2 Posts: 2,191 ✭✭✭


    Hi guys,

    I have been working in IT for around 13 years now predominately in
    IBM mainframe systems. I am hoping to move away from this over the next
    2-3 years into IT security.

    Does anyone here work as an IT security consultant, and if so, what is the best way to get your foot in the door?
    I know CISSP, CISA etc are commonly asked for, though I don't know how to achieve these without some experience
    in the IT security field. Are there any other recommended certifications or courses that might help me land a junior security role?

    Cheers.


Comments

  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    Does the company you work for have an information security division?
    Are there any projects you could work on with a security aspect involved?


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Feelgood wrote: »
    Hi guys,

    I have been working in IT for around 13 years now predominately in
    IBM mainframe systems. I am hoping to move away from this over the next
    2-3 years into IT security.

    Does anyone here work as an IT security consultant, and if so, what is the best way to get your foot in the door?
    I know CISSP, CISA etc are commonly asked for, though I don't know how to achieve these without some experience
    in the IT security field. Are there any other recommended certifications or courses that might help me land a junior security role?

    Cheers.

    You won't actually, let me rephrase that, you shouldn't get a CISSP without 5 years of IT Security experience. 2-3 years in a security-related role is usually enough to get your foot in the door, but the CISSP's credibility has been diluted a bit by so many people who have it who don't know their arse from their elbow and who got the certification by spending $$$ or having their employer spend $$$.

    Is there a specific area of Security you want to work in? It's a very large area.

    As another poster asked, are there any security-related projects you can work on? Remember stuff like patch management falls under the umbrella of security, and change management and control falls under the umbrella of compliance. You probably have a few years' experience in some security-oriented areas already.

    If I was you, I would:

    Pick your area of expertise and involve yourself in it
    Identify other areas where you are knowledgeable
    Identify potential employers
    ????
    Profit.


  • Registered Users Posts: 69 ✭✭robbok


    I work in IT Security. Virtually all ads for IT security roles will look for a CISSP (the value of it is debatable but that's not the issue here, I am simply stating what is asked for in virtually every ad). It is quite a broad-based and difficult exam, but with your background in IT you should find it OK.
    There is a lot of stuff in it to learn though and there are no shortcuts.
    Actually gaining the qualification is the first part; you would then need to prove you have 5 years of full-time work experience in two of the 10 domains. You might already have this from your experience with mainframes, and you would need a CISSP known to you to attest to this.
    If you haven't got the experience then the SSCP (also from ISC2) is an entry-level qualification from ISC2. I don't know anything about that but it seems like a good introduction.
    If you go on the infosec forums there are endless debates on the value or otherwise of certifications. Some are more technical than others and the value of them will depend on which area of IT Sec you want to specialize in, e.g. pen testing or application security.
    There is such an alphabet soup of certifications that in all honesty I don't think most employers or HR departments can really keep up. Find an area that interests you and research the courses etc for that. I wouldn't rush to pay for many courses either; there is a huge amount of educational material available for free on the web, e.g. check out OWASP.
    Good luck in your future endeavours.

