CCNP vs CISSP- need guidance

musclegenesis

Hello folks,
This issue has been adamant in my mind, and I need clear guidance on how to have some peace of mind:

I am a network engineer for a telecom company that has 3 years of exp and have a CCNA. I also jumped the gun in my studies and pursued a MBA which is not really paying off. Looking to make a switch but have few issues to consider:

1. Pursuing a CCNP vs CISSP: I do not deal alot with security but understand the basic IPSEC vs GRE and VPN methodologies. I want to penetrate the medical and financial fields but not sure if a network engineer will get me there. I also have a MBA so is CISSP a better route?

2. Many jobs that I looked into CISSP were strictly in audits and security. The knowledge that I possess about routing and switching supplements my current resume. If I get a CISSP, I would have to re-engineer my whole resume.

I am confused about what certification to pursue. CISSP is def a harder one and may supplement my MBA and get me a manager role in the future I desire.

My question is: Will CISSP be a better fit for me since I already have a CCNA and no security cert even though I lack security in essence. How does one get into trustwave and Security engineering when they have decent knowledge of it but lack real-life exp?

Thanks folks

kvponkshe

Hi,

Look forward 10 years . Where you want to be ?

CCNP is actual hands on working on firewall/ routers/ switches. If you are techy lover guy , then CCNP / CCIE is better option for you ! But don't stop at CCNP , do CCIE as well .

CISSP is vendor neutral certification . Nothing hands on. You will doing Security Audits / Compliance / governance of the organization where you are working. Your MBA will definitely add value in your resume sooner or after.

Let me share my exp. I am CCNP certified & CisSP passed having 8+ years exp in network sec. Doing configurations on firewalls/routers ,spoiling my weekends in doing IOS upgrades is now no more fun for me. But even after CISSP passed , I am not getting job in Security Audits / Compliance / governance profile. See my thread "Need guidance " to understand situation that you may face after 7-8 years.

Think long term & choose correct path as per your objective. All the best !!!!
Sorry if I hurt you unknowingly !

renacido

Repeat after me: CISSP is NOT an entry-level security certification.

Someone with marginal security experience jumping right into the CISSP to try to get their first foothold in the security field is equivalent to a Security guy who has never configured a Cisco switch and doesn't yet have CCNA going after CCIE.

Also, passing the exam doesn't make you CISSP. You have to be endorsed as having 5 years of experience in at least 2 of the 8 security domains by a CISSP in good standing and ISC2 will review your application and make a decision as to whether or not you qualify.

I see a lot of guys looking at this cert as the gateway into security but it is not.

I know some of this phenomenon is due to HR being unfamiliar with security certs and only knowing about CISSP but trust me, if you have Jack squat for security experience having CISSP just means you have $600 less in your wallet than you should.

!nf0s3cure

I disagree...CISSP is an entry level to lower mid level certification but covering a lot of areas within the IT domain...not just security....simple example...with a CISSP you may not know how to configure a firewall..you will know where to put it or what types there are..that is the limit you need for the certification...nothing more....so it is sitting at lower levels knowledge for most of domains without going into too much depth..mile wide inch deep or so they say..now time for me to sit back and get the wrath of CISSP members here....I'll be one soon...hopefully...

renacido

You consider a management cert that REQUIRES 5 years full time experience in the field "entry-level"? Ok we definitely disagree on the definition of entry-level.

So tell me do you think knowing how to configure a firewall is the benchmark for being a qualified security pro? So by your logic the CISM and any other of the dozen or so security certs that don't test on firewall config are all entry-level? By your logic the CCNA:S is a higher level security cert than CISSP or CISM.

As The Dude would say, "well that's just like your opinion man."

NovaHax

I tend to agree with !nf0s3cure to a large extent. The common description of CISSP is that its "an inch deep but a mile wide." And this is a pretty accurate description. There is no depth of knowledge required to pass CISSP, just a massive breadth of knowledge. It doesn't take a skilled professional to pass that exam. You just have to be decent at taking tests and be familiar with the concepts. I know a lot of pretty worthless CISSPs and don't personally hold the cert in very high regard. But unfortunately, its necessary to get past the HR filter for a lot of InfoSec jobs, so its still important to have.

renacido

I agree that it's broad and not very technical and that because HR dumbasses don't know better they ask list CISSP as a qualification for everything security. My point is that CISSP is a management cert not a technician cert. That's why it has the experience req and is so broad. Unless you have worked as a Security Manager you may not understand this role. A SOC Manager or CISO should not be the guy editing your firewall configs. Or monitoring SIEM alerts or analyzing IPS logs. They have to understand these things and be able to guide and make decisions concerning these things but no management cert should test someone on how to configure a CISCO ASA or Palo Alto firewall because the sec mgr or CISO has other **** to do that their junior guys are not qualified or given the authority to do.

