Which CISSP concentration for security consulting role?
I've taken a new consulting job and will be doing the following:
- Devise cyber security program that supports the organization's strategic goals for C-executives
- Design and review security policies, processes, and procedures
- Conduct security maturity assessments and diagnostics
- Design and implement security operating models
- Design security awareness programs and phishing campaigns
- Implement risk management frameworks
So far I've got MBA, CIA, CRMA, CISA, CISM, CRISC, CISSP, PMP.
Thanks
MBA, CIA, CRMA, CISA, CISM, CRISC, CISSP, PMP
Comments
Info_Sec_Wannabe:
With your current certifications (and experience), bullets 2 to 6 can be taken care of. However, for the first one, I'm guessing it would overlap with @UnixGuy's other thread (at least IMHO).
https://community.infosecinstitute.com/discussion/138071/resources-to-create-cyber-security-strategy-for-cisos#latest
X year plan: (20XX) OSCP [ ], CCSP [ ]
UnixGuy:
@Big-JJ: I held a few jobs similar to the one you're describing! I do not believe the CISSP is the most helpful resource here (having said that, I do not hold CISSP so I could be wrong..).

For security maturity assessments, you're better off learning frameworks such as NIST, for example. If you work for a consulting firm, they'll have templates and stuff they used for previous engagements that you can leverage (you will also learn consultant speak, heh).

I think ISACA might be more relevant. I do not like the way ISACA charges for membership, renewals, exams, and cert fees. I hold CISM and CRISC; both are kind of relevant. CISA is good for people new to audit or more junior staff.

For the consulting, you can do really well and progress without any cert. The certs are 'nice to have'. You need to get good at running workshops with clients, analysing data, reviewing programs and giving practical advice.

People skills <== might be the most important aspect of the job.

Depending on the firm you're working with, expect to do a lot of PowerPoint and potentially Excel. Certs won't teach you that.

Some clients will use CIS 20, ISO27K1, NIST, etc. or a combination of those.

Check the ISACA NIST assessment free template; download it and you can use it, but I'm 90% certain your firm will have a version of that that you can use.

Feel free to message me directly, I got really good at the consulting game and quite enjoyed it!
SteveLavoie:
Big-JJ said:
Any recommendation on which CISSP concentration will be most helpful in doing my job better?
So far I've got MBA, CIA, CRMA, CISA, CISM, CRISC, CISSP, PMP.
Thanks
shochan:
Yeah, sounds like you just need to get your hands dirty & learn the job itself. Even if you make mistakes you should learn from those and see what you can improve on.
CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP
JDMurray:
Will you be a business consultant for technical C-levels or a technical consultant for business C-levels?
Big-JJ:
JDMurray said:
Will you be a business consultant for technical C-levels or a technical consultant for business C-levels?
MBA, CIA, CRMA, CISA, CISM, CRISC, CISSP, PMP
JDMurray:
In that case, the MBA with anything on policies and governance will be what you are needing.
scasc:
Sounds like the job I do. You have the necessary certs; it's more about knowing frameworks in detail to then define gaps, risks and roadmaps to improve based on the most urgent priorities. Saying that, if you really wanted a cert, I would honestly suggest GIAC GSTRT or GSLC, as these touch on the points you mentioned.
AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
csjohnng:
Given your education and certifications, you have enough tooling to go for consulting and approach the C-level.
Of course, there is no harm in getting related CISSP concentrations if you have time; I provisionally passed the 3rd one yesterday.
John
MBA, C|CISO, CISA, CISM, CGEIT, CRISC, CDPSE, CISSP/ISSAP/ISSEP/ISSMP, CCSP, CSSLP, CASP+, Linux+, TOGAF 9; AWS Certified Security – Specialty, Amazon Web Services Solutions Architect Associate
egrizzly:
@Big-JJ
To answer your question directly, the ISSAP is the one you want. It satisfies the bullet points you have listed and then some. As others pointed out though, you really do not need it in practice, as the CISSP, CRISC, and CISA certs have already covered that knowledge base. To get practical experience just print out some business cards, visit a few business networking events, and market your fees as low as you can without seeming too weird.
To add to my reply, know that your only knowledge-gap is knowing how the frameworks work at high-level and close-up. All the bullet points you mention there have already been answered thoroughly by the availability of the various industry-standard frameworks. Here's a formula to determine which framework to use:
1.) What kind of company is it (e.g. healthcare, marketing, finance, oil & gas, etc)
2.) What are the People, Process, and Technologies they use to accomplish their business goals?
From the two questions above you can then decide which frameworks to assign in designing the company's cybersecurity program. E.g. assuming it's a Pharmacy, well, their #1 would be Healthcare. Their #2 would basically include:
- a corporate network (NIST-CSF)
- people that work with healthcare data (HIPAA)
- credit cards to process customer orders ( PCI-DSS)
We can do another example. Let's do a Marketing company that produces fliers for other businesses. Well, #1, the type of company would be Marketing, obviously. Their #2:
- People that use internet-connected computers everyday (NIST-CSF)
- A corporate network (NIST-CSF)
- Computers that produce graphics, video, etc ( NIST-CSF)
To provide more relevant info, there was a very helpful thread previously discussed here where @scasc basically provided a good link for the various frameworks and how to understand and use them when faced with a task such as yours. The link is right here >>> https://www.frankkim.net/blog/how-to-make-sense-of-cybersecurity-frameworks
Well, hope this all works out for you. Have fun with it, and the best of luck.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
AverageJoe:
I agree with those who say no need for additional certs. You've already got plenty and should have a good understanding of most of those topic areas as is, and the fact that you already landed this role should stand as confirmation unless there was some condition that you'd gain "the appropriate certification" or something similar.
That said, I'd consider the CISSP-ISSMP and CISSP-ISSEP as good possibilities. I've always heard the ISSMP is along the same lines as the CISM you already have, so that may be the easier cert to earn, with the ISSEP probably being the one you'd learn more from. Just my guess, though, as I do not have either.
balance:
I wouldn't go after any other certs. You have more than enough.