Advanced Certification Guidance
bokos
Member Posts: 14 ■□□□□□□□□□
Hello,
Long time visitor of these forums. Over the years, I've gained some great knowledge from everyone here. This is my absolute go-to place to look for my next opportunity for technology-related certification. Today, I come to you guys (and gals) with an issue that has really been throwing me for a loop. This issue is where I go next with respect to security certification. For the first time, I feel like I've run into a wall and am really unsure of what my next certification should be.
I currently hold valid certifications in the following: CISSP, CISA, CISM, CCSK, CIPM (IAPP), and CIPT (IAPP). I'm very interested in the security management and privacy practices of organizations. I've never been a huge fan of vendor certifications (i.e. Microsoft and Cisco) as I like to have a "broad" scope when approaching these certifications and prefer not to be tied to a vendor, even if they have a strong market share. Furthermore, I recognize that EC-Council, specifically CEH, has a strong marketing budget and appears in the DoD certification matrix. However, I'm uncomfortable with how, over the years, they've approached their certification practices.
So, to those who stumble upon my thread, please help me. Where should I be looking next?
Thank you.
Comments
-
NotHackingYou Member Posts: 1,460 ■■■■■■■■□□
What is your formal education background?
When you go the extra mile, there's no traffic.
-
bokos Member Posts: 14 ■□□□□□□□□□
Allow me to communicate some of what's been on my mind...
Microsoft: Didn't see anything of interest. I don't believe it's beneficial to go after their MCSA/MCSE designations.
Cisco: Didn't see anything of interest. They, of course, have their security concentration, but I don't think that would complement what I have thus far.
ISACA: Only two certifications left in their portfolio (CRISC, CGEIT). These may work. Little frustrating that they still do their exams on paper and only twice a year.
(ISC)2: Don't believe CSSLP will do much for me. Same goes for CAP. There are the CISSP concentration and the CCSP.
SANS: These are off limits for now, unfortunately. Great material, great certifications, however I'm on my own at the moment with respect to paying for exam fees. These are super expensive.
-
NotHackingYou Member Posts: 1,460 ■■■■■■■■□□
I was thinking the same thing. What about some of the GIAC ones? GIAC Information Security Management Certifications
Edit: Never mind, skipped over the GIAC/SANS part.
When you go the extra mile, there's no traffic.
-
bokos Member Posts: 14 ■□□□□□□□□□
CarlSaiyed,
Thanks for the responses thus far.
Little bit of a draft list for me --
ISACA - CGEIT, CRISC
(ISC)2 - ISSAP, ISSEP, ISSMP
IAPP - CIPP/E, CIPP/C
-
TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
What about a project management certification? Since there aren't really any technical certifications you can go for since you want to stay neutral...something like PMP would round you out.
-
OctalDump Member Posts: 1,722
Have you got anything in the ISO 20000, Cobit or Resilia? I think there's also someone offering ISO 27000 series certifications.
I think that fluency in multiple frameworks like these, beyond what you just pick up along the way, could be very useful at the higher, more abstract level you seem to prefer.
The CRISC also seems like an obvious choice, and there are others aimed more at CISO level. There's also the new ISC2 CCSP, which seems like an obvious bandwagon to jump on. It seems to be the first serious Cloud Security certification available.
2017 Goals - Something Cisco, Something Linux, Agile PM
-
bryanthetechie Member Posts: 172
Have you thought of teaching community college or CISSP prep courses instead of pursuing another cert? I've always felt that teaching experience on a resume looks great. You have a great set of certs and education, and this sounds like a solid step for building greater authority in your field.
-
bokos Member Posts: 14 ■□□□□□□□□□
TechGuru80,
Thank you for your guidance. I've actually thought about getting the PMP certification, on and off, for many years. At one point I had an approved application in PMI's system and had purchased Rita Mulcahy's book to start preparation. Upon further reflection, I felt it was a very heavy non-technology certification to have for a security guy. Also reading some of the book, the material was extremely boring and dry to me. I actually enjoy reading technology and security materials, but when I got to project management text, it put me to sleep.
OctalDump,
Thank you for your guidance. Do you have some framework certifications in mind? When one looks at job postings, you see the typical "CISSP, CISM, etc. required," but the line below usually talks about COBIT, FISMA, or the NIST 800 series. I agree with CRISC. I think that could be a great one to add to the list. CCSP also looks very interesting but is a new release. Not a lot of training materials out there. Definitely on my radar, though. Do you have any other CISO-level certifications in mind?
Bryanthetechie,
Thank you for your guidance. This is actually a great suggestion. I was reading some materials by Chuck Easttom and ended up on his website looking at his CV. He has a bunch of certifications and work experience. What really stood out, however, was his teaching experience both in a formal university setting but also courses online and bootcamps.
I slept on it a bit and adjusted my draft certification list above slightly. Took off IAPP certifications and tightened up ISACA/(ISC)2. Now I have...
ISACA - CRISC
(ISC)2 - ISSAP, ISSMP
-
bokos Member Posts: 14 ■□□□□□□□□□
I'd also like to expand the scope of this slightly. I'm also very open to well respected, well priced certificate programs offered by universities. I think it's a great pairing to formal degrees.
-
stryder144 Member Posts: 1,684 ■■■■■■■■□□
While this might be a bit basic for you, you might want to consider MIT's Cybersecurity: Technology, Application and Policy certificate. It will give you a bit of a name drop (it is MIT after all) without costing a ton of money ($595).
The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia
-
adrenaline19 Member Posts: 251
Write and submit a paper to a big conference. Saying you were a presenter at Defcon, BlackHat, etc. goes a lot further than a basic certificate.