After Security+...

Mharner Member Posts: 6 ■□□□□□□□□□
As I've googled entry level certifications over the last 3-4 months, I've often found myself reading great input on this forum, so I joined. I'll turn 60 in a few weeks, and my resume needs some modern credentials. In a pause from 30 years of Systems Engineering, looking to re-start. I have background in land mobile wireless, and general communications systems design, mostly for government. I decided to get some modern credentials, Network+ and Security+ have been a good fit so far I think. I used Cybrary, Professor Messer and Pearson materials and did pretty good. As I'm researching next steps, once again I'm here scanning posts for clues. I was just looking at CISSP discussions (mostly from 2008). Not sure I'm up to committing 4 years to a cert at this point, however, I suspect that I might be able to qualify with existing work experience which involved architecture for proposals, working systems, very limited computer room hours (VMS!), think Visio, not router command lines. Thanks for reading this far!

So, I'm looking for some training/certification that yields the most resume juice for the months spent. Any ideas are appreciated. What a great forum you have here!

Comments

  • Remedymp Member Posts: 834 ■■■■□□□□□□
  • Mharner Member Posts: 6 ■□□□□□□□□□
    Thanks for the input. Could you tell me how is relevant work experience evaluated by the ISC? Who looks at what to decide, and when does this evaluation occur, before or after testing? Looking up SSCP led me to CISSP. Other threads suggest that SSCP and CASP are roughly equivalent to Security+?
  • Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    Relevant work experience has to be paid and map to the 8 domains for the CISSP. You'll then need a current CISSP or ISC2 to validate that as well. The evaluation occurs after the exam. You can take it without any experience really but then you'd be an "Associate of ISC2" which I don't think anyone in HR even knows what that means. You then have a time window to get all the rest of your needed experience so you can be upgraded to a full one.
  • Tongy Member Posts: 234
    Mharner wrote: »
    Thanks for the input. Could you tell me how is relevant work experience evaluated by the ISC? Who looks at what to decide, and when does this evaluation occur, before or after testing? Looking up SSCP led me to CISSP. Other threads suggest that SSCP and CASP are roughly equivalent to Security+?

    CASP and Security+ are from the same vendor so it's unlikely that it'll be equivalent. I'd put SSCP and CASP in a similar bracket, Security+ is more basic.
  • gncsmith Member Posts: 459 ■■■□□□□□□□
    I agree with Tongy, the CASP (CompTIA Advanced Security Practitioner) and the SSCP (Systems Security Certified Practitioner) are both, for the most part, equal and are in between the Sec+ and CISSP (more managerial in nature).

    Sec+ is recommended for those with 1 year + in security, CASP and SSCP are 5+ (although the SSCP only requires 1 year+ documented experience), and the CISSP is 5-10 years with a minimum of 5+ years documented.
  • NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    gncsmith wrote: »
    Sec+ is recommended for those with 1 year + in security, CASP and SSCP are 5+ (although the SSCP only requires 1 year+ documented experience), and the CISSP is 5-10 years with a minimum of 5+ years documented.

    Just curious where did you get those recommended numbers from? First time I ever heard someone should wait 5 years to take the SSCP.

    Also, I don't think a person should need any Security experience for the Sec+. It's an entry level cert and good info for someone looking to get more into Security.
  • Mharner Member Posts: 6 ■□□□□□□□□□
    I'm thinking that I'll purchase study materials and start on the CISSP - Associate, and I'm posting that info in case somebody responds to tell me why I'm not understanding something. My thinking is based on the chart DoD 8570.01-M, Table AP3.T2. DoD Approved Baseline Certifications attached at bottom. It shows CISSP in almost every box of the matrix, and crucially for me, in all instances but one it shows CISSP-Associate. To me, that means the -Associate is recognized and valuable and much more important than a CASP or SSCP. By the way, the sample tests I've perused for CISSP seem to be more Security+, maybe class 301 instead of class 101. Any thoughts are appreciated.


    2016-01-19_08h51_50.jpg

    https://www.isc2.org/uploadedfiles/(isc)2_public_content/community/government/government_local-state-federal.pdf
  • bpenn Member Posts: 499
    Mharner wrote: »
    I'm thinking that I'll purchase study materials and start on the CISSP - Associate, and I'm posting that info in case somebody responds to tell me why I'm not understanding something. My thinking is based on the chart DoD 8570.01-M, Table AP3.T2. DoD Approved Baseline Certifications attached at bottom. It shows CISSP in almost every box of the matrix, and crucially for me, in all instances but one it shows CISSP-Associate. To me, that means the -Associate is recognized and valuable and much more important than a CASP or SSCP. By the way, the sample tests I've perused for CISSP seem to be more Security+, maybe class 301 instead of class 101. Any thoughts are appreciated.


    2016-01-19_08h51_50.jpg

    https://www.isc2.org/uploadedfiles/(isc)2_public_content/community/government/government_local-state-federal.pdf

    Well, if you are going by 8570, then the CISSP is a great investment and will nail both your IAT and IAM requirements. You could probably leverage some of the systems engineering experience to meet the 4 year requirement (since you have Security+). Did you manage firewalls, perform port security, access control, physical security, etc? You may be able to justify it to get endorsed.

