What next ?

Well, I passed my first exam SSCP, way back in Jan. Before going for the paper I had read on this site a members experience about the exam itself. I always wanted to join the site but I've been busy.

I've cleared SSCP, CISSP and CISA this year. I was planning to CISM this June but I somehow decided to sit for CISA. Anyway thanks to God I did pass.

My question and the subject of this thread starts from here:

What next ? I am planning to sit for CISM this december. But I want to know if it's worth it. I mean post CISSP and CISA is it still advisable to do CISM. I'm new into the job arena. I graduated 2 years back and I really will be streaching my funds if I go for CISM, however if it's worth it there is no question about it. I am planning to register before 19th of this month which is the deadline for early registration (that was i'll have some money).

So what do you guys think ? Is it worth it to go for CISM ? or should i do something else ? I am planning to sit for GCIH and later GIAC gold but this will be before december (if everthing works out good). I am actually streaching my finances because i had to give CISSP twice (i scored 691) in the first go

However please let me know if my current certification path is good or could it be better. I'm 23 and I have 2 years of work experience all into core security.

is SSCP>CISSP>CISA>CISM (GCIH > GIAC GOLD [optional because of finances]) okay ?

Or is there a better alternative path ?

Find more posts tagged with

Comments

Your path is really good. I don't know what kind of security work you do, so it helps if you tell us details about your work experience.

Only catch is, I recommend you back up your certifications with experience.

Welcome to the forum, you are definitely a good add to TechExams. I'm interested to know your studying strategies and experience.

Welcome to Tech Exams

How'd you write CISSP with only 2 years experience.

You can write CISSP without the stipulated 5 years minimum work experience. If you pass you get the ISC2 Associate of CISSP status. You need to get 5 years of work experience within 6 years of the date of passing the exam.

There are waiver available for 5 year work experience.

Read more about it here :
CISSP Education & Certification

(ISC)² Security Transcends Technology

(ISC)² Security Transcends Technology

Parth wrote: »

You can write CISSP without the stipulated 5 years minimum work experience. If you pass you get the ISC2 Associate of CISSP status. You need to get 5 years of work experience within 6 years of the date of passing the exam.

There are waiver available for 5 year work experience.

Read more about it here :
CISSP Education & Certification

(ISC)² Security Transcends Technology

(ISC)² Security Transcends Technology

I didn't need a link just asking because you didn't put much info in your first post.
As a hiring manager I'd say you have to many management level exams without the practical experience to back it up. While i would probably bring you in for an interview I'd grill you much harder than other candidates on things not found in a CBK. And to be fair I probably wouldn't hire you simply for the fact that you're so young and senior positions "usually" are best served by more mature people. SANS exams would lend more credibility to you being sufficently trained at a senior level if you don't have the resume experience to back it up. A CISSP position usually requires the cert and 8+ years diversified experience across a range of jobs.

Hope I havn't offended you in any way. Every IT person has the same story of having some older idiot do less work while getting paid more

As far as my study strategy goes;

For SSCP - I purchased the SSCP Official CBK guide + testout online (surprising but i didn't know what else to do, didn't have guidance of members of a forum like this

)

For CISSP - I purchased the official CISSP CBK + shon harris cissp guide 4th edition. I would strongly suggest anyone AGAINST BUYING SHON HARRIS VID'S (any version platinum / gold whatever. That will be the worst thing you can do ! No good Video's.. However her book is really good and gives lot of knowledge.
I must have given 5-6 weeks for the exam. I gave it in April then May

Okay now for both CISSP and SSCP these are conceptual exams hence don't expect them to ask question's right out of the book. To be frank i got around 2 question's that were *almost* right out of the book. All the answers in the exam are similar but only one will stand true in the situation. I would suggest going through question's before giving the exam. For all those who want to pass the exams through ****** please note that CISSP and SSCP are suppose to help excel your carreer. I am confident that no one can pass through **** but if someone does please understand you've just cheated yourself.

I didn't go through them but CBTNUGGETS are good in context of knowledge gathering.

Lastly for CISA - This was sort of covered in CISSP / SSCP. Only 2 domains were new in a way however much easy then CISSP and SSCP. The catch is the cost of the official notebooks here they cost around 160 USD for a non-member !

I have gone through CISM material once (video's) and it seems rather non-technical exam. Not AT ALL TECHNICALLY DEEP !

About my current work -

I work as a Sr. Executive Information Systems Security Analyst. with a Telecom company here (largest

).. I do plan to move on though

Thanks for welcoming me to the gang mate ..

