Security+ -> MCSE -> CISSP ?

bcairnsbcairns Member Posts: 280
Hello

Going to sit for the CompTIA Security+ exam in a few days.

Obviously I have a LONG road ahead if I were to go after a CISSP, but was wondering what path should I take tward a CISSP.

I plan on getting an MCSE with Security and then MCPD and MCITP (I am a network admin and lead programmer)....most of those certs have little to do with CISSP - any info would be great.

Comments

  • keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    After MCSE, If it were one of my employees it would be MCSE>MCSE:Security>C|EH> (either a couple of SANS certs or SSCP), then CISSP.

    However, if you want to go a cheaper route, insert something a little higher level that's specifically seurity related between MCSE and CISSP. You'll thank me later. icon_wink.gif
  • bcairnsbcairns Member Posts: 280
    keatron wrote:
    After MCSE, If it were one of my employees it would be MCSE>MCSE:Security>C|EH> (either a couple of SANS certs or SSCP), then CISSP.

    However, if you want to go a cheaper route, insert something a little higher level that's specifically seurity related between MCSE and CISSP. You'll thank me later. icon_wink.gif

    Thanks !
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    keatron wrote:
    You'll thank me later. icon_wink.gif
    bcairns wrote:
    Thanks !

    Amazing! Ok, what's next week's winning lottery numbers? ;)
  • bcairnsbcairns Member Posts: 280
    Webmaster wrote:
    keatron wrote:
    You'll thank me later. icon_wink.gif
    bcairns wrote:
    Thanks !

    Amazing! Ok, what's next week's winning lottery numbers? ;)


    grabs a pencil and awaits the loto numbers...
  • keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    and the winning number is

    20-5-3-8-5-24-1-13-19

    Guess what that is? :D
  • bcairnsbcairns Member Posts: 280
    keatron wrote:
    and the winning number is

    20-5-3-8-5-24-1-13-19

    Guess what that is? :D

    LIES !!!!!!!!!!!!!!!!!!!!
  • agustinchernitskyagustinchernitsky Member Posts: 299
    What about CISM??

    Yes, I agree, MSCE, MSCE: Security... then CISM or CISSP or SSCP.

    any of the three or all of them!
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    bcairns wrote:
    keatron wrote:
    and the winning number is

    20-5-3-8-5-24-1-13-19

    Guess what that is? :D

    LIES !!!!!!!!!!!!!!!!!!!!

    icon_eek.gif On the very contrary :D

    I was expecting I need to shift everything at least one position ;)
  • bcairnsbcairns Member Posts: 280
    Passed Security+ with an 803 and starting on my path to MCSE tomarrow.

    Hope to bump into you fellows again in the future and wish me luck.
  • oldbamboooldbamboo Member Posts: 7 ■□□□□□□□□□
    Hi,
    Just my two cents. I'm currently going for CISSP, and i've noticed that a large part of the body of knowledge is very general and was covered significantly by certain parts of the MCSE (NT4!) (especially the Networking Essentials and TCP IP over MS modules) that I got some years ago. So, I would say the MCSE can be a good thing to go for. In fact, the reason I ended up in security was that the MCSE modules gave me the expertise to do some rudimentary penetration testing for a consultancy.
    On the other hand, while a rock solid understanding of networking is CRITICAL for a career in security, most threats now exist at the application level, so any understanding of the basic SDLC's and secure coding would be what I would look for in a security staffer in a big organisation these days.
    In any event, the point is, no-one wants someone who has the basic security theory without the sharp edge on some facet of technology: My experience is those guys just get bullshitted by the people they are trying to police, so keep your hardcore MCSE on the rails mate!
    "Lovely Stuff" - Shakin' Stevens
  • JDMurrayJDMurray Admin Posts: 13,025 Admin
    Webmaster wrote:
    I was expecting I need to shift everything at least one position ;)
    Or at least rot13. icon_wink.gif
  • daisycuterdaisycuter Member Posts: 2 ■□□□□□□□□□
    When you all say your going for your CISSP what do you mean? I thought there was an application process - having more than 4 years experience, a degree / qualifications, written application and then finally sitting a 6 hour multiple choice exam.

    Can you let me know because this exam is on my to do list. What are the pre-requisites and whats the process?

