topic Re: TOGAF Pro's and Con's for complimenting the CISSP? in Exam Preparation

TOGAF Pro's and Con's for complimenting the CISSP?

112NextLevelPro — Fri, 07 Sep 2018 13:18:00 GMT

I'm looking to expand my skillset to encompass Enterprise Architecture. I am currently a CISSP and CCSP in good standing. The TOGAF certification has peaked my interest, but wanted to see what other members thoughts are on this certification and how it compliments what you currently have?

Thank you,

-Ed

Re: TOGAF Pro's and Con's for complimenting the CISSP?

Early_Adopter — Fri, 07 Sep 2018 18:39:53 GMT

Hi Ed, my probably pretty subjective take.

In this neck of the woods(Sotheast Asia) these guys https://iasaglobal.org are seemingly quite active, and I go to a seminar every now and then. I’ve toyed with the idea of studying TOGAF before as well as SABSA which is more security aligned(and complimentary to TOGAF), but I could never justify the time for either as I’ve been working on the software vendor side of the house.

I come across TOGAF in a lot of our customers, i’d say that TOGAF make a lot of sense if your role was dealing with enterprise architecture and it’s methods and frameworks lend it well to the task - also the fact it’s produced by the Open Group means it won’t be going out of fashion anytime soon. It provides potential relief from some of the slapdashery of agile and the lack of proper documentation that it seems to encourage(disclosure I’m a certified scrumaster and product owner, and yes the user stories should be there).

From a hiring/career standpoint for security roles it’s nice to have, but I’d say it’s more it’s own thing/separate requirement. You’d need a reason to build to it unless it was just for fun. Part of me wonders if CISSP-ISSAP as a concentration wouldn’t be more ‘complementary’ to CISSP - I’m going to attend the two day training course prior to congress this year so I’ll report back after October.

Re: TOGAF Pro's and Con's for complimenting the CISSP?

112NextLevelPro — Fri, 07 Sep 2018 19:04:06 GMT

Thank you for your take on this. My whole thing about it is to expand my knowledge but also bring to the table this knowledge to my current organization as from what I have seen here, people were promoted to "Architects" just because, with no real backing against a certifed governing body of being "certified" as an Architect.

Having say that, I felt at least right now, that the CISSP-ISSAP wouldn't be a good step for me as I want to expand my knowledge of "Enterprise Architecture" and have it confirmed against that of industry standards for Enterprise Architecture such as SABSA, TOGAF, ZACHMAN, etc... as you have already stated. Once I am more comfortable with that, I may venture into doing the ISSAP concentration.

As for building this for my career, I feel that adding Architecture to my repertoire would be beneficial as I already am in Information Security dealing with on Prem and Cloud hosted envrionments and having to work with how this is Architectured for the organization. I currently have my CISSP, CCSP, and hoping to add TOGAF v9.2 to that list.

Re: TOGAF Pro's and Con's for complimenting the CISSP?

Early_Adopter — Fri, 07 Sep 2018 19:57:37 GMT

I think that’s very reasonable, a good plan and best of luck with it.

As an aside, I’m always slightly sorry but mildly amused when speaking to architects(the ones that design buildings) on their frustration that the software industry seemingly appropriated their professional title and gave it to people with Visio. If they are good sports I’ll sometime tell them my unofficial title has ‘Architect’ in it. 😉

Re: TOGAF Pro's and Con's for complimenting the CISSP?

Caute_cautim — Sun, 09 Sep 2018 23:32:33 GMT

@112NextLevelPro wrote:
I'm looking to expand my skillset to encompass Enterprise Architecture. I am currently a CISSP and CCSP in good standing. The TOGAF certification has peaked my interest, but wanted to see what other members thoughts are on this certification and how it compliments what you currently have?

Thank you,

-Ed

Interesting, TOGAF belongs to the Open Group http://www.opengroup.org/

I went to an IT Architecture conference in August, originally it was called IT Enterprise Architecture conference, but they deliberately dropped the Enterprise bit, as apparently the Industry has had so many problems with people calling themselves "Enterprise Architect" but in fact they are plainly and simply are not. What I mean is the Open Group offer the ability to become a certified architect at different levels, but having achieved Master Architect level, I cannot then call myself an "Enterprise Architect", simply by having completed my employers own certification program internally, which is recognised by the Open Group i.e. recognised by industry at having reached their standard. And what I mean is there is a whole heap of Professional Giveback, over a three year period, additional evidence for Intellectual Property development, and other means of giving back. So every three years, I have to go through a formal re-certification program, to maintain the level of "Master".

So, I think it is good to obtain the TOGAF certification for awareness purposes, but just be aware, there is a whole heap of additional work to do, to formally be recognised by Industry as a certified Architect or even a "Enterprise Architect".

