Hello ISC2
I am a 40-year-old Talent Acquisition professional (recruiter) for a top 10 US Bank (household name) looking to make a career change and enter into the world of Cybersecurity. I have a BA in Psychology and no technical training whatsoever. The majority of my career has been corporate and agency technology recruiting.
I was advised by a Security Executive in my company to study for and take the CISSP exam as he said this would be the most appealing cert to Info Sec hiring managers. Since I don't have the prerequisite work exp to actually become CISSP certified, I realize I would only become an Associate if I pass. I'm ok with that.
Here's my question: should I go straight to the CISSP or are there other (read: easier) certs that I should pursue first? I work full time, have 2 kids and they are home with us full time given the pandemic, so study time is scarce, but I am willing to make adjustments to my life to make it work.
What's my passion, you ask? Ultimately I would like to be as close to the tech as I can be... things like Pen Testing, Red Teaming, Malware Analysis, and the like are very interesting. I have never written code, nor do I have an infrastructure background, but I am not at all afraid to learn. My secondary career choice would be threat intelligence and threat risk management (advising the business as to how to maintain secure operations, etc.) if I were somehow unable to learn the tech. There are Security pros in my bank that would help me transition into their field, so I am extremely lucky in that regard...
Having heard all of this, do you agree with my Security Executive's opinion that I should go straight for the CISSP, or would you recommend starting with smaller or easier certifications? My primary goal at the moment is entry into the Info Sec field. I don't have to step straight into the tech side; taking another role in the field and latticing into the technical stuff would be fine.
Thank you all in advance for any thoughts you have.
You might start by reading ISC's CISSP web page, especially the "Ensure the CISSP right for you" section. CISSP is most definitely NOT a "close to the tech" certification.
@Jack_Burton wrote: Hello ISC2
I am a 40-year-old Talent Acquisition professional (recruiter) for a top 10 US Bank (household name) looking to make a career change and enter into the world of Cybersecurity. I have a BA in Psychology and no technical training whatsoever. The majority of my career has been corporate and agency technology recruiting.
I was advised by a Security Executive in my company to study for and take the CISSP exam as he said this would be the most appealing cert to Info Sec hiring managers. ... Having heard all of this, do you agree with my Security Executive's opinion that I should go straight for the CISSP or would you recommend starting with smaller or easier certifications? ...
Jack,
Your "Security Executive" is an ID10T and has given you TERRIBLE advice. The CISSP is not an entry level certification, and is worthless to seek as an entry point into the cybersec/infosec field. If you were to follow his advice the best you could do is accomplish the test by rote and luck, then spend six years as an Associate of (ISC)2 and then not be eligible to be certified, unless you got a solid security position within a year of passing the exam. [Edited 5/4 to correct the timeline as noted by Alec @AlecTrevelyan below.] You would lose your Associate status at the end of your allowed experience period, and have to start over with a new exam.
Since that "executive" is still above you in the company, remain polite with that person, but ignore any "helpful career advice" coming from that source.
That said, there is value in obtaining the Official (ISC)² CISSP CBK Reference, Fifth Edition and reviewing it to learn the breadth of job types that make up the infosec world. Do not study it as for the exam; read it to learn how and why there are eight domains, and the sort of work that constitutes information security.
Next, go look at the NIST NICE program and in particular their cybersecurity workforce framework for a breakdown of tasks and work in the security field. By combining what you learn from the NICE framework and the (ISC)2 CBK domains, you will be able to determine which area your interests and talents may be best seated in. Then plan your development course of action to learn more about those areas, while also picking up side knowledge in the other fields.
Next, go for advice to people who will know what they are talking about. (I repeat, your "security executive" does not.) If there are active chapters of ISSA or (ISC)2 in your area, join them. Talk to the hands-on security practitioners in your company, since you said they are willing to help you transition. There are many legitimate infosec tasks and jobs that are not hard-line tech, but you do need to understand some aspects of technology to practice in any sub field.
