Practical use of Cissp

slinuxuzer · August 2008

Ok, I have been reading alot about the Cissp. I have recently finished my Mcse. I feel like security is my strongest suite.

I am wanting to get more into security analyst / compliance with like Ernest and young Audits. I have 5 years on the job experience I have been doing mostly network administration, but have dealt with preparing for Audits, designing logical access controls, backup security and physical security.

My question is to anyone who is a cissp or anyone who feels they know.

How valuable is this cert in the real world?

How lilkely is it to get me into a security analyst role?

How hard is it to make the kind's of experience I have had map over to the professional experience requirment?

How hard is this cert / what kind of time and study effort can I expect to be needed?

JDMurray · August 2008

slinuxuzer wrote:

How valuable is this cert in the real world?

If you mean valuable for employment opportunities, go to dice.com and search on the keyword "CISSP". Count the number of employers looking for people with the CISSP cert.

slinuxuzer wrote:

How lilkely is it to get me into a security analyst role?

By itself? Zero chance. You also need the complementary education and experience that a prospective employers are looking for. The CISSP cert is complementary to the other things on your resume and not the sure ticket to a great job.

slinuxuzer wrote:

How hard is it to make the kind's of experience I have had map over to the professional experience requirment?

I would need to see your resume to determine that. Do you have it posted on LinkedIn.com?

slinuxuzer wrote:

How hard is this cert / what kind of time and study effort can I expect to be needed?

Only you can answer that question accurately. Go to a book store and look through the Shon Harris CISSP All-in-One book and see how much of the material you already know. Also, be realistic with how well you study and learn that type of material.

slinuxuzer · August 2008

Slinuxuzer's resume

JD Thanks for your reply. Would you mind taking a look at my resume and give me your honest opinion if it is worth it for me to pursue Cissp at this time. One thing that isn't on my resume that I need to update is at magna and my consulting jobs I dealt with Audit compliance for Ernest and Young Audits, I also performed and documented a couple of vulnerabiltiy assesments.

The other expereince I am hoping to make over to Cissp is, at every job I have been at I have been invoved (by involved I mean heavily not on the sidlelines watching, but doing) with Ad, group design's, managing file servers, developing change management policy's. Plus there are few other things, I feel like I have the Job experience, I am just not sure how Granular I would need to be when documenting this to ISC2? Also as far as security goes Like I said I feel like this is my strongest skill, I would say on 1 - 10 I am 7.5 or 8.

Thanks for your help man.

Education
Texas State Technical College
Computer Systems; Networking Technology 2003

Marshall High School
Diploma Awarded, May 2002

Employment History
Advanced Business Solutions, 2003-2005
Network Consultant
• Troubleshoot Proprietary software: Timeslips, peachtree, Verities, Prodocs, and quickbooks
• Windows administration. Dhcp, Dns, Rras, Vpn, Server 2000 & 2003, Terminal Server, Active Directory.
• Provided end to end solutions for clients from sales to post installation maintenance
• On call 24/7 for over One-hundred and twenty clients
• Designed hardware and software solutions to client specifications. Servers, Switches, routers and vpn appliances
• Hp hardware experience: Printers, Scanners, Copiers, Plotters.
• Highly experienced with network protocols.
• Cabling experience Cat5 & Coax

Magna International, 2005-Present
Network Administrator
• Performed daily maintenance of Sql 2000 databases
• Supported custom solutions for Automotive manufacturing and sequencing
• Collaborated with software vendors to design custom applications for a manufacturing environment
• Attended daily Staff meetings to coordinate with department managers
• Designed and implemented process to comply with sox compliance: Disaster recovery, Active Directory and file access audits.
• Maintenance of custom Erp and Mes systems provided by datanational
• General Network administration duites include: Server maintenance, Symantec backup exec, robotic tape library, enterprise anti virus solution, Ghost imaging, and various other software packages
• Responsible for maintaining high availability of critical systems: databases, routers, switches and servers
• Performed and documented vulnerability assessments.