!nf0s3cure

@ renacido.

As I said wrath of members here but I guess it is lot softer than expected but who knows when flood gates open.

I also said entry to mid level. Next, 5 years experience can be a misguiding statement, as others have said just sitting for 5 years in some roles does not make you a good security professional if you just meet the criteria, what makes you justify the 5 years is, if you have learnt something. CISSP exam can in no way assure that you cannot pass it if you just crammed the stuff and someone who is poor at taking exams but excellent at their work may fail it several times and it is by no means a reflection on their ability to do IT security work. For very long time I have expressed my disappointment at the Cryptography testing in the exam because it was testing on skills that I guess are required by less than 1% of the IT workforce and yet it was one of the major domains and had more questions in the test than penetration testing a issue that is hitting the world like no ones business.

I know taking a CISCO certification is much harder than CISSP as it requires you to have actual hands on skills and it is very hard to bluff your way through it. It is human nature and you have just got wrapped around in the 5 years statement. I see that you are a CEH, would you agree that it is hard to cram your way through that certification as well. As for monitoring alerts on a SIEM if you use Splunk (free plug to a good but expensive product) you are very easily in control and I do not see a reason why a security manager who has risen though the ranks and experience cannot drive it. In fact if a security manager cannot drive it in 10 minutes of OJT the organisation needs to look at that persons skill set again! Big statement but very close to truth. I have used other SIEM products but they could be a completely different story.

So as a general question what do you think a person who passed CISSP with 5 years experience should be able to do? Again not meaning to disappointing you but there are lot of 'Fresh' CISSP's who do not seem to have a handle on 'Oh $h!T what do we do here situations'.

I am not a CISSP yet and neither I claim to be an expert at many things but there are some part of IT security where I consider myself well versed. Nothing wrong with that. I do that job day in day out and have my moments of stop and think but it does not mean a person with a CISSP is any better!

As you said it is mostly a HR promoted issue but then there are some smart people I know who have also taken up the certification to hit the HR search engines and nothing more.

Any way good topic and discussion lets carry it on till I get my CISSP and then I will switch sides

renacido

!nf0s3cure (cool alias by the way, consider changing the e at the end to a 3 though)

I'm not a CISSP yet either, I'm in exam results limbo having tested during the psychometric analysis window. But I have 23 years IT experience, 9 years doing infosec as a primary duty, and got hired in a job that "must have CISSP" over 26 other candidates. So yeah, the CISSP is not the cats's a$$ as proof of your ability to do a job.

My point is if you are really a Sec Mgr you have technicians to edit your configs on your firewalls and you have analysts and incident handlers to look at your SIEM and your IPS, HIDS, audit logs, etc. If you are the one doing that as the Sec Mgr or CISO there are probably higher-level tasks you are probably not doing.

Regardless of what CISSP actually means, it is intended to mean that you can fulfill a security management role, not a technician role. A CCNA may be enough to configure a firewall but the risk-vulnerability assessment, hygiene and hardening, security testing, event monitoring and response, etc should be driven by a guy who knows the stuff in the CISSP exam, not just the CCNA exam.

Good discussion.

!nf0s3cure

100th post...Yay.....never thought I would last this long but there are too many sticky people around here;)

I see what you are proposing but there are smaller environments where you could be a 1 man/person army! So I agree with you but still hold my line, but lets help the guy with his question first. Because right now it looks like this:

Question in mind+head to techexams=more confusion=back to square one+headache

So as it has been said one is a hands on type of certification other is managerial kind of certification, so make your choice if you want to head down the management path or you are still young to sit on a command line and bash codes or scripts! Not showing my age here but I have had my days of scripting now I have young kiddies working for me that do that work. Some amazing minds and big brains....so see where you are in you IT life cycle and decide....

