Career advice needed

Hi guys,
I'd like to ask you about your ideas, which certs / related knowledge should I acquire in the coming year(s).

My background: 8 years in IT, including 6 years in IT audit in about 15 countries on two continents. CISA, CISSP and recently CWNA, next month I'm planning to pass Network+. Next month I'm changing to a IT security consulting company, where I'll have an opportunity to teach and work for other companies.

My future plans: to work as a consultant and trainer, in middle to long term maybe to become self employed. I'd like to keep balance between teaching and consulting, not to focus on one of them.

My ideas: to make MCSE Security and MCP. Maybe CTT+, but I will be working primarily in non-english speaking countries. Btw. I like using certs for setting learning goals i.e. I'm planning Network+ to motivate myself to learn more on networks.

What would you add to it? What are your ideas? Many thanks in advance for your help.

Find more posts tagged with

Comments

sprkymrk

Net+ should be a piece of cake for you. I would pick either the MS or Cisco route and focus on one or the other until you master it. You could do the CCNA and 70-290/291 for starters and then see which one is more to your liking. If you are going to teach you may want to become certified that way as well (MCT for example).

mwgood

CCNA, then CCSP?

seccie

thanks SparkyMark,

I was recently talking to a friend from Learning Center and she suggested the same like you, i.e. either M$ till MCT or Cisco till Cisco trainer. In her opinion these two enjoy the biggest demand on the training market.

From which path is it easier to acquire new skills / certs? It seems to me that the Cisco path gives more usable ideas about networks and security, so I can use these skills for pentests, auditing FWs or learning Checkpoint, if I need to. M$ seems a bit like learning the world "the Redmond way". Is it true, or am I unjust?

seccie

thanks Mwgood,
is it another vote for the Cisco path and against the M$ path?

mwgood

seccie wrote:

thanks Mwgood,
is it another vote for the Cisco path and against the M$ path?

Yes. Of course, you have to weigh our "votes" against your own career path, but in my experience, since MS is more ubiquitous, it is also valued less - Cisco is more difficult (broadly), and more (generally) highly regarded.

I'm suggesting CCSP due to your security background, and CCNA to help get you there.

seccie

Mwgood,
what is the Cisco's counterpart to MCT? Is it CCAI?

keatron

seccie wrote:

Mwgood,
what is the Cisco's counterpart to MCT? Is it CCAI?

CCI

JDMurray

With your experience in IT auditing, it would seem that computer forensics would be the logical path for you. You can use this specialization to set yourself apart from all the other IT people who already have the CCNA/CCSP or MSCE. And with forensics experience, you can work in IT or with law enforcement.

Computer forensics certs include:

GIAC Certified Forensic Analyst (GCFA)
http://www.giac.org/certifications/security/gcfa.php

Certified Information Forensics Investigator (CIFI)
http://www.certmag.com/articles/templates/cmag_webonly.asp?articleid=589&zoneid=41

Certified Forensic Computer Examiner (CFCE)
Certified Electronic Evidence Collection Specialist (CEECS)
http://www.iacis.com/iacisv2/pages/certification.php

Computer Hacking Forensic Investigator (CHFI)
http://www.eccouncil.org/CHFI.htm

keatron

seccie wrote:

Hi guys,
I'd like to ask you about your ideas, which certs / related knowledge should I acquire in the coming year(s).

My background: 8 years in IT, including 6 years in IT audit in about 15 countries on two continents. CISA, CISSP and recently CWNA, next month I'm planning to pass Network+. Next month I'm changing to a IT security consulting company, where I'll have an opportunity to teach and work for other companies.

My future plans: to work as a consultant and trainer, in middle to long term maybe to become self employed. I'd like to keep balance between teaching and consulting, not to focus on one of them.

My ideas: to make MCSE Security and MCP. Maybe CTT+, but I will be working primarily in non-english speaking countries. Btw. I like using certs for setting learning goals i.e. I'm planning Network+ to motivate myself to learn more on networks.

What would you add to it? What are your ideas? Many thanks in advance for your help.

