CCNP vs CISSP- need guidance

in SSCP
Hello folks,
This issue has been adamant in my mind, and I need clear guidance on how to have some peace of mind:
I am a network engineer for a telecom company with 3 years of experience and a CCNA. I also jumped the gun in my studies and pursued an MBA, which is not really paying off. Looking to make a switch but have a few issues to consider:
1. Pursuing a CCNP vs CISSP: I do not deal a lot with security but understand the basic IPSEC vs GRE and VPN methodologies. I want to penetrate the medical and financial fields but am not sure if a network engineer will get me there. I also have an MBA, so is CISSP a better route?
2. Many jobs that I looked into for CISSP were strictly in audits and security. The knowledge that I possess about routing and switching supplements my current resume. If I get a CISSP, I would have to re-engineer my whole resume.
I am confused about what certification to pursue. CISSP is definitely a harder one and may supplement my MBA and get me the manager role I desire in the future.
My question is: will CISSP be a better fit for me since I already have a CCNA and no security cert, even though I lack security experience in essence? How does one get into Trustwave and security engineering when they have decent knowledge of it but lack real-life experience?
Thanks folks
Comments
Look forward 10 years. Where do you want to be?
CCNP is actual hands-on work on firewalls/routers/switches. If you are a techie kind of guy, then CCNP/CCIE is the better option for you! But don't stop at CCNP, do CCIE as well.
CISSP is a vendor-neutral certification. Nothing hands-on. You will be doing security audits/compliance/governance of the organization where you are working. Your MBA will definitely add value to your resume sooner or later.
Let me share my experience. I am CCNP certified and have passed the CISSP, with 8+ years of experience in network security. Doing configurations on firewalls/routers and spoiling my weekends doing IOS upgrades is no more fun for me. But even after passing CISSP, I am not getting a job in a security audits/compliance/governance profile. See my thread "Need guidance" to understand the situation that you may face after 7-8 years.
Think long term and choose the correct path as per your objective. All the best!!!!
Sorry if I hurt you unknowingly!
Someone with marginal security experience jumping right into the CISSP to try to get their first foothold in the security field is equivalent to a Security guy who has never configured a Cisco switch and doesn't yet have CCNA going after CCIE.
Also, passing the exam doesn't make you CISSP. You have to be endorsed as having 5 years of experience in at least 2 of the 8 security domains by a CISSP in good standing and ISC2 will review your application and make a decision as to whether or not you qualify.
I see a lot of guys looking at this cert as the gateway into security but it is not.
I know some of this phenomenon is due to HR being unfamiliar with security certs and only knowing about CISSP but trust me, if you have Jack squat for security experience having CISSP just means you have $600 less in your wallet than you should.
So tell me do you think knowing how to configure a firewall is the benchmark for being a qualified security pro? So by your logic the CISM and any other of the dozen or so security certs that don't test on firewall config are all entry-level? By your logic the CCNA:S is a higher level security cert than CISSP or CISM.
As The Dude would say, "well that's just like your opinion man."
As I said, the wrath of members here, but I guess it is a lot softer than expected; who knows when the flood gates open, though.
I also said entry to mid level. Next, 5 years' experience can be a misguiding statement; as others have said, just sitting for 5 years in some roles does not make you a good security professional if you just meet the criteria. What justifies the 5 years is whether you have learnt something. The CISSP exam can in no way assure that you cannot pass it if you just crammed the stuff, and someone who is poor at taking exams but excellent at their work may fail it several times, and it is by no means a reflection on their ability to do IT security work. For a very long time I have expressed my disappointment at the cryptography testing in the exam because it was testing skills that I guess are required by less than 1% of the IT workforce, and yet it was one of the major domains and had more questions in the test than penetration testing, an issue that is hitting the world like no one's business.
I know taking a Cisco certification is much harder than CISSP as it requires you to have actual hands-on skills and it is very hard to bluff your way through it. It is human nature, and you have just got wrapped around the 5 years statement. I see that you are a CEH; would you agree that it is hard to cram your way through that certification as well? As for monitoring alerts on a SIEM, if you use Splunk (free plug for a good but expensive product) you are very easily in control, and I do not see a reason why a security manager who has risen through the ranks and experience cannot drive it. In fact, if a security manager cannot drive it in 10 minutes of OJT, the organisation needs to look at that person's skill set again! Big statement but very close to the truth. I have used other SIEM products but they could be a completely different story.
So as a general question, what do you think a person who passed CISSP with 5 years' experience should be able to do? Again, not meaning to disappoint you, but there are a lot of 'fresh' CISSPs who do not seem to have a handle on 'Oh $h!T, what do we do here' situations.
I am not a CISSP yet, nor do I claim to be an expert at many things, but there are some parts of IT security where I consider myself well versed. Nothing wrong with that. I do that job day in, day out and have my moments of stop and think, but it does not mean a person with a CISSP is any better!
As you said, it is mostly an HR-promoted issue, but then there are some smart people I know who have also taken up the certification to hit the HR search engines and nothing more.
Anyway, good topic and discussion; let's carry it on till I get my CISSP and then I will switch sides.
I'm not a CISSP yet either; I'm in exam results limbo having tested during the psychometric analysis window. But I have 23 years of IT experience, 9 years doing infosec as a primary duty, and got hired for a job that "must have CISSP" over 26 other candidates. So yeah, the CISSP is not the cat's a$$ as proof of your ability to do a job.
My point is if you are really a Sec Mgr you have technicians to edit your configs on your firewalls and you have analysts and incident handlers to look at your SIEM and your IPS, HIDS, audit logs, etc. If you are the one doing that as the Sec Mgr or CISO there are probably higher-level tasks you are probably not doing.
Regardless of what CISSP actually means, it is intended to mean that you can fulfill a security management role, not a technician role. A CCNA may be enough to configure a firewall but the risk-vulnerability assessment, hygiene and hardening, security testing, event monitoring and response, etc should be driven by a guy who knows the stuff in the CISSP exam, not just the CCNA exam.
Good discussion.
I see what you are proposing, but there are smaller environments where you could be a 1 man/person army! So I agree with you but still hold my line; but let's help the guy with his question first. Because right now it looks like this:
Question in mind+head to techexams=more confusion=back to square one+headache
So as it has been said, one is a hands-on type of certification and the other is a managerial kind of certification, so make your choice if you want to head down the management path or you are still young enough to sit on a command line and bash out code or scripts! Not showing my age here, but I have had my days of scripting; now I have young kiddies working for me that do that work. Some amazing minds and big brains....so see where you are in your IT life cycle and decide....
......over and nearly out from here.....thanks for the compliment on the username......it is a pain to remember though...:)
Keep up the good work.
I agree it is mid level, definitely not an expert level.
Interesting statement, as you don't seem to hold either, and a little too broad a statement: a CCIE will most definitely be more difficult than CISSP, but a CCNA, no it isn't.
The CISSP is a very broad exam and won't make you a specialist in any arena, but if you learn the material (not memorise it) it does teach you things that allow you to discuss security topics with a wide range of people, even if it is at a high level.
Ultimately all certification is a HR driver, no certification guarantees competence, well defined interviews do. I have met many a certified Muppet.
Working on
Learning Python and OSCP
Ultimately all certification is a HR driver, no certification guarantees competence, well defined interviews do. I have met many a certified Muppet.
This is a statement that has been beaten to death by every knowledgeable professional here...I understand your comment about not having a CCNA, but I got very lucky and had experts to train me or give me OJT on networking products, so I never had the need to go through the pain of getting a piece of paper to say that I could configure or work on a networking device. I must say I was very lucky to work with and learn from professionals that could pass on information...mind you, teaching is a fine art and it is not a knack that every teacher has....
If you keep digging deeper there will be certifications that are more difficult than any other...but CISSP is seen as a difficult one as you need to understand a lot of information about most things IT. In the wider IT community people tend to specialise in a certain area or two and then take a career path..but for a DBA to become an IT security professional just by getting past CISSP is quite a disservice to IT security and will likely produce a professional like the one that you have mentioned. Again, all of these are my views, and I take criticism and discussion in a +ve manner and gain a wider appreciation through this process.
When you got your MCSE for 2000 that was the hot and going thing in those days and you could not be seen working in IT without it. All or most others came to fame a lot later and the scenarios have kept changing ever since...a piece of software comes into the limelight and we all rush for it, and then there is the next one...and so on..it is a never ending cycle I guess...
But it's true of most certification, not just CISSP; even things like CCIE will have unskilled professionals due to dodgy certification practices in areas of the world.
Ultimately always learning, but not necessarily certifying anymore
I would look at getting your CCNP first if you want to stay within the networking arena. You can also get into the CCNP Security, then look at the CISSP. That would complement your certifications, instead of going directly into CISSP. Once you get past CCNP:Security, you'll have a good 5 yrs in anyways for CISSP. If I were you, try getting into doing a little more security work, whether it be IDS/IPS, Firewalls, etc.
How I define CISSP as a mid-level cert and NOT an entry-level cert is IT IS A SECURITY MANAGEMENT CERT. You don't hire Security Managers (or Senior Security Analysts, SOC Leads, etc) off the street with zero experience! And sorry, if your IT department is one guy, go ahead and call yourself Security Manager but I'm not referring to you here.
The reason CISSP is so broad and requires 5 years' experience is that it is INTENDED to signify that you have the knowledge and experience of a seasoned security practitioner (not a novice!) who can **MANAGE** a company's security program and/or department. YES it's mostly for HR and hiring managers, but for good reason! They want to avoid NEGLIGENT HIRES - hiring people who can bullshit their way through interviews but then fall on their faces when they are put in the hot seat. THIS is why when people call CISSP "entry level" it gets my Irish up! When underqualified people get this cert it undermines not only the value of the cert but the hiring process. Would you want to be passed over for a job for a paper-only CISSP who merely memorized some study guide and got his buddy to invent some tall tales of security experience to get him the cert? Do you want to work with guys who aren't security pros, they just saw that CISSPs make 6 figures and said "me too!!"? I don't!
The true ENTRY-LEVEL infosec certs are Sec+, SSCP and GSEC. They are general security practitioner certs, aimed at covering all the fundamentals, but not nearly as demanding or managerial-judgement-oriented as CISSP.
Please just STOP calling CISSP entry-level and STOP telling total newbs to sit this exam. You shouldn't be even working full-time infosec without previous IT experience to begin with, let alone applying for a mid-level infosec job. Sorry but "fake it 'til you make it" has NO PLACE IN SECURITY. Rant over (for now).
Interesting discussion. As a holder of both, let me add my 2 cents (CISSP is in endorsement).
I agree with the earlier discussions that CISSP is NOT an entry level cert and it's NOT a totally technical cert either. As others have clearly written up the differentiation, let me give a real-life example.
I work for a Fortune 10 company primarily dealing in global cards and payments, with more than 1 lakh employees and billions in revenue; in fact one of the partners contributing to PCI.
I had a job opening to work on PGP. I was just a networking guy then and PGP was very new to me. I attended the interview and I was truthful. My interview was mostly on how I manage to secure links, how I deal with internal and external partners and how I deal with stressful situations. My manager saw something in me (later talks) and recruited me for the position, but NOT because he knew I would perform well in a PGP world. This is how I ventured into information security. For some reason the project never kicked off (management buy-off), but I was offered the chance to help the existing key management team. This is when I learnt crypto. Although I was not allowed to touch the crypto operations, I had an opportunity to see how everything works from a bird's-eye view. As luck would have it, my Director got approval for a key management solution for which he was looking for team members, and I became a full-time member.
Message: be best at what you do (CCNP) but notice, observe and learn info security (even if it's through papers, magazines, forums etc.). There will certainly be an opportunity in future where you have 20+ candidates but only 1 with limited knowledge. I would any day pick a candidate with limited knowledge rather than deal with candidates from scratch (the best scenario would still be getting a fully experienced guy, but that will not fit all scenarios; I am on the hiring team for the company, so I know what I am talking about).
Example of job responsibilities for CCNP vs CISSP:
I closely worked with a network engineering manager on crypto solutions (EAP-TLS, PGP networking, key management solution deployment etc.). He was a CCNP and had NIL experience with info security. I saw him rise to the rank of Director, and that's when he unleashed :) Anyone in info security would know how the past 2 years have been: Heartbleed, Ghost and 6 critical patches from MS. Hell, literally hell. You are supposed to remediate the internet-facing systems in 24 hours and you get a week's time to remediate the rest. Let me not touch the critical systems for now. I am talking 26K servers (right, 26K, which includes physical, virtual, cloud, OpenStack, IaaS, all environments and all sorts of operating systems) and the networking Director was given the responsibility to
1. Liaise with product vendors and assess the criticality of the vulnerability
2. Oversee the remediation
Trust me, I would not want his job. It's pretty amazing how well he handled the situation. He had to inform the stakeholders every 3 hours (calls used to have 100+ business managers screaming why this outage etc., because they are all about revenue). Never once did I see him lose his cool. He understood everyone's concerns and drafted plans as to how to deal with the situation, and needless to say he excelled in his role (cannot dive into actual reasons for obvious reasons).
I now see him as Vice President for Security and with a CISSP badge (I am not sure when he did it). This post is NOT to justify that CISSPs are powerful, just saying what a manager's responsibilities entail. It's not about fixing the issue, it's about how you drive things org-wide, and CISSP is a pretty good cert that teaches you (NOT the actual exam, but the journey you take). Understanding layers of networking, communication, flow, plans, strategy, operations, different business units in your environment etc.
I know it's a long post but it is required to explain my POV. Don't look at CISSP as a cert. If you treat LEARNING with respect, CISSP is the most expensive tool that you have for the purpose. It helps you with a bird's-eye view, helps you understand what your BOSS is doing and helps you to be the BOSS one day.
I beg to differ on this. Crypto is not just for IT, it should be for everyone. I can understand your wrath if CISSP asked how the algorithms work (then it's mathematics), but this is essential in the info sec world. This is ALL we do, right: protect information, and crypto plays a key role. I know techie people who don't give a damn about the digital cert while going to a bank website, or info sec people who have no idea that SHA is broken etc., and everyone nowadays uses digital signatures. If CISSPs don't understand these concepts, who else can we expect this from? Again, inch wide and mile deep. We do not need to know how algorithms factor if we are not interested, but how a basic signing operation or encryption works is certainly common knowledge that CISSP tests.
Agree. Some of the more serious security vulnerabilities in recent years involve crypto. BEAST, Heartbleed, POODLE and Logjam are about crypto algorithm weaknesses. You need to know crypto in order to understand the implications of these vulnerabilities, and know how to fix them.
If you know crypto well enough, you can secure your environment and not be affected by some of these vulnerabilities. For example, we disabled SSL 3.0 support early last year since all browsers (except on XP) support TLS 1.0 by default. As a result, we were not affected when POODLE was announced in late 2014. We also disabled DH ciphers on our web servers before Logjam flagged it as a weakness.
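The two mitigations the post above describes (SSL 3.0 switched off ahead of POODLE, DH suites removed ahead of Logjam) can be checked mechanically in a web server's TLS config. This is an added example, not code from the thread or any poster: a small Python checker for Apache mod_ssl fragments. The two config fragments are constructed, and the OpenSSL cipher-string handling is an assumed approximation (ALL/DEFAULT and the DH-family keywords, not the full grammar).

```python
"""Audit an Apache mod_ssl fragment for SSLv3 (POODLE) and DH key exchange
(Logjam).  Cipher-string parsing approximates OpenSSL's grammar (assumption)."""

# Constructed sample fragments, not taken from the thread or any real server.
WEAK_CONF = """
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!aNULL:!MD5
"""
HARDENED_CONF = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!DH
"""

# OpenSSL keywords that pull DH suites in, plus DH suite-name prefixes.
DH_KEYWORDS = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "DH", "DHE", "EDH",
               "kDHE", "kEDH", "ADH", "EXP", "EXPORT"}
DH_PREFIXES = ("DHE-", "DH-", "EDH-", "ADH-", "EXP-EDH-", "EXP-ADH-")


def parse_directives(conf):
    """Return {directive: [args]} for the two SSL directives we audit."""
    found = {}
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] in ("SSLProtocol", "SSLCipherSuite"):
            found[parts[0]] = parts[1:]
    return found


def sslv3_enabled(protocol_args):
    """mod_ssl semantics: 'all' enables every version, '-X' removes X, 'X'/'+X' adds X."""
    enabled = set()
    for tok in protocol_args:
        if tok.lower() == "all":
            enabled |= {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return "SSLv3" in enabled


def dh_offered(cipher_string):
    """True if DH/DHE suites survive the cipher string.
    '!X' kills X permanently, '-X' removes X until re-added, '+X' only reorders."""
    killed, offered = False, False
    for tok in cipher_string.split(":"):
        if not tok:
            continue
        op, name = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        if name not in DH_KEYWORDS and not name.startswith(DH_PREFIXES):
            continue
        if op == "!":
            killed = True
        elif op == "-":
            offered = False
        elif op == "":
            offered = True
    return offered and not killed


def audit(conf):
    """Findings for one fragment; an empty list means both mitigations are in place."""
    d = parse_directives(conf)
    findings = []
    if sslv3_enabled(d.get("SSLProtocol", ["all"])):          # Apache default is 'all'
        findings.append("SSLv3 enabled (POODLE): use 'SSLProtocol all -SSLv3'")
    if dh_offered(":".join(d.get("SSLCipherSuite", ["DEFAULT"]))):
        findings.append("DH key exchange offered (Logjam): exclude DH suites with '!DH'")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```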
Wow, I guess that is very frustrating. As of now, I went ahead and got my CCNP. However, my research indicates that the money is still in security. CCNA security I think is not enough, so CISSP and being proficient in firewalls should be okay.
Any luck with security jobs yet?
Good luck in your journey.
I do not have a CCNP or CISSP. I have worked in networking and security, but I tend to prefer security. Everyone asks me about my CCNA; only a few have asked if I will get a CCNP.
Literally every security job is interested in CISSP.
CWTS, then WireShark
Try and read properly before you use wtf... I cleared the CCIE qualification exam and have yet to sit the lab, so NOT a CCIE, and I mentioned CCIE (QUAL); and the discussion is not about money, I added my 2 cents..
All upper management in my area require CISSP for GRC work. GIAC and some other will work as well, but IMO if you are looking at INFOSEC as a career CISSP is a must.
See post #4 of this thread...