So many people seem to want to do Security certs?

One thing I have noticed here is that from reading the posts, it seems like so many people are rushing to get security certs. I don't see the appeal.

Yes, I know that all companies need some sort of security for their networks, of course, but that doesn't mean everyone has to get it. One security zealot ought to be enough to oversee what a company has set up, while the rest of the CCNAs and CCNPs tend to things like creating and managing the networks on which everything runs. Even in my CCNA studies and training videos for Routing & Switching, I see sections on port security and sticky MACs; it's just not the entire focus of the course.

I guess different people prefer different things. I for one want no part of Voice, Cloud, or Collaboration, although I guess I'll have to know a little about it just for general knowledge. It just seems like we are heading for a time when everyone has security certs, then it's hard for any of them to stand out. Just like over the last 10-15 years when so many college students wanted to be lawyers, and now if you pick up a Yellow Pages (back when we had them, anyhow), there are dozens of pages of lawyers to choose from.

Comments

  • TheFORCE Member Posts: 2,297 ■■■■■■■■□□
    You need to read some more on security to understand that it is not a one-man job. You need people with experience, people with training and people that have put many hours trying to secure the organization. Not just the network, the network is only part of the organization. Security is not only about technical controls. It's more than that. Because it is a huge area to cover, you can't have 1 or 2 or 3 people doing security in an organization, you need teams that specialize in specific parts of security. Read some of the NIST special publications to understand what real security is. It's not an easy task to complete without the right and proper resources.
  • TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    Basically, a technology professional who knows nothing or very little about security, isn't that helpful to an organization. People like infosec certifications because they either want a change of pace, or they want to have that additional knowledge. Depending on the size of organization, you might find yourself doing many aspects of IT....or you might need to submit configurations with best practices (which includes infosec).

    Additionally, if everybody is getting infosec certs in addition to other certifications...don't you think you are at a disadvantage to not have them? There are so many areas of IT these days...the days of having one knowledge area are gone, and you must focus or at least have knowledge of several...especially with tight budgets.

    One extra tidbit...with a CCNA you have very basic knowledge of infosec configuration and not any knowledge of types of attacks other than very elementary explanations. To be honest, what you learn is so minimal, you couldn't serve much purpose from a security standpoint...after all that is why they made the additional certification.
  • iBrokeIT Member Posts: 1,318 ■■■■■■■■■□
    fmitawaps wrote: »
    One security zealot ought to be enough to oversee what a company has set up

    Sounds to me like you have never been in a complex environment with lots of critical data and systems to secure while being under regulations like PCI, SOX, HIPAA, GAMP etc...
    fmitawaps wrote: »
    it seems like so many people are rushing to get security certs. I don't see the appeal.

    Jobs, lots of well paying jobs for experienced professionals is the reason. I guess not everyone likes money. One CISO I was recently talking to said their budget for training is increasing while the rest of IT's is decreasing. In case you haven't seen the news in the last few years there is a huge demand for security professionals at the time systems/network operations are being sent overseas to companies like Cognizant.

    Your "head in the sand" approach to security is the mentality that is leading so many companies to be on the front page of the news for another data breach.

    Pre-merger our $1 Billion company had exactly one Network Engineer that handled everything Cisco from ASAs to CUCM to the traditional R&S. Being a one trick R&S pony isn't going to get you very far especially with your attitude towards security.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response
  • cyberguypr Mod Posts: 6,928 Mod
    iBrokeIT took the words out of my mouth. The "zealot" comment basically sums up your myopic point of view. I often have to deal with the repercussions of IT professionals not having a basic security mindset. Most of the time the issue could've been avoided if the person was introduced to at least Security+ level training. Unfortunately this is not happening and as a result there's a ton of systems administrators, DBAs, developers, etc. that engage in risky and downright irresponsible practices that jeopardize the security and stability of their respective environments.

    Security is hot, period. Given the visibility attacks are getting nowadays, companies are realizing they need to step up their game and enhance their security capabilities. That is a clear example of the driving force behind the droves of people getting security certs.
  • Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    I agree with everyone above, you're grossly oversimplifying the whole situation. When I have a server group, a networking group and a desktop group who feel like they don't have to know anything about security because they have a "security person" it's a recipe for disaster.
  • TheFORCE Member Posts: 2,297 ■■■■■■■■□□
    Maybe reading the below thread will put it in a better perspective why organizations should have more than one person doing the work.

    http://www.techexams.net/forums/jobs-degrees/117157-feeling-overworked-underpaid-short-long-story.html

