Work Experience vs Certification Pursuit

Chitownjedi

Hi all,

I am in a very interesting predicament, that I have not been before. In my new IT Security Analyst position, (and one of the reason's I went back to this former employer because, well, they are chaotic) I've been given the opportunity to touch 10-15 security tools, some of which are in our Proof of Concept phase. and some of which are in production.

I am also tasked with Creating Security Controls, Policies, Procedures, and Processes, as well as monitoring, investigating, re-mediating.

I am able to work with IPS/IDS, Malware software like Cybereason, stealth bits auditor and interceptor for monitoring pre-authentication attempts, brute force, breached passwords, sideways movement, all the while being able to create our Procedures for how to use these tools. We are also heavily involved with Securing PHI, and under review for SOC2 certification, with HIPPA to follow again in a few months and HiTrust. There is literally soo much to do with so little time that when I get off, I am having difficulty putting time to pursuing the SSCP, because I can actually do things and grow hands on experience versus the text book knowledge that going through the SCCP would provide.

I will open up some time as I do want to get my SSCP and CISSP before the end of this year, however I am wondering if pushing those back and just doing more hands on work when i'm "off the clock" would be best for my growth. I definitely know my job would appreciate it. We are creating our Security Architecture from the ground up, from access controls, hardening, application requirements, and we haven't even touched end user group policy and techniques to combat rogue software and potentially unwanted programs (our users have local admin rights ) It's more a political battle to get those things put in place.. however just wondering what everyone thinks

Nightflier101BL

I'm in the exact same predicament as you are. I'm getting ready to start a new job where I'm going to have my hands on a ton of stuff and starting to build a good amount of experience. I was working on my CCNP but just won't have much time to work on it between the new job and school. I've decided to just focus my attention on mastering the job roles and push back the CCNP for a bit. I'll still be looking over some of the material, but just not exam-focused until down the road a bit. The experience on the job will compliment the cert knowledge.

Work experience will always be more valuable that the cert when viewed side by side. However, the cert is designed to compliment and validate the work experience you already have. If you have the time to do the cert, do it. However, you're not wasting time or hurting yourself in any way by pushing it back in exchanged for more work experience/focus. You're still building on what's most important, which will benefit you down the road.

tpatt100

I found that the CISSP would have probably been much easier if I had attempted it when I was in a position with several years experience writing policies and procedures. When I was strictly a security analyst a lot of the managerial type questions were alien to me.

Once you have a firm grasp and experience with the policy/procedure side of security you will probably find studying for the CISSP much easier. I would focus on learning all the stuff for your new role instead of studying for a managerial type cert. I know a lot of managers and HR types use the CISSP as a screener cert but I found it helped me more as an auditor now a days than it did as a security analyst.

powerfool

I think your ambition is great, but I also think you are potentially oversubscribing yourself to your own detriment. If you have every intention of completing the CISSP, I would simply forego the SSCP, especially if you are going to attempt to pull them off in the same year. They are expensive exams that have nerve-racking experiences associated with them, and you probably won't get any benefit from these together... and you will have double maintenance fees.

If you want something that complements the CISSP, I'd go for a different certification, like something from ISACA or the SANS Institute. It will diversify you a bit more and if you are going to be doing additional fees, at least they would be to different organizations.

When I did my CISSP, I was also in a tight situation where I had started a new job, but it was a job requirement to get it within six months. I read the first few chapters of the two most widely used CISSP books (the AIO from Shon Harris [RIP], and the one from ISC2). After that, I just spent time thinking about for for the next two months... how does this thing I am doing apply, what domain is it in, what jargon is associated, how does it fit into the CIA triad, etc.). Then, at the end of month 3 on the job, I went to a Training Camp bootcamp and sat the exam on the Sunday after the training (proctor setup by Training Camp). Not everyone has that sort of luxury, but it was covered by work, else I would have self-studied.

Chitownjedi

I would go for CISSP if I could however the experience issue is a grave concern:

• For holding an additional credential on the (ISC)² approved list belowValid experience includes information systems security-related work performed as a practitioner, auditor, consultant, investigator, or instructor that requires information security knowledge and involves the direct application of that knowledge. The five years of experience must be the equivalent of actual full-time information security work (not just information security responsibilities for a five-year period); this requirement is cumulative, however, and may have been accrued over a much longer period of time.

I have had lots of security responsibilities in my previous roles, however other than my job as a Test Center Administrator where my jobs was to ensure testers were not cheating on test, (There were policies and procedures for that, as well as requiring testers to use two factors for identification, Signatures/ID's and biometrics.) I am very concerned that I will not be able to hold the official title. I do have criteria to get 1 year knocked off, but since I didn't have an official title as a security person before this one.. makes me think just getting SSCP would be best bet for now

beads

SSCP is more technical, hands on in nature and held by roughly 3% of ISC(2) holders of the more than 110,000 members world wide. So no shame there. With both your techical and go slow approach having both credentials will give you a huge boost in credibility in the long run. Really, I have read resume's that include recent college grads with no other work experience. Recent emigres with completely fabricated employment histories suddenly turned security "professionals" and my favorite. The guy working as an assistant manager at the GAP who is now a "CISSP"

First and foremost keep your position as that's what is paying the bills today and giving you the opportunity to learn some pretty cool stuff. Love CyberReason for one. Other pieces you simply need to use RL in order to really get comfortable with NMAP, any flavor of Metasploit, Qualysis... I can go on and on. Like getting certified in EnCase without having performed a real case - another no, no.

Ease up on the gas a bit and enjoy the ride, bumpy as it may be. If your going to be in the same position for a while suck up all the security goodness you can and apply what your learning to what the book is telling you to study. They may not always agree. Particularly, on the hands on stuff.

Enjoy!

- b/eads