    Make sure you do eventually get endorsed because the Associate level doesn't do jack for you in job hunting.
    "If your dreams dont scare you - they ain't big enough" - Life of Dillon
  • Mharner Member Posts: 6 ■□□□□□□□□□
    Great answer, that's what I was looking for. Over 30 years I've done so many different things, many of which have the possibility of qualifying I think. I did 2 years in Software Quality Assurance, checking code, etc. I've been the guy reloading tapes into the down VAX cluster at 2AM, sweating it because the major city's bus fleet will not get schedules downloaded by 4AM. I've designed HMI SW for a major company. But, security was not a discipline then, and if I could find anyone who worked with me from those periods to attest, they sure as hell won't be ISC certified.

    Really, I don't expect to be an IT Manager or Technician. I expect to get back into Systems Engineering/Project Engineering doing proposals and implementations. I want to show that I actually do have some modern training in technology that is relevant today to a very young person filtering my resume. I think that Network Security is probably still a growth industry.
  • gncsmith Member Posts: 459 ■■■□□□□□□□
    Just curious where did you get those recommended numbers from? First time I ever heard someone should wait 5 years to take the SSCP.

    Also, I don't think a person should need any Security experience for the Sec+. It's an entry level cert and good info for someone looking to get more into Security.

    Right off the vendors' websites, although I was wrong on the Sec+, it's 2 years recommended experience.

    Sec+ Link to Comptia



    Recommended Experience
    CompTIA Network+ and two years of experience in IT administration with a security focus



    SSCP Link

    For the SSCP certification, a candidate is required to have a minimum of 1 year of cumulative paid full-time work experience in one or more of the 7 domains of the SSCP CBK. If you do not have the required experience, you may still sit for the exam and become an Associate of (ISC)² until you have gained the required experience.

    Though they do not specifically say you must have 5 years, it's a cert targeting those with at least 1 year experience but since it's equivalent (Practitioner based) I've read elsewhere the audience is for 3-5 years of experience. More than that and people have the experience for CISSP, less than that and they may not have the foundation for the practical foundation for the exam.

    CASP Link
    CompTIA Advanced Security Practitioner (CASP) meets the growing demand for advanced IT security in the enterprise. Recommended for IT professionals with at least 5 years of experience, CASP certifies critical thinking and judgment across a broad spectrum of security disciplines and requires candidates to implement clear solutions in complex environments.
  • Remedymp Member Posts: 834 ■■■■□□□□□□
    There is also Exin's Information Security Foundation cert available as well. Slots itself beneath the Security+ IIRC.
  • ChaseBenfield Member Posts: 13 ■□□□□□□□□□
    Hey Mharner,

    I agree you should qualify for CISSP.

    To become a CISSP you must:
    A) Sit for and pass the exam
    B) Have 5 years paid working experience in at least 2 of the 8 security domains. A year waiver for Bachelors...
    C) Get sponsored by a CISSP that will vouch for your experience or have ISC2 sponsor you.

    If you read the CISSP CBK you see how wide the subject matter is. As a Systems Engineer I am sure you have at the very least required experience in Security Engineering (Domain 3: Implement and manage an engineering lifecycle using security design principles), Communications and Network Security (Domain 4: Apply secure design principles to network architecture), and Software Development Security (Domain 8: Understand and apply security in the software development life cycle). Probably Security Operations also. And keep in mind you only need 2 of the domains. There are another 4 besides the ones I just mentioned. Visio is fine. Domain 8 is basically an overview of systems engineering (SDLC, change management, CASE tools, risk analysis, etc.).

    I also noticed you mentioned DoD 8570-M baseline compliance. With the exception of IAM Level III, the CASP will cover all the areas the CISSP does. Keep in mind though that will only be relevant to Government positions because the CASP is nothing in comparison to the CISSP and employers know that. CompTIA intentionally crafted the CASP to cover areas required for DoD 8570 so they could make money that was otherwise going to ISC2.

    The CISSP is respected, and I am sure you are qualified. Take a look at the 8 domains. Hope that helps.
  • Mharner Member Posts: 6 ■□□□□□□□□□
    Thanks for the great advice and encouragement, very cool. Well, I passed the CISSP exam last week. So, from my initial post prior to starting it took two months of studying pretty much every day. I used CISSP Official Study Guide 7th edition by Stewart, and Live Lessons CISSP Complete Video Course by Sari Greene. Read every page, watched every video and took 2 pads of notes. I like having a video source and a text source for contrast. Video is easy to watch but you can't thumb through or search. I updated my resume and the response has been strikingly different, so the CISSP-Associate was well worth it.

    An opportunity that has popped up is for an ISSE, and I see that there is a CISSP-ISSE concentration. Does anybody have an opinion of the effort to add this concentration compared to getting the initial CISSP? Could it be knocked out in a couple of weeks maybe? I see the test is 3 hours opposed to the 6 hour CISSP exam.
  • wayne_wonder Member Posts: 215 ■■■□□□□□□□
    Have you put CISSP associate on your resume? Be careful because if I'm correct someone will verify this though you can't put it on there unless it's the full CISSP? Maybe you can be creative in what you put though. Again don't quote me on that

    Congrats though btw
  • Mharner Member Posts: 6 ■□□□□□□□□□
    Good point Wayne. I've put the following on my resume, "CISSP Associate of (ISC)2, 03/2016, (ID number)". To misrepresent would be the kiss of death, job-wise. I read the caution from ISC2 not to mislead or infer a full CISSP. I can understand that. I notice that the Associate of ISC2 designation is given for quite a few different ISC2 certifications, and if I enter my ID into their verification systems it only confirms "Associate of ISC2". It seems to me reasonable, and correct, to clarify which domain was tested and passed.