To my knowledge there is no formal way to get experience on security tools other than on the job. You can build your own labs, spending heaps of money because security tools and the systems to operate them are costly. Also, these tools need good-sized bandwidth, which can be very expensive, for you to analyze the data. Security University classes promote hands-on security training with security tools and instructors that are security practitioners to provide an opportunity to touch, install, analyze and build security tools into a current network infrastructure, but SU cannot provide real-world experience either. There's "bring your laptop" class training as well -- those classes are limited to what your laptop can do. (They may be less costly and more available locally.) You'll get to install (instructor led) freeware security tools like Snort (IDS) and a few Linux firewalls and more. If you're really interested in information security, sift the Web for free tools to download and play in your mini lab.
Look for a "low-pay" security or network opportunity to gain experience. In return for low pay, ask them to provide training classes (in writing) with a certification for you. Do you have Microsoft's MSCE or Cisco's security certification CCNIE? Both certifications can be done in your town at local training facilities and look good on your resume. Whatever you do, be honest about your experience and tell your future boss you're classroom trained.
Yes, the "age old" need experience to get the job -- or the job you can get does not provide a security-related opportunity -- is hard. You need to be creative. Sell yourself! Find a security-minded company that you want to work for. Tell them you're willing to do what it takes to become an information-security professional. There are many excellent companies looking for the highly-motivated individual. Plan your information security career by the opportunity you can create for yourself.
For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Link: Infosec Training, Careers and Events
IT Career Expert Tip: Negotiating salary -- do you dare?
IT Career Expert Tip: Leveraging recruiters
This was first published in April 2003