......over and nearly out from here.....thanks for the complement on the username......it is a pain to remember though...:)

Keep up the good work.

dave0212

Firstly OP, ultimately the path is defined by career objectives, look at the jobs you want to attain and what they require. Changing job functions can be challenging and usually requires someone to give you that opportunity. I made the switch from Technical to Security by picking up security responsibilities as part of my role, I got heavily involved in ISO27001 and PCI-DSS delivery and it snowballed from there. I would say look forward 2 years rather than 10, what is the immediate benefit, a qualification for the best part wont get you a job, you need to try and attain some experience first and supplement with certification (yes I know this can be hard) if you can, shadow someone who works in the field in your organisation or take ownership of it yourself.

!nf0s3cure wrote: »

I also said entry to mid level

I agree it is mid level, definitely not an expert level.

!nf0s3cure wrote: »

I know taking a CISCO certification is much harder than CISSP as it requires you to have actual hands on skills and it is very hard to bluff your way through it.

Interesting statement as you don't seem to hold either and a little to broad a statement, a CCIE will most definitely be more difficult than CISSP but a CCNA, no it isn't.


The CISSP is a very broad exam and wont make you a specialist in any arena but if you learn the material (not memorise) it does teach you things that allow you to discuss security topics with a wide range of people even if it is at a high level.

Ultimately all certification is a HR driver, no certification guarantees competence, well defined interviews do. I have met many a certified Muppet.

!nf0s3cure

[QUOTE=
Ultimately all certification is a HR driver, no certification guarantees competence, well defined interviews do. I have met many a certified Muppet.[/QUOTE]

This is a statement that has been beaten to death by every knowledgeable professional here...I understand your comment about not having CCNA but I got very lucky and had expert to train or give me OJT on networking products so I never had need to go through the pain of getting piece of paper to say that I could configure or work on a networking device. I must say I was very lucky to work and learn from professionals that could pass information ...mind you teaching is a fine art and it not a knack that every teacher has....

If you keep digging deeper there will be certifications that will be more difficult than any other...but CISSP is seen a difficult one as you need to understand lot of information about most things IT. In the wider IT community people tend to specialise in a certain area or two and then take a career path..but for a DBA to become a IT security professional just by getting past CISSP is a quite a disservice to IT security and will likely produce a professional like one that you have mentioned. Again all of these are my views and I take criticism and discussion in a +ve manner and gain a wider appreciation through this process.

When you got your MCSE for 2000 that was the hot and going thing in those days and you could not be seen working in IT without it. All or most others came to fame a lot later and the scenarios have kept changing ever since...a software comes into limelight and we all rush for it and then there is the next one...and so on..it is a never ending cycle I guess...

dave0212

Completely agree !nf0s3cure

But its true of most certification not just CISSP, even things like CCIE will have unskilled professionals due to dodgy certification practices in areas of the world.

Ultimately always learning, but not necessarily certifying anymore

kiki162

It would help you going both routes.

I would look at getting your CCNP first if you want to stay within the networking arena. You can also get into the CCNP Security, then look at the CISSP. That would complement your certifications, instead of going directly into CISSP. Once you get past CCNP:Security, you'll have a good 5 yrs in anyways for CISSP. If I were you, try getting into doing a little more security work, whether it be IDS/IPS, Firewalls, etc.

renacido

You must understand that within infosec there are a wide range of distinct roles, all of which have associated technical certifications. C|EH/GPEN/OSCP for pentesters and for secops/engineers who do security assessment/hardening; CISA for auditors; E|CSA/GCIH/GCIA for sec analysts/incident response; and so on. You have practical certs for forensics, web/app testing, on and on. I see guys on this board call these "higher-level" than CISSP because CISSP is broad and not deep where the others (and Cisco/JunOS/Microsoft certs) require hands-on skills.

How I define CISSP as a mid-level cert and NOT an entry-level cert is IT IS A SECURITY MANAGEMENT CERT. You don't hire Security Managers (or Senior Security Analysts, SOC Leads, etc) off the street with zero experience! And sorry, if your IT department is one guy, go ahead and call yourself Security Manager but I'm not referring to you here.

