My roadmap... Here I go!

silalaval

Hi All,

Apologies for another post on requesting advise on Certification. I hope I´m in the right place for this.

I´ve worked in IT for over 15 years and achieved some good experience and certifications along my career.

So far I have:

ITIL Foundations
Prince Practitioner
MSCSE 2003 (old I know)
CCNP : Expired a month ago
CISA

My path was:
Service Desk support (2^nd/3^rd line) for about 4 years
IT consultant for 4 years dealing mostly with Exchange and Windows servers, Migratin domains, etc
IT consultant running IT assesments / audits for SMBs 2 years
IT Team leader of a major Tech company reponsible for VMWARE, Exchange, Networking, Firewalls, Bluecoat, Wi-fi, telephny, projects and Internal Security (60% hands-on /40% management).
Team Manager for a Business support team on an ISP


Although I had the CCNP cert I´ve decided to let it go because I didn´t feel ready to take the new exam. I´ve done a bit of work with mostly switches and never managed to do CCNP level work so most of the stuff on the CCNP I´ve had studied and worked hard, I forgot because I didn´t get my hands "dirty" as often as I wished at the time.. Another reason was that, lately, I was only being offered CCNP related roles and I don´t want to troubleshoot networks and failing circuits. Companies and Recruiters just love "CCNP" on a CV.

I now want to pursue a more Consultancy and project/management oriented role and keep my CISA alive. I find Security and auditingfascinating but from a architecture / management / project perspective, not so much from a "Hacker" and fire-fighting perspective.

My plan now is to:

-Build my tech skills on security

• Learn Linux and penetration testing. Udemy Courses, a few good book I bought
• Refresh my Cisco Knowledge: I´ll be going through my INE Course (CCNP and CCIE material)- I still love Cisco networking and it´s absolutely necessary
• Intro to Python (Udemy and a book)

-Certifications I´m thinking about for the tech skills
- ISACA CSX practitioner
- CYSA+ or Security+: I Need your input here J

Maybe here, with the Certs and the tech knowledge I might jump into the job market and see what I can get on a security role.

After this I plan on getting the more non-technical part done. (Juicy bit and my goal)
ISO/IEC 2002
CISSP
CISM


So, 4 months (Full time) for the tech skills and the rest to apply it and prepare for CISSP and then CISM

I´m taking a gap year for this and I will be doing this full time. Thats a lot of study and lab time. Then I want to focus more on the project and managemet part and move away from the fire-fighting and troubleshooting part.
My goal is to work my way to Security auditing and/ or management role.
I´ve even considered a 6 month bootcampon the subject. See: www.Secureset.com The ideia is to fill my gap hands-on part (penetration testing, Linux, etc) but not necessarely to make a living out of it. I´ve managed technical teams and I know from experience that you need technical experience to be competent as a manager or run a project.

Do you think this is a credible plan? Any inputs will be highly appreciated.
I feel I need to do this in a structured way as it´s quite easy to get a job and before you know it, you´re being asked to look into technologies you don´t want to support any longer like Exchange, VMware etc. Quite a few jobs are traps in disguise.. before you know it, a year has passed, you dont like what you do and you´ve spent time working on a technology you don´t want to pursue in the future because "the business needed it"

Thanks in advance.
S.

TheFORCE

Project management and project managers in general dont deal directly with the infrastructure and don't make changes to the environment. You are focusing on all technical skills and not project management skills. So you are kinda contradicting yourself there. Have you looked at PMP? Thats project management.

silalaval

Hi,

When I say project management I mean putting solutions in place by (re-)designing solutions, upgrades, process etc...

I had lots of this in my career where someone would approach me and say "oh, this needs to in place in a few days or weeks.. congratulations, you´re it

I know that in an ideal world, there should be a project team, a team to implement and another to support... Most companies save money by allocating that to the most experienced guy(s).

I want to be able to manage and audit the infra-structure and be able to pinpoint the problems, recommend policies or solution, not necessarly applying patches myself...

As for project management, I have Prince 2 Practitioner level and I think its enough for my needs...

LonerVamp

silalaval wrote: »

My plan now is to:

-Build my tech skills on security

• Learn Linux and penetration testing. Udemy Courses, a few good book I bought
• Refresh my Cisco Knowledge: I´ll be going through my INE Course (CCNP and CCIE material)- I still love Cisco networking and it´s absolutely necessary
• Intro to Python (Udemy and a book)

-Certifications I´m thinking about for the tech skills
- ISACA CSX practitioner
- CYSA+ or Security+: I Need your input here J

Maybe here, with the Certs and the tech knowledge I might jump into the job market and see what I can get on a security role.

After this I plan on getting the more non-technical part done. (Juicy bit and my goal)
ISO/IEC 2002
CISSP
CISM


So, 4 months (Full time) for the tech skills and the rest to apply it and prepare for CISSP and then CISM

I´m taking a gap year for this and I will be doing this full time. Thats a lot of study and lab time. Then I want to focus more on the project and managemet part and move away from the fire-fighting and troubleshooting part.
My goal is to work my way to Security auditing and/ or management role.
I´ve even considered a 6 month bootcampon the subject. See: www.Secureset.com The ideia is to fill my gap hands-on part (penetration testing, Linux, etc) but not necessarely to make a living out of it. I´ve managed technical teams and I know from experience that you need technical experience to be competent as a manager or run a project.

