Frustrated in deciding on what security cert to get...!

So I have been reading a bunch of threads on here on the many different security certs. I have read some insightful posts - and I keep on jumping back and forth on what cert I should be going for.
I currently have my A+/Network+/Linux+/Security+ and my Linux Professional Institute Certification Level 1 (LPIC-1). I have an Associates Degree in IT-Networking. I am currently taking classes part time to finish up my Bachelors Degree in the same thing (should be done in 2 years). I have been working in a diverse network operations center for the last five years (not a specific security focus).
I have always enjoyed the area of IT security and I have recently made the decision to specialize my career in it.
The problem I am having is I can't decide on what cert to go for. I want a cert that is worth studying for, help solidify my security knowledge, land me a security job, and will help propel my career to some better paying positions. But it seems like most (if not all) the certs require several years of experience specifically in security (CEH) or 5 years and your first born son (CISSP.)
It feels like I am stuck in a "chicken and the egg" scenario...
I am sitting on the fence about Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), or the Offensive Security Certified Professional (OSCP). My employer will pay for any training and the certificate IF I pass.
I want to help my company build up their security posture, identify areas needing improvement, and mitigate risks by implementing systems/policies/countermeasures. I foresee an even and good blend of managerial/pentest/tech work (such as implementing IPS), etc.
Help?
Comments
Honestly, having done all three...you'll get a lot more out of that one than CEH or CISSP anyway.
This. I have learned more and had much more fun so far with OSCP than with CISSP.
Also, since you have sec+, you only need 4 years for CISSP, and you can take and pass the test without the experience, you just can't get the full CISSP endorsement until you meet the experience requirement. Depending on what your duties are currently, some of your time might count toward that requirement.
If you have a degree, one of those years is waived.
I guess my big question is which cert... not necessarily the requirements of the tests. What are employers looking for? What is the better cert?
What is the better cert? OSCP.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
In the security field there will always be the chicken and egg.....
Just begin with something, nothing is perfect. If you begin with OSCP you will feel that you need to know more of this and that. And it is the same for CEH because it is too wide.....
It is your personal IPS to stop the attack.
I don't agree with either of these statements. CISSP is a very good cert, and if you actually know everything that is included in those 10 domains, you will make a hell of a security professional. OSCP is a completely different kind of cert. But I wouldn't say that either is better. Though there is something to be said for hands-on examination.
And companies that are looking for PenTesters specifically generally know what they are looking for and will be more likely to give an OSCP the time of day, compared to a CISSP.
Hrmm.
I did a quick term search on Dice.com and monster.com
Dice:
OSCP: 38 results
CEH: 137
CISSP: 1306 results
Monster:
OSCP: 21
CEH: 43
CISSP: 749
Is this just a HR thing not listing OSCP/CEH on job postings... Or do these people really want to see the CISSP?
CISSP is a defensive posture while OSCP is an offensive posture (I suppose technically you can throw CEH in this category also). Based on what you said I think CISSP would be a better ROI for you since you want to guard your company. If you wanted to work for a firm that tests other organizations' security posture I would say OSCP.
Ultimately you need to pursue a cert based on the job you want to do (because that is the knowledge you will need) not chase a cert based on what people think is better.
Realest ish I ever read on this board!!! That's a line I wish everybody on this site would take to heart. Please post this in the Cisco forum, lol!
I would think that learning the tactics that hackers use to compromise systems - would be the best way to learn how to prevent them from doing it. The best offense is the best defense egh?
Good point though...
I was just about to purchase the "Penetration Testing with Kali Linux (PWK)" online training for $800 - as that is a prerequisite before taking the OSCP.... Now you got me doubting myself again.
I feel like a tennis ball.
You need to understand that there is more to information security than guarding an organization against attackers. What about disaster recovery and business continuity? If an attacker is successful the organization is dependent upon returning to normal business as soon as possible. Is an offensive approach going to provide that?
https://www.cool.navy.mil/ia_documents/ia_iat_flow.htm
https://www.cool.navy.mil/ia_documents/ia_cnd_flow.htm
My pen-testing path so far is:
BS information security --> Security+ ---> CEH (currently here) ---> SSCP ---> one or multiple (OSCP | GWAPT | GPEN | eWPT | eCPPT)---> CISSP
If you're more focused on being offensive and technical I'm finding web app is the way. That means learning Python, C, Bash, Ruby, etc.. seems to have a very promising career outlook, and job security aspect. Not too many doing this route. I'm finding most companies don't need basic pen testers, because they can just do it themselves, or pay a small company $1200 to do a basic pen test. Dice.com shows only 16 jobs for pen tester. Web app shows 19,608. So I'm going all out web app.
If you're more focused on all-around security and want to be an ISO or even just a Sr. Security person then plan on working towards getting a CISSP + MSIS and MBA... In the next few years I'm sure it will be PhDs because things never seem to be enough. I see so many people having to get ABC soup just to stay in their positions. Whereas a programmer or web developer/tester just has to stay well versed in programming.
Security+ ---> SSCP ---> CISSP
CEH ---> one or multiple (OSCP | GWAPT | GPEN | eWPT | eCPPT)
How about being a WebApps pentester? That's a very specialized field that's very much in demand by all organizations with a deep online presence. You also get to show customers why an IPS, WAF, and SSL aren't going to solve all of their website hacking problems, and how proper software design and coding is how to prevent new vulnerabilities from sneaking into their systems.
A) It is a real-world practical knowledge test. It's not just a brain **** test where you read a bunch of books and regurgitate seemingly superficial information.