Completely brand new to information security....career paths?

Read through these threads if you haven't: adynamik1's keatron Bookmarks on Delicious (the Adam Sandler one is great for a laugh).

I'd spend some more time trying to figure out which area of security you'd like to focus on. As our advice to you will probably vary considerably depending on what you want to do. Do you want to do pen testing, work with firewalls, research vulnerabilities, etc.

The Security+ is the obvious starting point. However, if you really want to be a master of an area, you're going to need to spend a lot of time developing the fundamentals first. If you just rush into the security arena without understanding how the underlying technology works, you're probably not going to do a very good job. It's difficult to stick through that part because it's not nearly as exciting as the security portion.

Welcome to the forums

I actually have read those threads. Well, except for the "I'm done with Adam Sandler movies" thread.

I paid the most attention to this thread, which seemed to break down the security roles pretty nicely.

As should be obvious in my mini-essay above, I'm a "big picture" person, so of all the roles on that thread, ultimately I hope to be the security policy guy, but security assessment also seems very interesting to me. Both, however, strike me as high-level positions that require a good understanding of multiple if not all domains of security. So, I have my end point in mind, just no idea of how to get there.

As far as certifications, Security+ was one of the ones I was looking at initially, but my colleagues encouraged me to go for CCNA Security instead. What's the difference? I understand that Security+ is vendor-neutral, but as to subject matter, which provides a better foundation?

Also, what would be the next step? SSCP?

Note: To me, the certifications are benchmarks along a path, and gateways to subsequent segments. I'm looking for the most comprehensive path, not the quickest one. To be honest, I drink this kind of information like a thirsty camel drinks water, so I'm not worried about how long it might take me.

JDMurray

LockeWiggin83 wrote: »

As far as certifications, Security+ was one of the ones I was looking at initially, but my colleagues encouraged me to go for CCNA Security instead. What's the difference? I understand that Security+ is vendor-neutral, but as to subject matter, which provides a better foundation?

Also, what would be the next step? SSCP?

Security+ is the standard beginning InfoSec cert. It is a single, vendor-neutral exam. It is recognized by government agencies and other certification vendors, and is actually required for some certs, like HIPAA, and can be used for others, like MCSA: Security and MCSE: Security.

CCENT>CCNA>CCNA Security is a much more technical certification path. There is much more information to learn and much of it Cisco-specific. People often fail the CCNA exam because they underestimate its difficulty and complexity. Having the Security+ (and SSCP) will help you with the CCNA Security exam, but not the CCENT and/or CCNA exams. And the Cisco ICND1 exam (for CCENT) covers more networking topics than the CompTIA Network+ exam does.

The Security+ is definitely going to provide the best foundation. The CCNA:S is going to focus on vendor-centric network security. It's not going to give you a broad overview of security like the Security+ will.

Compare the objectives between the exams:
CompTIA Certification Exam Objectives
https://cisco.hosted.jivesoftware.com/community/certifications/security_ccna/iins?view=overview

I think the CCNA:S is the more prestigious of the two, and it will probably give you a bigger bump career-wise. However, I'd still do the Security+ in addition to it in order to develop a solid security foundation.

For what you want to do, the CISSP sounds like a good end-goal. Also, you might want to look at some of the management-level certs here: GIAC Certifications

The SSCP would be another good one to take. It's more technical than the CISSP, so it will probably compliment what you're currently doing more than what you want to be doing eventually (but extra knowledge is never going to hurt you). JD refers to it as the Security++.

Keep in mind that while the SSCP has a one-year requirement and the CISSP has a five-year requirement (with up to one waived for other certs or education), you can still take the exams and become an associate if you don't meet the requirements. I believe you're given six years to meet the CISSP requirements, so if you're in a position where you're building experience (or will be shortly), there's no reason not to go for it (other than building up that foundation first).

