Security+ certified, where to next?

MacGuffin Member Posts: 241
I saw some internal job postings at a company I just started working for. I took the job I have in the hope I could move up quickly into a job more fitting of my interests and skills. One job of interest is a network security position. A line in the job requirements states:
Certifications such as CISSP, SSCP, GSEC, GCFW, GCIA, GCIH, GCWN, GCUX are a plus.

As of right now I have Network+, Security+, and CCENT certifications. I have training lined up for VCP5, CCNA, CCNA-voice, CCNA-security, and some sort of Microsoft server certification. I talked to the recruiter about the position and he says that they will likely start interviewing for this security engineer position in the spring.

The question is, if I am to get this job which of the listed certifications is the "best" one to try for? The training I listed above is flexible, I can likely trade one cert for another if I can convince the powers that be that it'd be in my best interest to do so. The powers that be are in this case the US Department of Veterans Affairs. They paid for gobs of training in the last year and it appears they will do so again this year so long as I can show it will lead to gainful employment.

Right now that list of certifications in the job description is just a bunch of alphabet soup. I'm asking if anyone would be willing to help an old soldier try to make some sense out of it. Preference will be given to those certifications that I can use for continuing education points for my existing certifications.

Thanks all.
MacGuffin - A plot device, an item or person that exists only to produce conflict among the characters within the story.

Comments

  • leizaR Registered Users Posts: 1
    I'd just like to say something about one of the mentioned certifications. I know the SSCP from ISC(2), according to CompTIA's page CompTIA Continuing Education Program (if you expand the Security+ section), would renew your Security+ & Network+ certifications. I've also heard the SSCP is part of the U.S. DOD 8570 Directive for Technical Level 1 & 2 certifications, where the A+ & Net+ are also mentioned, so this means it could be like a next step from your Sec+ if you were looking to just get a certification that met one of the requirements.

    I'm not sure of the others mentioned either but here is a link to the 8570 Directive from the ISC(2) site, kinda gives you an idea of how the SSCP is viewed in contrast to some of the certs you have. https://www.isc2.org/uploadedImages/%28ISC%292_Public_Content/Community/DoD%20Fact%20Sheet.gif
  • YFZblu Member Posts: 1,462
    So here are my initial thoughts on the cert list above:
    CISSP - Five year requirement to become an official CISSP, it can be bumped down to four years for various reasons; your Security+ being one of them. You can, however, become an 'Associate of ISC2' if you pass the CISSP exam without the requisite experience, and that is still impressive on a resume. I don't know your background, but if you do not have experience working in InfoSec this is not a realistic goal to accomplish within the next few months. Not even close, honestly. This is a difficult exam and not something for the entry level InfoSec candidate.

    SSCP: Another ISC2 certification with prerequisite experience involved. The InfoSec experience required to officially hold that certification is one year minimum. I assume you can also pass this exam without the experience and become an 'Associate' at that level.

    We can lump the GIAC certifications into one for this reason alone: Cost. Official GIAC exam materials are distributed by the SANS Institute and their training costs thousands of dollars. You can of course challenge the exam yourself without their training, IIRC the exam challenge itself costs $1,000 if you go that route.

    So the above looks sort of bleak - I know everyone's path is different; that being said I would still like to share my method for pushing through the process. Long story short I completed the Security+, CCNA, and CCNA: Security which laid a nice foundation. I then applied for and was accepted into the Work Study program with the SANS Institute. For an 80% discount I was able to work a SANS event, attend a conference (GSEC), receive the official exam study material, and also received an exam challenge free of charge. Adding the SANS education to my resume is one of the major reasons I got my first job in security. Have the mindset of security and have the passion for it and eventually someone may take a chance.

    As far as the certifications above I believe SSCP is probably the most achievable certification for someone in your position considering the study materials are easier to come by yet not as vast as the CISSP. Good luck.
  • MacGuffin Member Posts: 241
    YFZblu wrote: »
    I don't know your background

    Let's see if I can strike a balance between filling in some of the details and boring everyone with my life's story.

    I have a BS in Computer Engineering. I took some graduate level courses on information security in an aborted attempt at a graduate degree. I did some computer support while in college and after college. I was a verification engineer for five years, verifying digital circuits used in communications equipment. This position required knowledge of Ethernet networks, internet protocols, cryptography, communications theory, and how to keep a secret.

    Despite my understanding of secure communications I had some difficulty with the Security+ material since a large portion of it seemed to focus on rote memorization. I spent many years trying not to clutter my head with readily available information such as the key lengths of a given cryptographic algorithm, or what port numbers belonged to which protocol. Given the short time I had to cram such information into my head I was pleasantly surprised I passed the Security+ exam on the first attempt.

    Doing some research I found only the CISSP course is offered in the area. Granted, I did not do an exhaustive search but if I am to take any formal training towards a certification it would have to be offered by an institution that the VA has a relationship with for me to take it any time soon.

    This brings up another aspect of this search for the next step on the road to becoming a security engineer. I need to be able to find the required training, and the place to take the required exams. Where should I be looking for places that offer these things?
  • bobloblaw Member Posts: 228
    You can get the CISSP. Net+ and Sec+ are great builders. You should basically be able to skim the Network/telco/some cryptography sections and know a lot already.

    With what you know, I'm not sure I'd take the course. A book along with some quizzers and you should be good. Keep your $2-4k (unless someone else is going to pay of course).

    One piece of advice - don't get bogged down when reading the book. When it gets to straight memorization, move on. You can tighten that up before you sit for the test. It's pretty broad.
  • MacGuffin Member Posts: 241
    bobloblaw wrote: »
    With what you know, I'm not sure I'd take the course. A book along with some quizzers and you should be good. Keep your $2-4k (unless someone else is going to pay of course).

