Justin Hall is Director – Security Services for CBTS. In Part 1 of this 3-part series, Justin discusses how a core knowledge of enterprise IT is critical in order to effectively protect networks.
For several years I’ve been going back to my alma mater, the University of Cincinnati, to speak to groups of undergrad and graduate students about the information security industry. My goal is to demystify security and inspire them to consider a career in one of a dozen security disciplines.
Invariably during these talks I am asked a very common question: “How do I get a job in the security industry?” In response, I’ll share my own 20-year story, starting in PC repair and sales, moving to tech support, systems administration, and running an IT department, before jumping into a security career – first as an engineer, architect, and consultant, and then running a security team.
I’ll also share three essentials to successfully landing a security job, which I’m going to cover in this blog series. There’s no single path to the industry, to be sure. In order to develop a foundation that can land an entry-level job and provide an arc to a long-term career, it’s worth looking into these fundamentals.
Core knowledge of enterprise IT
Today, we’ll cover number one: a core knowledge of enterprise IT. This is perhaps a bit obvious – certainly someone needs to be technical and understand how a computer works to survive in security, right?
The depth required goes beyond CPU, RAM, and a hard disk. To effectively protect any company network, one needs to recognize the critical components – servers, workstations, network devices, applications, and security defenses. How do they interact? In what network segments do they typically sit? What products or solutions are commonly used in each of these categories? At a high level, what are the essential configuration best practices for each?
For example: Imagine a network used by a physician’s office. Think about the variety of computing devices in use there: Beyond traditional workstations, multi-function printers, and laptops, you might see connected medical devices, credit-card processing machines, and surveillance cameras. Servers would run authentication systems, file management, accounting and finance, ERP, messaging, and electronic medical record apps. Some may be running from local servers, and some may sit in the cloud. Network devices will include switches, routers, wireless access points, and firewalls.
Now imagine a software company. What types of assets would be the same as the physician’s office? What would be different? How would their IT needs be similar/different? What about a retailer or bank? What happens when you add multiple sites/locations? Imagine scaling up to the size of a multinational conglomerate. Think about the pieces and parts that need to change, duplicate, or scale.
Enterprise IT involves depth and breadth
This scope of understanding is what I mean by “knowing enterprise IT.” There’s a level of depth in addition to the breadth, though. Defending an environment with Windows workstations and servers, for example, means understanding the fundamentals of what makes Windows tick – the filesystem, registry, Group Policy, configuration, and the like.
How does one acquire this knowledge?
- Build it yourself! A home lab is a great place to get hands-on experience with enterprise IT. You could grab an old PC, install free versions of VMware’s vSphere or Microsoft’s Hyper-V, and deploy eval copies of Windows Server and workstation OSes, Linux, or a variety of prebuilt VM appliances. Tons of great tutorials exist – I like this one from Paul Braren on building a VMware ESX lab.
- You could also use free or inexpensive tiers of service offered by IaaS providers like AWS, Azure, or DigitalOcean to build VMs quickly, install and configure applications, and build virtual networks.
- If you’re serious about improving your enterprise IT knowledge, and want to invest your time and money, find a local university or online school that offers IT courses or degree programs.
- Finally, take the plunge and find a systems or network administration job. Without a formal education in security, it’s rare to be able to jump right in without doing the so-called “grunt work” needed to acquire real-world experience. A few years building, breaking, and fixing some enterprise networks is sure to cement your ability to operate with comfort in the industry.
Thanks for reading! Stay tuned for part two.