Security Watch

Getting Into Security

Advice for pursuing a security career straight from the graduation line.

• By Greg Neilson
• 10/20/2005

Greg: I've recently completed my bachelor’s degree in Computing & Information Systems as well as my Net+ cert, and I’ve just begun studying for the MSCE cert, which I had originally planned to follow up with a series of Cisco certs in a couple years (following the security path). I don't have much experience — I’ve only worked with Novell and Windows 2000 Active Directory as an end user for the past three years.

My career goals are to become, first, a network engineer and then a security specialist eventually working on forensic investigations of computer-related crimes. My lack of real-world experience begs the same question as in your article "After MCSE: What next?" on the CertCities.com site.

So, as a future security professional, is it worth pursuing both vendor (Microsoft and Cisco) certifications, or should I instead focus on a particular field and gather relevant industry experience?
— Taurean

Taurean, Thanks for your question. I think your plans to move into networking and security make a lot of sense. Since you are just starting out in your career, there’s obviously a long journey ahead of you to master these fields. However, with hard work and ambition, I have no doubt that this is achievable.

Your last paragraph suggests a choice between experience and certification, and I must say that I don't necessarily see it the same way. Provided that you choose a certification program that’s relevant to your career, then, certainly, I believe that both can be complementary. (Otherwise, with so little free time available outside of work as it is, one would question the value of completing a cert). For example, a certification can provide a structured learning path or alternatively reinforce your knowledge, depending on the stage in your career. The value of the certification is not the piece of paper itself but the knowledge you gain along the way.

Therefore, I definitely see value in completing the Cisco certification path you’re considering. Whether you should also complete the Microsoft certifications as well really depends on what role you have today and what skills you need for it. It could take up to a year to complete your MCSE via self-study and would require a significant investment of your time to complete. You need to decide whether you’ll get sufficient return from that investment based on your career plans for the next couple of years, or whether you should proceed directly on the Cisco path.

As for moving onto forensic investigations, this goal may be quite some years away from now, so I think it may be best for now to concentrate on your initial goals — which, in themselves may take many years to achieve. One of the things you’ll learn in your security training is good practice in evidence handling, and I expect that as you progress in your career you’ll find yourself getting more involved in investigations that can lead to legal action.

I recently came across this online profile of Laura Chappell, one of the giants in this field and thought you might find this of interest in better understanding this type of work.