Security+ -> MCSE -> CISSP ?

After MCSE, If it were one of my employees it would be MCSE>MCSE:Security>C|EH> (either a couple of SANS certs or SSCP), then CISSP.

However, if you want to go a cheaper route, insert something a little higher level that's specifically seurity related between MCSE and CISSP. You'll thank me later.

keatron wrote:

After MCSE, If it were one of my employees it would be MCSE>MCSE:Security>C|EH> (either a couple of SANS certs or SSCP), then CISSP.

However, if you want to go a cheaper route, insert something a little higher level that's specifically seurity related between MCSE and CISSP. You'll thank me later.

Thanks !

Webmaster

keatron wrote:

You'll thank me later.

bcairns wrote:

Thanks !

Amazing! Ok, what's next week's winning lottery numbers?

Webmaster wrote:

keatron wrote:

You'll thank me later.

bcairns wrote:

Thanks !

Amazing! Ok, what's next week's winning lottery numbers?

grabs a pencil and awaits the loto numbers...

and the winning number is

20-5-3-8-5-24-1-13-19

Guess what that is?

keatron wrote:

and the winning number is

20-5-3-8-5-24-1-13-19

Guess what that is?

LIES !!!!!!!!!!!!!!!!!!!!

agustinchernitsky

What about CISM??

Yes, I agree, MSCE, MSCE: Security... then CISM or CISSP or SSCP.

any of the three or all of them!

Webmaster

bcairns wrote:

keatron wrote:

and the winning number is

20-5-3-8-5-24-1-13-19

Guess what that is?

LIES !!!!!!!!!!!!!!!!!!!!

On the very contrary

I was expecting I need to shift everything at least one position

Passed Security+ with an 803 and starting on my path to MCSE tomarrow.

Hope to bump into you fellows again in the future and wish me luck.

oldbamboo

Hi,
Just my two cents. I'm currently going for CISSP, and i've noticed that a large part of the body of knowledge is very general and was covered significantly by certain parts of the MCSE (NT4!) (especially the Networking Essentials and TCP IP over MS modules) that I got some years ago. So, I would say the MCSE can be a good thing to go for. In fact, the reason I ended up in security was that the MCSE modules gave me the expertise to do some rudimentary penetration testing for a consultancy.
On the other hand, while a rock solid understanding of networking is CRITICAL for a career in security, most threats now exist at the application level, so any understanding of the basic SDLC's and secure coding would be what I would look for in a security staffer in a big organisation these days.
In any event, the point is, no-one wants someone who has the basic security theory without the sharp edge on some facet of technology: My experience is those guys just get bullshitted by the people they are trying to police, so keep your hardcore MCSE on the rails mate!

Webmaster wrote:

I was expecting I need to shift everything at least one position

Or at least rot13.

daisycuter

When you all say your going for your CISSP what do you mean? I thought there was an application process - having more than 4 years experience, a degree / qualifications, written application and then finally sitting a 6 hour multiple choice exam.

Can you let me know because this exam is on my to do list. What are the pre-requisites and whats the process?

Thanks...

oldbamboo wrote:

any understanding of the basic SDLC's and secure coding would be what I would look for in a security staffer in a big organisation these days.

This is what I'm hoping to make use of with my software engineering experience. It is unlikely that I will ever have enough hands-on, server room IT experience to qualify me to get the MCSE or CCNA/NP/SP certs, so I need to find a path into an InfoSec career from the software perspective. I really like the software security stuff they do at Cigital and I'd personally like to move in that direction.

daisycuter wrote:

What are the pre-requisites and whats the process?

The CISSP applicant requirements are here.

Hey keatron, I was reading the page at the link in my previous post and I noticed no mention of needing to be sponsored by a CISSP-certified person as a requirement for the CISSP certification. Am I mistaken in assuming that sponsorship is a requirement, or has this page at the (ISC)2's site just not been updated?

mengo17

I was thinking:

Sec+ > CEH > MCSA > MSCE > MSCE: Sec > CISSP.

Should I do MCSE before CEH?

daisycuter

Yep - ok so I know what the website says but can we hear from some CISSPs out there? What was the process you used for applying and sitting this exam?

oldbamboo

mengo17 wrote:

I was thinking:

Sec+ > CEH > MCSA > MSCE > MSCE: Sec > CISSP.

Should I do MCSE before CEH?

To be honest mate, thats impossible to answer. The question is what do you want to be doing as a career? Lately I'm seeing a demand for infrastructure and software architects in the security field. Those are hard earned skills that pay (I'm talking about the contract market now).
If it helps, I got an MCSE, read up on security, then applied for a position in one of the Big 4. At the time I also had about five years exp in IT support, culminating in Proliant servers. When I got my break at a big 4 firm I had:

MCSE NT4 (electives of TCP/IP and MS Proxy Server),
Network+,
Compaq Accredited Systems Engineer.