GAngel wrote: »

I didn't need a link just asking because you didn't put much info in your first post.
As a hiring manager I'd say you have to many management level exams without the practical experience to back it up. While i would probably bring you in for an interview I'd grill you much harder than other candidates on things not found in a CBK. And to be fair I probably wouldn't hire you simply for the fact that you're so young and senior positions "usually" are best served by more mature people. SANS exams would lend more credibility to you being sufficiently trained at a senior level if you don't have the resume experience to back it up. A CISSP position usually requires the cert and 8+ years diversified experience across a range of jobs.

Hope I haven't offended you in any way. Every IT person has the same story of having some older idiot do less work while getting paid more

Oh thats okay..

No problems there.. I am actually happy hearing that.. I've done what I need to do few years down the line right now. That actually gets me an interview, so i guess thats good .. While I do agree that experience nurtures a person I don't agree with the fact that senior position's being reserver only for "experienced" people. That would in a way hold true for managerial position's (to an extent) but for a technical person knowledge is the key and not experience. I am not going to learn anything new being at executive level that I will learn require to be at higher managerial positions. Passing CISSP means the same as before 5 years of experience and after 5 years of experience. I am not saying people at ISC2 are wrong but as far as learning goes it will be the same. Only thing will be that a person with 5 years work experience will have more knowledge about handling large teams or maybe about corporate politics

To sum it up, I'm happy knowing i get an interview. That at least makes me stand out of the crowd

and that to me matters a lot

Oh just to ask you would hire me 6 months down the line knowing I have

CISM, GCIH and GIAC GOLD ? I'm not getting ahead of myself. I'm just asking

Parth wrote: »

Oh just to ask you would hire me 6 months down the line knowing I have

CISM, GCIH and GIAC GOLD ? I'm not getting ahead of myself. I'm just asking

You never know but odds are there would be heavy push back even if I wanted too because through stereotype senior management would see a kid leading an enterprise division. I'm too young for my position as well so you have every chance of getting what you want even earlier.

Team lead with a guaranteed track would probably be where I would view your resume. Motivate the lazy older guys

.

Ah now thats nicer to hear .. Cheera mate

I wonder why couldn’t all those *old farts* predict the economic downfall with all their knowledge and experience ..

Having passed all of those certification exams will do you little good in any job market without the experience to back them up. The ultimate goal is to collect knowledge and experience, not certifications. Certs are only the little trophies on your shelf; they should represented the hard work you've put into yourself and your career, and not serve as only fill for your resume.

Also, you are not actually certified until you have collected the requisite years of experience and passed the endorsement/auditing procedure. To represent yourself as "CISSP certified" when you are not is unethical, so never attempt to represent yourself as something that you are not.

Interesting, so in which country do you work if I may ask ??

I disagree, as you gain more experience you will get to know what it means. To me, knowledge is: training, reading, practicing in LABs, AND facing real world problems. This is ultimate knowledge to me, IMHO.

Now having these certs means that you have good background and you put enough efforts to pass.

If I were you, I will focus on the things I have the chance to get hands-on experience with. For example, If my job is pen testing, then I'd do all relevant pen testing certs, along with long hours in lab testing on those things. This is the best thing to do to me.

But passing those exams is a good achievement.

If your job isn't offering you the practical exposure you want, I recommend you look for a job where you get more and more practical exposure, at least for 5 years....well that if you want a technical job (like myself).

Hmmm.. With all due respect to everyone here, I fail to understand the outlook towards someone who has *passed* these at a younger age. My question was should I make changes to my certification path and / or are they any other certs that someone would recommended.

I never asked or tried to ask if after doing all these certs Microsoft will make me CISO.. Hell no.. My point was and is to see if my certification path is correct or does it need changes, because I’m new into the Job market. My company or for that matter any company here (I’m from India) doesn't offer money or refunds for certifications and all of this comes out of my pocket, which also has to support my family.

I think there are certain points that people might agree too, the fact that I’ve done these certifications at a rather early age does mean a certain if not a considerable advantage to me. If nothing it will show my dedication towards information security career; which is a must if I want a real hardcore information security job.

It will definitely help in its small way (if not a large one) towards progress in my career.

Also passing these certs will at least prove that I have baseline book knowledge which can be used towards real world situations, wouldn’t it ?

JDMurray, buddy with all due respect (again) please don’t take me or my tone wrong. I am sure passing these certs means a bit (or maybe a lot) more than just trophies on anyone’s wall. It does show my dedication towards IS security. Lastly, even trophies on wall have to be earned right ?