    Thanks...
    Next: CCSE, CPTS, +S, CCSP, CISSP, ITIL
  • JDMurrayJDMurray Admin Posts: 13,025 Admin
    oldbamboo wrote:
    any understanding of the basic SDLC's and secure coding would be what I would look for in a security staffer in a big organisation these days.
    This is what I'm hoping to make use of with my software engineering experience. It is unlikely that I will ever have enough hands-on, server room IT experience to qualify me to get the MCSE or CCNA/NP/SP certs, so I need to find a path into an InfoSec career from the software perspective. I really like the software security stuff they do at Cigital and I'd personally like to move in that direction.
  • JDMurrayJDMurray Admin Posts: 13,025 Admin
    daisycuter wrote:
    What are the pre-requisites and whats the process?
    The CISSP applicant requirements are here.
  • JDMurrayJDMurray Admin Posts: 13,025 Admin
    Hey keatron, I was reading the page at the link in my previous post and I noticed no mention of needing to be sponsored by a CISSP-certified person as a requirement for the CISSP certification. Am I mistaken in assuming that sponsorship is a requirement, or has this page at the (ISC)2's site just not been updated?
  • mengo17mengo17 Member Posts: 100 ■■■□□□□□□□
    I was thinking:

    Sec+ > CEH > MCSA > MSCE > MSCE: Sec > CISSP.

    Should I do MCSE before CEH?
  • daisycuterdaisycuter Member Posts: 2 ■□□□□□□□□□
    Yep - ok so I know what the website says but can we hear from some CISSPs out there? What was the process you used for applying and sitting this exam?
    Next: CCSE, CPTS, +S, CCSP, CISSP, ITIL
  • oldbamboooldbamboo Member Posts: 7 ■□□□□□□□□□
    mengo17 wrote:
    I was thinking:

    Sec+ > CEH > MCSA > MSCE > MSCE: Sec > CISSP.

    Should I do MCSE before CEH?

    To be honest mate, thats impossible to answer. The question is what do you want to be doing as a career? Lately I'm seeing a demand for infrastructure and software architects in the security field. Those are hard earned skills that pay (I'm talking about the contract market now).
    If it helps, I got an MCSE, read up on security, then applied for a position in one of the Big 4. At the time I also had about five years exp in IT support, culminating in Proliant servers. When I got my break at a big 4 firm I had:

    MCSE NT4 (electives of TCP/IP and MS Proxy Server),
    Network+,
    Compaq Accredited Systems Engineer.

    I also had a little early background study in journalism, so I could lay claim to being able to write to a certain standard. Basically, I got a suit and a haircut, and turned up to the three interviews hungrier than anyone else. They interviewed 60 people but I got the role.
    The point I'm trying to make is that the Big four are a good target. Most of their IT audit staffers are finance accountants. They have genuine and ongoing difficulty:

    a. obtaining good techies
    b. that are presentable enough for their client base.

    If you can jump that initial hurdle, you'll be working inside a big organisation with excellent mentoring, superb, company only technical documentation, and all the development you could ask for. At that point, alot of the concerns you have about all those quals will just melt away, trust me! Your cv will open a hell of a lot of doors.
    Hope this helps. Also, I'd be keen to hear what other info sec pro's have to offer by way of useful career development info?
    "Lovely Stuff" - Shakin' Stevens
  • drakhan2002drakhan2002 Member Posts: 111
    mengo17 wrote:
    I was thinking:

    Sec+ > CEH > MCSA > MSCE > MSCE: Sec > CISSP.

    Should I do MCSE before CEH?

    I don't think you really need any of the Microsoft certs if you want to be in Information Security. I work at a Fortune 500 bank, one of the largest in the U.S. - most have the CISSP, CISA, or CISM (or a combination). Microsoft is just not a requirement for information security; the MCSE's are the server guys.

    In a smaller organization, if you're required to wear many hats, then it might be more applicable to have the MCSE, along with the CISSP.

    How much experience do you have in the IS space? What are your career goals? Do you want to work in a small company or a big company? I think you first need to get very clear about what your objectives are before you can make goals.

    The path you have would probably make you a great network admin...or maybe a operations person. If I were hiring (at my current company), I would think you're too technical and not business enough for information security. The IT industry itself is changing - it is no longer the best techie that gets ahead...it is the best "versitalist" that gets ahead. You need business skills and technical skills. In my organization, we hire people skills first, because believe me, we can train you on the technology.

    Don't get me wrong, operations and network admins are needed. They just are not the high paying, high promotion type jobs they were even a few years ago. If your goal is to be the best techie, please don't let me discourage you - go for it! You'll still make a decent wage...

