topic Re: MENTOR NEEDED in Career Discussions

MENTOR NEEDED

ISTREDD — Mon, 24 Dec 2018 00:50:22 GMT

GOOD EVENING,

I am currently a Marine holding the job of an Information Security Technician. I have only been doing this job for a little under a year, but I know this is a Career Field I would love to continue once I retire in 9 more years. The CISSP is something I keep hearing about, but I'm clueless.

I would love a mentor in this field. I would love a brain to pick.

How much does this cert cost?

best study materials?

do I need the five year experiance to test?

what other certs do you recommend in order to secure an high paying job?

Re: MENTOR NEEDED

kaojo1776 — Mon, 24 Dec 2018 01:37:10 GMT

Hi:

First let me say a big thank you for your service. I am happy to answer your questions and help mentor you as I'm currently CISSP certified. Send me an e-mail at: kehindeandann@gmail.com

Thanks.

Re: MENTOR NEEDED

denbesten — Mon, 24 Dec 2018 05:30:48 GMT

You might consider first obtaining your SSCP, It is a precursor to CISSP the requires only 1-year experience and is more "technician". After achieving SSCP, you could then use your study time for CISSP to partially fulfill the continuing education requirements for the SSCP.

The CISSP has a 5 year experience requirement and is more "Management" (people, not systems). Although you could sit for the CISSP exam today, you could not apply for the certificate for another 4 years. During that time, you would instead need to go by the title "Associate of (ISC)²", which has very little resume value.

Re: MENTOR NEEDED

rslade — Mon, 24 Dec 2018 19:08:42 GMT

> ISTREDD (Viewer) posted a new topic in Career on 12-23-2018 07:50 PM in the

> I am currently a Marine holding the job of an Information
> Security Technician. I have only been doing this job for a little under a year,
> but I know this is a Career Field I would love to continue once I retire in 9
> more years.

I particularly remember one Marine I taught. I recall him as being very polite ...

> The CISSP is something I keep hearing about, but I'm clueless.

You got here, didn't you?

> I
> would love a mentor in this field.

Hmmmm. About all I could offer you is "do as I say, not as I do" 🙂

> I would love a brain to pick.

I may have one around here someplace, but I'll have to shift the piles in order to
find it ...

> How much
> does this cert cost?

For that, you have to ask ISC2 ($600? $800?)

> best study materials?

Search on the word "study" and read those threads.

> do I need the five year experiance to
> test?

Not to test, as such. But, hey, you've got nine years to go before you need it ...

> what other certs do you recommend in order to secure an high paying job?

I used to tell my classes that if you want to get a job tomorrow, go and take a
SANS course. If you want to still have a job in ten years, get the CISSP.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
The brain is a mass of cranial nerve tissue, most of it in mint
condition. - Robert Half
(technically completely wrong, but you get the idea - rms)
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: MENTOR NEEDED

CyberLead — Sat, 27 Jun 2020 03:08:18 GMT

Semper Fi!

I also thank you for your service. I was a squid in the 70's, but despite our differences, I'm still willing to help a jar-head today 🙂

Since you're on active duty, you have free training resources available to you. In addition to what’s available through the official training resources of the U.S. Navy and Marine Corps, the Veterans Administration and the Department of Homeland Security joined forces a few years ago to develop an online training portal under a program called "Hire Our Heroes." The original idea was to encourage vets to pursue a career in cybersecurity, but the intended audience has grown since then.

Vets can still signup using their personal email address, whereupon they're granted an account upon verification of their service. However, for you it's important to note that it's now open to any US government employee or contractor with a government email account, so your dot mil should get you in. (As a contractor, I use my dot gov email, but as a Vet, I originally signed up with my personal email. A government email account gives you access to a few more classes that, while still unclassified, are a bit more sensitive in subject matter.)

It is known as the FedVTE site, but you might want to go to this website first for more info: Hire Our Heroes.

There are dozens of on-demand training courses. The videos are recorded classroom sessions wherein an instructor, such as @Ben_Malisow from (ISC)2, taught the CISSP Boot Camp. The videos captured the instructor's talk, the slides as they were presenting, and the Q&A with the students. You needn't take notes because every spoken word is captured and transcribed into an accompanying PDF file.

Personally, I've completed about two dozen courses over the last few years. Upon completion of many of the courses you can take a test. Passing the test results in a certificate from the U.S. Department of Homeland Security, which will be in your official transcript and you can download any time. I don't know what the official USMC annual training requirements are anymore, but some of these classes may satisfy them; you'll need to check with your command.