Previous colleagues, have studied SABSA, and applied the Zachman models appropriately.

I do know my own organisation is formally going through the process for the role of "Security Architect" to being formally recognised, but in doing so, this means obtaining industry recognition via the Open Group.

I suggest you also look at the https://www.scaledagileframework.com/

Scaled Agile Framework, which involves Agile methodology, not only as a culture within many organisations, but also within the context of "digital transformation" but ensure you really do have real Enterprise Architects, who really do understand the business guiding it.

My organisation, regularly develops, architecture methodologies including "Enterprise" approaches, and are aligned to the Open Group certification and career pathway. Being an Architect, is becoming also a career in itself.

Regards

Caute_cautim

Re: TOGAF Pro's and Con's for complimenting the CISSP?

112NextLevelPro — Wed, 07 Nov 2018 03:47:32 GMT

I just want to say that I am officially TOGAF v9 (9.2) Certified as of today. I have to say that I have enjoyed my journey in gaining the knowledge to get this certification. It is helping me focus my direction in security where I think Security Architecture is in my future.

The exam was tough to say the least, but if you are dilligent and read, comprehend, and absorb the material, you will have everything it takes to pass it.

Re: TOGAF Pro's and Con's for complimenting the CISSP?

Caute_cautim — Wed, 07 Nov 2018 03:55:54 GMT

Let me be one of the first to give you a hearty congratulations on your achievement.

Well done.

I and many others would also be interested in how you tackled it and any barriers to obtaining it, you encountered.

Regards

Caute_cautim

Re: TOGAF Pro's and Con's for complimenting the CISSP?

112NextLevelPro — Wed, 07 Nov 2018 04:14:18 GMT

Thank you very much @Caute_cautim. I am greatly honored to have been awarded the TOGAF v9 Certified designation.

To answer your question, I would first have to thank my journey when I received my CISSP a few years ago. In that study period, I was drawn towards "Architecture" where the TOGAF EA was mentioned several times in Shon Harris CISSP All - In - One. After a few years, I decided to go for it and got the materials to start my journey to the TOGAF v9 Certification

The Barriers that I personally came across was my own knowledge of Information Security and how I assmued it would integrate itself into Enterprise Architecture. I also had to drop my foreknown knowledge of certain terms and definitions and had to understand and comprehend what certain terms and definitions are in accrodance to the TOGAF standard.

The material for the exam (purchased from the Open Group) was sufficient enough to pass both parts of the exam. I however supplemented any gaps with video courses from Udemy which helped clarify anything that I couldn't grasp.

From the further research I have done, people who have taken both exams, have stated they have studied on average about 2-4 weeks. This was not the case for me as I have studied about 4-6 hours everyday (10+ on weekends) for almost 2 months, where I really tried to understand the concepts as deeply as possible and have used a lot of the resources available from the Open Group.

Going with the TOGAF over the CISSP-ISSAP was a decision based on visibility in the industry. I haven't seen a lot of job opportunites requesting the CISSP-ISSAP here in the United States unless it is DoD 8570 which I don't and don't perceive to be working for DoD in the near or long term futute.

I know SABSA would have probably better align with Information Security, but felt with the visibility in the industry that the TOGAF has, plus the reasonable pricing for the study material and exam costs made it more appealing for me.

Re: TOGAF Pro's and Con's for complimenting the CISSP?

112NextLevelPro — Wed, 07 Nov 2018 13:49:25 GMT

@Caute_cautim wrote:
@112NextLevelPro wrote:
I'm looking to expand my skillset to encompass Enterprise Architecture. I am currently a CISSP and CCSP in good standing. The TOGAF certification has peaked my interest, but wanted to see what other members thoughts are on this certification and how it compliments what you currently have?

Thank you,

-Ed

Interesting, TOGAF belongs to the Open Group http://www.opengroup.org/

I went to an IT Architecture conference in August, originally it was called IT Enterprise Architecture conference, but they deliberately dropped the Enterprise bit, as apparently the Industry has had so many problems with people calling themselves "Enterprise Architect" but in fact they are plainly and simply are not. What I mean is the Open Group offer the ability to become a certified architect at different levels, but having achieved Master Architect level, I cannot then call myself an "Enterprise Architect", simply by having completed my employers own certification program internally, which is recognised by the Open Group i.e. recognised by industry at having reached their standard. And what I mean is there is a whole heap of Professional Giveback, over a three year period, additional evidence for Intellectual Property development, and other means of giving back. So every three years, I have to go through a formal re-certification program, to maintain the level of "Master".

So, I think it is good to obtain the TOGAF certification for awareness purposes, but just be aware, there is a whole heap of additional work to do, to formally be recognised by Industry as a certified Architect or even a "Enterprise Architect".

Previous colleagues, have studied SABSA, and applied the Zachman models appropriately.

