infosec certs for an attorney with no IT experience - any suggestions?

Hi everyone! Longtime lurker who has learned a lot from this forum. Awesome place.

I'm an attorney, Oxford and Berkeley trained, who is looking to blend the two technical aspects of our respected professions. I've come across a lot of lawyers who are "cybersecurity lawyers," but don't have any certs. Not that certs are everything, but they do show a level of competence. My hope is to get some certs so that people I work with, or for, have the general sense that i'm not a poser looking to capitalize on the infosec explosion. Additionally, I want to be able to communicate with infosec professionals and have a common ground of understanding. I'm open to working in IT to gain some experience, but my future in the next 5 months is unpredictable as I go on the job market soon in another state.

Anyways, here is where I am:

I've always been interested in pentesting, so I signed up with Elearnsecurity. I passed the EJPT and i'm signed up for, and working slowly through, the ECPPT course and certification (Elite package so I can take my time and really learn pentesting). My original goal was ECPPT then OSCP, but I don't currently have or foresee having the funds to drop on OSCP plus extensions.
Taking the Sec+ in a week or less. My experience is that this is basic stuff that I mostly already knew. Basically wanted some recognized infosec cert on my resume with my upcoming job search.
Wanting to build off the memorization foundation I was thinking of taking the SSCP in late March (that would give me an associate title). I did a lot of research on CASP, but the performance based questions seem rather complex (plus i'm paying out of pocket with no cushion for failure).

There aren't a lot of certs that don't require experience and that's where i'm coming up against the wall and looking for some advice. Is the SSCP the best idea? I'm feeling that it is and that's the general consensus on these forums, but as an attorney who is looking to show competency with no work experience, is it redundant after the Sec+?

What would you suggest the best certs for an attorney are? I've been around the forums and know the CISSP is the common standard, but doing 4 years of infosec work in a couple of those domains, within the required time constraints may not pan out.

Any input is welcome. I know many of you have worked in IT for years and some of you have worked with lawyers as well. Thanks for your help!!

Find more posts tagged with

Comments

636-555-3226

Same tract as anywhere else to get respect for security. I generally self-promote my post at

http://www.techexams.net/forums/security-certifications/113328-what-information-security-certifications-should-i-get.html

Feel free to post back here with any follow-ups

jeremywatts2005

Why not do Sec+, A+, Net+ then branch into digital forensics like CHFI, EnCe and so on. With you being a lawyer it would make sense and it would be a great fit for you existing skill sets. Transferrable skills that could give you a leg up on any competition should you want to join us in the Digital Forensics world.

tedjames

Have you thought about getting into privacy? I used to work for a CISO who was also an attorney, and he was (still is) very well versed in privacy. I also did some work with another agency's Chief Privacy Officer, and she was an attorney with a very strong security background. If you're interested in privacy, you may want to look at this: https://iapp.org/certify/cipp

Regarding SSCP after Security+, that's what I did. While there is some overlap, I don't feel that they are redundant. It's a step forward. CISSP is also in my plans, and it should be in yours if you plan to work in security. Just know that SSCP requires a year of experience in one of the domains, and CISSP requires five years (four with a degree or approved cert) of experience in two of the domains. Don't let the experience requirement scare you. You can still take and pass the tests and become an Associate of ISC(2) until you gain the appropriate level of experience.

Good luck no matter what you choose to do! And I agree with Jeremywatts2005 regarding forensics. That would be an excellent direction if you are so inclined.

happygoluckyiam

636-555-3226 wrote: »

Same tract as anywhere else to get respect for security. I generally self-promote my post at

http://www.techexams.net/forums/security-certifications/113328-what-information-security-certifications-should-i-get.html

Wow, that is an excellent roadmap. Maybe i'll shoot for CASP after all. The general response on this forum is that the test is pretty ridiculous. Thanks for re-sharing your post. I'm surprised I haven't come across it.