Besides the fact that it's free, the on-demand format enables you to learn on your schedule. I typically set aside an hour or so, a couple of evenings a week after chow and household chores. I sit in my living room, open my laptop, login, and learn something. (It keeps me current, and by limiting it to an hour or so, keeps my wife from complaining about being a “training widow”)

Under constant refresh, older versions of material are replaced with newer ones, although sometimes the class you're watching may have been recorded a few years ago. Watching Ben's CISSP training a few years ago gave me the confidence to sit for the exam, which I passed easily in half the allotted 6 hours (it's shorter now), so I can personally attest to the value.

Please note that passing the on-line test for a course like the CISSP will get you a certificate from DHS, but that is not the same as taking a PearsonVue test from (ISC)2. The latter exam is the "official" one, as far as (ISC)2 is concerned, and much more comprehensive. The FedVTE DHS test is more of a knowledge check.

As for your requests and questions, other members have given you valuable answers, to which I'll add my two-cents…

"I would love a mentor in this field. I would love a brain to pick."

Others have offered this; my advice is to follow up with them. You're also welcome to communicate with me, although whether I have a brain is a subject of much humorous debate with the folks who work for me. Since you were willing to take the risks inherent in your current profession, you probably won’t shy away from the risk of talking to me. Send me a direct message and I'll give you my personal email address and phone number. I've spent many years as a consultant with many U.S. Government clients, including the USMC, so I speak Marine. I'm currently the Cybersecurity Program Manager (contractor) for a civilian agency at their DC HQ, so I work some exceptionally long days, often seven days a week. Accordingly, I may not respond immediately, but I will respond.

"How much does this cert cost?"

The "cost” of the certification isn't a straightforward answer. Many people take a 40 to 45 hour "boot camp" - trust me, that term means nothing like what it does to you and me, you won't spend weeks being screamed at, enduring loss of sleep, doing push-ups, running an O-course, or marching in bad weather. These are called boot camps because they are short, intensive training sessions to prepare people for the certification exams. They're not exclusive to the CISSP; many companies offer them for a variety of certs.

The cost varies considerably. Here in the Washington, DC area, they typically sell for $3,000 to $5,000 or so, for live instructor-led classroom training (the dead instructors are less, but not responsive to questions). Typically, classes are either taught in a Monday through Friday 8-9 hour per day format, or 5 Saturdays. Depending upon the company, this may include a voucher for the exam. Right now, the exam costs $700.

You’re not required to attend a boot camp in person. Many organizations, including (ISC)2, offer video training too, which can save a few thousand dollars. Nor is there a requirement to take one of these at all, I work with a fellow who passed the exam the first time after just reading a book, but he’s the exception. It’s important to understand that the boot camps don’t teach you cybersecurity, they teach you how to pass the exam, which is a remarkably different thing.

If you’re not comfortable with the underlying principles of cybersecurity or with certain technical aspects, such as hashing and encryption, or legal aspects such as due diligence and due care, you’ll probably have a hard time with the exam, and may fail it. Failing is expensive, because you need to pay the $700 each time you take the test.

So, if you want to take a boot camp, first check with your command. They may have arrangements with training providers for low (or no) cost classes. You may also be able to get the USMC to pickup the cost of the exam; again, check with your command. The DoD classifies the CISSP as meeting the requirements for Information Assurance Manager (IAM) Level III, the highest level of certification required to work on DoD projects and programs, under DoD requirement 8570.1. Check this Navy webpage: US Navy DoD 8570 Info.

An additional on-going fee is known as the Annual Maintenance Fee (AMF). My wife handles the finances, both business and household, so I don’t track these expenses myself, but I believe they’re $85 a year nowadays.

“Best study materials?”

Beyond those costs, many people invest in books and practice tests, and determining what is “best” is very subjective. There is a great deal of debate on these forums and elsewhere, as to the quality, accuracy, and relevance of said training material.

To anyone else reading this post, I don’t want to open a Pandora’s Box of evils by suggesting something here which they may disagree with, thus bringing that debate to your post. My information is my opinion, and I’m not claiming it as an authoritative recommendation.

With that said, I personally recommend officially sanctioned training material from (ISC)2 – it’s their program, so they know exactly what’s important. They publish, among other things, a Common Body of Knowledge (CBK), flashcards, and other material through their on-line store. Personally, I got the most value from reading the “CISSP for Dummies,” which although from a 3rd party, is also available on the (ISC)2 website. The one book I recommend that is not on their website is the “11th Hour CISSP.” Finally, although I didn’t use the “Official (ISC)2 Guide to the CISSP CBK” to prepare for the test, I keep a copy of it around as a reference book.