It sounds like you're very much where I was about 6 or 7 years ago. I can tell you what has worked for me.

First of all, if you want to start teaching immediately, I would suggest starting with CTT+. Also I'd like to point out that I too had the original dream of splitting consulting and training down the middle, but I've found that a 70% consulting/30% training schedule works better.

Also you already have the CISSP. Any time you teach security, try to always keep that body of knowledge in mind. It will help you keep things in perspective and ensure you relay information to sure students with perspective in mind.

Also, you need to go far beyond what's outlined in your Microsoft instructor kits and other training kits. Students will come to you with real world problems and you'll be expected to at least point them in the right direction. Failure to do this to many times will ruin your credibility. Nobody wants to hear these days "we're sticking strictly to the book".

If you're going to be teaching CISSP material or any material that deals with laws and the like, make sure you keep a very watchful eye legislation in the perspective area you'll be teaching in. Laws are vastly different depending on which part of the country you're in. For example, I'm doing security training in Saudi Arabia this month, so I've been reading their information ministry laws, regulations, and statements for the past few weeks. Always lean to the side of over preparing.

Also going the CTT route before the MCT will be a good idea. Why? Because it's actually a requirement (that or either going to a 3 day train the trainer class for MCT's).

I started similarly to the way you have and I currently own the majority share of my company. Just to give you an idea of what it takes to stay on top, I read on the average about 4 hours per day EVERY DAY. I also spend a great deal of time practicing exploits, labs, and things of that nature (thank you VMWare and Virtual PC), especially during long flights to other countries. I've been known to read entire 1000+ page writings on long flights.

The key is to keep your knowlege bank very fresh. And probably just as important as anything else, spend as much time as possible here. You'll find we're a good group of knowlege loving people. And most people here have no problem sharing with you their experiences or giving you advice.

Good luck and congrats on taking your career to the next level.

Keatron.

seccie

Hi JD,

thanks for your bunch of ideas!

IT auditing in my case means a significant time share spent with SAP R/3 (ERP Software). Good money, big market, but it means more accounting than networks. Even if I'm a MA in business somehow I couldn't develop passion for it, that's why I moved to the IT security.

seccie

Thanks Keatron,
that's a lot of useful tips!

Your point about hands-on knowledge exceeding course curriculum is a clear indicator for networks (e.g. Cisco) and against M$. I prefer to dedicate my life to something what I personally consider interesting.

Different legislation: I do know what you mean. This year I was working in Spanish, Polish and German and it was really an interesting experience.

CTT+: Here in Europe it is (as far as I know) offered in Britain and in English only, and even M$ doesn't expect German MCTs to have it (there is a special course offered instead). German is not my native language and to be sincere I'm a bit puzzled about in which language should I attend the trainer course.

Learning: 4 hours a day? I was sure there is someone learning more than I do - I'll show your post to my wife next time when she complains

And now seriously - what do you learn? I always spend relatively much time for research, what to learn next. If you walked the same path I do now - I'd be happy about some ideas of yours.

keatron

4 hours a day is what I average now. Earlier in my career it was much more than that. I remember times where I'd buy 3 or 4 pizzas, and not leave my computers for 3 or 4 days at a time. Just trying to master certain things. I tell people all the time that infosec is an expensive career. And by expensive I mean the amount of time you have to invest to reach excellence and maintain excellence.

As far as next steps you could go any direction you wish. You could look at C|EH now or any of the forensics programs JD listed above. Consider your CISSP the IT Security equal to a general practitioner MD license. Now you need to look at some specializations. I myself chose penetration testing and forensics. I've training and consultants in both of these areas worldwide. My latest challenge and specialization decision is the CCSP and CCIE /s. I'm giving myself 3 years or so (because I'm also writing a book of my own, and co-authoring a book with another individual, and must continue to run my business in the process). I also have to sit the CWSP and CWAP by June (I promised Devin and Rick). So I pretty much know exactly where most of my time will be focused for the next 5 or 6 years. And I'm working on an action plan for time after that. Now these are just general ideas and a look into how I do things (most of the time anyway). But the real question cannot be avoided as it is inevitable. And it is, where do you feel your true passion is and what is it YOU want to do. I chose Cisco because it's a program I've always respected, and I've got access to hundreds of thousands of dollars worth of Cisco equipment. I chose CWNP because it's a rock solid program and I've developed a very rewarding relationship with some of the staff there. See these are all personal decisions of mine. Where do you see yourself being focused on in 2 years?

