Security+ -> MCSE -> CISSP ?

bcairns

Hello

Going to sit for the CompTIA Security+ exam in a few days.

Obviously I have a LONG road ahead if I were to go after a CISSP, but was wondering what path should I take tward a CISSP.

I plan on getting an MCSE with Security and then MCPD and MCITP (I am a network admin and lead programmer)....most of those certs have little to do with CISSP - any info would be great.

keatron

After MCSE, If it were one of my employees it would be MCSE>MCSE:Security>C|EH> (either a couple of SANS certs or SSCP), then CISSP.

However, if you want to go a cheaper route, insert something a little higher level that's specifically seurity related between MCSE and CISSP. You'll thank me later.

bcairns

keatron wrote:

After MCSE, If it were one of my employees it would be MCSE>MCSE:Security>C|EH> (either a couple of SANS certs or SSCP), then CISSP.

However, if you want to go a cheaper route, insert something a little higher level that's specifically seurity related between MCSE and CISSP. You'll thank me later.

Thanks !

Webmaster

keatron wrote:

You'll thank me later.

bcairns wrote:

Thanks !

Amazing! Ok, what's next week's winning lottery numbers?

bcairns

Webmaster wrote:

keatron wrote:

You'll thank me later.

bcairns wrote:

Thanks !

Amazing! Ok, what's next week's winning lottery numbers?

grabs a pencil and awaits the loto numbers...

keatron

and the winning number is

20-5-3-8-5-24-1-13-19

Guess what that is?

bcairns

keatron wrote:

and the winning number is

20-5-3-8-5-24-1-13-19

Guess what that is?

LIES !!!!!!!!!!!!!!!!!!!!

agustinchernitsky

What about CISM??

Yes, I agree, MSCE, MSCE: Security... then CISM or CISSP or SSCP.

any of the three or all of them!

Webmaster

bcairns wrote:

keatron wrote:

and the winning number is

20-5-3-8-5-24-1-13-19

Guess what that is?

LIES !!!!!!!!!!!!!!!!!!!!

On the very contrary

I was expecting I need to shift everything at least one position

bcairns

Passed Security+ with an 803 and starting on my path to MCSE tomarrow.

Hope to bump into you fellows again in the future and wish me luck.

oldbamboo

Hi,
Just my two cents. I'm currently going for CISSP, and i've noticed that a large part of the body of knowledge is very general and was covered significantly by certain parts of the MCSE (NT4!) (especially the Networking Essentials and TCP IP over MS modules) that I got some years ago. So, I would say the MCSE can be a good thing to go for. In fact, the reason I ended up in security was that the MCSE modules gave me the expertise to do some rudimentary penetration testing for a consultancy.
On the other hand, while a rock solid understanding of networking is CRITICAL for a career in security, most threats now exist at the application level, so any understanding of the basic SDLC's and secure coding would be what I would look for in a security staffer in a big organisation these days.
In any event, the point is, no-one wants someone who has the basic security theory without the sharp edge on some facet of technology: My experience is those guys just get bullshitted by the people they are trying to police, so keep your hardcore MCSE on the rails mate!

JDMurray

Webmaster wrote:

I was expecting I need to shift everything at least one position

Or at least rot13.

daisycuter

When you all say your going for your CISSP what do you mean? I thought there was an application process - having more than 4 years experience, a degree / qualifications, written application and then finally sitting a 6 hour multiple choice exam.

Can you let me know because this exam is on my to do list. What are the pre-requisites and whats the process?

Thanks...

JDMurray

oldbamboo wrote:

any understanding of the basic SDLC's and secure coding would be what I would look for in a security staffer in a big organisation these days.

This is what I'm hoping to make use of with my software engineering experience. It is unlikely that I will ever have enough hands-on, server room IT experience to qualify me to get the MCSE or CCNA/NP/SP certs, so I need to find a path into an InfoSec career from the software perspective. I really like the software security stuff they do at Cigital and I'd personally like to move in that direction.