How do you like working with Cisco? I think the best way to get to your desired location is going be choosing a path (or route if you like puns) and sticking with it. No matter what you do, you'll constantly be exposed to new things and will develop a greater understanding of the overall processes. The important thing is to pick something you find interesting and stick with it. If you like Cisco, take a look at the NP and SP, and possibly even an IE or two if you're feeling ambitious.

JDMurray wrote: »

Security+ is the standard beginning InfoSec cert. It is a single, vendor-neutral exam. It is recognized by government agencies and other certification vendors, and is actually required for some certs, like HIPAA, and can be used for others, like MCSA: Security and MCSE: Security.

Aren't the MCSA and MCSE certifications retired now? I was looking at getting an MCP certification, too, but it looks like MCSE and MCSA were replaced by MCITP: Server Administrator and MCITP: Enterprise Administrator, geared towards Server 2008. Are there new security-related Microsoft certifications, too?

JDMurray wrote: »

CCENT>CCNA>CCNA Security is a much more technical certification path. There is much more information to learn and much of it Cisco-specific. People often fail the CCNA exam because they underestimate its difficulty and complexity. Having the Security+ (and SSCP) will help you with the CCNA Security exam, but not the CCENT and/or CCNA exams. And the Cisco ICND1 exam (for CCENT) covers more networking topics than the CompTIA Network+ exam does.

Well, I'm already well on my way to earning my CCNA. Its mostly the terminology that is causing me problems, not the concepts. I learned networking on-the-job, so I have the practical knowledge. I just have to match it to the textbook.

dynamik wrote: »

The Security+ is definitely going to provide the best foundation. The CCNA:S is going to focus on vendor-centric network security. It's not going to give you a broad overview of security like the Security+ will.

Compare the objectives between the exams:
CompTIA Certification Exam Objectives
https://cisco.hosted.jivesoftware.com/community/certifications/security_ccna/iins?view=overview

I think the CCNA:S is the more prestigious of the two, and it will probably give you a bigger bump career-wise. However, I'd still do the Security+ in addition to it in order to develop a solid security foundation.

I'm definitely going to self-study in both, most likely, but I'm only going to choose one for dedicated training (paid for by my company, of course). So it sounds like CCNA Security is the one that'll actually require that kind of dedicated training, because it's more technical? Or I could save that training for the SSCP instead.

dynamik wrote: »

For what you want to do, the CISSP sounds like a good end-goal. Also, you might want to look at some of the management-level certs here: GIAC Certifications

Researching CISSP is what first drew me here.

I've heard the saying that CISSP is miles wide and an inch deep. That interests me for another reason: if I read a CISSP prep book or a self-study course, will that give me a good overview of security in general? I've read keatron's description of CISSP as the plastic loops that ties the six-pack together, and that interests me, because I've always been a top-down learner, meaning I learn fastest when I have an understanding of the big picture and where my current subject matter fits in. So while I might not qualify for the CISSP certification itself, I'm thinking that studying for the CISSP (or becoming an Associate of CISSP) might be a good way to at least get that overall perspective and accelerate the rest of my learning.

dynamik wrote: »

The SSCP would be another good one to take. It's more technical than the CISSP, so it will probably compliment what you're currently doing more than what you want to be doing eventually (but extra knowledge is never going to hurt you). JD refers to it as the Security++.

SSCP is something I'm planning for in the next year, maybe even in the next six months when we make our next training session selections.

dynamik wrote: »

How do you like working with Cisco? I think the best way to get to your desired location is going be choosing a path (or route if you like puns) and sticking with it. No matter what you do, you'll constantly be exposed to new things and will develop a greater understanding of the overall processes. The important thing is to pick something you find interesting and stick with it. If you like Cisco, take a look at the NP and SP, and possibly even an IE or two if you're feeling ambitious.

I'm not a big fan of Cisco hardware. My experience has chiefly been with Foundry (SX800s, FESXs, and MLXs), which is why I said my problem with the CCNA is mostly with the terminology, not the networking concepts.

Getting at least one CCIE, however, is one of my goals.

