My switch from IT Ops to IT Cybersecurity - Certification Roadmap for 2014

Just some ranting.

I am currently in IT operation, and particularly, in Desktop Support. I have always yearned to become either a System Admin or a Network Admin, and have worked plans to achieve that. Somehow since last year, something in me has changed and my interest in pursuing as a System Admin/Network Admin has waned. I'm getting more and more tired by the day-to-day ops with the never-ending demand and requests from users, repeating the same stuff over and over again (maybe the boredom bored me out?)

On the other hand, I discover myself growing more and more interested in cyber-security. Whenever I surf the Internet, visiting to local libraries or bookstores, I will naturally pop over to the InfoSec section. So I decide to switch my focus to be in InfoSec and also to work on certification related to cyber-security. On top of that, if there is any specific area that will aid in my understanding for InfoSec, I will also consider to delve deeper into them and obtain the relevant certification as well (am I too ambitious?)

Nevertheless, this is my currently certification plan that is to achieve in 2014 (Edited):

1. CEHv8 - achieved
2. ECSA
3. eLearnSecurity PTS/PPT
4. CCENT-> CCNA Security
5. GSEC

Probably that will keep my hands full for this year, but if I manage to complete them before the end of 2014, and still have time left, then I will want to learn more. Is there any suggestion from you guys? Thanks in advance.

Find more posts tagged with

Comments

stryder144

Have you considered studying for CASP, SSCP, or CISSP?

chopsticks

I have heard of CISSP and know it is pretty in demand now.
What about CASP & SSCP? I have not come across them yet (sorry for my lack of reading on my part).

TByrd450

I am probably 100% wrong but I am still going to speak. I have no certs right now, but I want to take some that you have listed. I see SSCP as a less known cert, and not as highly sought after. Isn't the SSCP more technically based. And personally I wouldn't waste my time with CASP. If I'm wrong please correct me

JasminLandry

TByrd450 wrote: »

I am probably 100% wrong but I am still going to speak. I have no certs right now, but I want to take some that you have listed. I see SSCP as a less known cert, and not as highly sought after. Isn't the SSCP more technically based. And personally I wouldn't waste my time with CASP. If I'm wrong please correct me

The SSCP is not really technically based, it is very similar to Security+. I believe it's more of an introduction to the CISSP. It introduces the topics you'll dig deep into when studying for the CISSP. That's only from what I've read and heard.

bobloblaw

Not sure on the ROI for the ECSA. It gets zero hits on job boards.

N2IT

From my perspective (which is very little knowledge in security) the CISSP is the end game and everything else is icing. Just my perspective from what I have seen on these boards and other IT boards.

YFZblu

Practically speaking, CISSP is moreso the end-game for Management / Risk. Not for technical positions.

BGraves

I'd go Sec+ or GSEC if you can afford it and then try to find a position in infosec to start out.
Cisco exams are good for networking, personally I'd go CCENT>CCNA R&S>CCNA SEC but not in a rush.
CISSP requires a certain amount of time in InfoSec, wouldn't bother with that one till after you obtained a job in InfoSec.
ECSA, if you learn stuff it's prob not a waste of time but I wouldn't bother with it myself. Same with CASP. Same with SSCP.

Master Of Puppets

N2IT wrote: »

From my perspective (which is very little knowledge in security) the CISSP is the end game and everything else is icing. Just my perspective from what I have seen on these boards and other IT boards.

I have to agree here. Regardless of your infosec niche, the CISSP is key. It helps everyone. However, you do not seem to have the required experience for that. I wouldn't bother with SSCP. Might be better to become an associate of ISC by passing the CISSP and getting the full certification once you meet the experience requirements.

If your interests are in network security, the Cisco track will be great for you. Also, I doubt how much the ECSA will help you. From your list, I would only do GSEC(the GIAC certs are great) and Cisco. That is, if I am corrent in assuming that you are striving for a position in network security?

chopsticks

Glad to see more discussion coming

the_Grinch

I'd agree that taking ECSA off your list as it does not hold any weight. OSCP should definitely be on your list since learning to think the way those who wish to break into your network/system is definitely important. You can't go wrong with CISSP for sure. I always point people in the direction of having a firm foundation in the technology you are trying to secure. Thus if you are thinking network security, CCNA should be on your list.

NovaHax

bobloblaw wrote: »

Not sure on the ROI for the ECSA. It gets zero hits on job boards.