Parth wrote: »

Hmmm.. With all due respect to everyone here, I fail to understand the outlook towards someone who has *passed* these at a younger age.

No one has said anything about "age." It's practical work experience that counts, not age.

Parth wrote: »

My question was should I make changes to my certification path and / or are they any other certs that someone would recommended.

Information Security is a vast subject field, and your certification path will depend on what type of InfoSec career path you want to follow. Your certification path now puts you on the InfoSec auditor path with an emphasis on management. Is this what you want for yourself in your career? You haven't yet stated what area(s) of InfoSec you want to work in.

Parth wrote: »

I think there are certain points that people might agree too, the fact that I’ve done these certifications at a rather early age does mean a certain if not a considerable advantage to me.

Once again, this is not about age. You've got to get that chip off your shoulder, or your poor impression of your younger self will only hold you back in the beginning your career.

Parth wrote: »

Also passing these certs will at least prove that I have baseline book knowledge which can be used towards real world situations, wouldn’t it ?

Not for professional certifications. Many certs are awarded simply for passing exams. The professional certifications you seek also attempt to assure that the cert holder has other professional qualities beyond book knowledge. Simply passing these exams means you get an A-grade for stuffing information into your head, but it doesn't mean you are yet an experienced InfoSec professional, which is far more important to employers than certifications.

Parth wrote: »

Lastly, even trophies on wall have to be earned right ?

You just hit the nail on the head. The "trophies" of professional InfoSec certification must be earned first through work experience and second by passing certification exams. You are doing just the opposite. Passing the cert exams first before having the experience will not get you any long-lasting career opportunities. You walk into an interview with the trifecta of CISSP/CISA/CISM and there will be enormous expectations placed on you that you can't meet. Seeing this happen first-hand will be an experience for you in itself.

JDMurray wrote: »

You just hit the nail on the head. The "trophies" of professional InfoSec certification must be earned first through work experience and second by passing certification exams. You are doing just the opposite. Passing the cert exams first before having the experience will not get you any long-lasting career opportunities. You walk into an interview with the trifecta of CISSP/CISA/CISM and there will be enormous expectations placed on you that you can't meet. Seeing this happen first-hand will be an experience for you in itself.

I definitely agree with that.

CISM has the M for Management; so right now does your position allow you to manage people?

Moreover, your title position "Sr. Executive Information Systems Security Analyst", is this for real? How can one be a Senior Executive in the biggest telecom company of India after just 2 years of experience?

Well.. It's true.. Why would I lie ? Anyway I started off as IT Executive for an entire city (Mumbai, Maharashtra, India. if you must know) for the same company. 2 years and passing few certs later and fighting enough with senior management (odds) I've finally been promoted to Sr. Executive Information Security Analyst. I did lot of incident handling as well as I helped entire company migrate from (at that time) HIPS solution to our new HIPS solution. This was the incident that led to the promotion since I found solution for a problem that didn't let the AV survive with our legacy software

This is about my life and doing certs with money I earn so saying anything except what is the fact would hurt me only.

Anyway to come back to the topic my current KRA involves handling overall security for a group company. From incident handling to regular audits. I am in charge of it all. I have team of 4 people as of now under me. But there are lots of other teams I interact with (fragmented workforce).

Since doing technical certs is what is recommend I'll be signing up for GCIH. This has always been a cert on my list but I can't afford the learning and challenge fees. So any assistance with learning material or other tips will help.

Thanks for the help.
Parth

Parth wrote: »

Since doing technical certs is what is recommend I'll be signing up for GCIH. This has always been a cert on my list but I can't afford the learning and challenge fees. So any assistance with learning material or other tips will help.

As you are already a manager, wouldn't you consider it more appropriate for you to hire an experienced incident handler and delegate that work to him/her?

We'll I am a Sr. Executive not manager and anyway you don't find many GCIH's in India (I've never personally looked out though).

More importantly, this was for me and my growth. I am a commerce graduate which gives me a managerial background. That was the reason I went to CISA first post CISSP. Here your college degree matters much more than certification's you've done. It's very hard for someone to take in a commerce graduate as a InfoSec guy. Hence i spent lot of money early on doing certs only to get accepted.

I've missed on few job opportunities, personally i don't like where I am. To give you an idea, entire company has only 2 CISSP's and 1 Associate of ISC2 towards CISSP. Security in India isn't that large yet. No one *actually* cares. Even though we have very high Internet penetration to home level, very few people use online anything. Ignorance is a bliss here. Reason I was going to stretch myself (financially) and go for GCIH and GIAC gold later on was to get accepted.

