How can I do cool non-cleared computer security work?
March 27, 2007 10:44 AM

Help me figure out how I can do really cool computer security stuff for a living. The catch: it can't be work for the NSA or Justice Department or anything that requires a security clearance.

A little background on me: I'm 24, I have a BS in computer science from one of the NSA centers of excellence and was involved in the "Cybercorps" Scholarship for Service program, and I live and work in DC. A part of this scholarship is federal service doing information assurance (IA) work for two years after graduation. That's fine: I've been working with the DOD for the past 18 months or so, and have 6 months left to fulfill my obligation to the government.

There are two problems with my situation. The first is that I hate my current job. It has nothing to do with IA and there's absolutely no chance that it will. The only reason I'm here is to fulfill the remainder of my service obligation. The second is that I'm having real problems getting a security clearance. I haven't been flat-out denied (yet), but they denied my interim secret clearance and I've been stuck in adjudication for the past 3 months. In addition, I'm pretty sure that I've had TS/SCI clearances denied from the NSA in the past, although I haven't FOIA'd the information to find out exactly why I was considered ineligible for the conditional job offers. I assume that this all stems from a period from around 18-20 where I smoked pot frequently, plus extensive foreign travel and having lived abroad during my teenage years. If my secret clearance is denied, I'll be fired from my current job, which, to be honest, I would not mind too much.

So while I'm qualified professionally to work for the feds doing security work, they don't trust me. I'm cool with that, but I'm still interested in doing security stuff for a living. So my questions to the hive mind are:

1. Where and in what industries can I find cutting-edge computer security work? (People have suggested financial in NYC to me. I am not yet sure I want to leave DC, but I'm open to moving.)
2. How can I land an entry-level computer security job in one of these industries when I've spent the last 2 years putzing around doing stuff not related to the field I'm interested in?
3. What further work experience would be useful to prepare for this sort of a career? (I have experience with Linux and other free OSs but I haven't used this professionally in the past few years. It's a little under 11 years of hobbyist experience, but I have been paid to be a sysadmin before, and I wouldn't mind doing it again. Bonus: what sort of a career track can a sysadmin expect?)

Any other advice would be appreciated.

You can contact me via Thanks.
posted by anonymous to Work & Money (15 answers total) 7 users marked this as a favorite

Getting a CISSP cert would help, for starters.
posted by cmonkey at 11:00 AM on March 27, 2007

It would help to know what you define as "cool" about working in computer security. If it's policy and the systems that surround/enforce policy, you might try for a job at a consulting firm that handles security and compliance systems (I refer to Sarbox as "the 21st-century TVA").

Examples of such firms: IBM, Accenture, EDS
posted by dammitjim at 11:12 AM on March 27, 2007

A CISA or a CISM would be a good addition to a CISSP.

And make sure you have at least some knowledge of the multitude of security-related acronyms that are required these days (ISO 17799, GLBA, etc.)

Consider getting a master's in something complementary to the job you want.
posted by Tacos Are Pretty Great at 11:16 AM on March 27, 2007

you shouldn't give up on getting a clearance just yet. the job market for people who got through the SSBI is insanely good and salaries are easily double what you can make without them. are you sure you didn't even get through the NACLC?

past recreational drug use no longer has to exclude you from getting cleared (though perhaps it might from TS or Q) but deception sure as hell will. if you haven't been entirely truthful, expect that to be coming back to haunt you.

this sounds like a question you should post on security clearance-specific job boards. you know, and so on.

a bunch of people there probably have been in similar situations and can advise you better than most of us here.
posted by krautland at 11:21 AM on March 27, 2007

I will be attending SANSFIRE 2007 in DC this summer; I'm very much looking forward to it. From what I've heard, there is a lot of "cool" security stuff that goes on there, in addition to the 59 infosec courses being offered. Should be a great networking opportunity as well. Too bad it's very expensive and your current contract is ending soon. Lots of government-centric activities will be going on.

Things like SAS70 and SOX are creating a lot of crossover opportunity between finance and security. So maybe you could check out somewhere like KPMG or other accounting/audit firms to see what they are offering?