Tech Contract Experience

Project lead for Webex: Dallas, Tx
• Installed 300 windows xp workstations
• Commissioned ten servers
• Data Migration
• Managed and Directed Two Technicians

Senior Tech for Vetconnect: Carthage, Tx
• Provided turnkey solutions for veterinarian offices throughout east Texas

New Edge Networks Dsl Installation
• Synchronized Various routers: Sdsl, Adsl, Idsl
• Installed Category 5 cable from demarc locations to internal offices
• Cooperated with Sbc Techs Concerning Sbc hardware and circuits
• Point of Contact for any End user issues

Special Skills
• Computer Security Expert

Certifications
• Comptia A+ Certification
• Comptia Network+ Certification
• MCSE 2003
Comptie Security+ Certification

dynamik · August 2008

Remember, you can still become an (ISC)2 associate if you pass the exam but don't meet the experience requirements. It's good for six years, and you'll only need four years of experience since your certs will take a year off the five year requirement. I'd say go for it if you think you can fulfill the requirements within six years. Plus, the associate might open some doors for you, so you can get the experience you need.

LarryDaMan · August 2008

Go for it, dynamik gives good advice...

Check out cccure.org also, a plethora of CISSP information and links exist there.

My brain is slightly on fire from studying this weekend, but I am enjoying it so far.

I almost took my Shon Harris AIO book with me to the Washington Nationals game on Sunday, but at 1100+ pages, it is not very travel friendly.

RTmarc · August 2008

I'd say you have the experience or on the verge of having that requirement satisfied. Remember, you only need four years of experience with a degree or qualifying certification; which your MCSE meets. Based on what I see with you experience from the resume you posted - as long as you are being honest about your duties - I think you are ok on experience. All of that depends on whether or not you had an actual hand in the development and implementation of DR or AV, etc. of if you only supported the end-users.

JDMurray · August 2008

slinuxuzer, if I were you I'd consider starting your journey towards the CISSP right now. With your MSCE you will only need four years of InfoSec experience, plus another person with an (ISC)2 certification person to endorse you. It looks like you have near the experience on your resume you need.

What I suggest is that you make a list of the 10 domains of the CISSP CBK, describe what you have done and how many years of experience you have in each domain. The CISSP requires that your InfoSec experience comes from at least two of these domains. Make sure you factor in the extra experience you will have because you won't be taking the exam for 6-12 months. This will clearly show if you have the four years of necessary experience or not. You will need to do this anyway for the online CISSP exam enrollment form, and it will help your endorser evaluate you as well.

slinuxuzer · August 2008

Thanks for the info Jd. The reason I am looking at this is, i am at a new postion right now in network administartion, very similar to my last job, well when I took this job HP had a posting open for a secuirty analyst and if I had had CISSP I would have been a great candidate for this job, to me it looked like heavy travel to client sites for assesment and Audit type stuff, which is what I am leaning towards, I am wanting to get away from small shops where I have to deal with silly folks who can't login or want me to repeat everything 15 times.

Anyway Thanks to everyone for all their help.

JDMurray · August 2008

slinuxuzer wrote:

I am wanting to get away from small shops where I have to deal with silly folks who can't login or want me to repeat everything 15 times.

I have news for you--this same stuff happens in larger shops too, only a lot more because there's a lot more people. Best to get away from the help desk-type of stuff altogether.

bcairns · August 2008

Just my $0.02 worth:

My question is to anyone who is a cissp or anyone who feels they know.

How valuable is this cert in the real world?
On a scale of 1 to 10 I would rate it about a nine. This cert is worth its weight in gold to contracting firms and goverment agencies...not to mention banks.

How lilkely is it to get me into a security analyst role?
You could land an entry level security analyst position now, and using your network admin knowlege move up very fast. Plus you would gain the experience you need for the CISSP requirment.

How hard is it to make the kind's of experience I have had map over to the professional experience requirment?
For me it was easy...just be honest when you fill out the application. Most folks get audited right after they pass (myself and 5 co-workers did).

How hard is this cert / what kind of time and study effort can I expect to be needed?
With 10+ years experience as a programmer and network admin, I found it to be a challenging test. I spent 6 months cramming for it. Not only do you have to know the material, you have to know why the material exists and how it is used in the real world.

contentpros · August 2008

These are a few tips to be a constructive criticism not a flame so please hear me out.