JDMurray

keatron wrote:

And by expensive I mean the amount of time you have to invest to reach excellence and maintain excellence.

keatron, this reminds me of a phrase I just read in a posting on an academic Web board about the proper attitude for attending a Ph.D. program:

Academia is not a destination, its the beginning of a lifetime commitment to learning and creating knowledge.

You've certianly made InfoSec a "lifetime commitment." You're quite a role model in this regard, right up there with Harold Tipton, Richard Bejtlich, and Charles Cresson Wood. You've only published fewer books than they have.

seccie

okay guys,

thanks for all the ideas. Especially I like the pizza-and-computers-long-evenings combination. It's better to learn something you like and make a living from it, than to spend time in the office, doing the same things long long years.

Before becoming a superguru

I see that there are essential skills I have to acquire. It might be Cisco if I enjoy the CCNA and have access to Cisco equipment without buying it all by myself. It must be in short or long run the CTT+ if I intend to be a trainer.

That's something to start with. Thanks a lot!

keatron

I was recently doing a lecture for a group of managers for a large credit card company. One of them asked me where the heck did I find the time to keep up with all the stuff we were talking about during that week. I asked him what was his favorite things to do. He said golf, fish, and read history books. I told him that imagine if all he did was golf, fish, and read history books and got paid lots of money to do it. I told him that's what I do. The things I love to do are hack, train, and read security writings, and that's what I do all the time. And I have a good bit of flexibility as to when I do which one. The point? We always find time to do the things we really WANT to do.

seccie

Keatron,
what has in your case triggered the decision about becoming self employed? You've done it because you've had prospective customers, or was something else more important?

keatron

It has always been a goal of mine. I'd planning the launch of my company for almost 10 years before I actually started it. So it was not a last minute decision. The biggest factor was just personal satisfaction and endeavor more than anything else. Again, you can always find time to do what you WANT to do. And when human beings (not just me but any human being) are truely committed and focused on something, there's not much that is able to stand in our way.

tibul

keatron wrote:

there's not much that is able to stand in our way.

Yeah thats the best way to think, anybody can do just about anything if they really want it and put the effort in.

Namco

I FEEL LIKE A DROP IN THE OCEAN WHEN I LOOK AT YOU GUYS

sprkymrk

Namco wrote:

I FEEL LIKE A DROP IN THE OCEAN WHEN I LOOK AT YOU GUYS

Then try to remember that that little drop has all the same chemicals in it that the rest of the ocean has.

RATTLERMAN

Namco wrote:

I FEEL LIKE A DROP IN THE OCEAN WHEN I LOOK AT YOU GUYS

I feel the same way but it motivates me to get better at what I do

keatron

We're all drops. That we can't control, but what we can control is how big of a "ripple" (read impact) we're going to make. And the beauty of it is, your drip drop continues as long as you're on this planet. So your drops today should generate more impact than they did 2 years ago. A good example is Mikej, he started with his Cisco certs 2 years ago, now he's sitting the CCIE Security lab Monday. That's a prime example of going from a drop in the ocean to a big splash. It's not just us moderators either. Just look around and do a search on some of the forum members here. You can see that most people here have made steady progress. It might be in the form of certs, it might be in job promotions, or it might just be in the quality of their posts, but the point is progress. This is the very essence of techexams.net and one reason you certainly WILL NOT find another technical forum that begins to come close. Just hang around guys. Here's some things to think about.

Some of the stuff that Johan is getting ready to push out is no less than amazing.

Mike will most likely pass the CCIE lab next week.

I'm starting the CCIE track currently, and I think there's about 7 to 10 others starting it as well.

