What next after CISSP?
Sheiko37
Member Posts: 214 ■■■□□□□□□□
I've searched the forum but hoping to have some tailored input from the experienced users here.
I have 5 years in information security, that's all been with one company on one team doing what can be best described as vulnerability analysis. The role is only semi-technical, we have to know what we're looking at with the data we receive but there's no server access, we don't do any of the "hands on" work. To add to this I have no bachelors degree in computing, so my practical experience is lacking.
The strongest domains for me in the CISSP were security operations and risk management, which is also what I most enjoy. I'm much more concerned with the content of my next certification rather than industry recognition.
I'm looking at ISACA certifications but I think that's getting ahead of myself. The CEH I hear horrible opinions on, plus the costs and compulsory course are off-putting. GIAC is daunting, there's about 20 different infosec certifications. The eJPT looks good, actually has a practical component, but I've only heard of eLearnSecurity today and can't really find much information on this certification.
Comments
InfoTech92 Member Posts: 75 ■■□□□□□□□□
What about some SANS certs?
SaSkiller Member Posts: 337 ■■■□□□□□□□
InfoTech, GIAC is SANS, well effectively it is.
In any case the answer is all over the forums. It depends on what OP's goals are. What does OP want to do? If you want to be a pentester, there are a million certs to get you there, and no, there is nothing wrong with the modern CEH. A lot of the **** talking is a result of old exams and the company is shitty, but the fact of the matter is the material is relevant and useful as you move forward.
Look at jobs that you may want in the future; the good ones will tell you what certs employers are looking for for that position.
GIAC exams are mostly straightforward. The material is there, you have to study it and understand it.
OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
InfoTech92 Member Posts: 75 ■■□□□□□□□□
Aren't there multiple SANS certs?
E Double U Member Posts: 2,233 ■■■■■■■■■■
InfoTech92 wrote: »Aren't there multiple SANS certs?
Oh yeah: List of GIAC Information and Cyber Security Certifications
Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
Sheiko37 Member Posts: 214 ■■■□□□□□□□
I'm interested in management, operations, policy, etc., and the area I'm looking to manage/lead/influence/(learn) is around vulnerabilities, compliance, auditing, etc.
I hope that gives you a general idea and doesn't come off as just a random list of security words.
I have the typical catch-22 though: to get into management you need experience or qualifications, and to get the certifications (CISSP-ISSMP, CISM) you require the years of experience.
BlackBeret Member Posts: 683 ■■■■■□□□□□
If you can afford it then I can't say enough good things about the SANS courses and GIAC certs. There are a lot of them, but that's a good thing depending on how comfortable you are with things and what you want to learn. In reality the CISSP is the top of the chain for the compliance and risk management type of things you're talking about. If you're trying to get your hands dirty with the technical side of the house, the SANS 504/GCIH is a good place to get technical, learn some incident response, and the "whys" behind why things are done a certain way.
Also, eLearnSecurity is newer, but the training I've done with them has been very good, and you mentioned you wanted to focus on content rather than recognition. eJPT is very entry level for pentesting. If you've spent 5 years doing vulnerability analysis and want to get more involved with penetration testing, I would go at least for the PTP from eLearnSecurity, GPEN from SANS, or if you really want a challenge with a practical component, OSCP from Offensive Security tends to be regarded as the best pentesting training available.
UnixGuy Mod Posts: 4,570 Mod
CISA/CISM if you're interested in the governance/management/risk side of things. For technical stuff, I'd go with SANS.