Resumes are not just about certifications or your experience. A resume and cover letter should serve as your introduction to the hiring or HR manager that is reviewing your submission. Build different resumes to fit the positions you are applying for. These people are looking for how good of a fit you are for the position so don't think of your resume as "one size fits all".

Spelling and grammar can get your resume tossed even if you are a great candidate. I admit spelling and grammar are not my strong point so I always have one or two people proof any of my official documents or items that will be read by multiple people(except for posts like this). Little items like "Verities" which I believe you were referring to Veritas can irk a reviewer because it does not show attention to detail. Other little items like "Dhcp, Dns, Rras, Vpn" keep items like this in the proper case DHCP, DNS, RRAS, and VPN once again attention to detail.

I know it may seem like I am being **** on some of these items but hiring for my department is part of what I do. If your resume gets handed to me from HR and I see little errors like this your resume it is something that I do take into consideration.

Don't be afraid to expand on your experience either! I see this all the time in your case under Advanced Business Solutions you have an item "Windows administration. Dhcp, Dns, Rras, Vpn, Server 2000 & 2003, Terminal Server, Active Directory". You are missing an opportunity here don't just tell me you administered Active Directory, Active Directory can be a beast what did you do with active directory? Did you just create user accounts? Did you work with GPO's? if so what did you use them for? Here is a chance to showcase that you have more then just a basic knowledge of an item.

Remember that when you are submitting your resume to organizations like ISC2 that the goal is to show what experience you have is relevant to the domains that you are claiming experience working with. Be specific to eliminate any doubt as to whether the work experience is relevant.

Another item that hiring managers love is when people use the word "expert". I don't so much mean love in a good way either. I can say this from personal experience as well as from other friends that handle the interview and hiring process. If you use the word expert in relation to anything on your resume you can expect to be drilled like crazy on whatever you claim to be an expert in. I will personally take the time to grab 25 or 50 questions of some of the most obscure facts or knowledge and stick you with these questions during the entire interview. If you claim to be an expert expect to be challenged on these topics.

Another item to remember is that anything you put on your resume expect to be challenged on. It could be regarding and application or whatever if it is on your resume it is fair game. This brings up the topic of resume fodder. Everybody expects some padding on a resume but you can pad using actual knowledge and just being more specific in how you performed a particular job duty. If you put experience in protocol xyz on your resume and I ask you about it and I get a response like well I read about it for my brandx certification two years ago but i've never had to actually use it... this can be bad also. How is this "relevant experience"?

A last piece of advice for when you go to attend an interview. Know about the company you are interviewing with! It doesn't take much to hop online and do some research about the company you are interviewing with. I know it sounds silly but it does make a difference when you sit an interview and you have a fair amount of knowledge about the company and what type of industry they are a part of and who is their clientele. Also remember Google, My Space, Facebook, Linked In, background checks and all of those resources can be a great tool for the people doing the hiring. What will a simple search of your name reveal? Will I find other jobs listed on your xxxx profile that doesn't show up on your resume? Will it make me ask why was this information omitted? I know it might sound silly but don't let one of these gotchas haunt you!

I know this was not exactly on topic but I hope this helps.

~contentpros

slinuxuzer · August 2008

Content, thanks for the review and info much appreciated. I don't pad my resume much at all, I could / should expand in more detail on the things I have done since I have done some high level Ad migartions and a few other large projects which aren't spelled out in detail, but I was told by a hiring manager once that it was in bad taste to have over a one page resume, on the other hand I feel like I get short changed with a one page resume because I can't show half my experience in one page.

I don't use myspace / face book alot, the email and personal info on my resume is generic and won't return anything really. ( I am wise to employers googling)

Thanks for pointing out the spelling errors and case mistakes. I most likely need to get my resume professionally redone. Any recommendations here?

Also, I feel like I am a security expert and could most likely answer correctly a large portion of obscure questions, but you do make a very good point, why open this door to being drilled and any potential misstep that might come from that. Thanks

When I first tried to break into IT, I did some padding and always managed to get a phone screen and I found out the padding thing didn't work and if I wasn't able to speak fluently about a subject then to leave it off the resume.

I had to learn alot of this the hard way and your review is right on and helped point out a few things to me, I hope that anyone who is just starting out and reads this will learn from this.

Thanks again.

Practical use of Cissp

Comments