Technical cert option in lieu of CISSP?
packetphilter (Member Posts: 85)
CISSP seems to be the de facto standard for high level security certs. I've looked over some of the material it covers, and a lot of it has to do with policies, procedures, standards, and other high level abstractions that my brain has trouble with. Is there another option a security professional could pursue that's more technical in nature, but that would allow said individual to pursue similar jobs that a CISSP-certified individual would pursue?
Comments
Danielm7 (Member Posts: 2,310)
What area of security? There are respected / technical SANS certs for some of the blue team side, and the OSCP or higher for the red team. Although most of them are as hard as or much harder than the CISSP, they likely still won't have the HR awareness factor that the CISSP has.
paul78 (Member Posts: 3,016)
It kinda depends on your perception of what technical security means, or of what role a CISSP would pursue.
The most highly technical security people that I know that grew up from software engineering backgrounds do not typically carry any certifications. These would be folks that develop security software, perform code reviews, malware research, etc.
Some of the pentesters that I know carry OSCP and OSCE. A couple of incident managers carry GCIH. I also know a few secops folks who focus mostly on perimeter security that carry CCNPs. I recall that a few forensics folks had certifications that I didn't recognize because that's not my area of interest.
NetworkNewb (Member Posts: 3,298)
packetphilter wrote:
> I've looked over some of the material it covers, and a lot of it has to do with policies, procedures, standards, and other high level abstractions that my brain has trouble with.

Yea, who likes to deal with these things in security anyways.
PC509 (Member Posts: 804)
Well, besides the policies, procedures, standards, what else does the CISSP teach?
Other high level abstractions?
Well, yea. Of course the other high level abstractions.
Like others have said, the OSCP and other 'technical' ones that fit your expertise. However, the things listed above are a huge part of security, even if it is the more 'dry' stuff.
TechGromit (Member Posts: 2,156)
packetphilter wrote:
> CISSP seems to be the de facto standard for high level security certs.

It's the most recognized, it's the ultimate check box for HR when they are looking for something in security, but you're right, it really doesn't teach much technical-wise. Many people go out and get a CISSP first, and that may get you in the door to get an interview, but without technical expertise as well, it's going to be a short interview. While it's my eventual goal to get a CISSP, I'm building a list of technical certifications first. SANS and GIAC certifications are the ultimate in technical security training and certifications, but there are more affordable options as well: Security+, OSCP, CEH, etc. I would concentrate on getting a few technical certifications under your belt before getting the CISSP. Then the CISSP will serve you better in the long run.
Still searching for the corner in a round room.
NetworkNewb (Member Posts: 3,298)
TechGromit wrote:
> I would concentrate on getting a few technical certifications under your belt before getting the CISSP. Then the CISSP will serve you better in the long run.

Since there is the experience requirement, people "should" have those technical certs before the CISSP already. I think it is a little weird when I see someone with just the CISSP.
MitM (Member Posts: 622)
TechGromit wrote:
> It's the most recognized, it's the ultimate check box for HR when they are looking for something in security, but you're right, it really doesn't teach much technical-wise. Many people go out and get a CISSP first, and that may get you in the door to get an interview, but without technical expertise as well, it's going to be a short interview. While it's my eventual goal to get a CISSP, I'm building a list of technical certifications first. SANS and GIAC certifications are the ultimate in technical security training and certifications, but there are more affordable options as well: Security+, OSCP, CEH, etc. I would concentrate on getting a few technical certifications under your belt before getting the CISSP. Then the CISSP will serve you better in the long run.