Do you think this is a credible plan? Any inputs will be highly appreciated.
I feel I need to do this in a structured way as it´s quite easy to get a job and before you know it, you´re being asked to look into technologies you don´t want to support any longer like Exchange, VMware etc. Quite a few jobs are traps in disguise.. before you know it, a year has passed, you dont like what you do and you´ve spent time working on a technology you don´t want to pursue in the future because "the business needed it"

Thanks in advance.
S.

Off the bat, I like your experience and history. This is a great foundation for success in moving over to security!

I think your first order of business is to continue to work on figuring out what you want to do, what's available in your area, and what jobs you'd shoot for. With your background, you should be able to make a case for audit/security admin/security manager, and even security architect pretty quickly.

You've mentioned a few times about managing implementation projects and pen testing and auditing. The latter two often overlap, but neither of those really overlap a ton with the former.

Next, I firmly believe if you want to be a pen tester to any degree, you're going to have to be comfortable with Linux. And I'm not necessarily talking about Ubuntu where you just use the desktop GUI environment, but more something like a Linux+ level or RHCSA/LFCSE prep work (exam not necessary). I also agree strongly with your choice to learn Python. I'd even include PowerShell as very useful for you.

I'm not really familiar with the ISACA CSX or the CompTia CySA+. They both sound like equivalents to the CCNA Cyber Ops course where you're gaining the cert that will allow you to be a SOC tier 1/2 analyst type (fire fighters!). That's fine, but I imagine you should start beyond that already, imo. Security+ should be easy for you, as well, but can be a great starting point when studying for the CISSP (plenty of overlap there, at least back when I took them both). Feel free to get any of those, but I would imagine you should shoot a bit higher, like CISM/CISA from ISACA or shoot right into the CISSP from ISC2.

If the pen testing, hands-on route really is something you want, I'd suggest getting on board with looking at the OSCP in your free time. This will give you an idea of whether you like this at all or not. CEH, while derided for its poor grammar, past ethical choices, and low bar of entry, is still recognized commonly and can also be a starting point if you have the time and don't mind spending that money. I personally would suggest passing on it, but to each their own.

Otherwise, for auditing and such, you're looking in the right place for CISA/CISM, I believe. I don't have either, but they seem to be the standard.

If you have the money, SANS courses are top notch.

Lastly, let's be honest here. Much like any IT discipline, getting job experience and landing a job is still the best thing you can do. I think it's admirable that you can take some time off and devote to studying, and if you can and want to, you should, but landing that first security job and starting to get hands-on experience day-to-day will almost always be a better proposition as long as you still pursue those certs and learning on your own as well.

silalaval

LonerVamp wrote: »

Off the bat, I like your experience and history. This is a great foundation for success in moving over to security!

I think your first order of business is to continue to work on figuring out what you want to do, what's available in your area, and what jobs you'd shoot for. With your background, you should be able to make a case for audit/security admin/security manager, and even security architect pretty quickly.

You've mentioned a few times about managing implementation projects and pen testing and auditing. The latter two often overlap, but neither of those really overlap a ton with the former.

Next, I firmly believe if you want to be a pen tester to any degree, you're going to have to be comfortable with Linux. And I'm not necessarily talking about Ubuntu where you just use the desktop GUI environment, but more something like a Linux+ level or RHCSA/LFCSE prep work (exam not necessary). I also agree strongly with your choice to learn Python. I'd even include PowerShell as very useful for you.

I'm not really familiar with the ISACA CSX or the CompTia CySA+. They both sound like equivalents to the CCNA Cyber Ops course where you're gaining the cert that will allow you to be a SOC tier 1/2 analyst type (fire fighters!). That's fine, but I imagine you should start beyond that already, imo. Security+ should be easy for you, as well, but can be a great starting point when studying for the CISSP (plenty of overlap there, at least back when I took them both). Feel free to get any of those, but I would imagine you should shoot a bit higher, like CISM/CISA from ISACA or shoot right into the CISSP from ISC2.

If the pen testing, hands-on route really is something you want, I'd suggest getting on board with looking at the OSCP in your free time. This will give you an idea of whether you like this at all or not. CEH, while derided for its poor grammar, past ethical choices, and low bar of entry, is still recognized commonly and can also be a starting point if you have the time and don't mind spending that money. I personally would suggest passing on it, but to each their own.

Otherwise, for auditing and such, you're looking in the right place for CISA/CISM, I believe. I don't have either, but they seem to be the standard.

If you have the money, SANS courses are top notch.

Lastly, let's be honest here. Much like any IT discipline, getting job experience and landing a job is still the best thing you can do. I think it's admirable that you can take some time off and devote to studying, and if you can and want to, you should, but landing that first security job and starting to get hands-on experience day-to-day will almost always be a better proposition as long as you still pursue those certs and learning on your own as well.

Excellent post. Many thanks for taking the time to do this. I´m already CISA and I was quite proud when I passed the first time! This is one of the reasons I am saying goodbye to purely tech/troubleshooting roles.. They consume my time, don´t pay that well and when you realize, another year went down the drain.

Linux is definitely a priority. I´ve been sticking to Fedora as its Red Hat close and from experience, Red Hat kicks ass on the enterprise level. I have a laptop running 100% on Fedora, not poisoned by Dual boot. I also have a CentOS VM to break as I please.

I will learn more Powershell if I have to but I find it a complete mess... I like to call it powershit. I still have nightmares with the Exchange 2013 servers I supported 3 years ago... I remember once that I had a technical call with a Microsoft 3rd line engineer and even him was struggling to get the PS commands right! It´s a nightmare I´m not looking forward to live again.

deitz11

@silalaval I know this post is lil bit old, but how are you doing now on your road map? Did you managed to take CISA related job?