If you wish to build on your psychology education, look at areas in human factors and threat analysis. There is a crying need for social scientists in cybersec/infosec to deal with the people part of our work that many techies ignore.
For formal training and education to enter the field, as well as credentialing that will make sense for your situation (the CISSP does not), consider one of the many master's degree programs available online that are designed specifically for holders of undergrad degrees wishing to transition into the field. For meaningful certifications as formal credentials, CompTIA has a few that are relevant for a basic tech intro, particularly the A+, Network+, and Security+. Even if you work in a non-tech area of cybersec, the basic knowledge of those certifications will benefit you.
Should you be successful in entering the cybersec field, some years down the road the CISSP will become meaningful and appropriate. Should you get the basics of tech and wish to practice in the tech arena, then target the SSCP from (ISC)2 as a goal, after at least the tech knowledge from an appropriate MS or MA degree, or the A+ and Network+ certs.
Please stay active here in this forum with both questions and reports on your progress.
Good luck,
Craig
@CraginS wrote: ...
I agree with @CraginS and his solid advice about building upon your psychology and HR experience. You could be that person that pulls together everything we know or should know about "securing the human".
@CraginS wrote: ...
...
then spend three years as an Associate of (ISC)2 and then not be eligible to be certified. You would lose your Associate status at the end of your allowed experience period, and have to start over with a new exam.
...
...
I'm not sure what you mean by this. Associate status can be maintained for N+1 years, where N is the number of years of experience required to qualify for the full certification. In the case of the CISSP this is 6 years (5 + 1).
I agree that CISSP is probably not the right choice for you at the moment as, for one thing, as per @denbesten's comment, it is not close to the tech at all.
You need to build a foundation that will get you to where you want to be. All the things you mention (pen testing, red teaming, malware analysis, etc.) require fundamental knowledge of how computer and network systems function in terms of both their hardware and software. So my advice to you is to start by exploring learning opportunities that will teach you the basics of those things, such as those @CraginS mentioned, e.g. CompTIA A+ and Network+ (I would also add Linux+ or some other Linux basics certification). Earning these should then allow you to find employment in the field.
Once you have a good foundation and are earning some experience, you can then start to look to move on to intermediate and security-specific training, e.g. CompTIA Sec+ or ISC2's SSCP.
After that you can do more advanced training like eJPT if you want to be a pen tester, but hopefully by this point you will have a clearer understanding of exactly where you want to be and what it will take to get there, and will have the solid foundation needed to be able to achieve it, whether that is earning the CISSP or otherwise.
Good luck!
I understand where your cyber security executive was going by recommending the CISSP, but I think they should have phrased it like this: In your journey you should strive to get the CISSP as it is important to your future success. Here are some recommended posts to look at and ideas to consider:
https://community.isc2.org/t5/Industry-News/Security-Podcasts/td-p/2567/page/2
For the newbies go read The Cuckoo's Egg by Cliff Stoll. This will give you an idea how someone with no computer knowledge can make a big impact on cybersecurity.
https://community.isc2.org/t5/Industry-News/Building-a-cyber-range/m-p/9404#M806
https://community.isc2.org/t5/Career/CISO-to-CIO/m-p/32563#M2423
https://community.isc2.org/t5/Career/Looking-for-Advice-on-Next-Steps/m-p/10406#M886
These are just some to get you started and further encourage you as you start your journey. Welcome to the field.
@CISOScott wrote:
For the newbies go read The Cuckoo's Egg by Cliff Stoll. This will give you an idea how someone with no computer knowledge can make a big impact on cybersecurity.
Full support for everyone in our field reading Cuckoo's Egg! However, Stoll was not "someone with no computer knowledge." He was running the computer system for the observatory, and discovered the initial clue to a problem by reviewing the system logs. Further, he designed and implemented the first honeypot and intrusion alarm on that system, although he did not use either of those names.
Craig
It's become very common for people thinking of entering the security field to look at formal certifications first. In some ways that's unhelpful, as it detracts from considering what you find intrinsically attractive about the work in the field and what those entering it can bring to it from their previous experience.