The reason CISSP is so broad and requres 5 years experience is it is INTENDED to signify that you have the knowledge and experience of a seasoned security practitioner (not a novice!) who can **MANAGE** a company's security program and/or department. YES it's mostly for HR and hiring managers but for good reason! They want to avoid NEGLIGENT HIRES - hiring people who can bullshit their way through interviews but then fall on their faces when they are put in the hot seat. THIS is why when people call CISSP "entry level" it gets my Irish up! When underqualified people get this cert it undermines not only the value of the cert but they undermine the hiring process. Would you want to be passed over for a job to a paper-only CISSP who merely memorized some study guide and got his buddy to invent some tall tales of security experience to get him the cert? Do you want to work with guys who aren't security pros they just saw that CISSPs make 6-figures and say "me too!!"? I don't!

The true ENTRY-LEVEL infosec certs are Sec+, SSCP and GSEC. They are general security practitioner certs, aimed at covering all the fundamentals, but not nearly as demanding or managerial-judgement-oriented as CISSP.

Please just STOP calling CISSP entry-level and STOP telling total newbs to sit this exam. You shouldn't be even working full-time infosec without previous IT experience to begin with, let alone applying for a mid-level infosec job. Sorry but "fake it 'til you make it" has NO PLACE IN SECURITY. Rant over (for now).

musclegenesis

Ah that is frustrating. So you went CCNP-CISSP and still no job offers? I feel that CISSP is highly valued in HR and does not make me dimensional only in networking. I have known many security concepts so that is not an issue.

splash24

Interesting discussion , As a holder of both let me add my 2 cents ( CISSP is in endorsement )

I agree with the earlier discussions that CISSP is NOT an entry level cert and it’s NOT a totally technical cert either.As others have clearly written the differentiation let me give a real time example

I work for a Fortune 10 company primarily dealing in global cards and payments with More than 1 lakh employees and billions in revenue , In fact one of the partners to contribute to PCI

I had a job opening to work on PGP , I was just a networking guy then and PGP was very new to me.I attended the interview and I was truthful , My interview was mostly on how I manage to secure links and how I deal with internal , external partners and how I deal with stressful situations.My manager saw something in me ( Later talks ) and recruited for the position but NOT because he knew I would perform well in a PGP world.This is how I ventured into Information security , For some reason the project never kicked off ( Management buy off ) but I was offered to help the existing key management team.This is when I learnt Crypto , Although I was not allowed to touch the Crypto operations , I had an opportunity to see how everything works on a bird view.As luck would have it , my Director got approval for a key management solution for which he was looking for team members and I became a full time member.

Message : Be best at what you do ( CCNP ) but notice , observe , learn Info Security ( Even it’s through papers , magazines , forums etc., ) There will certainly be an opportunity in future where you have 20+ candidates but only 1 with limited knowledge.I would any day pick a candidate with limited knowledge than to deal with candidates from scratch ( Best scenario still would be getting fully experienced guy but will not fit all scenarios – I am in my hiring tem for the company so I know what I am talking about )

Example for job responsibilities for CCNP vs CISSP :

I closely worked with Network engineering Manager for Crypto solutions ( EAP –TLS , PGP Networking , Key Management Solution deployment etc., ) He was a CCNP and had NIL experience with Info Security.I had seen him risen to the rank of Director and that’s when he unleashed J Anyone in Info security would know how the past 2 years had been , Heartbleed , Ghost and 6 critical patches from MS.Hell , literally hell – You are supposed to remediate the internet facing systems in 24 hours and you get a weeks time to remediate the rest.Let me not touch the critical systems for now.I am talking 26K servers ( Right , 26K which includes physical , virtual , cloud , Openstack , IaaS all environments and all sorts of operating systems )and the Networking Director was given the responsibility to
1.Liase with product vendors and assess the criticality of the vulnerability
2.Oversee the remediation
Trust me I would not want his job.It’s pretty amazing how well he handled the situation.He had to inform the stakeholders every 3 hours ( Call used have 100+ business managers screaming why this outage etc., because they are all about revenue ) Never once I saw him lose his cool.He understood everyones concerns and drafted plans as to how to deal with the situation and needless to say he excelled in his role ( Cannot dive into actual reasons for obvious reasons )

I now see him as Vice President for Security and with a CISSP badge ( I am not sure when he did it ) This post is NOT to justify CISSP’s are powerful , just saying what a manager responsibilities entail.It’s not about fixing the issue , It’s about how you drive things org wide and CISSP is a pretty good cert that teaches you ( NOT the actual exam ) but the journey you take.Understanding layers of networking , communication , flow , which plans , strategy , operations , different business units in your environment etc.,

I know it’s a long post but required to explain my POV.Dont look at CISSP as a cert , If you treat LEARNING with respect , CISSP is the most expensive tool that you have for the purpose.It helps you with a bird eye view , helps you understand what your BOSS is doing and helps you to be the BOSS one day.

splash24

!nf0s3cure wrote: »

@ renacido.

