Advise on Infosec Certifications

santhosh93499

Hi everyone, please could anyone provide advise on whether to do MCSA or CCNA:Security along with Security + as MCSE in Security is no longer available, or CCNA:Security along with Security + is enough to get in to Infosec path with some experience.

I'm planning to do MCSA:Server Infrastructure, CCNA:Security, ITIL Foundation and Security +. Thank you all in advance.

NovaHax

There's not really an exact infosec path. All roads lead to rome...its just a question of how you want to get there. In regard to Cisco or Microsoft...Are you more interested in system administration or in TCP/IP routing and switching technologies?

As far as what is required to initally break into InfoSec...its largely going to depend on how good you are at selling yourself, and also on your skills, knowledge, and experience (not necessarily just your certs).

LionelTeo

I always recommend the CEH > GCIH path for a start, but would require a decent amount of hardwork to reach that level. The concepts are very basic, but consider difficult for many entry level. But getting both would raise your a good chance to break into infosec.

beads

Someone broke down all the sub-catagories and task descriptions for IT Security: coming up with 31 separate and unique tasks.

Question lies therein. What do you want to do in IT Security? We have fast approached the day of still being able to refer to ourselves as 'Generalists'. Anyone who does probably doesn't know half of what they think they do. We are increasingly becoming specialized due to not only the nature of the work itself but the volume of information in which to do such work.

Do you have a background in Infrastructure, Development or DBA work? Each of the three main disciplines will align you to various different tracks within IT Security. Developers and DBAs make truly great Pen testers but often fail with risk management for some reason. Infrastructure folks do well starting in audit. Actually most everything we do starts with the common audit process - the other 5 percent is changing the architecture of the business. Weird but true and a topic for another post.

Start there and the board will obviously be happy to share its collective wisdom on the subject.

- b/eads

santhosh93499

Thank you all for your replies. Just started to work as a fresher after completing BS in Computer Science. In my current company where I'm working on Windows server like managing user access permissions and so on in L1 Level, I've got a good chance of switching my track through Internal Job Postings, so for that I need some certifications which will really give me an upper edge over other candidates trying to fill up the spots.
And I dont want to spend money on other certifications which really dont have an impact when other certification combinations do. I want to get in to more technical side of infosec path, so will it be good to do MCSA along with Security + or CCNA:Security with Security + is enough, and also would it be fine to do all 3 certifications like MCSA, CCNA:Security, Security + just to get in to Infosec as an entry level candidate, later I'll do more advanced Infosec certifications to advance my career.

ChickenNuggetz

I think NovaHax has got it right. Certs are only one peice of the puzzle and small one at that. If you're hoping to shift internally to an infosec role, showing initiative and knowledge is the way to go. The certs you've listed could show your initiative but would probably leave questions about your practical level of knowledge as related to infosec.

If I was a hiring manager (and I have been) and was vetting candidates, you know what would show me both initiative and knowledge? Someone who took it upon themselves to build a lab and learn. Break something then put it back together. That's difference between practical knowledge and academic knowledge.

Certs are a great way to validate the experience you already have but I do think it'd be more worth investing your time in acquiring the practical knowledge; so I'd avoid putting the cart before the horse, so to speak.

To circle back to your original question, out of the certs you've listed, here are my thoughts: I'd pick up the Security+. It'll give you a basic foundation to build upon and teaches a lot of fundamental concepts. The other certs are more so geared for systems and network admins respectively, so unless you want to shift into that kind of role, I'm not sure if that's the best use of your time.

Regardless, good luck!

docrice

In infosec, everything builds from fundamentals. As I told some people at work, it doesn't matter if you know every single IOS command on a router or switch; if at the end of the day you don't understand TCP/IP, you fundamentally don't understand networking. Configuring devices without some idea of the behavior of traffic protocols and the bits which make up the carried payload boils down to just being a knowledgeable technician. It's harsh, but that's how I see it.

I know some places emphasize (and judge) based on certs on a resume, but when the rubber hits the road and you have to do the work, it's about understanding how hosts, networks, applications, user behavior, business priorities, and how they all work together as a complete system and seeing the risks. You can get "security certs" all you want, but having the depth in order to be security-effective requires being able to distill down to the basics.

Read through a Security+ book (don't bother with the exam unless this one's really challenging to you). Check out the SANS roadmap poster:

https://www.sans.org/media/security-training/roadmap.pdf

Don't bother thinking about taking SANS classes or getting GIAC certs right now and just think of the path that interests you. It's highly unlikely you're going to master all of them. To be effective in infosec, you need to understand the IT business. Normally people don't directly jump into the security side because doing the work requires a lot of contextual knowledge about how the IT business machine works.

santhosh93499

Thank you all for your Invaluable advice. It made it so clear.