Every company needs qualified security professionals these days. I work as a security analyst for a small software company. Small, as in around 300 employees, but we have over 500 clients.
posted by jbiz at 11:30 AM on March 27, 2007

Multinational law firms may need high-level security for in-office and cross-office information sharing. I don't know the specifics, or if it would be cool/fun for you, but worth looking into. (There's also computer forensics work to be done, which they contract out to specialty companies for.)
posted by lorrer at 12:33 PM on March 27, 2007

I've often thought that there'd be a pretty cool tech niche or two in the 'corporate intelligence' realm (esp. in somewhere like DC) but haven't ever followed through on the concept.

(Also, ethics might hamper a successful career in this arena ... most of the stuff I've read makes some of the C.I. folks look pretty shady)
posted by bhance at 12:38 PM on March 27, 2007

Probably not as sexy, but there are some higher-ed institutions that do some pretty interesting stuff with technology (particularly in the research fields).

With your credentials I'm sure some of them would be interested.
posted by purephase at 1:16 PM on March 27, 2007

I'm sure some foreign governments and uh... NGOs would value your experience...

(if I ever had any hope of getting a clearance, it's gone now)

More seriously, why not just go into security private sector?
posted by phrontist at 2:14 PM on March 27, 2007

Start meeting people in the field. Go to security conferences (SANS, Blackhat, RSA) if you can afford it & hacker cons (Defcon, HOPE, CanSecWest) if you can't. Go to local security interest meetings like the ones sponsored in several cities by Matasano Security. Get involved in online security forums at SecurityFocus. Network, make contacts, show off your talent & let people know you're available.
posted by scalefree at 7:25 PM on March 27, 2007

I expect law firms to be dramatically ramping up their IA efforts. DC is lousy with law firms, but I don't know if the cultural shift required for them to understand their need for IA beyond the feel-good level is happening fast enough to help your job search.

So basically, they've got money out the wazoo and they need you, but they may not know it yet. I say it's worth seeing if you can figure out which firms have a forward-looking attitude regarding IA and presenting yourself to them.
posted by NortonDC at 7:45 PM on March 27, 2007

FYI - my friend's security clearance through the Navy took somewhere around 2 years I believe, but he finally got it. If a clearance is important to you, don't give up so easily.
posted by efalk at 12:27 AM on March 28, 2007

Drat, you just missed ShmooCon which would have been a great place to network (no pun intended). I have a ton of friends who do this kind of work, and basically you do need a clearance for any "fun" security work, even if you work for a contractor.

If you're not married to DC, there's always the googe.
posted by frecklefaerie at 9:27 AM on March 28, 2007

As someone with a decade of experience in it who never tried for clearance I disagree that it's a requirement for the security field or even government work. I won't deny that it opens up a range of opportunities, but it's far from a requirement.
posted by scalefree at 11:55 AM on March 28, 2007

Follow-up from the OP:

First off, thanks to everyone who posted here. I appreciate your input.

I suppose I should've been clearer when I wrote the initial post: I'm asking this for contingency planning in case my clearance doesn't go through. That's why I stipulated that I was looking for things outside of (federal) government work -- everything I'm aware of requires a security clearance. I'm a civil servant now, and for reasons of my own, I'm emphatically not interested in becoming a contractor, so it's civil service (not military) or private sector work -- nothing in-between. It looks like it's about time to roll up my sleeves and do some good, old-fashioned networking.

Re: the drugs, I admitted everything on both my SF-86 and to the investigator in person. Including that Ambien that my dad gave me on a long flight to help me sleep, because it's technically prescription drug abuse, even if it's not recreational. During the interview, the investigator didn't delve into anything other than drug use.

krautland: I probably should've mentioned this, but other than the self-admitted drug use, I have a clean record. I've never been arrested or even ticketed for speeding. So I don't see why I wouldn't have passed the ANACI (I'm a civil servant, not a contractor) for anything other than drugs. But I don't really know.

Aside to frecklefaerie: although I didn't attend ShmooCon, I did attend their Saturday night mixer at Adams Mill with a bunch of friends who work in the field and who attended the con. This question is actually a direct result of a conversation I had with one of them, and I would've explored it in more depth with them, but I had to leave to see a friend's band on U St. I suppose if you can social engineer your way into a security conference open bar, it's fair game :)
posted by jessamyn at 3:44 PM on March 28, 2007