JDMurray

daisycuter wrote:

What are the pre-requisites and whats the process?

The CISSP applicant requirements are here.

JDMurray

Hey keatron, I was reading the page at the link in my previous post and I noticed no mention of needing to be sponsored by a CISSP-certified person as a requirement for the CISSP certification. Am I mistaken in assuming that sponsorship is a requirement, or has this page at the (ISC)2's site just not been updated?

mengo17

I was thinking:

Sec+ > CEH > MCSA > MSCE > MSCE: Sec > CISSP.

Should I do MCSE before CEH?

daisycuter

Yep - ok so I know what the website says but can we hear from some CISSPs out there? What was the process you used for applying and sitting this exam?

oldbamboo

mengo17 wrote:

I was thinking:

Sec+ > CEH > MCSA > MSCE > MSCE: Sec > CISSP.

Should I do MCSE before CEH?

To be honest mate, thats impossible to answer. The question is what do you want to be doing as a career? Lately I'm seeing a demand for infrastructure and software architects in the security field. Those are hard earned skills that pay (I'm talking about the contract market now).
If it helps, I got an MCSE, read up on security, then applied for a position in one of the Big 4. At the time I also had about five years exp in IT support, culminating in Proliant servers. When I got my break at a big 4 firm I had:

MCSE NT4 (electives of TCP/IP and MS Proxy Server),
Network+,
Compaq Accredited Systems Engineer.

I also had a little early background study in journalism, so I could lay claim to being able to write to a certain standard. Basically, I got a suit and a haircut, and turned up to the three interviews hungrier than anyone else. They interviewed 60 people but I got the role.
The point I'm trying to make is that the Big four are a good target. Most of their IT audit staffers are finance accountants. They have genuine and ongoing difficulty:

a. obtaining good techies
b. that are presentable enough for their client base.

If you can jump that initial hurdle, you'll be working inside a big organisation with excellent mentoring, superb, company only technical documentation, and all the development you could ask for. At that point, alot of the concerns you have about all those quals will just melt away, trust me! Your cv will open a hell of a lot of doors.
Hope this helps. Also, I'd be keen to hear what other info sec pro's have to offer by way of useful career development info?

drakhan2002

mengo17 wrote:

I was thinking:

Sec+ > CEH > MCSA > MSCE > MSCE: Sec > CISSP.

Should I do MCSE before CEH?

I don't think you really need any of the Microsoft certs if you want to be in Information Security. I work at a Fortune 500 bank, one of the largest in the U.S. - most have the CISSP, CISA, or CISM (or a combination). Microsoft is just not a requirement for information security; the MCSE's are the server guys.

In a smaller organization, if you're required to wear many hats, then it might be more applicable to have the MCSE, along with the CISSP.

How much experience do you have in the IS space? What are your career goals? Do you want to work in a small company or a big company? I think you first need to get very clear about what your objectives are before you can make goals.

The path you have would probably make you a great network admin...or maybe a operations person. If I were hiring (at my current company), I would think you're too technical and not business enough for information security. The IT industry itself is changing - it is no longer the best techie that gets ahead...it is the best "versitalist" that gets ahead. You need business skills and technical skills. In my organization, we hire people skills first, because believe me, we can train you on the technology.

Don't get me wrong, operations and network admins are needed. They just are not the high paying, high promotion type jobs they were even a few years ago. If your goal is to be the best techie, please don't let me discourage you - go for it! You'll still make a decent wage...

Just my two cents.

JDMurray

drakhan2002 wrote:

I don't think you really need any of the Microsoft certs if you want to be in Information Security.

