Hello! My name is Mike and I am an infosec engineer with 10+ years of experience. I’ve worked in GRC, Vulnerability Management, PenTesting & AppSec. I have 17 SANS certs (I have a serious problem) and I’m also an infosec community enthusiast and creator/mod for /c/cybersecurity. AMA!
I don’t think there’s some minimum XP (in terms of YoE) bar to hit. You just need to be able to demonstrate your practical XP in some manner. Some people get this through work in IT/cyber, others through academics and others still through personal projects and doing things at home. There are a TON of self-teaching options these days through online trainings, CTFs, cons, meet-ups, etc… And lots of ways to document and market your experience and know-how (blogs, social media, podcast, etc…). Personally, I suggest learning a bit of coding, some cloud XP, start a small blog or post about what you’re learning on a micro-blogging platform and network, network, network.
As for your current place of employment, having a VERY legacy environment can actually be somewhat good for security as it may be “easier” in some respects to find misconfigurations and vulns. Does your company have any security resources? If not, try to volunteer to help in that area; if they do, introduce yourself and ask to shadow/help/learn from them.
I see. I will have to document my progress and remind myself the company isn’t actually financing this. I should start by creating a blog.
Haven’t personally talked to the IT dep yet - I am in a small dev team for internal webapps and the last time we contacted them was because of printer problems, hah. Will try contacting them once I feel ready.
Thank you for the insights. Sorry I took too long to respond.