Certified Security Professional

EC Council && C|EH, Cisco && CCNA Sec, (ISC)2 && CISSP:
Earlier this year I was able to take and pass C|EH, Certified Ethical Hacker, from EC Council.
The insight this course (thank you, Sean Hanna) and certification gave me is invaluable to my career.
Although I have been working in many small elements of Information Security for some years, I have only just started directing my career that way.

I have been responsible for the application of security policies but not responsible for those policies themselves. So, over the next few years, I wish to build up a reputation internally for that and gain a significant amount of experience as I go.
The final “Gold Standard” will be obtaining the CISSP from (ISC)2, the International Information Systems Security Certification Consortium, if you were wondering. This is a mammoth task though and I am expecting it to be difficult.
The C|EH wasn’t easy but covered a lot of ground I already had experience in. CISSP covers a vast array of security-related issues, as indeed does C|EH. But the latter is an in-depth certification, a concentration on a specific topic: active pursuit of the methods employed in hacking and related activities and their application, similar to Penetration Testing. CISSP is broader; some say that it is “an inch thick and a mile wide”.
Just looking at the ten domains published by (ISC)2 as being covered by the CISSP:

  1. Access Control
  2. Telecommunications and Network Security
  3. Information Security and Risk Management
  4. Application Security
  5. Cryptography
  6. Security Architecture and Design
  7. Operations Security
  8. Business Continuity Planning and Disaster Recovery Planning
  9. Legal Regulations, Compliance and Investigation
  10. Physical Security

If you’re an expert in all those then you should already be at least a senior security manager and probably more likely a CIO. All of this constitutes the Common Body of Knowledge or CBK.
CISSP requires years of vouched-for experience in at least two of those domains, an exam, and a reference from another CISSP.
First Step:
As has been stated, I have decided to start with the C|EH. The main reason was to learn something entirely new while building on knowledge I already had. The course has provided direct skills and knowledge (which will need to be maintained and built on constantly) that I can apply in my job.
Proving that I can start down this path was important to me. I have tried to specialise several times but work commitments or changes in structure, product base or vision have stalled each of those attempts. But security is never going to be removed from the list of requirements and applies to any product, vision and in every corporate structure.
This seems like an obvious career move.
Moving Forward with C|EH:
My plan is to apply the C|EH knowledge directly in my job, changing business practice in the process. However, that must be tempered by the need to continue with my current remit and also to move slowly towards CISSP. As that will take several years, I plan in the meantime to learn skills I can directly apply in my business, via a vendor-specific certification: CCNA.
Cisco Certs:
As Cisco are synonymous with security architecture, it makes sense to move towards understanding their products. As I have no direct experience I will have to start from the ground up. I obviously would love to get the security certification but must start with CCNA, Cisco Certified Network Associate. That alone will take up most of the next year. With that I can start to understand and analyse our existing configurations and then move towards CCNA Sec thereafter, allowing a more solid understanding of how to secure and monitor systems for integrity and confidentiality.
Continuing the Journey:
At some point thereafter I will try for the CISSP. This in itself will provide a backbone to hopefully allow me to advise on a wide range of security matters, as well as perhaps keeping my specialist areas of interest: message, web and application security.
Each of these steps requires an examination, and therefore significant study. But even after all this I will need to keep the Certs, and that means, in all cases, Continuing Education. There are many ways of achieving this: attending seminars, more exams, etc.
I hope that I will be able to “share” hits on the requirements and re-Certs as I go on, but this is a 5-year plan!
EC Council
Sean Hanna
CISSP All in One Exam Guide

About harlekwinblog

"Thoughts of an idle mind." Information Security professional.


4 thoughts on “Certified Security Professional”

  1. I'll flick this through to Alan. He got CISSP certified before we left the UK and ran courses for IBM. He may have some stuff that could help you 🙂

    “If you’re an expert in all those then you should already be at least a senior security manager and probably more likely a CIO.”

    Lol – unless you emigrate to New Zealand – in which case your career is stuffed 🙂

    Posted by Avalon | 2011/08/23, 12:15 pm
    • Majorly impressed. Except about the NZ/Stuffed bit.
      I’m worried about my experience levels TBH but I’ll carry on reading the book (see references in the article) and then make a decision on whether I meet them.
      As I don’t have a degree I am looking at 5 years experience to get CISSP.

      Posted by harlekwinblog | 2011/08/23, 1:17 pm
  2. CISSP is certainly very valuable – however it’s lost some of the ‘gold standard’ luster it had a few years ago. The specialisms particularly are just certs for $$.

    You can work through the study material etc and get an associate membership – which means you passed the exam yet don’t quite have the years of IT experience.. If you’ve done Security stuff in an operational & policy sense part time for years that still counts. Worth looking out for the individual projects that broaden your coverage. There’s bound to be a BC/DR project underway somewhere that would benefit from further involvement.

    If you’re looking at the Cisco certs, then it’s also worth considering all the SANS courses & exams.. They even have a CISSP Prep course these days.

    Cisco = Security Architecture ~cough~ Just like McDonalds = Really Healthy Food. Sure they both have a passing acquaintance, although Cisco is not really synonymous with effective security.. Try finding someone who’s successfully implemented their NAC first time without lots of pain.

    Seriously though, a fair bit of CISSP is the Gospel according to ISC2. Not necessarily what you’d do in the real world based on experience. But then every exam has some level of subjective opinion. CISSP is no exception.

    Recommended Reading;
    Simon Singh’s The Code Book – the crypto section of CISSP is fiendish and having interest piqued by some real history can help. Of course if that pings your interest go with Cryptonomicon for a tangential view of history there.

    Krutz & Vines “CISSP Prep guide” All in One (aka gold edition) is much better than Shon Harris also.. I used that as my primary exam prep guide. Although at the time it was that or Shon Harris.

    Plus the two official ISC2 publications, the freebie candidates guide and the paid for official exam guide by Susan Hansche is very good for stretching your understanding.

    Keep in mind not all of the ten domains are equal in weighting when it comes to the exam.. So worth concentrating effort on areas with high weighting especially if your practical experience there is weak.


    Posted by Alan | 2011/08/26, 7:58 am
    • Excellent!
      Thanks for all that.
      Cisco isn’t really an option here, alas. That or don’t bother.
      the idea is to stretch myself and build a role. But I will look to get involved in the tangential projects as you advise.
      Difficult as I don’t currently have any remit to do that. Will speak to Management.
      Already got the Harris book as it was recommended elsewhere several times (by other peeps I know.)
      Me thinks I’m gonna struggle with balancing all this and a ‘home life’.
      Gotta push yourself at some point though.
      Thanks again.

      Posted by harlekwinblog | 2011/08/26, 8:16 am