    Someone else will pay for the course, the American taxpayer. If I can make my case to the VA that I can pass the certification exam this year then they will very likely pay for the training and the exam. What is working in my favor is that I have similar training already approved and making a case to swap one course (CCNA-Security) for one of similar difficulty, subject matter, and cost (SSCP? CISSP?) is easily done.

    I found that the CISSP course is about the same price as the CCNA-Security course, a bit cheaper even. How does the cost of the exam compare? Who does the testing? Is it fair to say that the CCNA-Security and CISSP certifications cover similar material? Is the material of similar difficulty?

    I don't want to focus only on the CISSP but that is where I'm trending since I know a place that is local, and VA approved, that is offering the course.
  • DoubleNNs Member Posts: 2,015
    My opinion? Switch out CCNA-Voice for the SSCP (or CISSP). Do CCNA, CCNA-Security, then SSCP. You'll have a grasp on both networking and security. And that seems to be the easiest to obtain path.
    Goals for 2018:
    Certs: RHCSA, LFCS: Ubuntu, CNCF CKA, CNCF CKAD | AWS Certified DevOps Engineer, AWS Solutions Architect Pro, AWS Certified Security Specialist, GCP Professional Cloud Architect
    Learn: Terraform, Kubernetes, Prometheus & Golang | Improve: Docker, Python Programming
    To-do | In Progress | Completed
  • wes allen Member Posts: 540
    MacGuffin wrote: »
    Is it fair to say that the CCNA-Security and CISSP certifications cover similar material? Is the material of similar difficulty?

    CCNA-Sec and CISSP are both security certs, but they are way different from each other. CCNA-Sec is focused on Cisco network security gear only. CISSP is a very broad test on everything from network security to secure software to physical security to legal issues with IT. If the Sec+ made your head spin with memorizing some port numbers, then the CISSP is going to be a challenge, as there is a whole lot of stuff to remember. Also, your experience may or may not be accepted for the full CISSP, so you might be looking at Associate of CISSP.
  • MacGuffin Member Posts: 241
    wes allen wrote: »
    CCNA-Sec and CISSP are both security certs, but they are way different from each other. CCNA-Sec is focused on Cisco network security gear only. CISSP is a very broad test on everything from network security to secure software to physical security to legal issues with IT.

    Right, the Cisco test will focus more on the "how" while CISSP will be more about the "what" and "why". Perhaps I did not phrase my question well. It's difficult to do so with the medium we're working with here. Perhaps I should focus more on the relative difficulty and costs of the different certifications. It appears the material covered is similar enough that many people group them together, much like how they were in the applicant requirements from the job posting example I gave.
    wes allen wrote: »
    If the Sec+ made your head spin with memorizing some port numbers, then the CISSP is going to be a challenge, as there is a whole lot of stuff to remember. Also, your experience may or may not be accepted for the full CISSP, so you might be looking at Associate of CISSP.

    Doing some more research I'm tending to agree with you. Perhaps I should just keep on the CCNA-Security path and/or get the SSCP cert.

    Still looking for where I might be able to find training for the certs listed, and where I can go to take the tests. I'll be doing my own searches but I'd appreciate some guidance to help me along.

    Thanks to all for your replies.
  • DoubleNNs Member Posts: 2,015
    Have you done the self-study route for any of the certs you have now?
    You might be able to just get a textbook for cheap and study through the material w/ some labbing- esp for the SSCP I'd assume.
  • MacGuffin Member Posts: 241
    DoubleNNs wrote: »
    Have you done the self-study route for any of the certs you have now?
    You might be able to just get a textbook for cheap and study through the material w/ some labbing- esp for the SSCP I'd assume.

    I did a training course at New Horizons for each of the certs I have now. (New Horizons Learning Center is national, right? Most people know who they are?) I also had practice tests from Transcender to gauge my progress.

    I took another closer look at the ISC2 and GIAC certifications and I'm still not grasping what it takes to get certified. My recently taking cold medicine might have something to do with the confusion. It appears that getting a certification from GIAC or ISC2 requires more than just taking the test. It looks like I have to take an approved course and get someone to sign off on my experience. Am I understanding this correctly?

    To get the SSCP I'd need someone to attest that I have a year of experience in network security. The CISSP has a five year requirement. I didn't look too close at the GIAC tests since I still have not found someone that offers the training and testing.

    I'll be writing an e-mail to someone at New Horizons to see what they know about these certifications.
  • wes allen Member Posts: 540
    For GIAC, SANS is pretty much the only training provider - https://www.sans.org/find-training They also have a well regarded CISSP class as well. There is no work requirement for GIAC, but challenging the tests without the class material is pretty tough.

    CISSP requires 5 (or 4 with Sec+, or a few other certs/degree) years of experience within two of the domains. You can take the test, and if you pass, you will receive the associate of CISSP designation until you meet the experience requirement.

    I don't know how much New Horizons will be able to help on these, though they may have a CISSP offering. Regardless of which class you do, plan on a fairly significant amount of self study with any of these certs.
  • MacGuffin Member Posts: 241
    wes allen wrote: »
    I don't know how much New Horizons will be able to help on these, though they may have a CISSP offering.

    New Horizons does offer the CISSP course. They have SSCP listed as a course they carry but none are shown as scheduled on their website, at least not in their eastern Iowa locations. I suspect they offer these courses when local employers ask for the course, that's what happened with the Security+ class. A group of people came there from the DoD and there was room for me in the class.

    Thanks for filling in some of the blanks with your post, that will help a lot in my research. I also wrote New Horizons, given the time of day and that some people get President's Day off work, I don't expect a response until Monday or Tuesday.