Ask Lesley: From Ops to DFIR, a Tough Transition


I am having the hardest time getting my foot in the door in an investigative role. I have spent almost 4 years at the same job, in the same role, and cannot find a way to transition out of the operations side of the house. I went into operations with the intent of doing the dirty work and putting in my time to show I was reliable and willing to work. I wanted to parlay that into a role that better suits my way of thinking. Well, after numerous management changes, all the sweat equity and work I put forth is now lost in the various changes in management that have taken place and I am just another security engineer working in operations.

How do I make that leap to threat hunting or forensics? My workload is not relevant to that kind of work so I am missing the experience that every single one of those jobs requires. How do you get a job that requires experience when you cannot get that experience without that job? I’ve been warned about getting too much alphabet soup in certifications, that it can actually be a strike against you if you have too many. I’m so frustrated that I am still in the same position I was 4 years ago. That the certifications I worked to get just before getting this job and the resulting skills I learned in them are no longer fresh in my mind as the job I have does not utilize any of those skills.

I’m back to looking for a job that I have most of what they are looking for but not enough to get a second look. What advice do you have for folks that are in my position. There are hundreds of thousands of roles open in security but it is still so hard to get a foot in the door. Thanks,

– A Frustrated Tech

Dear Frustrated Tech,

I’m concerned about the organization you are currently working at. Here are the main reasons why:

  • It sounds like you are not having healthy, constructive conversations about your career goals and career path with your management, and you note a lot of management changes disrupting this.
  • They do not consider threat hunting a part of security operations. This indicates a maturity issue or a “ticket farm” culture. Threat hunting should already be part of your responsibilities after four years, or you have sincere problems as an organization with proper automation of repetitive tasks.

My first inclination is that it is time to start seeking employment elsewhere. However, you do have some responsibilities to fulfill if you have not done so already:

  • At your next performance review or 1:1, have a candid discussion with your manager about your expectations, goals, and performance. Try to get a clear answer on paper about all of those things and a path forward with attainable goals. If they don’t feel you’re ready to move into DFIR, you want to have the performance reasons clearly documented on paper along with their expectations of you to be eligible.Notice how I keep saying “on paper”? You are your only and best career advocate, especially with these constant management changes. Be courteous and tactful, but treat it like you’re going to court.
  • Make an effort to meet requirements for and always apply for job shadowing opportunities and open req’s in the DFIR team, even if you don’t think you’re fully qualified.
  • Seek mentorship in Digital Forensics and/or Incident Response, preferably inside your own organization.

If you have already done these things, then my gut feeling is probably correct that you are either in an organization that is mismanaging junior security operations talent due to program deficiencies, does not have a sufficient training pipeline from junior to senior, or simply has no interest in doing these things as they are only concerned with ticket metrics. At that point, there’s not a lot you can do except “get while the getting is good” and move to a more conducive environment ASAP before your skills and certifications lapse.

I wish you a ton of luck in your career progression,


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s