Next milestone... ??

hoccniki

Hi guys, I am struggling with the next certification that I would like to get. I have been in the infosec field (as security consultant) for 4 years now. I have passed the CISA last year and CISSP this year, both in one go by self studying. I am not a very technical person. Although some of my projects do involve technical stuff, I mostly delegate the penetration tests and technical assessment stuff to colleagues or subordinates, and mainly focusing on the strategy, policies and framework. I can understand their attack plans and the results but I seldom conduct the actual test by myself. In my CISA exam, I can score over 750 for IT security and nearly 700 for other portions, but I can only get a merely 470 in the network domain.

I was thinking what kind of certification I should get this year:

CEH - I'm afraid it is too technical for me
ITILv3 - sometimes I need to do IT process reengineering for my clients also
PMP - management stuff that I might need to get hold of
ISO27001 auditor
Incident Handling and Forensics Investigation related certificate - Sometimes I might come up with projects that involves incident handling management, and my company got forensics investigation branch. I am familiar with the really basic stuff (eg. cloning hard drives/some simple work done using X-Ways Forensics, XRY/cellebrite experience)

anymore suggestions? I am not sure which one I should do first......

the_Grinch

Since you are managing a team I think PMP is the way to go.

JDMurray

Do you participate in InfoSec management? If so, it sounds like the CISM is your next move. If you've been doing risk management strategies for 3+ years then the CRISC is something you should look at too.

paul78

I would agree with JD, based on your description, I would advocate ITIL and CISM. Unless you are actually a project manager, I wouldn't bother with PMP unless you happen to be interested in project management.

If you deal with privacy topics of a regulatory, legal, or audit nature (you mentioned CISA), you may want to consider the CIPP.

blaker00

Go get a CCNA. I know it's a technical exam but it will be well worth it in the end.

hoccniki

I always got a feeling that CISM is kinda overlapping with CISSP.... is that the case?

I've asked my boss the other day and he suggested me to go for ITIL and ISO27001 auditor. But at the same time my colleagues said they seldom use their ISO27001 qualification..........

JDMurray

CISSP is suppose to be good prep for the CISM, but they are very different exams. Along with the CISA, they are certianly perceived as complementary.

UnixGuy

hoccniki wrote: »

I have been in the infosec field (as security consultant) for 4 years now. I have passed the CISA last year and CISSP this year, both in one go by self studying. I am not a very technical person. Although some of my projects do involve technical stuff, I mostly delegate the penetration tests and technical assessment stuff to colleagues or subordinates, and mainly focusing on the strategy, policies and framework. I can understand their attack plans and the results but I seldom conduct the actual test by myself. In my CISA exam, I can score over 750 for IT security and nearly 700 for other portions, but I can only get a merely 470 in the network domain.


..

Sorry to be off-topic here, but I'm VERY interested in your job duties.

Can you please explain your job to me and explain the kind of background needed to perform it?

I'm interested in InfoSec management, and I have good background in system administration/storage/virtualization/programming/hardware...etc.


What's the pathway for that? InfoSec analyst ==> InfoSec manager ??

paul78

UnixGuy wrote: »

What's the pathway for that?

Just my 2 cents - as I recall, you have a pretty broad technical background. In infosec, I come across people with 2 types of background. One that is purely technical and two that is purely administrative.

The non-technical folks typically start their careers either as information system auditors or audit management (folks that deal with auditors) or as analyst supporting various ITSM functions.

The technical folks typically start their infosec careers in pretty much any IT discipline you can imagine - software engineering, systems administration, networking, etc.

Most of the successful infosec managers that I encounter usually have a very broad array of skills but will usually specialize in a few areas. Interestingly enough those areas correspond pretty closely to the ISC2 and ISACA domains. I would categorize infosec managers in these areas:

Governance
Risk management and compliance
Program development and management
Operations
Incident management
SDLC and Architecture
Physical security

UnixGuy

Thanks Paul, that's very helpful!

So how do you think people with technical background can progress into an InfoSec management role? Maybe InfoSec analyst job would be a stepping stone? or a PenTester ?

paul78

Yes absolutely. It's just a different path and may lead to diferrent functions. IMO, folks with very broad technical skills make better infosec managers (especiality software engineering, my personal bias), the exception may be people who have network backgrounds that may manage network security ops. But my experience is that network experience tends to be too narrow.

It largely depends on what aspect of infosec you like. What is your background? Are you already in IT management?

Network pentest testing is one place to start if you have a network background. But my opinion is that network pentesting is a pretty comodotized skill and from a risk perspective, I would rather invest in app pentesting. If you have a software engineering background, that's one place to start, ornsecure SDLC support. Server harderning is another if you have sysadmin background.

You may have read that N2IT just got an infosec management job, a service desk providing access control mangement. So thats also one place to look into if you are interested.

I guess I am sort of rambling but depending on your qualifications, there may be more roles out there than you may expect. It does depend also on what you like to do.

UnixGuy

Interesting points.

No my role right now is far from management, it's a sysadmin role, but security is big part of it (system hardening, patching,..etc).

I have programming background from university (think 10,000+ lines of codes), but I've never really worked as a full-time programmer.


I'm just thinking loud, because I don't want to be a sysadmin all my life. At some point I want to make the jump to management, preferably InfoSec management.

paul78

There is no better time than the present if you have enough background experience what areas of infosec do you find interesting?

Do you work for a large enough corporation where you could look internally?

UnixGuy

you are right, maybe I need to finish the damn CISSP and start looking. I do have a good background experience. I completely agree with you, no time better than the present


I'm leaving my employer soon, so looking internally is out of the question. Let's see, maybe my next job will be in sys admin, but not for too long.

I didn't work in InfoSec yet, but I prefer management and policy for now.