Advice, security/auditor path

mikegm Member Posts: 12 ■■□□□□□□□□
Hi all.

I would like to gain more knowledge and certifications; from what I have been reading on this site, everything depends on the path and background.

First, let me summarize my background: I have a bachelor's degree in computer science, a lot of knowledge in networking, servers, Linux administration and many of its services, and Cisco router/switch configuration. Almost 2 years ago I switched to supporting security projects, so I have learned about PCI and SOX.

Second, I'm aiming to be more like an internal auditor and security "manager" or specialist, not so much a security admin who applies all the security (however, I want to know about it), but rather to work with the auditors, controls, oversee security, risk management, define and update security policies, etc.

I'm a little overwhelmed with all the info I find. I was thinking of the SEC+ to start and get an update on all the new info, refresh some technical info, learn about new attacks, methods, etc. Is it a good start?
Any other good ones to start with?

Then what? I was thinking of CISA and CISM, but I don't have 5 years or more as an auditor or in security.

  • scasc Member Posts: 461 ■■■■■■■□□□
    Having worked extensively in the cyber security management, GRC and audit field, in my opinion what you should do is get the CISSP to give you that full overview of security. Get a role in this area, i.e. Big 4, and go for CISA and CISM. You can pass the exam and wait till you have the experience to get the cert. These 3 are the main ones. You can also do the SANS 507 - GSNA cert, which looks at the technical side of auditing - networks, OS, web applications.
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
  • TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    Do you have the experience to meet the CISSP requirement? If so, skip Security+ and go for the CISSP.

    As far as CISA, there are experience waivers for education, so I would see if you qualify for any of those. I would also look at the domains because they aren't all traditional auditing things, and it's possible you actually have experience that qualifies.

    Look at your company and see if you can get a GRC role, or look outside of your company...but I would try to get at minimum CISSP...preferably CISSP and CISA before you leave because it will be easier to find a role and you can get paid more. I would also start learning about the different frameworks...NIST 800 series and RMF, ISO, COBIT, etc.
  • epl79 Registered Users Posts: 4 ■□□□□□□□□□
    I would do COBIT and the CISSP training; you can take the exam later on.