I also had a little early background study in journalism, so I could lay claim to being able to write to a certain standard. Basically, I got a suit and a haircut, and turned up to the three interviews hungrier than anyone else. They interviewed 60 people but I got the role.
The point I'm trying to make is that the Big four are a good target. Most of their IT audit staffers are finance accountants. They have genuine and ongoing difficulty:

a. obtaining good techies
b. that are presentable enough for their client base.

If you can jump that initial hurdle, you'll be working inside a big organisation with excellent mentoring, superb, company only technical documentation, and all the development you could ask for. At that point, alot of the concerns you have about all those quals will just melt away, trust me! Your cv will open a hell of a lot of doors.
Hope this helps. Also, I'd be keen to hear what other info sec pro's have to offer by way of useful career development info?

drakhan2002

mengo17 wrote:

I was thinking:

Sec+ > CEH > MCSA > MSCE > MSCE: Sec > CISSP.

Should I do MCSE before CEH?

I don't think you really need any of the Microsoft certs if you want to be in Information Security. I work at a Fortune 500 bank, one of the largest in the U.S. - most have the CISSP, CISA, or CISM (or a combination). Microsoft is just not a requirement for information security; the MCSE's are the server guys.

In a smaller organization, if you're required to wear many hats, then it might be more applicable to have the MCSE, along with the CISSP.

How much experience do you have in the IS space? What are your career goals? Do you want to work in a small company or a big company? I think you first need to get very clear about what your objectives are before you can make goals.

The path you have would probably make you a great network admin...or maybe a operations person. If I were hiring (at my current company), I would think you're too technical and not business enough for information security. The IT industry itself is changing - it is no longer the best techie that gets ahead...it is the best "versitalist" that gets ahead. You need business skills and technical skills. In my organization, we hire people skills first, because believe me, we can train you on the technology.

Don't get me wrong, operations and network admins are needed. They just are not the high paying, high promotion type jobs they were even a few years ago. If your goal is to be the best techie, please don't let me discourage you - go for it! You'll still make a decent wage...

Just my two cents.

drakhan2002 wrote:

I don't think you really need any of the Microsoft certs if you want to be in Information Security.

Especially if you intend to only work in IBM/Linux/Cisco shops, but then other MCSE-equivalent certs become necessary for IT people. I can see auditors not needing an MCSE or CCSP, but the "trolls in the trenches" certainly will.

jasav32

That is excellent advice drakhan! I have been a frequent visitor to this site and it has been a treasure trove of information so far. Like oldbamboo, I have a degree in Journalism, working an IT Service Desk and have a keen interest in the security field. It's great to hear this up-to-date report on the security industry and requirements for others interested in this type of career. Thanks for all the input.

jdmurray wrote:

Hey keatron, I was reading the page at the link in my previous post and I noticed no mention of needing to be sponsored by a CISSP-certified person as a requirement for the CISSP certification. Am I mistaken in assuming that sponsorship is a requirement, or has this page at the (ISC)2's site just not been updated?

JD. Your link points to the application to sit the exam. The application to actually get the certification is different. That's where the endorsement is required. The certification process is a two part process. 1. apply to take the exam and pass it (if you're allowed to take it). 2. apply for the certification after successfully passing the exam.

drakhan2002 wrote:

mengo17 wrote:

I was thinking:

Sec+ > CEH > MCSA > MSCE > MSCE: Sec > CISSP.

Should I do MCSE before CEH?

I don't think you really need any of the Microsoft certs if you want to be in Information Security. I work at a Fortune 500 bank, one of the largest in the U.S. - most have the CISSP, CISA, or CISM (or a combination). Microsoft is just not a requirement for information security; the MCSE's are the server guys.

In a smaller organization, if you're required to wear many hats, then it might be more applicable to have the MCSE, along with the CISSP.

How much experience do you have in the IS space? What are your career goals? Do you want to work in a small company or a big company? I think you first need to get very clear about what your objectives are before you can make goals.

The path you have would probably make you a great network admin...or maybe a operations person. If I were hiring (at my current company), I would think you're too technical and not business enough for information security. The IT industry itself is changing - it is no longer the best techie that gets ahead...it is the best "versitalist" that gets ahead. You need business skills and technical skills. In my organization, we hire people skills first, because believe me, we can train you on the technology.

Don't get me wrong, operations and network admins are needed. They just are not the high paying, high promotion type jobs they were even a few years ago. If your goal is to be the best techie, please don't let me discourage you - go for it! You'll still make a decent wage...

Just my two cents.

Your environment dictates that you your infosec people have management skills first. A lot of my clients (pen testing) are banks. In a large company such as yours, most people have very specific and defined job roles. I'm certainly not saying MCSE or any other certification is an official requirement for the CISSP, I just recommend it. You don't have to be able to read or speak fluent english to take american literature either, but you'll certainly get a lot more out of it if you can. I poke holes in written security policies every day because the people creating the policies often have no idea what happens when those policies are retro-fitted to a technical control for enforcement (group policy for example).