I found these two books were more than adequate for exam preparation, but neither one is a comprehensive tome on cybersecurity. Personally, I didn’t need to learn the material, I wanted to know what the test was going to throw at me, because I heard from other very experienced professionals who failed the test and were surprised by it.

As for practice tests, I purchased several and found fault with most. I read posts elsewhere that detail the experiences of others, so I recommend you look for them and read them. My issue with many was that they didn’t reflect a few (ISC)2 basics. For example, on the test you won’t see a question or answer about a “VM;” an (ISC)2 test will always spell it out as a virtual machine, the same is true for a database, you won’t see “DB” on the exam.

(ISC)2 is also international in scope, so you won’t see a question or answer about DoD 8570.1, since that is specific to the U.S. Department of Defense, something a citizen of another country may not know, nor need to know. Albeit, you may see a reference to the U.S. National Institute of Standards and Technologies (NIST) even though it is a U.S. Government organization. That’s because the adoption of the free NIST Special Publications and other materials (“best practices” according to many) is international in scope.

(ISC)2 is also vendor-neutral. You won’t see a question about VMware’s ESXi, or Microsoft’s Hyper-V, but you may see questions about hypervisor security. Unfortunately, the practice tests that I tried almost always had a U.S.- centric bias, and/or included questions about vendor-specific products. My feeling is to stick with (ISC)2 approved material, so I’d go with the “CISSP Official (ISC)2 Practice Tests,” and the official (ISC)2 flash cards, as a good way to test your knowledge.

Admittedly, my circumstances going in to the exam may have colored my recommendations; I have several decades of hands-on experience in every topic in the CISSP’s Security Domains and didn’t need to learn anything new to pass the exam.

Thus, I found that the test questions were like the types of questions my clients ask me all the time. The CISSP exam is “a mile wide, and an inch deep.” In other words, it doesn’t go too far into the weeds on any one domain, but it does expect some knowledge of all of them.

“Do I need the five years of experience to test?”

No. You can sit for the exam whenever you’d like. To quote the (ISC)2 website: “A candidate who doesn’t have the required experience to become a CISSP may become an Associate of (ISC)² by successfully passing the CISSP examination. The Associate of (ISC)² will then have six years to earn the five years required experience.”

However, while those are the minimum requirements, let’s consider your next question.

“What other certs do you recommend in order to secure a high paying job?”

My advice to anyone considering pursuit of this—or any other—certification is to stop for a moment and think.

Think about yourself, are you the type of person who’d want to lead a cybersecurity program, or follow the leadership of another?

Think about your career goals, do you want to be in a managerial role, dealing with business strategies, budgets, and organizational politics, or would you be happier working with the technologies, the processes, and applying tactics in the cyberwarfare battlespace, either offensively or defensively?

Think about your personal life, and perhaps your family. Do you want to work in a Security Operations Center, that’s manned 24/7/365, with the toll that takes on health and families, or would you prefer the stabler worlds of cybersecurity compliance, cybersecurity policy, or testing?

Think about your strengths and weaknesses, along with your personal interests, the things that light a fire in your soul. Do you want to investigate things, perform forensics, test new or existing technologies, work in a lab, develop new types of encryption, or teach others how to be secure? Would you prefer to focus on protecting Information Technology (IT), Operational Technology (OT), Cloud technology, or some combination of these?

Think about your financial goals and requirements. Does the idea of a steady paycheck and benefits appeal to you? If so, working for a private company or government agency may be the best choice for you. If you’re willing to risk dry spells without a paycheck (admittedly rare and brief these days) and go without paid vacations, or sponsored insurance, but with high billable rates that are double or triple the typical W-2’s, then consulting may be the way to go. It takes years to build up a client base, and may involve a lot of travel, but depending upon your personal values, the payoff may be enough to justify it...and you get to meet some really cool people and travel to really neat places 🙂

These are some of the many areas of cybersecurity, and your answers will guide you toward the most applicable training and certifications to pursue.

@denbesten invited you to look at the Systems Security Certified Practitioner (SSCP), and I agree with him. According to (ISC)2 this pertains to the realm of “Security administration.” In comparison the CISSP is a “leadership and operations” certification. I’ve seen Generals, Admirals and civilian CEOs and COOs take the boot camp to get the CISSP, alongside technicians, engineers, system admins, and some weird people who wander in from the street, lured by the smell of coffee and croissants while looking for a public restroom. All may benefit from having such a highly regarded certification, but it may not be the best application of a person’s time and money.