For very long time I have expressed my disappointment at the Cryptography testing in the exam because it was testing on skills that I guess are required by less than 1% of the IT workforce and yet it was one of the major domains and had more questions in the test than penetration testing a issue that is hitting the world like no ones business.

i beg to differ on this , Crypto is not just for IT it should be for everyone.I can understand your wrath if CISSP asked for how algorithms work ( Then it's mathematics ) but this is essential in Info sec world.This ALL we do right , protect information and Crypto plays a key role.I know techie people who don't give a damn about digital cert while going to a bank website or Info sec people who have no idea that SHA is broken etc., And everyone now w days uses digital signatures.If CISSP don't understand these concepts who else we can expect this from ? Again , Inch wide and mile deep.We do not need to know how algorithms factor if we are not interested but how basic signing operation or encryption works is certainly common knowledge that CISSP tests.

Mike7

splash24 wrote: »

i beg to differ on this , Crypto is not just for IT it should be for everyone

Agree. Some of more serious security vulnerabilities in recent years involves crypto. Beast, Heart Bleed, Poodle, Logjam are about crypto algorithms weakness. You need to know crypto in order to understand the implications of these vulnerabilities, and know how to fix them.


If you know crypto well enough, you can secure your environment and not be affected by some of these vulnerabilities. For example, we disable SSL 3.0 support early last year since all browsers (except XP) support TLS 1.0 by default. As a result, we were not affected when Poodle was announced late 2014. We also disabled DH ciphers on our web servers before Logjam flagged it as a weakness.

musclegenesis

Hi,
Wow, I guess that is very frustrating. As of now, I went ahead and got my CCNP. However, my research indicates that the money is still in security. CCNA security I think is not enough, so CISSP and being proficient in firewalls should be okay.

Any luck with security jobs yet?

hilld

I just attended a Sans Executive Summit in Dallas last month and pretty much all the speakers echoed the following statement. Security is the fastest growing area in IT, there is a projected shortfall in qualified security professionals. With this being said, there is a wide gamut of security related jobs from a analyst/researcher all the way up to a CISO. In between you will find compliance, policies, pen testing, code review, SOC, etc. Pick a field that interests you and become an expert, experts are the ones that make the big bucks. It might take you a while to find the area that you are passionate about.

Good luck in your journey.

Mike-Mike

splash24 must make a boatload of money..... quad CCIE & CISSP & Fortune 10, wtf...


i do not have a CCNP or CISSP, I have worked in Networking and Security, but I tend to prefer security. Everyone asks me about my CCNA, only a few have asked if I will get a CCNP.

literally every security job is interested in CISSP.

splash24

Mike-Mike wrote: »

splash24 must make a boatload of money..... quad CCIE & CISSP & Fortune 10, wtf...

Try and read properly before you use wtf ... I cleared CCIE qualification exam and yet to give labs so NOT a CCIE and mentioning CCIE ( QUAL ) and the discussion is not about money i added my 2 cents ..

Mike-Mike

splash24, it was meant to be complimentary, pretty impressive

colemic

Just to change the direction of the thread again... for those that feel CISSP is a lower-to-middle management cert, what would you consider to be mid-to-high-level cert(s) in this space?

Cyberscum

When did CISSP become an entry to mid level cert?

All upper management in my area require CISSP for GRC work. GIAC and some other will work as well, but IMO if you are looking at INFOSEC as a career CISSP is a must.

splash24

Mike-Mike wrote: »

splash24, it was meant to be complimentary, pretty impressive

Ok , couldn't catch it LOL..

colemic

Cyberscum wrote: »

When did CISSP become an entry to mid level cert?

All upper management in my area require CISSP for GRC work. GIAC and some other will work as well, but IMO if you are looking at INFOSEC as a career CISSP is a must.

See post #4 of this thread...