After the CISSP?

NavyIT

Well, it's been less than 12 hours since I passed, but I'm always looking for the next step to take. What did you guys do after passing the exam? What else is out there that would benefit me at this point? I know some people think the CISSP is the end-all-be-all, but I hope it's not.

redz

It depends what you want to do. Your career path dictates the next step. The CISSP is just a stepping stone - it's the checkbox that everyone seems to have for security personnel.

What are you trying to end up doing, or what are you already doing?

Like a certain technology? Get tech-specific certs. Like hacking? CEH followed by OSCP would be my next move. Is forensics your cup of tea? Then a CHFI. Project management? Get a PMP.

It's hard to choose after getting the CISSP, honestly, unless you already have a path planned out. I would say, without any real direction my next move would be a CISM. It's still technology agnostic, widely desired, and gives you time to figure out where you want to end up.

JDMurray

The certs you get are determined by your IT career path. Where are you headed now, or where do you want to be in five years career-wise?

NavyIT

I'm not really sure where I'm headed now. I am still Active Duty so when I get out in a couple of months, my main focus is just making sure I get a job, period. I think I'll end up working for the DoD and I would like to be involved in the C&A process for various military installations/commands.

paul78

I don't really have any advice since I don't know what C&A means - but I just wanted to congratulate you on passing the CISSP exam. I enjoyed reading your progress in the other thread. Well done -

JDMurray

With the CCNA:Sec and CISSP you are a good candidate for NOC work and then moving into a proper InfoSec department. Head for the (new) MCSE if you'd prefer system admin work. There are still a lot of private sector companies that work with the DoD (*cough* Verizon *cough*) looking to hire recent veterans too.

NavyIT

Thanks, paul. C&A is Certification and Accreditation.

JD, I'm not sure if a NOC is where I really want to be, although I don't really know everything that goes on in one. I know that I don't want a job too heavy in networking. I know I have the certs, but since taking on my current role as IA Officer and studying for and earning my CISSP, I know I want to do something more in-line with specifically security. Like vulnerability assessments, policy writing, etc.

paul78

If Certification and Accreditation is an audit, compliance, or risk management type function, perhaps you may want to explore the ISACA certifications. You can find more information at www.isaca.org.

NavyIT

I was looking into those. The CISA looks like something I might be interested in. The only problem I see with that is I don't see job postings asking for it in my area.

paul78

The ISACA body of knowledge is fairly well respected and well-known in IT audit, security, and risk management. Perhaps, you might want to consider it anyways. Most of the people in management that I know that work in audit and risk hold ISACA certifications.

Jake007

Mike,

CONGRATS to you,i know you were worried and concerned about passing, WELL YOU DID IT, i am glad we were able to assist you and keep you motivated. now its your job to pass that knowledge onto the next person. So what are your plans next? they didnt make you re-enlist to get the Cert?

NavyIT

No, there is not a re-enlistment requirement.. you just have to have a certain amount of time left on your contract. But, the CISSP is considered an IA Workforce certification so those requirements are watered down. I think they will pretty much approve anything you send at them, I've used the Navy for every cert I have (8 now) and have never been turned down. They also say if you fail, they will not fund it a second time, but a guy on my ship failed Security+ twice and they still funded it a THIRD time... so I don't think those rules are very concrete. At this point, I'm just looking forward to getting out and finding a job where I don't have to be gone all of the time and can raise my family.. together with my wife instead of being a part-time husband and father.

JoJoCal19

NavyIT wrote: »

I was looking into those. The CISA looks like something I might be interested in. The only problem I see with that is I don't see job postings asking for it in my area.

What?

If you're still in Mayport, I just searched Indeed.com for CISA in Jacksonville and got 65 job listing results.

NavyIT

I'm most likely going to move back home to Charleston, SC after I separate. 4 jobs pop up there.

RanMic

Whoooo hooooo! South Cackalacky! My home!

I would say to consider the GS route (2210) beacuse there are a ton of IA spots popping up daily on my searches. IA is one of those areas though that people love to hate you....LOL. Our IA group is not bad all though. I'm 2210 (sysadmin) buy have considered IA on many occations just to change it up a bit. Plus you could apply your AD time to retirement. Either way though Civilian or GS, Charleston should give you some options.

redz

NavyIT wrote: »

I think I'll end up working for the DoD and I would like to be involved in the C&A process

CISSP & OE cert covers you IAT levels required for C&A, so you're good there. Get a Bachelor's, it raises your bill rate if you go defense contractor (EDIT: After stalking your LI, you have one). Getting a CAP would be good, some places are starting to look for them (especially with DIACAP retiring and moving to DIARMF, the NIST knowledge will give you a leg up). The CNSS classes are pretty useful, too, but I don't think you can self-study for those.

Depending on which branch you want to work with (I'm guessing Navy (EDIT: I realize this is a long shot)), you should look up their requirements to be a Validator.

USMC is a few years experience, USMC Cybersecurity Assessment Methodology, USMC MCCAST for Validators, Security+, CNSS 4015 & 4016 E or above, and an operating environment cert. Cybersecurity Assessment Methodology is a hard course to get in to, but they'll waive it if you have a C|EH. MCCAST for Validators is equally difficult to get into, but if you decide you want it drop me a PM and I can try to pull some strings. I have a few friends who teach that class.

