Security certification - starting point

araczek

Hi,

Yes, I read the sticky. I have been a System Administrator for the Government for 16+ years. My
job is not exclusively security but we do a LOT of Information Assurance work. We just recently worked
on and achieved network acceditation (which, I know is basically server hardening).

Being as I have been an administrator for so long I want to specialize in some IT area. VMware, Storage
and Cisco along with security were my area's of interest. I just had new requirements for my job and I
had to do Security+, which I just passed. I am also WAY behind in MS certifications (I am MCSE on NT 4!).
So was thinking of security. Just don't think I have the experience according to the 10 domains. Not sure
if I am reading this right but it seems to me I CAN'T pursue this. What then would be my next step in getting
an industry accepted security credential?

Which brings me to the question that I see people here taking the CISSP so I assume they all have the
experience and the CISSP credential or are they associates? CISSP is a great achievement, power to the
people that passed.

But basically what would be a good next step?

demonfurbie

the cissp can be very intimidating

i would suggest looking at a giac or a eccouncil cert before going cissp

onesaint

I am somewhat in the same situation, moving to refine my focus after being a systems admin for a while (same interests, VM, Sec, SAN, R&S). I'm under the impression you'd do well to go for either the C|EH or the SSCP next. Those are both the next steps in security. The C|EH meets the DOD Directive 8570 for some incident handling classifications, I believe, but is an expensive cert unless your employer picks up the check. The SSCP is the precursor to the CISSP and covers much of the same material as I understand it, but is not quite as intimidating. One of the avenues is to take the SSCP then the CISSP as you will have become familiar with much of the information from your SSCP studies.

JDMurray

Go for the CISSP and forget the CEH. If you want 8570.01 value, the Security+ with the CISSP are your best bang for the buck. Go straight for the CISSP if you already have the professional work experience. Go the Security+ -> SSCP -> CISSP route if you either: 1) don't yet have the required experience or 2) just want to take your time learning as much as you can about Information Security. Go for the GSEC afterwards if you like very technically-oriented InfoSec certs.

Bl8ckr0uter

If you have been doing C&A work and have 16 years of legit, progressive experience than blowing through CISSP, SSCP and Sec+ should be no problem for you. I would take them in the reverse order I listed and knock them out within 4-6 months.

rwmidl

Realistically CISSP + SSCP is at least 6 months or more of prep + test time (I know here ISC(2) only schedules about twice a year). With 16 years experience I'd do Sec+ then jump to CISSP.

ptilsen

I think OP's concern is that CISSP experience requirements pretty much state you have to have five years of professional experience within one of those domains. But it sounds to me like his experience would apply and he would be eligible.

Darril

I'd encourage you to go to ISC2s website (https://www.isc2.org/cib/default.aspx) and download the current SSCP and CISSP CIBs and review them. For the SSCP, you only need to meet the experience requirements in one of the seven domains, and for the CISSP, you only need to meet the requirements in two of the ten domains. With 16 years of system administrator experience in IT I'm betting you meet the experience requirements, but you need to look at the domains to verify it.

I agree with others that have posted here that Security+, SSCP, and then CISSP is a good progression for learning the concepts and they all build on each other. You can skip the SSCP and go straight for the CISSP. However, you'll find the SSCP material directly applies to the CISSP certification and is easier. If you take and pass the SSCP, you'll get a good understanding of the ISC2 process, get some confidence, and have a lot of knowledge that will directly help you with the CISSP certification.

HTH,

Darril Gibson
Security Blog

advanex1

rwmidl wrote: »

Realistically CISSP + SSCP is at least 6 months or more of prep + test time (I know here ISC(2) only schedules about twice a year). With 16 years experience I'd do Sec+ then jump to CISSP.

6 months is a lot of time. We've had quite a few come straight out of school, read the book in two weeks and pass the CISSP exam. I'm not saying everyone can do it this way, but we've had a lot of success with our guys.

JDMurray

ptilsen wrote: »

I think OP's concern is that CISSP experience requirements pretty much state you have to have five years of professional experience within one of those domains. But it sounds to me like his experience would apply and he would be eligible.

It's five years of verifiable work experience in at least two of the CISSP CBK domains. Having a 4-year degree, or having a specific cert (such as the Security+), will lower that requirement to four years of work experience. This is one of the benefits of getting the Security+ or SSCP is to people newer to InfoSec work.

advanex1 wrote: »

6 months is a lot of time. We've had quite a few come straight out of school, read the book in two weeks and pass the CISSP exam. I'm not saying everyone can do it this way, but we've had a lot of success with our guys.

Anyone can take the CISSP exam at anytime. Anyone's grandmother can take the CISSP exam right now. Having the required work experience is only necessary for achieving full CISSP certification and is not as a requirement for sitting for the CISSP exam itself. This is actually true for a lot of professional cert exams.