RTmarc

LockeWiggin83 wrote: »

I'm not a big fan of Cisco hardware.

Getting at least one CCIE, however, is one of my goals.

You'll have to learn to love Cisco hardware if you are going to be CCIE.

The 2003 MCSA/MCSE track has not been retired yet. It will be around for several more years.

The CCNA:S is going to give you a network-based security foundation, however, it is going to be heavily centric up on Cisco and their hardware/software.

I always tell people that want to walk down the security path to start in the same spot: Security+. Work your way out from there.

You certainly don't need a course for the Security+. If I were, I'd try to get a CBT Nuggets annual streaming subscription over a course. You should definitely look into that if you haven't already.

As far as the MS certs are concerned, the MCSA/E are still alive and well. Server 2003 isn't going anywhere any time soon; they haven't even announced when those tracks are going to be retired.

I'm going to be working on my CCNA:S and SSCP (along with various others) this year, so definitely stay in touch. Good luck with your journey, and keep us posted!

JDMurray

LockeWiggin83 wrote: »

Well, I'm already well on my way to earning my CCNA. Its mostly the terminology that is causing me problems, not the concepts. I learned networking on-the-job, so I have the practical knowledge. I just have to match it to the textbook.

Be sure that you know all of the topics on the CCNA exam's objectives list. It is unlikely that your job's activities has you performing hands-on operations with everything that's covered by the CCNA exam. You will still need to use the Todd Lammle books with hardware (or sims/emus) to learn everything you need. Don't be over-confidant that you know what you need to know to pass any Cisco exam or you may be unpleasantly surprised on exam day.

And yes, start learning to love Cisco hardware and terminology, marketing information, and the GUIs and command line. Otherwise, you'll just be hating what you do for a living.

What about studying CISSP material now, in lieu of Security+, even if I don't plan on getting the CISSP certification for a while? Are CISSP prep guides (like the All-in-One) comprehensive enough to cover *also* Security+ topics in addition to more advanced topics specific to CISSP, or do they start around where Security+ ends?

RTmarc

Jumping directly to the CISSP material is like jumping to calculus before you know algebra. You need to get the basics down and that foundation settled before you start trying to tackle the more advanced subjects. There is quiet a bit of information covered in the CISSP exam the assumes you have exposure to the underlying ideas and theories.

What's the hang up with starting with Security+? This is the basic, entry-level certification in the security world and where most people do/should start.

RTmarc wrote: »

Jumping directly to the CISSP material is like jumping to calculus before you know algebra. You need to get the basics down and that foundation settled before you start trying to tackle the more advanced subjects. There is quiet a bit of information covered in the CISSP exam the assumes you have exposure to the underlying ideas and theories.

What's the hang up with starting with Security+? This is the basic, entry-level certification in the security world and where most people do/should start.

I've got no hang up with it, but I know how my mind works. I learn fastest and retain the most information if I learn from the top-down, not the bottom-up. To use the algebra-calculus analogy, it would be like learning how what I'm studying in algebra ties into what I'm *going* to learn in calculus. Understand?

Anyway, knowing all the certs is great and all, but what about career paths?

The Security+ is a relatively comprehensive (albeit light) overview of security. I don't see how that goes against your top-down philosophy.

Like I said, pick a technology/direction and focus on developing and advancing in that area. Your area of expertise will be small at first, but the breadth will increase as you advance.

What sort of formal education do you have? You might want to consider pursuing a related graduate degree.

dynamik wrote: »

The Security+ is a relatively comprehensive (albeit light) overview of security. I don't see how that goes against your top-down philosophy.

It's not the breadth of the overview I'm looking for, it's the specificity. When I study something, I want to be able to see how it's relevant at all levels of experience and expertise. That means being able to identify a specific practical implementation of the theory at the end point.

What I wanted to know is if a CISSP prep guide gives that full length of relevance for all the topics covered by Security+, or if it only picks up where Security+ ends.