I like this response a lot. Personally, I have CISSP on my list of certs to complete this year, but at the same time, I feel making a personal investment in a SANS course might be the better option and ROI for me. It's just so expensive.
If I do decide to go for CISSP first, I wouldn't even try to look for a new position once I pass the exam. I want that technical knowledge.
mbarrett (Member Posts: 397)
CISSP wasn't meant to be a great technical challenge, as others point out. It's also not an entry-level cert, or something you should be pursuing on the way towards a technical role. Most technical people who get this are senior lead/technical manager types looking to boost their credentials heading into work that has a broader scope in the security realm. If your idea of broader scope means gaining technical expertise in several technical aspects, then CISSP is probably not for you at this point in your career.
renacido (Member Posts: 387)
The best cert to get is the one best suited to your current or next role.
There is only one role that the CISSP is really suited for and that is Security Manager. The only people who really need CISSP are those experienced security pros who want that job.
The "HR filter" for CISSP is hugely exaggerated on this board. I spent over 10 years doing cyber security for a living before I got the CISSP and by then I didn't need to study for it. That's kind of how it should be for that exam IMO. That's why it has an experience and endorsement requirement BTW.
If you want to stay technical, I highly recommend GIAC (SANS) certs, whether you're blue team or red team (they have good pentesting courses too). If that's not in your budget, then there are decent technical certs offered by CompTIA, Offensive Security, and EC-Council.
NetworkNewb (Member Posts: 3,298)
Yea, I'm just getting it because most jobs I want to go into are asking for it, from my experience of looking at job ads in my area at least. And I look at job ads A LOT to see what they are asking for. Can't say another cert comes very close to being listed as much. I'm not referring to manager positions either.
If anything happened to my job, I definitely want to keep myself as marketable as possible for me and my family's sake. It's just the way it is right now, no matter how much people don't like that fact.
packetphilter (Member Posts: 85)
OSCP, as a few mentioned, is one I'm considering, although I don't think it has anywhere near the presence on HR radar that CISSP has. Mostly I just want to stay marketable in the security field, as one never knows when their job may go away.
It's not that I don't think the material on CISSP is important; it's just that that kind of material doesn't stick well in my mind. I can look it up on the job if need be, but to memorize thousands of policies and procedures is next to impossible for me. I can read them over and over and my mind won't hold onto them for some reason, I suppose due to lack of interest. Technical knowledge, on the other hand, sticks better for me.
MitM (Member Posts: 622)
renacido wrote:
> The best cert to get is the one best suited to your current or next role.
> There is only one role that the CISSP is really suited for and that is Security Manager. The only people who really need CISSP are those experienced security pros who want that job.
> The "HR filter" for CISSP is hugely exaggerated on this board. I spent over 10 years doing cyber security for a living before I got the CISSP and by then I didn't need to study for it. That's kind of how it should be for that exam IMO. That's why it has an experience and endorsement requirement BTW.
> If you want to stay technical, I highly recommend GIAC (SANS) certs, whether you're blue team or red team (they have good pentesting courses too). If that's not in your budget, then there are decent technical certs offered by CompTIA, Offensive Security, and EC-Council.

I'm not sure if it's exaggerated; maybe it is, maybe it isn't. I know that the certification is listed on almost every job description I see, as a requirement. I'm not looking at manager roles. That doesn't necessarily mean that if you send the resume you won't get a call from HR. However, in my opinion, it could lower your chances.
TechGromit (Member Posts: 2,156)
renacido wrote:
> The "HR filter" for CISSP is hugely exaggerated on this board.

Can't say I agree; way too many openings ask for a CISSP. It's slowly beginning to change, more jobs are asking for tech certs, like GIAC certs, but search for openings using the keyword CISSP and you get 100+ matches easily; for other certs, you're lucky to get 10 matches on any one cert.
renacido (Member Posts: 387)
TechGromit wrote:
> Can't say I agree; way too many openings ask for a CISSP. It's slowly beginning to change, more jobs are asking for tech certs, like GIAC certs, but search for openings using the keyword CISSP and you get 100+ matches easily; for other certs, you're lucky to get 10 matches on any one cert.

Do a search for "intrusion analyst" or "IPS/IDS" or "vulnerability management" or "code review" or "Metasploit" and I guarantee you'll find more results than "CISSP".
Skills, experience, and work-related accomplishments/projects get you far more interviews (and jobs) than any certification. Certs are valuable but NOT essential UNLESS you are inexperienced. And the CISSP is NOT for entry level or inexperienced security pros. Period.
Maybe this board is cert obsessed (given that this is a board about certs), but let me say this - certs aren't what get you a job. They aren't the key factor to getting you an interview UNLESS you have little to no work experience.
I say this as someone who was a hiring manager for security departments (much of that time I did NOT yet have a CISSP myself *ahem ahem*).
No hiring manager expects a technical individual contributor role to be filled by a CISSP, and they are the ones who decide who gets an interview and who doesn't - regardless of what the job advertisement says. HR is lazy and uninformed, yes, but HR does not select candidates for interviews or hire security people.
MitM (Member Posts: 622)
A lot of valid points, but HR does not write job descriptions in most cases; they come from the hiring manager.
TechGromit (Member Posts: 2,156)
renacido wrote:
> Do a search for "intrusion analyst" or "IPS/IDS" or "vulnerability management" or "code review" or "Metasploit" and I guarantee you'll find more results than "CISSP".

I accepted your challenge, and I stand corrected. I'll admit doing a job search by keyword and location isn't the most scientific, but here are some of the notable results I found.

Washington, DC
  Intrusion Analyst: 44 positions
  IPS/IDS: 57 positions
  Vulnerability management: 337 positions
  CISSP: 167 positions
  GSEC: 23 positions
  GCIH: 23 positions
  GIAC: 102 positions

New York, NY
  IPS/IDS: 23 positions
  Vulnerability management: 159 positions
  CISSP: 58 positions
  GIAC: 18 positions

Philadelphia, PA
  Vulnerability management: 98 positions
  CISSP: 28 positions

renacido wrote:
> Maybe this board is cert obsessed (given that this is a board about certs), but let me say this - certs aren't what get you a job. They aren't the key factor to getting you an interview UNLESS you have little to no work experience.