I don’t want to discourage you from pursuing the CISSP, but if you do, kindly consider a piece of advice I share with the folks working for me. “Wear the CEO hat” when studying or taking the exam. Ben Malisow exhorts his students not to “buy a $10 lock for a $5 bike.” A security guy might want the $10 lock because it is the most secure, but the business guy, the CEO, may not consider it a sound investment to protect the bike, which is a $5 asset. Many of the exam questions will ask, “What is the best…?” or “what is the most …?” correct answer, meaning that more than one answer may be technically correct, but it may not be the best choice for the situation described.

The CISSP is the sexy one, the one that folks talk about. The other certs don’t carry quite the cachet but may be more appropriate for the job you’re doing or want to do. It also doesn’t hurt to have other certs to backup or round out the CISSP. Do you prefer working with risk management, such as the Risk Management Framework (RMF), as part of a good cybersecurity compliance program? If so, attaining the credential of a Certified Authorization Professional (CAP) might be a better choice.

Would you like to focus on cloud security? Consider becoming a Certified Cloud Security Professional (CCSP). I passed the exam for this in October 2018 and have been undergoing the endorsement process for the last 10 weeks, I should be getting the confirmation email any day now.

I don’t know what your definition of a “high paying” job is. Many people in the DC area define six-figure salaries as middle class, but it’s all relative. This is an awfully expensive area. The median household income where I live (in a suburb of DC) is $130K and some change. That’s a good income but it’s the median, so it sits right in the middle of the bell curve, neither high nor low. I encourage people to come into this profession for the reason you stated, “…I know this is a Career Field I would love to continue once I retire…” While there can be substantial financial remuneration, if money is your primary motive, there are other professions that pay better.

Regardless, I hope you’ll find a useful nugget or two in here, please feel free to write to me directly with further questions.

Re: MENTOR NEEDED

Ben_Malisow — Thu, 27 Dec 2018 14:19:35 GMT

Wow. If there is an award for Best Post On This Community, this one should win it, hands down (and not just because it mentions me favorably). This is well thought-out, informative, and comprehensive....Lloyd, you've outdone yourself here, sir. Anyone looking for info about certs, studying, and materials would be well-advised to read and heed.

Happy new year, all. Yes, even those of you from inferior military branches like the Navy and Marines.

Re: MENTOR NEEDED

CyberLead — Thu, 27 Dec 2018 16:27:37 GMT

Thank you very much, @Ben_Malisow. I appreciate the compliments and am humbled by them, even if they do come from an Air Force slacker 🙂

Re: MENTOR NEEDED

ISTREDD — Fri, 28 Dec 2018 18:34:42 GMT

Hello is there anyway I can get your contact information to call you later?

Re: MENTOR NEEDED

CyberLead — Fri, 28 Dec 2018 22:50:35 GMT

I just sent you a private message.

Re: MENTOR NEEDED

Caute_cautim — Sat, 29 Dec 2018 05:57:29 GMT

@CyberLeadThis response should be used as a template for others and I personally thank you for putting a great deal of effort into making the time to put together a very well considered response. You should be congratulated for this response. It certainly should prove very useful to the requester and many others.

Remember also that there is a global cyber security practitioner shortage, which will only increase over the next few years. My organisation also takes on Veterans in the USA, and we find often due to the calibre of the training and discipline associated with their service - that often they are the ones who can take charge calmly in a tense situation, whereas many others will run around like headless chickens. Many of those veterans have becomes leaders in their fields, so don't think that when age comes around, that you have to stop - step into the Private World, your skills will be put to good use for a long time yet.

Well done

Regards

Caute_cautim

Re: MENTOR NEEDED

CyberLead — Sun, 02 Feb 2020 15:24:29 GMT

@Caute_cautim,

Thank you sir. I am humbled by your compliments and between your post and Ben's, my wife has cautioned me about not letting them go to my head! 🙂

Your posts are well-thought out, and indicative of an insightful intellect.

I'm glad you raised the point about what veterans may bring to the table. My experience, both in the service and later as a civilian consultant, reinforced my belief that the military typically gives young people (very young, in my case) a tremendous amount of responsibility, including the ultimate responsibility for human lives. The reason – in my opinion – why this works more often than it fails is due to the relentless amount of training each warfighter receives. Throughout their career, regardless of their role, ongoing training is a fact of life. In my experience this appreciation of the value of persistent training is not recognized as readily in the civilian world – be it civilian public or private sector.

Re: MENTOR NEEDED

Caute_cautim — Sun, 30 Dec 2018 04:58:21 GMT

I know that feeling, I have a wife with similar wisdom, who keeps me grounded. I spent 20 years in the UK Government myself, traveling all over the world, before my wife challenged me, suggested as I was going no where, to go into the Private world. I joined Marconi SecureTrust, as their Principal Security Consultant, which led to opting to migrate to New Zealand, where IBM literally picked me up and where I have developed ever since - a world of ever increasing of engagements, learning and innovation. Where development is driven by yourself, and deliberately challenged regularly to assist others and develop those coming up behind us.

@CyberLead wrote:
@Caute_cautim,

Thank you sir. I am humbled by your compliments and between your post and Ben's, my wife has cautioned me about not letting them go to my head! 🙂

Your posts are well-thought out, and indicative of an insightful intellect.

I'm glad you raised the point about what veterans may bring to the table. My experience, both in the service and later as a civilian consultant, reinforced my belief that the military typically gives young people (very young, in my case) a tremendous amount of responsibility, including the ultimate responsibility for human lives. The reason – in my opinion – why this works more often than it fails is due to the relentless amount of training each warfighter receives. Throughout their career, regardless of their role, ongoing training is a fact of life. In my experience this appreciation of the value of persistent trading is not recognized as readily in the civilian world – be it civilian public or private sector.

Regards

Caute_Cautim

Re: MENTOR NEEDED

CISOScott — Mon, 31 Dec 2018 14:24:25 GMT

@ISTREDD wrote:
GOOD EVENING,

I am currently a Marine holding the job of an Information Security Technician. I have only been doing this job for a little under a year, but I know this is a Career Field I would love to continue once I retire in 9 more years.
what other certs do you recommend in order to secure an high paying job?

Since others have addressed the other points in your post let me address the one that stood out to me, the part about securing a high paying job. I have seen plenty of people go into this field because of the anticipated great money they would be making only to find themselves going to a well paying job that they hated. Don't be one of them. If this is truly your passion and you love it know that you will be taking on a mantle of continuous learning. You will have to learn about emerging technology, read constantly to stay abreast of new attacks and strategies to mitigate them. If you want to become really good at it you will also need to return to the community and help others.

If you become good to excellent at what you do the money will come, if you apply yourself. Learn not only information security stuff but also learn management skills. If you are retiring from the Corps you should have risen to levels of leadership along your path. Since you have 9 years left see how far you can rise and how many management duties you can take on. DO NOT acquire short-timers disease. I have seen promising future careers shot down by this serious affliction. Take advantage of the Command Training Center (CTC) facilities on your base. I know I worked at one USMC base and the service members had to use the CTC at another base 45 minutes away. I offered it to several of my directs and only a few took me up on it.

If you want to become really successful in this field you have to get away from the mindset that security is a stop sign and needs to be more like a speed bump You will have to come up with innovative ways to provide security with the funds/resources/talent level you have. Also do not get locked into the federal government's compliance mindset. Compliance does not always equal security but security can be compliance if applied correctly.

There should be numerous other free resources so ask around. I know that the NKO (Navy Knowledge Online) used to offer skillsoft courses for free, used to pay for certification fees, and had other free resources. The MCCS main library online used to offer access to online resources like Safari books online and books 24x7.

Read management books to learn to start thinking like management because to become successful in this field as a CISO (if that is where you want to be) you will need to be able to balance security requirements versus management abilities/resources. You didn't mention salary ranges you were looking to land in so it makes it hard for us to know what you consider high paying. When I was only making $5/hr back in the day, $10/hr was a high paying job to me. You can find plenty of analyst type roles in the $50-75$K range. Management can take you over the six figure number. Gov Contractors and consultants can also provide high pay (6 figures) with a trade-off of stability.

Hope this helps.

Re: MENTOR NEEDED

TimJing — Thu, 07 Feb 2019 21:32:01 GMT

I tell all the young guys in this field to:

Be curious.

Watch or podcast Security Weekly.

Learn the value of scripting and parse logs.

Re: MENTOR NEEDED

Caute_cautim — Wed, 13 Feb 2019 21:01:51 GMT

If only logs were available all the time - often the periodic statement is made - but we don't collect logs....