We currently have 3 (I think) very active CISSP's on board.

We have a host of MCSE's on board who are also very active and popping at the seams with knowledge (check the Microsoft forums).

JDMurray (CWNP Mod) is one of those guys who knows something about everything IT related.

This place is going to be rockin like never before. And we can all continue to improve our "drop quality" The key is to not disappear once you think you have "made it". I'm busier now than I've ever been in my life, but I have a strong commitment to helping out here as much as possible (I caught myself putting a client on hold to finish answering a post here the other day

)

jkstech

yes, this place is VERY influential to my career and is pretty much my main "IT forum"

i very rarely go to the microsoft forums, I do read on the CWNP forums and other info sec forums, but techexams is my bread and butter, i've become a much better IT professional since I found this place (back after completing A+) and have used the info I gain from the users to help me continue in my cert path as well as practical advice on interviewing and how to handle yourself in interpersonal relationships as a IT pro

in short, I will NEVER leave this place and hope to one day become someone who has alot to offer those needing help.

kmcnees

seccie wrote:

Hi JD,

thanks for your bunch of ideas!

IT auditing in my case means a significant time share spent with SAP R/3 (ERP Software). Good money, big market, but it means more accounting than networks. Even if I'm a MA in business somehow I couldn't develop passion for it, that's why I moved to the IT security.

When you did IT auditing (SAP R/3), I'm just curious who you did it for? Were you an internal or external?

OK - my two cents. Sounds like you have an excellent background but I'm not sure I would recomend you pull the plug on your IT Auditing. You couldn't "develop passion for it". Hmmm. Yes, I kind of know what you're talking about but there is definitely something to be said for a person that is "expert" in a particular field. Sounds like you are (or were) well on your way.

I used to head up cyber security for one of the Federal agencies. I couldn't get passionate about that because they (budget folks and top politicos) never really wanted to fund security. They just want to give you enough so you can say yeah we put up a firewall, yeah we're canning spam on our email servers, yeah we got our sytems C&Aed. But really, IMHO, they never really bought into the whole Security thing. I mean, it takes a monumental screw up like VA looking plain-text files on a bunch of vets before "they" get interested in security.

As far as "what to learn next" - I'll throw you a curve ball. Ever consider learning an object oriented programming language? I'm playing around with Java now (former object pascal coder) and I kind of like it. Eventually everything security has to come "code". Who best to code it? I don't know if I'll stay interested in it, but it's something I'm playing with. Also - you might want to consider picking up your CAP from ISC2. Certification and Accreditation Professionals are becoming more and more important. You have a strong enough background - with a little reading you could probably pick up this cert - and its only going to become more and more important.

Good luck!

seccie

Hi kmcnees,

about SAP R/3 - I was an internal in 2000-2005 (full five years), I shared the time between SAP and security. I realized that to become a good external SAP consultant you need to really focus on it. You cannot be jack-of-all-trades and a SAP guru. Soo I would have to stick to it, and I don't like SAP. I like security, I like networks, but - sorry, SAP is boring. I can learn about security and have fun, if I learn SAP - no fun at all.

Programming - I used to code in C++. It was better than SAP, but the fun factor was still to low for me.

You see, I'm a difficult case. It's very important for me that I truly enjoy my job. Just after my studies I was prepared to perform boring tasks for good money. Now I adopt the "no-money-principle". Activities which I would perform without getting paid for it (like learning about security, teaching about things I find interesting, consulting, etc.) - are good candidates to become a vocation (they pass the no-money-test). If my hobby had been say drinking beer or watching x-rated films, I probably would have to do something else for my living. But I like IT security (and diet coke instead of beer). Is it not a sign from above?

drakhan2002

This is one of the best threads I've read on these forums. The positive vibes this thread contains...the inspiration...the stories...they advice...WOW! Any way to have a "best of the boards" forums or have this stickied?

Thanks to everyone who has added input to this thread - I felt so motivated after reading it!!!!

keatron

Sticky it is.

shednik

drakhan2002 wrote:

This is one of the best threads I've read on these forums. The positive vibes this thread contains...the inspiration...the stories...they advice...WOW! Any way to have a "best of the boards" forums or have this stickied?