I completely agree with your position. Certifications will not get you a job, but what they can help you do is get you past the HR filter. If the hiring manager never gets to see your resume because HR tossed your resume in the garbage, it really doesn't matter how much experience you have now, does it. While it's true that in some smaller operations the hiring manager is the person who sees all the applicants, in larger organizations it's almost always the HR department that first sees the applications and only forwards an applicant to the hiring manager if they think they will fill the requirements.

renacido wrote:
> Certs are valuable but NOT essential UNLESS you are inexperienced.

I think anyone who works in a government position that requires DoDD 8570 would disagree. They are in fact essential for keeping their jobs, experienced or not.
yoba222 (Member Posts: 1,237)
I totally agree that CISSP is really a management cert and I was poised to post from this point of view. I also wanted to post on how very specialized a cert like OSCP is and that only pentesters should bother with that one.
I don't know though. A search for "OSCP" yields far too many job postings that include CISSP in the same sentence as CEH. Those two are nowhere even in the same league. Job ads are out of touch with reality these days. If ever in my life I **** a cert it may be that stupid CEH that just won't go away.
A+, Network+, CCNA, LFCS,
Security+, eJPT, CySA+, PenTest+,
Cisco CyberOps, GCIH, VHL,
In progress: OSCP
jelevated (Member Posts: 139)
CISSP is different things to different organizations. Some don't even know what it is, some mandate it for infosec management positions, some require it of all senior technical staff working on critical security related systems. CISSP can be used as a gatekeeper for a variety of roles. Certified individuals may not know everything about every thing, every firewall command, or even how to perform malware analysis, but they have at least some understanding of what is presented in the CBK (or at least they did, at one point) and some organizations like to see this base knowledge. Regardless, Security Analysts and Security Systems Engineers are encouraged to earn the CISSP by ISC2 themselves.
What some of you are forgetting is that there is an actual CISSP Concentration that focuses on management, the CISSP-ISSMP. If the CISSP is for managers only, why the need for deep specialization?
> The CISSP-ISSMP credential contains deep managerial elements, such as project management, risk management, setting up and delivering a security awareness program, and managing a business continuity planning program. An ISSMP establishes, presents, and governs information security programs demonstrating management and leadership skills. Typically the ISSMP certification holder or candidate will construct the framework of the information security department and define the means of supporting the group internally. ISSMPs have a far more well-rounded and complete comprehension of information security than other popular management credentials.

As I write this, I realize that there are simply far too many CISSPs walking around in my neck of the woods and I will probably "upgrade" to the ISSMP.
mbarrett (Member Posts: 397)
HR filters have always been exaggerated. For as long as I can remember, there have been job ads asking for the sky, and the reality is usually that they will take whoever is close to that. HR departments have a way of asking for 5 years of xxx skillset, when the thing they are asking for has only been around for 2-3 years.
Who knows, maybe there's that rare "unicorn" applicant who has all the things they ask for, but who would rather not make six figures somewhere else...
NetworkNewb (Member Posts: 3,298)
renacido wrote:
> Do a search for "intrusion analyst" or "IPS/IDS" or "vulnerability management" or "code review" or "Metasploit" and I guarantee you'll find more results than "CISSP".
> Skills, experience, and work-related accomplishments/projects get you far more interviews (and jobs) than any certification. Certs are valuable but NOT essential UNLESS you are inexperienced. And the CISSP is NOT for entry level or inexperienced security pros. Period.
> Maybe this board is cert obsessed (given that this is a board about certs), but let me say this - certs aren't what get you a job. They aren't the key factor to getting you an interview UNLESS you have little to no work experience.

All this is well and true and no one is going to disagree with these facts. It's just that when jobs do ask for certs, CISSP is most likely gonna be one of those in the list. I honestly don't even know what cert I want to go for after I get my CISSP and just plan on working on some programming skills for a while (probably a Master's degree).
Since the OP was asking about what cert to go for, I stand by CISSP probably being the best for his ROI. Of course getting expertise, skills and experience in whatever specialization he wants to focus on will help him out 100x more in the interview and actually getting the job though. But he wasn't asking what will help him out the most, he asked about certs.
shimasensei (Member Posts: 241)
CISSP is enterprise / organizational security from a management standpoint. Hence the emphasis on the frameworks, regulations, policies and laws. Believe it or not, this is just as important as technical proficiency. But I do get your point, the technical part is more fun than theory / abstractions. In my experience, true satisfaction comes when I can connect the dots between theory and the technical expertise.
Current: BSc IT + CISSP, CCNP:RS, CCNA:Sec, CCNA:RS, CCENT, Sec+, P+, A+, L+/LPIC-1, CSSS, VCA6-DCV, ITILv3:F, MCSA:Win10
Future Plans: MSc + PMP, CCIE/NPx, GIAC...