Either way, I'm definitely going to try to cover all of my bases and earn the certifications in order. What I'm talking about is the prep work, not the exam.

dynamik wrote: »

Like I said, pick a technology/direction and focus on developing and advancing in that area. Your area of expertise will be small at first, but the breadth will increase as you advance.

Hence why I asked about career paths as well as available certifications.

dynamik wrote: »

What sort of formal education do you have? You might want to consider pursuing a related graduate degree.

Yeah, an advanced degree is something I mentioned in my first post.

I agree that jumping to CISSP is not the smartest thing to do. Even when studying the simplest chapters like physical security, it will be difficult for you to understand why we need to lock racks and what's best to use and when, because you don't reallly know what's that for, reasoning will be difficult and you will end up memorizing a lot of thing instead of understanding, which will be almost useless in scenario based exams.

My advice, go for CCNA (use Todd lammle, and any simulator), if you find it difficult then go for Network +

I also recommend Security+, and Linux+. The MCSA or MCSE depends on your background. You really need knowledge and experience in IT in general to do find in InfoSec. Just general experience, I'm not talking expert-level experience, just a mid-level one.

good luck and welcome to the forums

UnixGuy wrote: »

I agree that jumping to CISSP is not the smartest thing to do. Even when studying the simplest chapters like physical security, it will be difficult for you to understand why we need to lock racks and what's best to use and when, because you don't reallly know what's that for, reasoning will be difficult and you will end up memorizing a lot of thing instead of understanding, which will be almost useless in scenario based exams.

Ok, that's the answer I was looking for.

We have a CISSP reference book in our office, but I just ordered Security+ for myself. I just needed to know if it was necessary to spend the extra money.

UnixGuy wrote: »

My advice, go for CCNA (use Todd lammle, and any simulator), if you find it difficult then go for Network +

All I need to do is convince my supervisor to squeeze the $250 needed for the exam into our budget.

UnixGuy wrote: »

I also recommend Security+, and Linux+. The MCSA or MCSE depends on your background. You really need knowledge and experience in IT in general to do find in InfoSec. Just general experience, I'm not talking expert-level experience, just a mid-level one.

Security+ or CCNA Security is my next step after CCNA. I was also considering RHCT and MCITP: Server/Enterprise Administrator, but I haaaate Linux with a passion, and my co-workers have told me that anything I learn while studying for a Microsoft certification, I can learn better and faster on the job.

Start with CCNA then Security+. Then it's up to you learn Windows Administration or UNIX or Linux Administration or Networking.

If you work in Windows environment, then you will learn Windows administration quickly, and all you need then is to go for Linux+ or LPI-1 to get the basics of Linux Administration if you want.

But if you want serious UNIX or Linux Administration skills, then you definitely need a job in a busy *NIX environment to do so, and it is the only way IMHO.

I recommend you work in the Cisco side or UNIX side, but that's just my personal preference.

Good luck

UnixGuy wrote: »

If you work in Windows environment, then you will learn Windows administration quickly, and all you need then is to go for Linux+ or LPI-1 to get the basics of Linux Administration if you want.

But if you want serious UNIX or Linux Administration skills, then you definitely need a job in a busy *NIX environment to do so, and it is the only way IMHO.

Yeah, I'm definitely not doing much in terms of Linux/UNIX in my current position. We have a couple of application servers to care for that are Linux, but the vast majority (like, 90%) of our servers are Windows.

What's the approximate marketshare of Windows vs. Linux/UNIX/anything else in the server market?

UnixGuy wrote: »

I recommend you work in the Cisco side or UNIX side, but that's just my personal preference.

Gee, I wonder why, UnixGuy?

Windows is used more everywhere, but the number of expertise in UNIX is less that's why you typically get paid slightly more.

This is up to you, choose what you like and then from that you can move up to security.

dice.com can you give you nice overview of salaries and market demands

I don't suppose you (or anyone else here) know of any site or resource that gives a good roadmap of infosec career paths? That would be immensely helpful.