    The other thing is, if you go with your mentality that you don't care about VOIP or collaboration or cloud then you will have a very big disadvantage over those that do care. IT is not a static field, it's a field where you have to embrace the technology, evolve or go the way of the dinosaurs.
  • 636-555-3226 Member Posts: 975 ■■■■■□□□□□
    Security touches every part of the business, not just the InfoSec dept, and not just IT. I push for one person in every IT division here (help desk, next-level support, network, programmers, etc) to go through at least one security cert training class and some divisions (like network or programming) to go through 2 or 3 training classes. We also hold regular, open "what's going on" in the world in terms of information security for the rest of the organization since I can't send every single employee to a cert training class, but I can teach them what's going on out there and why it impacts not only their company but also themselves.

    And, no, the people don't have to go through a "certification" security training course, but how many valuable security-training courses do you see nowadays that don't involve some kind of certification? Some with SANS, but otherwise they're very few and far between. Besides, if you're going to learn about something, why not test your knowledge with a test and maybe something to boost your career at the same time?
  • E Double U Member Posts: 2,232 ■■■■■■■■■■
    fmitawaps wrote: »

    One security zealot ought to be enough to oversee what a company has set up, while the rest of the CCNAs and CCNPs tend to things like creating and managing the networks on which everything runs. Even in my CCNA studies and training videos for Routing & Switching, I see sections on port security and sticky MACs; it's just not the entire focus of the course.

    It just seems like we are heading for a time when everyone has security certs, then it's hard for any of them to stand out.

    My Cisco studies didn't give me a high level overview of security or teach me about incident handling, but my SANS and ISC2 studies did. Cisco is a vendor that has vendor specific certifications where the focus is...wait for it...that vendor's equipment. Going for the CCNA/P helped me with routers, switches, ASA, IPS, and ACS, but not vulnerability scanners, MDM, IDM, web/email filters, and more.

    I like that we're heading for a time when everyone has security certs so my experience will make me stand out. :)
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • JustFred Member Posts: 678 ■■■□□□□□□□
    I'm loving the replies. Great work explaining things guys.
    "After a time, you may find that having is not so pleasing a thing, after all, as wanting. It is not logical, but it is often true." Spock
  • danny069 Member Posts: 1,025 ■■■■□□□□□□
    You mean there are other certs out there other than security ones?
    I am a Jack of all trades, Master of None
  • Russ5813 Member Posts: 123 ■■■□□□□□□□
    I've recently transitioned from a career in military/law enforcement to IT, so my long-term goals revolve around InfoSec. I certainly don't feel like I'm jumping on any bandwagon-- I enjoy security concepts and it feels natural for someone with my experience. Once I finish ITIL-F and Net+, I'll be looking for more security-oriented training. If there's ever an oversaturation, I'm confident I'll still find my niche :)
  • [Deleted User] Senior Member Posts: 0 ■■□□□□□□□□
    Wait what's security? You mean my password is the word password? Best password ever!!
  • jeremywatts2005 Member Posts: 347 ■■■■□□□□□□
    Aww young Padawan you must see that we no longer live in the 80's. We are in a digital age of interconnected systems. These systems require security to protect from the evil malware and Sith hackers. You too must embrace the security side to help us in our fight against the Imperial Empire and defeat the loathsome Sith Hackers and evil malware. Seriously though I do not see any position out there without some security sprinkled in. Embrace it love it accept it this is Cyber
  • renacido Member Posts: 387 ■■■■□□□□□□
    Two thoughts:

    1. Please tell all your friends how lame security certs are. That way we security zealots keep getting paid so well, thank you.

    2. One security zealot is enough for an organization? Sounds like what they must have said before at Sony, the IRS, Target, Home Depot, Chase Bank, OPM, Ashley Madison, or one of the 100's of other places that have been in the headlines lately for a hugely expensive and crippling security breach. Of course those companies might have changed their tune since then.
  • Mike7 Member Posts: 1,107 ■■■■□□□□□□
    Agreed with the points.

    Another reason is the impact of cloud computing on IT landscape.

    I see companies moving their on-premises infra to IaaS providers such as AWS, Azure and Google, and productivity apps to Google Apps and Office365. Just last month, I discovered that Windows 10 can join Azure AD instead of a local DC (domain controller). We are already seeing companies with just an internet connection, few or no local servers, employees accessing their apps and data in the cloud, and with MSPs providing all IT services.
    What we have left in IT are the management, audit and information security roles.

