Masters vs certificate program vs selfstudy: Cannot decide?

Hello,

Needed advice from all you techs and professionals. I currently have Bachelors in technical management with a concentration in networking, graduated about 8-9 years ago. I have no certificates under my belt, although I have been working as a help desk analyst for the past 6 years. I'm 41 years old and not getting any younger, but I definitely want to get into a more specialized IT field, specifically security is my first choice since I feel it is a very interesting field that is growing. However, I just don't know what to do to get started...should I start off with security + and self study the exam by reading Darryl Gibson book and Messers videos and notes, then start going down the line to study and take the exams of more advanced security certificates. Should I take a certificate program at a online university that offers those 6-12 months IT cybersecurity programs or should I go through a Master degree. I have read that in the IT Field, most employers value certificates more. Also, I wanted to add that my Employer has tuition reimbursement but they only cover up to $5250 for a full year on bachelors/masters/certificate programs and $1000 per year for taking exams such as A+, network +, sec + etc. The cost of university tuition these days are well over 6 grand per year and I don't want to have another student loan to pay. Anyways, I hope I can get some good feedback about my question so It can help me decide what path I should take.

Find more posts tagged with

Comments

asurania

Yea Focus on certification

Phase 1:
I would get Security+ and CISSP out of the way (you will get the associate of ISC2 instead of CISSP till you get the experience) - Those are the HR filter courses.
(CISSP / Associate of ISC2 via CISSP Exam) - is almost mandatory for any security field, so might as well just get it out of the way first.

Phase 2: - https://www.elearnsecurity.com/certification/
Through elearnsecurity I would take the two below courses/certification - They will get you the skills to be job ready, and prep you with the knowledge and skillsets to tackle the OSCP in the next phase.
1. PTS Course - Penetration Testing Student - eJPT Certification
2. PTP Course - Penetration Testing professional - ECPPT Certification

Once you done phase 2, you should be able to start job hunting.

Phase 3 - OSCP Certification - https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/

- This is pretty much the gold standard of what you need to be in the security field. PTP course you did earlier would have covered most of the material in this course, but this is certification that employers really look at.

CISSP/OSCP Combo - is pretty much the end goal you are aiming for

Phase 4 - If requried - WGU Bachelor/Masters in Cyber security and Information Assurance

You can take the WGU Bachelor or Masters in Cyber security and Information Assurance. If you have a bachelor degree, then you can take the Masters for Fun and to polish of your resume. IF you have no degree, take the Bachelor. for sure, but first get ALL the above done first.

yoba222

1. College reimbursement towards a Masters or even some certs is tempting.
2. Reimbursement should have happened 4 years ago. You've been in help desk for too long and need to start applying elsewhere so you can get into a higher role.
3. College certificate programs are almost completely worthless. There isn't a single job ad on the planet asking for one.

In my opinion you need to start working your resume writing and interviewing skills and this happens by applying for other jobs.

EANx

keeranbri wrote: »

I currently have Bachelors in technical management with a concentration in networking, graduated about 8-9 years ago. I have no certificates under my belt, although I have been working as a help desk analyst for the past 6 years. I'm 41 years old and not getting any younger, but I definitely want to get into a more specialized IT field, specifically security is my first choice since I feel it is a very interesting field that is growing. However, I just don't know what to do to get started...should I start off with security + and self study the exam by reading Darryl Gibson book and Messers videos and notes, then start going down the line to study and take the exams of more advanced security certificates. Should I take a certificate program at a online university that offers those 6-12 months IT cybersecurity programs or should I go through a Master degree. I have read that in the IT Field, most employers value certificates more. Also, I wanted to add that my Employer has tuition reimbursement but they only cover up to $5250 for a full year on bachelors/masters/certificate programs and $1000 per year for taking exams such as A+, network +, sec + etc.

"Security" is very broad, what part of it intrigues you? Those masters degrees in cyber are typically management and compliance/auditing focused and don't mean much if your desire is to be a penetration tester. Everyone benefits from increasing their knowledge about security, you just need to decide how you want it applied; in a theoretical fashion (design or management) or hands-on.

Danielm7

EANx wrote: »

"Security" is very broad, what part of it intrigues you? Those masters degrees in cyber are typically management and compliance/auditing focused and don't mean much if your desire is to be a penetration tester. Everyone benefits from increasing their knowledge about security, you just need to decide how you want it applied; in a theoretical fashion (design or management) or hands-on.

Ah, the often forgotten question of "what do you actually want to do?" Why is security interesting? What part? Just saying it's a growing field isn't going to help you with any kind of desire to learn a field that changes daily sometimes.

To give you an idea why every once in awhile people ask this too often ignored question and assume you mean pen testing... I work at a 10K+ employee company, under "Security" we have teams of auditors, PCI/SOX/General compliance, Identity Access Management, BCP/DR and Cyber and Network Security. The cyber security group is one of the smallest (not including a 3rd party SOC), you know how many dedicated pen testers we have in that group? Zero.

People always assume security = only pentester and it's not at all correct.

If you really want to get into security, figure out what part of security would fit you, start here:

https://tisiphone.net/2015/11/08/starting-an-infosec-career-the-megamix-chapters-4-5/

Note how none of those tell you to work helpdesk then get a cert and start in technical security? You're going to need to learn networking, servers, etc.

TheFORCE

Danielm7 wrote: »

Ah, the often forgotten question of "what do you actually want to do?" Why is security interesting? What part? Just saying it's a growing field isn't going to help you with any kind of desire to learn a field that changes daily sometimes.

To give you an idea why every once in awhile people ask this too often ignored question and assume you mean pen testing... I work at a 10K+ employee company, under "Security" we have teams of auditors, PCI/SOX/General compliance, Identity Access Management, BCP/DR and Cyber and Network Security. The cyber security group is one of the smallest (not including a 3rd party SOC), you know how many dedicated pen testers we have in that group? Zero.

People always assume security = only pentester and it's not at all correct.

If you really want to get into security, figure out what part of security would fit you, start here:

https://tisiphone.net/2015/11/08/starting-an-infosec-career-the-megamix-chapters-4-5/

Note how none of those tell you to work helpdesk then get a cert and start in technical security? You're going to need to learn networking, servers, etc.

Very well put. Most of Security now is based on controls and audit. In fact, the IT departments of various companies do more security implementations that the actual security analysts. IT doesn't want security analysts with domain admin access so they can go and change GPO's or install software any time they want to test stuff.

Most security people are buried in log reviews, control reviews etc. I'm one of them, when internal audit comes knocking asking they want to test xyz quaeterly control and i need to provide them with 10 reports my day is spend collecting the reports and providing the evidence. Security is not only lets hack stuff.

Heck i see organizations now putting third party vendor management and vendor risk assessment under security and the direction of CISO. Somethinf that was not the case 5-10 years ago. And these people are called security whatever and dont do anything related to hardening a system or having access to any of the security tools.