Especially if you intend to only work in IBM/Linux/Cisco shops, but then other MCSE-equivalent certs become necessary for IT people. I can see auditors not needing an MCSE or CCSP, but the "trolls in the trenches" certainly will.

jasav32

That is excellent advice drakhan! I have been a frequent visitor to this site and it has been a treasure trove of information so far. Like oldbamboo, I have a degree in Journalism, working an IT Service Desk and have a keen interest in the security field. It's great to hear this up-to-date report on the security industry and requirements for others interested in this type of career. Thanks for all the input.

keatron

jdmurray wrote:

Hey keatron, I was reading the page at the link in my previous post and I noticed no mention of needing to be sponsored by a CISSP-certified person as a requirement for the CISSP certification. Am I mistaken in assuming that sponsorship is a requirement, or has this page at the (ISC)2's site just not been updated?

JD. Your link points to the application to sit the exam. The application to actually get the certification is different. That's where the endorsement is required. The certification process is a two part process. 1. apply to take the exam and pass it (if you're allowed to take it). 2. apply for the certification after successfully passing the exam.

keatron

drakhan2002 wrote:

mengo17 wrote:

I was thinking:

Sec+ > CEH > MCSA > MSCE > MSCE: Sec > CISSP.

Should I do MCSE before CEH?

I don't think you really need any of the Microsoft certs if you want to be in Information Security. I work at a Fortune 500 bank, one of the largest in the U.S. - most have the CISSP, CISA, or CISM (or a combination). Microsoft is just not a requirement for information security; the MCSE's are the server guys.

In a smaller organization, if you're required to wear many hats, then it might be more applicable to have the MCSE, along with the CISSP.

How much experience do you have in the IS space? What are your career goals? Do you want to work in a small company or a big company? I think you first need to get very clear about what your objectives are before you can make goals.

The path you have would probably make you a great network admin...or maybe a operations person. If I were hiring (at my current company), I would think you're too technical and not business enough for information security. The IT industry itself is changing - it is no longer the best techie that gets ahead...it is the best "versitalist" that gets ahead. You need business skills and technical skills. In my organization, we hire people skills first, because believe me, we can train you on the technology.

Don't get me wrong, operations and network admins are needed. They just are not the high paying, high promotion type jobs they were even a few years ago. If your goal is to be the best techie, please don't let me discourage you - go for it! You'll still make a decent wage...

Just my two cents.

Your environment dictates that you your infosec people have management skills first. A lot of my clients (pen testing) are banks. In a large company such as yours, most people have very specific and defined job roles. I'm certainly not saying MCSE or any other certification is an official requirement for the CISSP, I just recommend it. You don't have to be able to read or speak fluent english to take american literature either, but you'll certainly get a lot more out of it if you can. I poke holes in written security policies every day because the people creating the policies often have no idea what happens when those policies are retro-fitted to a technical control for enforcement (group policy for example).

JDMurray

keatron wrote:

JD. Your link points to the application to sit the exam. The application to actually get the certification is different. That's where the endorsement is required.

Ah, you are quite correct! Here's the correct link that lists both the CISSP examination and certification requirements. Thanks dude!

Ahriakin

Nice to see they give some credit for other certifications, what's odd though is no mention of Cisco Certs. How can an MCSA or Security+ (not mocking them as I've done and respect them) be counted and not a CCSP? Beeezaaarrr.

mengo17

oldbamboo and drakhan2002, thanks for the advice and comments.

My goal is to be an information security person. I want to know about the managerial side and tech side. I have little experience in info sec. I am trying to get my foot on an infosec job. I have a degree (FAU) in MIS with concentration in infosec and will start my masters in infosec (NOVA Southeastern university) in the midle of the year. My experience is as a Oracle Sys Admin (Oracle Financials) for a F500 company and as a Systems Analyst at a medium size company now supporting a Informix DB on UNIX envirn. We are in a big project to move this to SQL Server 05 / Win. I speak English, Spanish and Potuguese. My goal is to first get a infosec job and to have that I have to know about the tech side first. That is why I am sitting for the Sec+ before june and will start the masters in infosec right after that. Do i want to work for a big company? YES. Will the big company hire me to an infosec position if I do not have experience enough in that field ? Just academic. And that is why I came up with that path of certs. What do u recommend me to do after my Sec+ ? Remember that I will be starting the masters in infosec right after that.

drakhan2002

mengo17 wrote:

oldbamboo and drakhan2002, thanks for the advice and comments.