    And @iBrokeIT says it out for me.
    iBrokeIT wrote: »
    One CISO I was recently talking to said their budget for training is increasing while the rest of IT's is decreasing. In case you haven't seen the news in the last few years there is a huge demand for security professionals at the time systems/network operations are being sent overseas to companies like Cognizant.

    This affects the livelihood of those doing system/network roles.
    Cybersecurity is hot and IMHO people with good system/network skills make good security practitioners. So I see this as a necessary progression for most of us who have networking and sys admin certifications.

    There are other options such as programming, big data analysis and cloud computing; but these are roles that are not easy for a system/network person to get into.
  • E Double U Member Posts: 2,232 ■■■■■■■■■■
    fmitawaps wrote: »
    Just like over the last 10-15 years when so many college students wanted to be lawyers, and now if you pick up a Yellow Pages (back when we had them, anyhow), there are dozens of pages of lawyers to choose from.

    This is why I switched from law to security. You can never go wrong following trends. :D
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • bpenn Member Posts: 499
    Every IT role should be security-conscious, even help desk. Just learning basic concepts on how to resist social engineering tactics and how to identify possible threats, what to do when you are infected, etc could really benefit you and your organization. I think one of the most important security measures is educating your users because they could be the ones that allow someone in that compromises the network.

    Defense-in-depth should be present in every organization, in every role to some extent.
    "If your dreams don't scare you - they ain't big enough" - Life of Dillon
  • jamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
    I want to get security certs because I'm interested in security. I wanna protect people or things and I'm not into security because it's all supposed to be sexy or anything like that.
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
  • NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    E Double U wrote: »
    This is why I switched from law to security. You can never go wrong following trends. :D

    Right! Who doesn't like being in demand and making a bunch of money?

    Also, telling people I'm in IT Security makes me sound pretty cool. I always tell them to reference the movie Swordfish if you want to know what my job is like on a daily basis.
  • fmitawaps Banned Posts: 261
    Thanks all, for pointing out the flaws in my thinking. Maybe I can look into a Security+ or CCNA Security later this year after I finish my current CCNA studies.

    But there are some people that I'd like to hear some stories from. People here who are in charge of security for a company, and then you had a security problem. How did that meeting with the bosses go?

    I imagine it would start with them saying something like "Dude, dafuq? What the hell are we paying you for if it isn't to keep breaches like this from happening? What happened and how are you going to fix it, and this better never happen again or you'll be going out the door ass-first!".
  • chrisone Member Posts: 2,278 ■■■■■■■■■□
    Everyone has that moment where you just realized you should have kept your comments to yourself and to stop posting on the internet because you have a "feeling."

    Kiddo this is that moment, we forgive you, but just reevaluate your thought patterns.
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • markulous Member Posts: 2,394 ■■■■■■■■□□
    fmitawaps wrote: »
    Thanks all, for pointing out the flaws in my thinking. Maybe I can look into a Security+ or CCNA Security later this year after I finish my current CCNA studies.

    But there are some people that I'd like to hear some stories from. People here who are in charge of security for a company, and then you had a security problem. How did that meeting with the bosses go?

    I imagine it would start with them saying something like "Dude, dafuq? What the hell are we paying you for if it isn't to keep breaches like this from happening? What happened and how are you going to fix it, and this better never happen again or you'll be going out the door ass-first!".

    I'd probably say, "Well that's what you get when you only have one security 'zealot' to oversee your multi-million dollar company".
  • renacido Member Posts: 387 ■■■■□□□□□□
    fmitawaps wrote: »
    But there are some people that I'd like to hear some stories from. People here who are in charge of security for a company, and then you had a security problem. How did that meeting with the bosses go?

    I imagine it would start with them saying something like "Dude, dafuq? What the hell are we paying you for if it isn't to keep breaches like this from happening? What happened and how are you going to fix it, and this better never happen again or you'll be going out the door ass-first!".

    I would start by taking a very deep breath, because they're about to get a diatribe on how I submitted a million proposals, recommendations, risk assessments, vulnerability metrics, change requests, engineering designs, audit findings, incident post-mortems, after-action reports, security controls, and memo after memo after memo addressing the very same security liabilities that led to the breach, which these bosses dismissed because they were either "too expensive", "too disruptive", or "not urgent". Then I would sit down and listen to the chorus of throat-clearing followed by, "give me your proposal along with your requested budget for fixing this."

    Then I'd update my resume and LinkedIn because I refuse to work where I'm ignored and then blamed because they chose to ignore me. An hour later I'd have 5 recruiters blowing up my inbox whose clients are desperate for an experienced security pro, and I calculate how much more money I will ask for at my next job.

    That's how that would go.