Preparing for a Career in IT Security & Penetration Testing

With technology degrees and interests in IT governance, Windows Server technologies, and penetration testing, Animesh, a job candidate fresh out of school in the booming Melbourne job market, faces an embarrassment of riches. All he has to do is settle on a course of action and follow it, and the rest should come along both nicely and naturally. Ed recommends a number of training and certification options that will ultimately lead to a career in security and penetration testing.

Dear Animesh:

Your academic background is strong and compelling, so I have to believe you are in a good position in the overall job market, both from an employability and an opportunity perspective. I will cheerfully confess that I know next to nothing about the details of the Australian job market, in Melbourne or elsewhere, so you'll want to take my recommendations with the proverbial grain of salt.

Given your interest in ITIL, I'd suggest going after the ITIL v3 Foundations immediately; it's not terribly demanding, nor is it especially expensive or difficult. This will help you decide if you like the ITIL arena enough to continue playing inside it for a while. If you do, you'll want to pursue the Intermediate Level credentials as soon as you complete foundations, probably with more emphasis on the Service Capability items (Operational Support and Analysis; Planning, Protection, and Optimization; Release, Control, and Validation; and Service Offerings and Agreements) rather than the more typical Lifecycle topics (see the Intermediate Level page for more information, and pointers to individual elements).

Given your Microsoft interests, I'd suggest aiming beyond the MCSA: Windows Server 2012 to one or more of the MCSE items, particularly Server Infrastructure, Private Cloud, or Business Intelligence. Any or all of these can't help but make you more attractive to prospective employers. This will also give you good opportunities to cultivate your knowledge of PowerShell and/or VB Scripting (though it looks like PowerShell is probably a more productive career booster than VB Scripting, in my opinion). Furthermore, your experience with Active Directory gives you a nice platform to build on, particularly if your responsibilities run toward working with group policies and managing production environments using same (particularly if you get into automating Group Policy Objects (GPO) based controls and software deployments).

These two areas will get you off to a good start, but to move on to information security, and specifically, penetration testing, you'll need to look beyond ITIL and Windows.

You'll find excellent penetration testing credentials through SANS/GIAC (www.giac.org) or through the EC-Council and their Licensed Penetration Tester (LPT) credential. I'm not aware that these credentials focus exclusively on Linux, but it is certainly possible to add such a focus to your studies and hands-on work when you're pursuing the subject matter and related certifications, so I see no particular issues with you chasing this topic and Linux at the same time. That said, it's a big switch from Windows, so you will have to learn a lot of new material to really turn yourself into a good Linux pen-testing professional. But with sufficient time and effort, I am confident you could do so.

There is also the Certified Penetration Tester (CPT) credential from the Information Assurance Certification Review Board (IACRB), which focuses not only on pen testing methodologies, but also on vulnerability identification, network reconnaissance techniques and different network protocol attacks. The cert also covers both Windows and Unix/Linux exploits and wireless security flaws, which are becoming more important in today's networks. The Infosec Institute offers CPT training, but there are plenty of other study materials in this area available.

Thanks again for posting your questionnaire response. I hope my answers have been worth the wait, and encourage you to follow up with me with further issues or questions you may wish to lay before me. Best of luck in planning your next career moves, and in bringing them to fruition.

Ed Tittel

Ed is a 30-year-plus veteran of the computing industry, who has worked as a programmer, a technical manager, a classroom instructor, a network consultant and a technical evangelist for companies that include Burroughs, Schlumberger, Novell, IBM/Tivoli and NetQoS. He has written and blogged for numerous publications, including Tom's Hardware, and is the author of over 140 computing books with a special emphasis on information security, Web markup languages and development tools, and Windows operating systems.