My goal is to be an information security person. I want to know about the managerial side and tech side. I have little experience in info sec. I am trying to get my foot on an infosec job. I have a degree (FAU) in MIS with concentration in infosec and will start my masters in infosec (NOVA Southeastern university) in the midle of the year. My experience is as a Oracle Sys Admin (Oracle Financials) for a F500 company and as a Systems Analyst at a medium size company now supporting a Informix DB on UNIX envirn. We are in a big project to move this to SQL Server 05 / Win. I speak English, Spanish and Potuguese. My goal is to first get a infosec job and to have that I have to know about the tech side first. That is why I am sitting for the Sec+ before june and will start the masters in infosec right after that. Do i want to work for a big company? YES. Will the big company hire me to an infosec position if I do not have experience enough in that field ? Just academic. And that is why I came up with that path of certs. What do u recommend me to do after my Sec+ ? Remember that I will be starting the masters in infosec right after that.

Every path to any given field is different. I don't anyone can give you a clear roadmap that will guarentee a position in infosec. In my case, I started with the networking side of the house, performing network admin, project management. I sought out projects that had a "security element" to them. I then decided that this technique (in and of itself) was not going to get me where I needed to be - I needed to show some dedication to the field. I started graduate school. Then and this was important - I took one of the managers in infosec out to lunch to pick her brain about how to get in the field. Luckily for me, she had 2 opportunities within the department. Because you work for Fortune 500 company, you have a lot more flexibility - if it is anything like mine, then you have probably 8 or 9 functional managers that make up the infosec department - take them all to lunch. Pick all their brains...network. I can't stress that enough - the people element is key. You may not fit an open position now, but I'll bet they will remember the persisent guy who keeps sending them an email every other month asking if there are any jobs available.

I think getting your Sec+ is awesome. That shows you are committing to this field. Find other ways to expand your experience if that's where you are weak. Join a local 2600 club...join ISACA...do a free security audit of your churches computer system....something...anything that can give you experience. Heck, call your neighbors and tell them you'll install an AV program and anti-spyware on their machines; find some freeware (then put this information on your resume as an "independent consultant"). Education, certs, etc. are all great ways to show, at the very least, you are interested in bettering your professional skill set. You're a KNOWLEDGE WORKER - ALWAYS get education, certs, etc...never stop.

With your lanugage abilities, look at larger international firms - P&G hires people like you all the time. People with lanuage and tech skills are a great combination. This will likely help you get to the management side much quicker, if that is your desire.

It all starts with a goal, which you now have - a management job with a large F500 company in the infosec group. Now that you have the goal, you have to make objective...or markers that will help you achieve that goal. What are some objectives? Sec+ (why? because it shows commitment to field), Masters (same), need experience (volunteer, help neighbors, etc.), network (to get your name known to people who hire), etc. There are a bunch more, but that's a start.

Good luck!

oldbamboo

Will the big company hire me to an infosec position if I do not have experience enough in that field ? Just academic. And that is why I came up with that path of certs. What do u recommend me to do after my Sec+

I would go for CISSP or CISA (or both) after Sec+. I'm not sure that you would even need the MsC? I dont have a degree. Going back to my prior post, there is a big demand for IT auditors right now. The trick for me was to get off the cert path and into an environment that sees you as an asset to be developed. Big 4 are not renowned technologists, but they are the experts in managing business processes, and they have trouble getting good staff for their info sec streams.
Drakkans tips are worth their weight in gold too.
Finally, a friend of mine has a security job going 1 mile from my house, paying £600 per day, but I cant do it because I know Eff all about Oracle. Hope that cheers you up!