Which security cert to start with?

First a bit of background - I work as a s/w QA, so do have some knowledge.
I would like to switch my career to Cybersecurity.

Currently working on Security+ cert, as it is the most recognized, and also cheapest to pay out of my pocket

Am I doing it right guys? Please provide your valuable suggestions.

Thanks

Find more posts tagged with

Comments

scaredoftests

What are you interested in, then go on from there. OR some people get certs because the job they applied for, requires one (like for my present job I had to get a MTA) I needed a Security + as well, but I already had that.

akany

Hi Scaredoftests,
Do you know if it's okay to take Comptia Security + anytime soon even though the released date was over two years ago? I'm interested in taking the exam, but I was wondering what will happen if it is retired in the coming year. Any thoughts will be helpful.

Thanks!

mzx380

Don't mean to hijack but I would also like to know what is the best one to start with. I've been in IT for years and wanted more clarification if I should go for CISSP or CASP

scaredoftests

Go to their website (CompTia) and look around. I doubt it would be retired, but updated.

shochan

mzx380 wrote: »

Don't mean to hijack but I would also like to know what is the best one to start with. I've been in IT for years and wanted more clarification if I should go for CISSP or CASP

From what I read on here (TE), CISSP is for private sector jobs & CASP for gov't jobs...

cyberguypr

Where did you red such a thing? Both certs are on DoD 8570 and are also valid in the private sector.

beads

First define what it is you want to do in "security". Its such a broad field that its hard to define without some reference as to what it is you are qualified to do with Q and A. Are your background skills in development, DBA or infrastructure? GRC? Forensics? We could go on for quite awhile but it quickly becomes a game of 20 questions, to be frank.

CISSP or CASP? The former is widely known and accepted though proves little practical knowledge. Later being more of a market reaction to the CISSP's limitations of being an "inch deep and a mile wide". Widely respected within the field but doesn't have the recognition (yet) in the marketplace. CASP is getting there but hasn't caught fire, yet. I hope it does but for now its still up and coming.

- b/eads

mzx380

My strategy has been to cover a wide breadth of technology so I'm looking for a certificate that will round out my resume as more of an IT generalist even though background to this point has been more with infrastructure. Since I've been in IT for a while, I figure I would go for the CISSP beginning Q4 next year but I wanted more info to clarify the application process.

Hope that helps
Thanks beads

beads

@mzx380;

Eventually, everyone starts to specialize or cannibalize. What I mean is that people who try to stay JOAT too long either end up locked up in a loony bin or spread so thin that they become a millimeter deep and five miles wide - no depth whatsoever.

My main skill set is DFIR (Digital Forensics Incident Response) and Infrastructure architecture. Covering both red and blue team sides of the security coin. My secondary skill set revolves around risk management in various different forms using modeling. The other 20 or so security skills I am fully aware of and try to keep somewhat on top of but hardly an expert. See above statement on cannibalizing, myself, my time or my sanity. Simply put I already work about 70 hours a week with much of my downtime learning a new tool or technique related above and can't get through it all.

Last night I setup a new malware lab, my third separate lab so I could integrate some outputs into 'R' statistical analysis and modeling. Its rough but I am getting some interesting new insights into what I suspect are more than three different APTs attacking my VIPs/client. Cool as all get out but attribution is very, very tricky. Also very specialized and few people are willing to pay for the effort.

I see people say they JOAT and I do to a certain amount but specialization is key to long term survivability in this field. That's what people like to skirt around on this board. Many don't know what they want to do when they grow up.

Usually, takes some time before people figure the whole thing out. Others depend on whatever opportunities arise to determine their career paths.

- b/eads

JoJoCal19

beads wrote: »

I see people say they JOAT and I do to a certain amount but specialization is key to long term survivability in this field. That's what people like to skirt around on this board. Many don't know what they want to do when they grow up.

Usually, takes some time before people figure the whole thing out. Others depend on whatever opportunities arise to determine their career paths.

Ugh. This. I myself have been dealing with a combination of not knowing what I want to specialize in AND certain opportunities presenting themselves that have broadened my experience and knowledge. My problem has been that I've been good at GRC but like technical security and have done that too. Now I find myself doing security problem management which isn't in either domain, actually utilizes technical knowledge and GRC knowledge.

OctalDump

This is a no brainer. Get Security+ (don't worry about updates to the exam, it doesn't affect the certifications validity). It's broad and well recognised. It gives a good base of knowledge, even if you decide against an Info Sec career.

It will give you exposure to the field and hopefully give an idea of possible paths.

The other common "generalist" Info Sec certifications are GSEC, CASP and CISSP. The last two assume/require years of work experience.

I find the CompTIA roadmap to be a useful guide. It's not scripture, and opinions vary a lot about it. But it works as a good overview.

The GIAC roadmap is useful as a guide to possible specialities. It's GIAC specific, so it's more useful to think of it as "they offer certification in this field, therefor this field is a potential area of interest".