Agreed. As far as I can tell...it hasn't really done anything for me. I only took it because EC-Council mistakenly included the study material in my CEH training package.

veritas_libertas

This is (and what I'm currently doing) what I think is the best path when you are starting out: CCNA -> MCSA -> CISSP (or another well rounded security certification). Whether you begin with the CCNA or MCSA really doesn't matter. I'm currently struggling on the job because I don't have the Microsoft server knowledge that many experience before moving into a security role. As TheGrinch says, it's hard to secure what you don't understand. I'm not discounting on-the-job experience or your ability to search on Google for answers, but having a knowledge baseline is a big advantage.

bobloblaw

True. I've repeated this ad nauseam, but I don't expect anyone to know how to secure a network, Windows domain, linux servers, etc. when they haven't ran them.

N2IT

@ Bob no question about it. My statements were directed towards the certification path. I honestly believe if you have experience in half of the technologies you mentioned then a CISSP would snap in perfectly into your resume/CV/Portfolio of skills.

higherho

YFZblu wrote: »

Practically speaking, CISSP is moreso the end-game for Management / Risk. Not for technical positions.

I agree, that and it isn't that difficult (From what my colleagues say. All of them got the certification in 3 and a half weeks). It just gives you an overall broad based view of security. I would choose someone with an OCSP over an CISSP any day if I was looking for a technical security individual.

bobloblaw

higherho wrote: »

I agree, that and it isn't that difficult (From what my colleagues say. All of them got the certification in 3 and a half weeks). It just gives you an overall broad based view of security. I would choose someone with an OCSP over an CISSP any day if I was looking for a technical security individual.

Your colleagues are being disingenuous, or have plenty of experience in the CISSP CBK (I expect the latter).

higherho

That may be but three of them passed the CCIE (written and lab) so when they told me they did the CISSP in that period and said it wasn't that difficult I tend to believe them. They have a great deal of exp in both Networking and Systems. Honestly its not a technical certification (I consider it a managerial type cert ) so I would expect technical experts to pass it without a major issue.

bobloblaw

Clearly the latter. CCIE are a rare breed. I'm sure most things aren't difficult for them.

filkenjitsu

I moved onto Service Provider from SWITCH because of relevancy. I am enjoying my studies much more now!

filkenjitsu

Oops! Wrong thread!

chopsticks

Hi all, I'm happy to say, I'm going to start my ECSA study this week. Hope to learn more with this certification.

NovaHax

bobloblaw wrote: »

Your colleagues are being disingenuous, or have plenty of experience in the CISSP CBK (I expect the latter).

Having done both, I have to say that there is truth to what each of you say. Bobloblaw is right...the CISSP exam is a beast...even for someone with significant experience in the industry. That being said...being good at test taking can go a long way with an exam like the CISSP (regardless of how tough it is)...and that isn't true of a practical exam like OSCP.

chopsticks

Added one more along the way:

eLearnSecurity PTS/PPT

chopsticks

Learned that in the world of InfoSec, knowledge in Unix/Linux is a must.. so I added general Linux learning as my supplement learning and reading. Decided to follow the Fedora/Red Hat distro.

superg

chopsticks wrote: »

Learned that in the world of InfoSec, knowledge in Unix/Linux is a must.. so I added general Linux learning as my supplement learning and reading. Decided to follow the Fedora/Red Hat distro.

Known as the "3-in-1 Linux certification", consider the CompTIA Linux+ certification. Once you obtain it you can apply for LPIC-1 and SUSE Certified Linux Administrator (CLA) certifications without further testing. If you want to dive deeper at a later time, you can advance via LPIC-2 and LPIC-3.

Another point to consider, if you'll search for DoD Directive 8570 or 8140, you'll see an InfoSec advancement track well recognized by employers and government.

DOD%208570%20Chart%281%29.png

If I were in your position I would focus on these certs in addition to Linux+ and CCNA.

A decent track would be Network+, CCNA Security, GSEC, Linux+ (3-in-1)/GCUX, C|EH, MCITP/GCWN.

About that time you should have enough working experience to attempt the CISSP.

You may want to look into getting a BSIT degree from WGU, this will help you obtain some of these certs while earning your degree at the same time.

Online IT Security Degree | Information Security Degree | WGU College of Information Technology

My 2 cents.

cli_ninja

After you get some of the baseline certifications out of the way you may want to consider what you want to do in InfoSec and tackle some more specific certs/training in that area.

For example, if you wanted to get into Malware Reverse Engineering, and were studying CCNA you might be able to spend you time more wisely. I know you may not know specifically what you want to do in security, but as you begin to dive into your studies, keep asking yourself that question.

chopsticks

Thanks superg and cli_ninja for your great suggestion

shajeer

Well done , congrats chopstics..

so have you shifted from IT OPS to security..

chopsticks

shajeer, no no yet, because I have to build my InfoSec knowledge base first.