So You Want to Get into DFIR? Private Sector Edition

So you’ve decided that public sector is just not for you. Nothing wrong with that! We just need to work on getting you ready for different suits. This is a different animal all together! If you have a love for white collar issues, you’ll see there is no end to the work you can do. If you love threat hunting, this will be a joy!

What am I going to work? 

This is going to be entirely dependent on your company and most likely location as well. However, a good indication will be how involved the digital forensics is within the Legal entity of said company. You could be working things like HR complaints. You could be working complex white collar crime cases. At the very least, you’ll most likely be working intellectual property (IP) theft. All three are very important and will range in how much of an operations tempo you’ll have by working this stuff. I personally have found a newfound enjoyment with working white collar issues for some odd reason. It must just be that I was just done looking at evil images!

How do I get a job in it? 

Again, I caveat. There is a lot in play here. And my experience is probably more against the grain than what many would see. However, I would tell folks to move cautiously with trying to get into these roles. For some companies, this may be really easy to get into. Others, almost impossible on anyone with entry level experience. And that is what I am trying to address this as. Those who have a 2 page resume with loads of certs and degrees and experience don’t need my help getting a job.

If you are just coming out of college with minimal IT experience (like official IT experience, not helping grandma get her computer set up), I would almost solicit folks to take a role on a SOC instead or Legal IT at first. While I would always take on someone junior level to work with me and mentor them, it is a hard sell to most legal operations to have someone who could be roasted in a deposition or court based on minimal experience. If you can find a junior role doing this, I would just solicit you to make sure the job isn’t eDiscovery in nature (aka, just email) or button monkey (aka, just push a button and let someone else look at the output). To me, that doesn’t seem fun — and this is a job you’re going to for 40+ hours a week!

Now if you go the SOC route, I think you’ll gain some useful experience if you really want to put the IR in DFIR. You’ll understand what hardware/software are in place at the company and can help make sure it is working like it should be. Additionally, if the company is small enough — this probably one of the best ways to get your foot in the door to build up a forensics position anyways! You’ll probably see these jobs posted as “Security Analyst.” It isn’t official unless analyst is in the name.

The Job Postings

Caveat as well, you’re experience may differ. I cannot foresee every company in the world. BUT. What I can provide is insight to hopefully make you the best candidate.

Things you’ll just need to have. 4-year degree in some facet of IT. That can be IT Management, “Cyber Security”, Information Security, etc. The big thing here is employers are going to wanna know that you have more advanced understanding of technology outside of “put this button and get email.”

Certifications are iffy in my opinion. Namely because HR doesn’t know what to have and hiring managers just copy and paste. But yes, things like CISSP are always going to be a “shoe in” for any IT application since it is predominately the only thing I swear HR employees know for IT certs. Another issue with certs is they tend to not be very cheap. Even as a big advocate for SANS, I cannot demand someone pay out of pocket for the cost of the courses. With that being said, seeing things like GCFE, GCFA, GCIH, GNFA, etc, are going to be intriguing to me. Namely because I know how difficult those tests are. However, if this is for entry level type forensics, if I see the CCE I am more likely to get these folks into an interview. I do not agree with how up-to-date the material is, but there are forensic techniques and processes there that are still very relevant. Hopefully in due time, they’ll update and I can start really championing this cert again.

The CFCE is another one if I see I’ll probably jump for joy. But it also isn’t cheap to take and the process is pretty painful as well. I’m not really expecting many out of college to be taking this.

Job Experience

Optimally having some semblance of IT Security or Legal knowledge is going to go the furthest. You want to establish to the hiring manager that you can do the job without hand holding and are not scared of lawyers. This can be anything from just blog reading to formal education.

Personally, that is it! Private Sector has some great opportunities to it. You’ll find the jobs probably pretty rare, but even if you get into IT Security within a company I think you’ll be able to pivot to doing Digital Forensics if that is your jam. Many just do not know how much money can be saved by keeping this role within the company as opposed to seeking 3rd party.