Thanks Jeremywatts2005 for your input as well. I previously brushed off forensics as being cost prohibitive and not completely in alignment with my interest in pentesting. You are absolutely right though - digitial forensics + attorney make a great mix. Maybe one day I will join you in that world! Your recommendation about the Comptia trifecta is one i've thought about, but I don't feel these certs present the infosec knowledge that i'm trying to project as a professional. Plus, the cost and self-study would basically equal the time and money for CASP.

tedjames, I have heard of the CIPP and am a member of IAPP. The problem with them is that the exam is $550 and the study materials are terrible. I've heard the exam is very detailed oriented and extremely broad at the same time, so knowing all of privacy law and getting only one shot, is pretty daunting (although they lowered their retake price to $375 since I last visited their certification page). With that said, the CIPP is definitely in my future as it shows some competency in privacy law. As to your advice as Associate level, that would be the outcome of my SSCP, so that's one thing i'm concerned about.

Thank you all for taking the time to help me out. I really appreciate it.

McxRisley

In my personal opinion I wouldn't bother with the SSCP after the Sec+. There is a lot of overlap and some of the controls and methodologies they teach for the SSCP are way outdated. The CISSP is held in high regard for those seeking a MANAGEMENT path in InfoSec. The CASP is MUCH MUCH more technical cert and test. I took and passed the CASP recently and I'm here to tell you that if you don't work in InfoSec and have a broad knowledge on different operating systems, configuring them, in-depth understanding of networking devices and how to configure them, and in-depth understanding of authentication protocols then you will have a VERY hard time passing that test. As you stated earlier you know that the questions are performance based which means you need to know the ins and outs of every topic being tested. It would be a very tough test to pass without having worked in the InfoSec field for awhile. I would recommend the CISSP for you since you don't have any InfoSec experience and the CISSP has 0 simulation questions(which is another plus) and it has more questions which allows more room for missed questions. Good luck to you on your journey!

BlackBeret

I'm late to the game but if it helps our lawyers have CISSP (I'm sure they found a way to justify themselves to meet the experience criteria for some of the domains), and Certified Information Privacy Professional (CIPP). I've never heard of the latter but it's on all of their email signatures so it must mean something to someone.

Gess

I'm working this from the opposite side. I'm a CISSP taking the LSAT in three weeks.

the_Grinch

First, I applaud you for taking the initiative and actually learning about security. I work with a lot of lawyers, who's time is limited, and would never attempt to learn about my side of the house. Some take my advice verbatim, others throw their own spin to it and its to their determent.

I find you have a pretty solid plan and would not change anything you are currently working on. I drew up a training plan for our attorney's that I believe might prove useful to you, albeit the one course appears to be more geared to the US laws:

SANS 301 - Intro to Information Security - https://www.sans.org/course/intro-information-security - You could skip this since you have the eJPT and will have the Security+

SANS 523 - Law of Data Security and Investigations - https://www.sans.org/course/law-data-security-investigations - Might be mostly based on US Laws (though PCI is PCI) but I still believe it could be useful. I have a lawyer friend who does not practice law, but works on incident response and investigations. He's run the gauntlet of SANS courses and is actually pretty solid on the technical end. Plus he has the added benefit of being able to review technical contracts and deal with cyber insurance along with compliance (HIPAA, PCI, etc).

Privacy Certs - I agree with tedjames Privacy is definitely a growing sector that needs people with legal training

Good luck!

happygoluckyiam

Hi everyone, thanks again for all your thoughts and advice. I do really appreciate it.

Just wanted to give a heads up. I took the CIPP/US course and passed. The exam was pretty difficult due to the complexity of the questions (some fact patterns were applied to multiple questions), lack of training materials, and broad subject matter. With that said, it did help me in finding a job - I was hired to do risk management work at a hospital.

For the future, I will steer clear of CASP (thanks for the heads up), working on the ECCPT (update of the entire program launches 6/21/16), then OSCP, then to CISSP. My job only approves one training/conference a year, so OSCP will keep me busy while I earn the work experience needed for the CISSP.

Gess, Good luck on the LSAT. If you have any questions, let me know.

the_Grinch

Congrats!! In my Cyber Crimes class we had a speaker who talked about the serious need for "cyber" attorneys and that the CIPP was the cert to get.

Gess

happygoluckyiam wrote: »

Gess, Good luck on the LSAT. If you have any questions, let me know.

Took it on the 6th, waiting for my score.

Thanks, best of luck to you as well.