Thanks to everyone who has added input to this thread - I felt so motivated after reading it!!!!

I have to agree this is a phenomenal thread that anyone pursuing an InfoSec related career should read. Never a dull post when reading something by keatron

seccie

Hello everybody,
I'm glad to have started such a popular thread and I would like to give you some feedback after I tried to use these ideas in real life. I hope it will be a word of warning (or encouragement) for those looking for career advice.

In Jan 2007 I became an IT Sec consultant. I realized pretty quickly that success depends on two skills:
1. Either you are a very technical expert (pen tests, firewalls, networks), or
2. You are a skilled salesman and communicator.

(If your computer skills are limited to "writing emails, sending emails, receiving emails" but you are a superb salesperson, you can sell many consulting days to clients and become a well paid local hero.)

Another basic skill is being a native speaker. Clients cannot evaluate your work (they lack specific knowledge), so they either count pages of your report or check your syntax / punctuation to see if your service is worth its price. It's common to see 70 pages of report which could be 5 pages long and not give less information.
In either case you need to be a native speaker, otherwise you produce report pages slower or of worse language quality than your colleagues.

The black belt of consulting is called "deescalation". It's the ultimate skill and it means that you can deal with angry client and make him calm. In corporate environment it's enough to be right and to be able to defend your position (e.g. by argumentation or proof). But in consulting an angry client can walk away to a competitor just to have the last word. If your employer loses a client and you can be somehow blamed for it you may be in trouble - depending on your employer.

Be aware that consultants are used as change agents, i.e. you deliver rationale to fire someone. This someone is your deadly enemy and dreams of showing that you are an incompetent a**hole. And you can't be competent of every single system the client uses.

There is one misunderstanding worth mentioning. When I started to work as a consultant I hoped to LEARN new things. The problem is - when you learn, you don't bill. If there is an assignment where you could learn, probably someone else gets it, who already has knowledge to solve the problem and bill for it.

Now, back to my story. I know the rules now, in 2007 I didn't know them. After about 5 months I knew that something goes terribly wrong and that my skills are in huge mismatch with job requirements. After 10 months (Oct/Nov 2007) I really sorrowed the job change, I knew it will end in a disaster but I decided to stay till the end of 2008 (to be there 2 years, and not to ruin my resume). End of April 2008 I started looking for new job in the city. That was really hard! Toxic work environment changes totally the way you think and behave, you don't have patience, you just dream of being able to go away, have long holidays and never see the place again. You have a real problem to get out of the bed in the morning. Unfortunately the interviewers see it and it's a no-no (and they are right - you are unable to perform). Finding a new job is an uphill battle. After my third interview I learned to give the right answers to recurring questions (really by heart) and in Dec 2008 I was able to leave that "bad" job for a new, corporate one.

So to sum up what went wrong and my advice to you guys:
- if you are not a native speaker - the game is skewed against you - leave it,
- if you have some certifications it's not enough. Become a Cisco God or learn to sell, that are two working paths (simplified, but you get what I mean),
- if you are salesperson type you don't need profound technical knowledge. Everybody will kiss your hands for making successful sales,
- if you are a "geek" type be a genius geek or leave it,
- if you want to learn new things, consider another jobs. Learning at home after 12h of office work is not an option either,
- consulting job is tougher and in many cases less paid than corporate jobs. Be really sure you want this kind of job before you switch.

A word about my future plans. I stick to my boring office job, and enjoy its predictability. Last two years I learned a lot about investing (my M.A. was in business, so I didn't start from level zero) and improved my saving for an early retirement (I'm 35). I dropped my certifications (maintenance fees, CPEs and training are costs) and used this money for investments. Without my certifications I wouldn't be able to get where I am in terms of job, but now they can't push me forwards anymore.

I hope to have helped someone with this (loooong) story

seccie

veritas_libertas

Thanks for the fascinating and very relevant post that you added to this already great thread. I'm glad to hear things got better for you.