
Any help with my career?

PUNISH Member Posts: 10
I have been a long time visitor of this site and the information members provide is invaluable. I am trying to make the next big step in my career and was hoping that some of you could give me some insight as to what choice(s) I should make.

I am looking at making the jump in the next year into a higher level ISSM job or even CISO of an organization.

Background:
  • I am 31 and have the role of information systems security manager/officer for my organization.
  • I have only about 4 years experience in IT and about 10-12 in industrial, personnel and physical security
  • I have CISSP and Security+
  • Have appropriate clearances
  • BS in Aeronautics / AS in Information Technology / AS in Avionics Systems

Plan: My plan is to obtain a few certs to strengthen my resume and overall ISSM/ISSO experience. I played with the idea of CEH, but I ultimately think that if I can get the CISM and CISA added to my resume it would round my experience out for the next step. I also played around with the idea of the masters, but at this point I don't see it as an absolute requirement as much as I see certs.

While I enjoy playing around with the pen side of security, I just don't agree that the future is as bright in pen testing as it is in GRC work so I would like to stay GRC.

Any advice on what educational path would strengthen my resume for the next step in my security career?

Comments

  • RoyalRaven Member Posts: 142
    PUNISH wrote: »
    I am looking at making the jump in the next year into a higher level ISSM job or even CISO of an organization.

    Based on this, the following would be ideas to consider (btw, I'm not in management, but have paid attention to what it will likely take and may go that route at some point):

    - Time and experience in IT. It will come if you stick to the work. Just remember...an oak tree wasn't large at the beginning :) Never stop growing and learning what makes IT work.

    - Confidence. You need to be confident with regard to anything that comes up as you move up. I would put soft skills: negotiations, handling stress, mentoring, leadership skills, communication all up near the top of your priorities. Consider what may be some of your weaker areas and study or train on those items. Better return-on-investment than just another cert.

    - Leadership. This is the key aspect of moving up to CISO level. You need to excel in your leadership ability way, way more than any technical skill. People need to be motivated to follow your ideas and trust that you're going in the right direction. Also find ways to learn new management experiences - write policies, lead a committee, initiate a new project or idea, etc. (taking initiative goes a long way)

    - Grad-level degree (MS or PhD) - your competition/peer-level will likely have these and in some industries they can be a deal-breaker based on backgrounds. Much harder to get than certs, but once you have it, you have it for life. I will never regret getting an MS degree myself. It will always keep doors open for advancement and it may give me an edge over competition!

    - CISM would likely provide more alignment to CISO work than CISA, unless you're in/plan to work in an audit/GRC-heavy organization, then the CISA would be good. From many folks I know in ISACA who are deeply vested in GRC, they get both certs.

    - CEH or more technical-related certs will have less return-on-investment to meet your original goal. If you're not going to touch some of the items on a day-to-day basis, it may be better to have a general understanding of the technology than expert-level. Put trust into people who are experts in each area. Free your ability to spend significantly more time on the larger/wider issues and not be held up by the day-to-day operational work. (don't ignore the day-to-day, just plan to spend more time on strategic and tactical items)

    - ITIL or framework-related activities are good (don't just study one...plan to know the ins-and-outs of multiple frameworks).

    Certainly way more than just that...so pay attention to jobs that look like ones you want to pursue in the future if you're not immediately ready to go. Study the requirements and use them to build your goals. I'd worry less about certs and more about what gaps/areas that might help you align best to the future roles...and address those.
  • goatama Member Posts: 181
    Just curious, but how'd you get the CISSP with only 4 years IT experience?
    WGU - MSISA - Done!!
    Next up: eCPPT, eWDP, eWPT, eMAPT
  • jcundiff Member Posts: 486
    His BS degree waives one year of the 5 year requirement.

    And for the original poster, if you are planning on staying on the GRC side of the house, consider the CRISC and CGEIT and then CISM. I don't see the benefit of adding the CISA to your resume at this point, as it is primarily an audit cert and adds no value over the CISSP (in my opinion). CRISC is a hot cert right now (Risk and Information Security Controls) and CGEIT is targeting your GRC field.

    This was my plan after CISSP. I have taken the CRISC and am waiting for my scores; CGEIT would be next, but I moved from GRC to a Threat Intelligence role. I am currently reevaluating my cert path with the move.

    You may also want to consider the Archer (one of the top GRC application suites) certification as well.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • TechGuru80 Member Posts: 1,539
    jcundiff wrote: »
    His BS degree waives one year of the 5 year requirement.
    How exactly is a "BS in Aeronautics" relevant enough to waive one year of Information Security experience? If I had to guess...it was because of Security+.

    OP...are you trying to stay government? That could impact your decision...but anyways:
    -CISM
    -CAP...NIST SP knowledge is good wherever you are since it is filled with best practices.
    -ISSMP...to go along with your CISSP
    -CRISC
    -CGEIT

    Additionally, what does your experience entail? Even though operating system and networking certifications are more technical than a CISO would be dealing with day-to-day, the knowledge is pretty useful. You could also work on your management skills...effective leadership, resource management, PROJECT MANAGEMENT.

    Consider this around the idea of a masters...the business experience you have is probably somewhat limited due to your degrees. A CISO or high level manager has to have a pretty good understanding (not expert level) of how businesses operate and how this impacts the bottom line. At some point an MBA, or even classes in business, could help you get a better understanding. The higher you get in an organization...the less it is about the technology, and the more it is about managing the business...there are many more factors than just the ALE, SLE, ARO, etc.
  • jcundiff Member Posts: 486
    TechGuru80 wrote: »
    How exactly is a "BS in Aeronautics" relevant enough to waive one year of Information Security experience? If I had to guess...it was because of Security+.

    From the (ISC)² web site: "Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree or regional equivalent"

    A four-year degree can be in any field... The only information security requirement is

    "or an advanced degree in information security from the U.S. National Center of Academic Excellence in Information Assurance Education (CAE/IAE"

    Either way, the BS and Security+ are more than enough to meet the one year waiver :)

    And excellent points on the business side of the house, NIST and project management.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke