EC Council && C|EH, Cisco && CCNA Sec, (ISC)2 && CISSP:
Earlier this year I was able to take and pass C|EH, Certified Ethical Hacker, from EC Council.
The insight this course (thank you, Sean Hanna) and certification gave me is invaluable in my career.
Although I have been working in many small elements of Information Security for some years I have only just started directing my career that way.
I have been responsible for the application of security policies but not responsible for those policies themselves. So, over the next few years, I wish to build up a reputation internally for that and gain a significant amount of experience as I go.
The final “Gold Standard” will be obtaining the CISSP from (ISC)2 (the International Information Systems Security Certification Consortium, if you were wondering). This is a mammoth task though, and I am expecting it to be difficult.
The C|EH wasn’t easy but covered a lot of ground I already had experience in. CISSP covers a vast array of security-related issues, as indeed does C|EH. But the latter is an in-depth certification, a concentration on a specific topic: active pursuit of the methods employed in hacking and related activities and their application – similar to Penetration Testing. CISSP is broader; some say that it is “an inch thick and a mile wide”.
Just looking at ten domains published by (ISC)2 as being covered by the CISSP:
- Access Control
- Telecommunications and Network Security
- Information Security and Risk Management
- Application Security
- Security Architecture and Design
- Operations Security
- Business Continuity Planning and Disaster Recovery Planning
- Legal Regulations, Compliance and Investigation
- Physical Security
If you’re an expert in all of those, then you should already be at least a senior security manager and more likely a CIO. All of this constitutes the Common Body of Knowledge, or CBK.
CISSP requires vouched years of experience in at least two of those domains, an exam, and a reference from another CISSP.
As has been stated, I have decided to start with the C|EH. The main reason was to learn something entirely new while building on knowledge I already had. The course has provided direct skills and knowledge (which will need to be maintained and built on constantly) that I can apply in my job.
Proving that I can start down this path was important to me. I have tried to specialise several times but work commitments or changes in structure, product base or vision have stalled each of those attempts. But security is never going to be removed from the list of requirements and applies to any product, vision and in every corporate structure.
This seems like an obvious career move.
Moving Forward with C|EH:
My plan is to apply the C|EH knowledge directly in my job, changing business practice in the process. However, that must be tempered by the need to continue with my current remit and also to move slowly towards CISSP. As that will take several years, I plan to learn skills I can directly apply to my business, which means a vendor-specific certification: CCNA.
As Cisco are synonymous with security architecture, it makes sense to move towards understanding their products. As I have no direct experience, I will have to start from the ground up. I obviously would love to get the security certification but must start with CCNA, Cisco Certified Network Associate. That alone will take up most of the next year. With that I can start to understand and analyse our existing configurations and then move towards CCNA Sec thereafter, allowing a more solid understanding of how to secure and monitor systems for integrity and confidentiality.
Continuing the Journey:
At some point thereafter I will try for the CISSP. This in itself will provide a backbone to hopefully allow me to advise on a wide range of security matters, as well as perhaps keeping my specialist areas of interest: message, web and application security.
Each of these steps requires an examination, and therefore significant study. But even after all this I will need to keep the certifications, and that means, in all cases, Continuing Education. There are many ways of achieving this: attending seminars, more exams, etc.
I hope that I will be able to “share” hits on the requirements and re-certifications as I go on, but this is a 5-year plan!
CISSP All in One Exam Guide