Like, opinions here at the forum (i say it with respect) people find it hard to hire someone who has 2 years experience (won't say 23, but it's the fact in India at least) at a good post (good = 6 figure salary).

Anyway, I would appreciate any help towards GCIH cert since their fee's is something I can't afford.

I don't know the details of the SANS GCIH class, but incident handling (and computer forensics) certifications and classes are based exclusively on the rules and policies of the United States legal system. Much of forensics and incident handling involves knowing how to collect and preserve evidence, work with legal and law enforcement authorities, and give testimony in a US court. I suppose that forensicis classes in the UK are more likely to have legal information closer to the legal system of India (assuming the courts in India even admit computer forensics evidence).

SANS also has self-study and mentoring options for its certifications. You can even take SANS cert exams without taking the workshops, but they're pretty difficult to pass without having (at least) read through the offical course materials.

Thanks for the reply JD..

Lol.. Our legal system is primitive.. SANS exams are different from other InfoSec exams. They are more bit-byte level up exams. I cannot go for the hand on session. Even the self study courses are really expensive.. I am sure.. but it's going to have to wait sadly. I don't get refunds for the cert exams I've passed or something..

Anyway thanks again..

Ah well.. I went through the thread couple of times (i wasn't really okay with the entire experience thing, not that i disagree completely; but for some odd reason just couldn't accept the same *old* thinking)

I read on couple of blogs and websites of how CISSP's and CISM's are all considered not so technical or challenging. While I do agree to an extent (a rather slim one because I had a hard time in the exam, maybe i'm not used to such types of questions and all since here we have something straight out of the book) anyway I couldn't afford GIAC certs but I still want to make it out there so i've decided to take CCIE - Security. There is no way i can afford the LAB but i've signed up for the written next month (28th to be precise). I would be giving CISM in december. I'll give lab exam sometime next year but just to answer the question i started

What next ? - It's CCIE - Security (written) ..

Take care and have a nice time ahead.

Parth wrote: »

Ah well.. I went through the thread couple of times (i wasn't really okay with the entire experience thing, not that i disagree completely; but for some odd reason just couldn't accept the same *old* thinking)

I read on couple of blogs and websites of how CISSP's and CISM's are all considered not so technical or challenging. While I do agree to an extent (a rather slim one because I had a hard time in the exam, maybe i'm not used to such types of questions and all since here we have something straight out of the book) anyway I couldn't afford GIAC certs but I still want to make it out there so i've decided to take CCIE - Security. There is no way i can afford the LAB but i've signed up for the written next month (28th to be precise). I would be giving CISM in december. I'll give lab exam sometime next year but just to answer the question i started

What next ? - It's CCIE - Security (written) ..

Take care and have a nice time ahead.

I'm not getting you you're going from management level exams to one of the hardest technical exams without any real prior knowledge??

Or have you already worked the cisco track.

To be honest CCIE exam is for *acceptance*. It's discouraging at times to find the same opinions mentioned here, offline. I've done so many exams just to stand out and *probably* make a statement proving you don't need 10 years of work experience to be at the top. There is no substitute for *practical, real world experience*. But at the same time if you aren't going to let me work at that level how do you expect me to gain the experience ?

I have graduated as a management student. I've done CISSP and other top level certs with one purpose of excelling, thats it. In my 2 years of working here i've worked on highest level of incidents and worked with top guys forming, auditing and rewriting policies..

CISSP is like jack of all and master of none. CISA is for audit and CISM is for management. I think CCIE will fill in technical side of the story. It sounds (and maybe, *just* maybe) is desperate attempt at things but to be honest, there are guys who at young age are really (and i mean *really*) good at certain things, if i'm suppose to wait like everyone else till i earn 5 years of work experience (or more) before given a chance to prove or work at higher grade - whats the use ?. And i'm sure CCIE will help in my ultimate goal to become a CISO

I just want to stand out. thats it. Pure passion maybe.

PS: I hope at this point i don't sound a complete moron.

PPS: I've not done the cisco track (CCNA, CCNP).. But i've in course of my investigations and checking policies worked hours on cisco routers and switches. I have not worked on PIX specific interface but i'm really good at creating rule sets and stuff. Good with networking too..

Parth wrote: »

To be honest CCIE exam is for *acceptance*. It's discouraging at times to find the same opinions mentioned here, offline. I've done so many exams just to stand out and *probably* make a statement proving you don't need 10 years of work experience to be at the top. There is no substitute for *practical, real world experience*. But at the same time if you aren't going to let me work at that level how do you expect me to gain the experience ?