I do know my own organisation is formally going through the process for the role of "Security Architect" to being formally recognised, but in doing so, this means obtaining industry recognition via the Open Group.

I suggest you also look at the https://www.scaledagileframework.com/

Scaled Agile Framework, which involves Agile methodology, not only as a culture within many organisations, but also within the context of "digital transformation" but ensure you really do have real Enterprise Architects, who really do understand the business guiding it.

My organisation, regularly develops, architecture methodologies including "Enterprise" approaches, and are aligned to the Open Group certification and career pathway. Being an Architect, is becoming also a career in itself.

Regards

Caute_cautim

In my studies and jouney to getting the TOGAF Certification, I have learned, that where EA and Agile are, are at 2 different levels of the organization. Enterprise Architecture is at the Business Level, Agile is at the Business Unit Level. Also, The TOGAF is actually Agile in it's Architecture Development Method (ADM) where the approach may be iterative as well as responsive enough to have deliverables and component roadmap items to show Stakeholders their needs and concerns are met with Incrimental transition states.

Re: TOGAF Pro's and Con's for complimenting the CISSP?

Early_Adopter — Wed, 07 Nov 2018 05:43:18 GMT

Congratulations!

Re: TOGAF Pro's and Con's for complimenting the CISSP?

Krisboike — Wed, 07 Nov 2018 19:18:21 GMT

I too am a CISSP and CCSP. I have the TOGAF and ITIL certifications and feel that they complement the demonstration of expertise and experience I have very nicely. It shows the full lifecycle from the beginning of architecture, portfolio, application design, engineering, build, test, operate, run, through decomm. It's been well recognized by my employer and auditors.

Re: TOGAF Pro's and Con's for complimenting the CISSP?

112NextLevelPro — Thu, 08 Nov 2018 14:50:16 GMT

I'm looking at closing out with the HCISPP since I will be studying this certification with my brother. I am however, looking at either doing my Masters in Cyber Security, AWS Certified Solutions Architect, or CRISC and that I will be finished.

At one time, I was looking at ITIL, but the organization I work for, people who say they are ITIL certified here don't follow through or actually practice it. If my next (future) organization sends me to training for it, I'll do it, but not a motivator for me. I did the TOGAF to expand on the architecture side of the house, and also to solidify that I have knowledge and background in Enterprise Architecture. Unfortunatley again, the other "architects" here down play my certification since they seem to hand out that title here, so I know this cert will help me somewhere else.

Re: TOGAF Pro's and Con's for complimenting the CISSP?

Caute_cautim — Thu, 08 Nov 2018 18:50:08 GMT

Lets get down to the real truths here: If I offend any,one this was not my intention:

The name Enterprise Architect, from my recent experience locally at an Enterprise Architect conference, was a) it was not named Enterprise Architecture Conference, they removed the name Enterprise. b) There have been too many people assuming the title and therefore the role of "Enterprise Architect", but in fact the reality they are Technical Architects, with no actual practice in the 'art". One question asked during the conference, is there any practitioners under the age of 35 years old. There were none - it takes business acumen and associated experience, plus to prove you really are entitled to the title - then go for Open Group industry certification. It's rather like me being being an Instructor for Team Solution Design or Architectural Thinking courses within my organisation - there are mandatory courses for people wanting to be practitioners, but we still have to go through real certification processes, before we become recognised as actual architects. We cannot simply call ourselves Architects, unless you have been formally certified and recognised as such. Plus every three years, one has to go through formal re-certification to verify good standing and practicing the art in the "buff" in reality with actual real scenarios as required by the Open Group, who run the TOGAF certification examinations etc. Obtaining TOGAF certification is a good start, a good baseline, you can now understand what an Enterprise Architect should be doing and working within an organisation, and recognise short cuts and failings etc.

My organisation creates and develops many methodologies, which our IP, but often we find clients like the techniques so much they adopt themselves. Team Solution Design is a pre-sales approach to ensure a consistent approach within many groups, so we have reference architectures and actively use to speed up the process of Solution Design and engagements. Architectural Thinking, is getting down to the real plumbing, the thinking about how to look at many different perspectives, how to turn an idea into reality by going through the process and adopting different methodologies appropriate for the situation you are dealing with - regardless of whether it is Service Orientated Architecture, Agile Methodology, DevOPS etc etc TOGAF is a recognised methodology. and accepted during an engagement, but often you will find specialist areas, which requires an appropriate response. Enterprise Architecture keeps you in alignment with the business direction and objectives of the organisation - but there are many so state they are "Enterprise Architects" but in reality they are not.

The same principles apply to Security engagements. It is fantastic that you have achieved TOGAF certification, it provides a good knowledge baseline - now if you are serious, go practice it and go for full certification as an architect, then you will have full respect and recognition in the field as a practitioner.

Regards

Caute_cautim