    Just my two cents.
    It's not the moments of pleasure, it's the hours of pursuit...
  • JDMurrayJDMurray Admin Posts: 13,025 Admin
    I don't think you really need any of the Microsoft certs if you want to be in Information Security.
    Especially if you intend to only work in IBM/Linux/Cisco shops, but then other MCSE-equivalent certs become necessary for IT people. I can see auditors not needing an MCSE or CCSP, but the "trolls in the trenches" certainly will.
  • jasav32jasav32 Member Posts: 2 ■□□□□□□□□□
    That is excellent advice drakhan! I have been a frequent visitor to this site and it has been a treasure trove of information so far. Like oldbamboo, I have a degree in Journalism, working an IT Service Desk and have a keen interest in the security field. It's great to hear this up-to-date report on the security industry and requirements for others interested in this type of career. Thanks for all the input.
  • keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    jdmurray wrote:
    Hey keatron, I was reading the page at the link in my previous post and I noticed no mention of needing to be sponsored by a CISSP-certified person as a requirement for the CISSP certification. Am I mistaken in assuming that sponsorship is a requirement, or has this page at the (ISC)2's site just not been updated?

    JD. Your link points to the application to sit the exam. The application to actually get the certification is different. That's where the endorsement is required. The certification process is a two part process. 1. apply to take the exam and pass it (if you're allowed to take it). 2. apply for the certification after successfully passing the exam.
  • keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    mengo17 wrote:
    I was thinking:

    Sec+ > CEH > MCSA > MSCE > MSCE: Sec > CISSP.

    Should I do MCSE before CEH?

    I don't think you really need any of the Microsoft certs if you want to be in Information Security. I work at a Fortune 500 bank, one of the largest in the U.S. - most have the CISSP, CISA, or CISM (or a combination). Microsoft is just not a requirement for information security; the MCSE's are the server guys.

    In a smaller organization, if you're required to wear many hats, then it might be more applicable to have the MCSE, along with the CISSP.

    How much experience do you have in the IS space? What are your career goals? Do you want to work in a small company or a big company? I think you first need to get very clear about what your objectives are before you can make goals.

    The path you have would probably make you a great network admin...or maybe a operations person. If I were hiring (at my current company), I would think you're too technical and not business enough for information security. The IT industry itself is changing - it is no longer the best techie that gets ahead...it is the best "versitalist" that gets ahead. You need business skills and technical skills. In my organization, we hire people skills first, because believe me, we can train you on the technology.

    Don't get me wrong, operations and network admins are needed. They just are not the high paying, high promotion type jobs they were even a few years ago. If your goal is to be the best techie, please don't let me discourage you - go for it! You'll still make a decent wage...

    Just my two cents.

    Your environment dictates that you your infosec people have management skills first. A lot of my clients (pen testing) are banks. In a large company such as yours, most people have very specific and defined job roles. I'm certainly not saying MCSE or any other certification is an official requirement for the CISSP, I just recommend it. You don't have to be able to read or speak fluent english to take american literature either, but you'll certainly get a lot more out of it if you can. I poke holes in written security policies every day because the people creating the policies often have no idea what happens when those policies are retro-fitted to a technical control for enforcement (group policy for example).
  • JDMurrayJDMurray Admin Posts: 13,025 Admin
    keatron wrote:
    JD. Your link points to the application to sit the exam. The application to actually get the certification is different. That's where the endorsement is required.
    Ah, you are quite correct! Here's the correct link that lists both the CISSP examination and certification requirements. Thanks dude!
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Nice to see they give some credit for other certifications, what's odd though is no mention of Cisco Certs. How can an MCSA or Security+ (not mocking them as I've done and respect them) be counted and not a CCSP? Beeezaaarrr.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • mengo17mengo17 Member Posts: 100 ■■■□□□□□□□
    oldbamboo and drakhan2002, thanks for the advice and comments.