I have graduated as a management student. I've done CISSP and other top level certs with one purpose of excelling, thats it. In my 2 years of working here i've worked on highest level of incidents and worked with top guys forming, auditing and rewriting policies..

CISSP is like jack of all and master of none. CISA is for audit and CISM is for management. I think CCIE will fill in technical side of the story. It sounds (and maybe, *just* maybe) is desperate attempt at things but to be honest, there are guys who at young age are really (and i mean *really*) good at certain things, if i'm suppose to wait like everyone else till i earn 5 years of work experience (or more) before given a chance to prove or work at higher grade - whats the use ?. And i'm sure CCIE will help in my ultimate goal to become a CISO

I just want to stand out. thats it. Pure passion maybe.

PS: I hope at this point i don't sound a complete moron.

PPS: I've not done the cisco track (CCNA, CCNP).. But i've in course of my investigations and checking policies worked hours on cisco routers and switches. I have not worked on PIX specific interface but i'm really good at creating rule sets and stuff. Good with networking too..

I'm just asking because i've never heard of someone successfully passing the CCIE without being heavy into cisco. GL! You should probably blog it as nobody will believe it.

Lol ! Let's see.. Exam is due next month on 28th.. I'm into a BCP project (project lead) till 26th when the project will go under dry run (full interruption test), if it works good; i'll start working from 27th to next month 27th and 28th i'll give the exam..

I really don't know how tough is CCIE (i'm going through threads and other places as i write this) but i'm sure it is possible to pass if anyone would study with dedication for a month.. If i do i'll surely blog about it

(i'll take down my experience in a onenote diary till than).. I'll need to work hard for the lab though, however i'll be taking at least a week's break post CISM in December.. Screw the tension.. i'm just too tired

btw, i hope this question doesn't offend you but would hire me if i were a CCIE and CISM too ?

Parth wrote: »

Lol ! Let's see.. Exam is due next month on 28th.. I'm into a BCP project (project lead) till 26th when the project will go under dry run (full interruption test), if it works good; i'll start working from 27th to next month 27th and 28th i'll give the exam..

I really don't know how tough is CCIE (i'm going through threads and other places as i write this) but i'm sure it is possible to pass if anyone would study with dedication for a month.. If i do i'll surely blog about it (i'll take down my experience in a onenote diary till than).. I'll need to work hard for the lab though, however i'll be taking at least a week's break post CISM in December.. Screw the tension.. i'm just too tired

btw, i hope this question doesn't offend you but would hire me if i were a CCIE and CISM too ?

I'd hire anyone who can prove they're good at what they do.

I'd hire anyone who can prove they're good at what they do.

We said

Thank you.

Parth wrote: »

Ah well.. I went through the thread couple of times (i wasn't really okay with the entire experience thing, not that i disagree completely; but for some odd reason just couldn't accept the same *old* thinking)

I read on couple of blogs and websites of how CISSP's and CISM's are all considered not so technical or challenging. While I do agree to an extent (a rather slim one because I had a hard time in the exam, maybe i'm not used to such types of questions and all since here we have something straight out of the book) anyway I couldn't afford GIAC certs but I still want to make it out there so i've decided to take CCIE - Security. There is no way i can afford the LAB but i've signed up for the written next month (28th to be precise). I would be giving CISM in december. I'll give lab exam sometime next year but just to answer the question i started

What next ? - It's CCIE - Security (written) ..

Take care and have a nice time ahead.

If you are planning to do the CCIE written in security in a month with no previous Cisco certifications or significant networking experience the ride will be very bumpy. Many people who have tried to do this simply resort to ****. I suggest you get yourself on the CCIE forum here and post up a thread if you are serious about trying for it. We have one or two security types on the board.

Turgon I was just going through your's and Ahriakin thread.. I am searching for the books he has mentioned and those in the Cisco's CCIE - security page..

I have general experience in networking.. I've never worked on a firewall through any interface but i've written firewall ruleset's.. So it's just getting adjusted to.. I've worked on cisco routers (not a lot but considerable time).. I'm having really hard time getting any of the book mentioned, so yeah i'm sure its gonna be a bit bumpy; lets see how it goes..

Thanks a lot for the suggestion

. Oh and i've never resorted to ****.. not till now and not in the future.. so no worries there..

I'm a lil surprise about the argument of experience, Mr. hiring manager i bet almost 90% of the persons you interview and hire don't have the experience they put on paper.

Most people go to interviews relying on technical knowledge obtained through studying and practicing lab or prolly a few months experience.

Quick Links