Navy has different levels of Validator, and being a MCEN Validator satisfies only their intermediate level (save the two USMC courses; those aren't required). The FQNV requirement is similar, but also requires a Bachelor's in a technical discipline. I don't know the Army or Air Force requirements, but I'm certain you could find them with a little Google action.

Now, validation is effectively auditing, but having it on your resume will help a ton when looking for C&A/SA jobs in their respective branches. Once you're IAT III, which you are, go for validator certs. Once you're a validator, get whatever certs suite your fancy. It depends what position you'd like to hold within the process.

C&A Analyst? Nobody cares. Just get technology agnostic certs at random until you have literally all of them.
ISSE? ISSEP.
ISSO, IAM? CISM.
Validator? See C&A Analyst, but after you get all the technology agnostic certs, get all the technology specific certs.
Person who does nothing but run vulnerability scans and forwards them to people because he or she is a lazy prick? Don't get anything. You don't take pride in your work anyways, why try to get a higher level job to suck at more important stuff?

NavyIT

Wow. Thanks, redz. That's some pretty interesting information. I will have to look into that. It's definitely something I may be interested in. So what credentialing agency provides those certs? Is training required to sit for them? And is the training expensive?

redz

Uh, credentialing agencies... Well:

CISM: ISACA (training not required)
ISSEP: (ISC)2 (training not required)
CNSS 40**: CNSS (Training required I think - Security University's Q/C&A is what I took, covered the four in my cert list, it was very well done. IA2 has an accredited course as well, I believe.)
USMC MCCAST: The USMC C&A team & Conscious Security, Inc are the only two running classes to my knowledge, USMC owns the certification (Training required, ~$2000 commercially, unknown through the C&A team)
USMC CAM: The USMC Blue Team is the only group running this course to my knowledge, and I believe they only give it 1-2x per year (Free if you can find it and actually get into it... Good luck with that though, seriously, your best bet may be to try and be sent to the annual USMC Cyber Security Consortium and sit it there, that's what I did.)
C|EH: EC-Council (training not required, this can fulfill the Cyber Assessment Methodology requirement for USMC Validator)

Honestly, check out the requirements to be a Fully Qualified Navy Validator (FQNV), make a checklist, and start with those (obviously with exception to the 5 year naval systems validation experience requirement).

EDIT: After sitting both IA2 and Security University CNSS courses, the Security University one is more in depth and more difficult. It's also marketed as the only single-week course allowing you to qualify for the 4016A (top level), as opposed to I or E (bottom and mid tiers). I would recommend the SU course for that. I don't know how their other courses are.

NavyIT

Ok, thanks. I was more inquiring about the certs required to become a validator. I think I may go for the CISA next, because after looking at some questions in one of the CISA study guides it looks like a lot of the stuff I learned in my CISSP studies.

MrAgent

Have you thought about moving up to the DC area for work? There are a ton of DoD/Contracting positions up here. I am also a former Navy IT2, and I am actually going back in the reserves as an IT2 as well.

NavyIT

I've talked to my wife about it and I don't think it's for us. We've been there a few times and weren't crazy about it. Plus I feel like I need to make 100k to live in the surrounding area.

MrAgent

With the experience you have now plus the certifications and clearance, its easy to get a job making that around here. Check out indeed.com

redz

There is a SPAWAR branch in Charleston. Look for jobs there. It is, basically, a Navy-owned defense contracting firm. Since the Navy is forcing all contracts through SPAWAR (SPAWAR was failing because it is more expensive and brings less to the table than real defense contracting firms), there will be more jobs there in the very near future.

EDIT: If you do get a job there, take everything anyone says with a grain of salt. They promote out of incompetence because they can't fire. You have been warned.

McGintyDM

NavyIT Congrats!!!! I know you were nervous about it. I passed last week as well! Hardest thing ever.

NavyIT

Good job McGinty! It's a good feeling, right?

redz, I know a few people that work for SPAWAR so I'll be looking into that for sure, but I think the contractor route may be the way to go for me to start with. I had a phone interview today that went well and the first figure they mentioned to me was 70k, so that is great for me and actually more than I was expecting for Charleston.

NavyIT

Well, as expected, my CISA voucher got denied because I don't have enough time-in-service left. I figured that would happen, but tried to slip through the cracks by submitting that voucher. I guess for now I'll just focus on finishing my last classes and hopefully a future employer will help pay for certs.

JoJoCal19

NavyIT wrote: »

Well, as expected, my CISA voucher got denied because I don't have enough time-in-service left. I figured that would happen, but tried to slip through the cracks by submitting that voucher. I guess for now I'll just focus on finishing my last classes and hopefully a future employer will help pay for certs.

Honestly I'd try and pony up the $600 for the exam anyways. The CISA is a hot HR keyword, just do targeted job searches for it, for example on Indeed. It's second only to CISSP in how many hits you'll get. Not sure how much longer you have in but if you take it in December and have it when you get out, especially with the CISSP, you should be golden.