    My goal is to be an information security person. I want to know about the managerial side and tech side. I have little experience in info sec. I am trying to get my foot on an infosec job. I have a degree (FAU) in MIS with concentration in infosec and will start my masters in infosec (NOVA Southeastern university) in the midle of the year. My experience is as a Oracle Sys Admin (Oracle Financials) for a F500 company and as a Systems Analyst at a medium size company now supporting a Informix DB on UNIX envirn. We are in a big project to move this to SQL Server 05 / Win. I speak English, Spanish and Potuguese. My goal is to first get a infosec job and to have that I have to know about the tech side first. That is why I am sitting for the Sec+ before june and will start the masters in infosec right after that. Do i want to work for a big company? YES. Will the big company hire me to an infosec position if I do not have experience enough in that field ? Just academic. And that is why I came up with that path of certs. What do u recommend me to do after my Sec+ ? Remember that I will be starting the masters in infosec right after that.
  • drakhan2002drakhan2002 Member Posts: 111
    mengo17 wrote:
    oldbamboo and drakhan2002, thanks for the advice and comments.

    My goal is to be an information security person. I want to know about the managerial side and tech side. I have little experience in info sec. I am trying to get my foot on an infosec job. I have a degree (FAU) in MIS with concentration in infosec and will start my masters in infosec (NOVA Southeastern university) in the midle of the year. My experience is as a Oracle Sys Admin (Oracle Financials) for a F500 company and as a Systems Analyst at a medium size company now supporting a Informix DB on UNIX envirn. We are in a big project to move this to SQL Server 05 / Win. I speak English, Spanish and Potuguese. My goal is to first get a infosec job and to have that I have to know about the tech side first. That is why I am sitting for the Sec+ before june and will start the masters in infosec right after that. Do i want to work for a big company? YES. Will the big company hire me to an infosec position if I do not have experience enough in that field ? Just academic. And that is why I came up with that path of certs. What do u recommend me to do after my Sec+ ? Remember that I will be starting the masters in infosec right after that.

    Every path to any given field is different. I don't anyone can give you a clear roadmap that will guarentee a position in infosec. In my case, I started with the networking side of the house, performing network admin, project management. I sought out projects that had a "security element" to them. I then decided that this technique (in and of itself) was not going to get me where I needed to be - I needed to show some dedication to the field. I started graduate school. Then and this was important - I took one of the managers in infosec out to lunch to pick her brain about how to get in the field. Luckily for me, she had 2 opportunities within the department. Because you work for Fortune 500 company, you have a lot more flexibility - if it is anything like mine, then you have probably 8 or 9 functional managers that make up the infosec department - take them all to lunch. Pick all their brains...network. I can't stress that enough - the people element is key. You may not fit an open position now, but I'll bet they will remember the persisent guy who keeps sending them an email every other month asking if there are any jobs available.

    I think getting your Sec+ is awesome. That shows you are committing to this field. Find other ways to expand your experience if that's where you are weak. Join a local 2600 club...join ISACA...do a free security audit of your churches computer system....something...anything that can give you experience. Heck, call your neighbors and tell them you'll install an AV program and anti-spyware on their machines; find some freeware (then put this information on your resume as an "independent consultant"). Education, certs, etc. are all great ways to show, at the very least, you are interested in bettering your professional skill set. You're a KNOWLEDGE WORKER - ALWAYS get education, certs, etc...never stop.

    With your lanugage abilities, look at larger international firms - P&G hires people like you all the time. People with lanuage and tech skills are a great combination. This will likely help you get to the management side much quicker, if that is your desire.

    It all starts with a goal, which you now have - a management job with a large F500 company in the infosec group. Now that you have the goal, you have to make objective...or markers that will help you achieve that goal. What are some objectives? Sec+ (why? because it shows commitment to field), Masters (same), need experience (volunteer, help neighbors, etc.), network (to get your name known to people who hire), etc. There are a bunch more, but that's a start.

    Good luck!
    It's not the moments of pleasure, it's the hours of pursuit...
  • oldbamboooldbamboo Member Posts: 7 ■□□□□□□□□□
    Will the big company hire me to an infosec position if I do not have experience enough in that field ? Just academic. And that is why I came up with that path of certs. What do u recommend me to do after my Sec+

    I would go for CISSP or CISA (or both) after Sec+. I'm not sure that you would even need the MsC? I dont have a degree. Going back to my prior post, there is a big demand for IT auditors right now. The trick for me was to get off the cert path and into an environment that sees you as an asset to be developed. Big 4 are not renowned technologists, but they are the experts in managing business processes, and they have trouble getting good staff for their info sec streams.
    Drakkans tips are worth their weight in gold too.
    Finally, a friend of mine has a security job going 1 mile from my house, paying £600 per day, but I cant do it because I know Eff all about Oracle. Hope that cheers you up!
    "Lovely Stuff" - Shakin' Stevens
Sign In or Register to comment.