Hello, Community! I would like to introduce myself as I plan to be very active. But I also have a few questions that are very important to me, and I think this is a perfect place for some amazing answers.
My name is Dan. I am in my late 20's and I have recently decided to make a career out of Information / Cyber Security. This choice was not easy for me. My background is in Computer Engineering. I tend to pursue many interests; so while software engineering, hardware engineering, programming, robotics, etc. are VERY dear to me (and I will dabble in them still), I think Information / Cyber Security is what I want to do. I am leaving the military to pursue my passions and to really have the freedom to unleash myself professionally. Lucky me, I have been doing IT and Information Security already for 5 years. A couple years ago, I passed the CISSP exam and last year, I finally had the experience to take the title! It felt and still feels great! I feel really lucky to be part of such a great organization, shared by so many amazing professionals that have the opportunity to do so much good in this world.
My first question: I decided public-sector work isn't my cup of tea. I guess I'm not entry-level, but something about going from public-sector to private-sector makes me feel unprepared and new. I have learned to dress myself. I am learning how normal people network. I have put the military-unique stuff in the past. A few good first steps, but still. My question is, what advice would you give a young-ish Information Security professional if they told you, "I want to be an ISO. I want to be a CISO. I want to be one of the best. And I want to earn my way into a position to, one day, give back to the field" ?
To shake off some of the unprepared feeling, I am going after more certifications. I have been reading all the magazines and two certifications really stood out to me; the CCSP and SSCP. I bought what books I can for both; CBKs and Official Guides (Sybex), exam guides (Gibson and Carter), and an official practice test for CCSP.
Question 2, what resource did you find most valuable for learning the material and successfully passing the CCSP?
Question 3, what resource did you find most valuable for learning the material and successfully passing the SSCP?
Thank you in advance! Looking forward to all the great answers.
-Dan
Congrats Dan.
CISO, eh? Keep a sense of proportion and humour, understand that ‘the best’ is subjective, and you will have to balance yourself with regards to what you can do. Try not to burn bridges with people.
I came from a military where I had twelve years of experience, and slowing down your gearing while learning how to cope with ambiguity is going to help you. Play to your strengths, but remember your colleagues going forwards are, on balance, probably more fragile than you were used to, so avoid the ‘have a fight and see who’s right’ frame of mind if you can. Your ability (assumption) to go 18 hours a day for three months won’t bring everyone with you, and you’ll want to slow down eventually.
Attend B-Sides etc., and throw yourself into a few communities.
CCSP was Moshe Ferber’s delivery of the ISC2 sponsored virtual training - still in the chat group a few years later. Textbook was probably OK.
I haven’t done the SSCP, but I’d question why you would want it if you had CISSP and were looking at CCSP. Those are more consultant/manager/architect certs, whereas the SSCP I feel fits more of a SOC jockey, entry-level incident responder. Not saying it’s bad by any means, just that you might spend the time better. Unless of course you wanted to be a SOC analyst or similar.
I’d say most importantly work out who you want to work for and where, then plan your certifications as you do them off that. On joining civvie-strasse for the first time since I was 17 at the age of 30 I took a number of contracts, and moved a lot and it took me three years to find a company I really enjoyed working for, and, I’m still here ten years later.
Couldn't agree more. I'm really glad to say, my experiences have me looking forward to getting away from the military frame of mind. I really value work-life balance and team-building communication skills now, haha.
I think the SSCP certification may just be more of a confidence thing. You're right in asking why I would go for it. I have a lot of management experience, but perhaps not as much technical, hands-on experience as I would have liked. If I am understanding the SSCP material correctly, I was reading some articles about where IT and Information Security lie in relation to each other. Considering that conversation, it may not be a bad certification to have. I think I recall reading that the SSCP exam will be offered online come November of this year? Overall, it doesn't seem as scary as the CISSP exam and could be helpful.
Welcome Dan. I spent 25 years in the government sector. I found that there were a lot of jobs, including security tasks, that were going undone so I volunteered. That gave me the experience I would have otherwise never been given.
Rule #1: Follow your passion. I switched careers 15 years ago to one that I love and I don't feel like I have worked a day since. I feel like I am getting paid to work with, be around, and help people secure their computers. I make more money now than I ever could have made staying in the other field (aircraft painting) and my health is 200% better than it would have been.
Rule #2: Don't be the dept. of No. You have to understand that anyone who comes to you with a request is a customer and they have a need. Your job is to figure out how many options you can provide in order for them to perform that need in a secure manner. Sometimes 1 option is all that is needed. Sometimes you won't be able to find an option that they can afford. You have to look to see how you can help them accomplish their goals if at all possible. Be willing to come up with innovative solutions.
Rule #3: Work on your skills. Not just book learning and certification test taking, but hands-on skills required in the security field. Set up a home lab. Set one up at work if they have any surplus inventory or inventory they are getting rid of. Every place I have been I have always found old equipment to set up an experimental lab or test lab. This will allow you to avoid the trap of "They won't let me touch the firewalls, servers, etc."
Rule #4: In order to make it to the C-suite you need to understand the organizational culture and how to communicate effectively. Do not just work on your information security skills. Work on business skills, giving presentations, the power of persuasion, conflict resolution, interviewing skills, management skills and leadership skills. Yes, there is a difference between management skills (managing things/people) and leadership skills (leading people/organizations). Learn that difference. If your boss is holding interviews, ask if you can join in and watch silently so you can see what it looks like from the other side of the table. Once I did that, my interviewing skills improved drastically.
Rule #5: Perform job searches for the jobs you want now. See what they are looking for and acquire those skills. Periodically perform job searches for the job you want in the future, not just your next job. Look at CISO job applications now and see what they are looking for. Then work on acquiring those skills too. When you get into management, don't be afraid to go back down into the weeds to show someone how to do it a better way or to create a process/procedure if one doesn't exist.
Rule #6: Don't be a jerk. It is amazing to me how many people I was promoted over to get the jobs I got. They were technically qualified, but they were jerks. No one wants to deal with a leader who is a jerk. I didn't back-stab, act in a cutthroat manner or step on people on my way up. Learn the difference between a yes-man and a go-to person. Be the go-to person your boss can rely on and you will be amazed at how fast you can move up. Learn to do the jobs no one wants to do and do them well. Volunteer. Apply yourself. Be eager to learn new tasks and take them on. Be willing to fail, but learn while failing.
I went from a computer operator to CIO in 9 years and to CISO 6 years later. Yes, I moved where the jobs were in order to get the job I wanted. Along the way I served as a Facility ISO, ISSO, and ISSM (ISSO Manager) before moving to the CIO of a small military detachment. I then went to Cyber Division Director, Deputy CIO (at a larger organization) and then to the CISO position. I kept looking for jobs that would stimulate my growth. Now I get paid for what I know, not for how hard I work. Even though I still work hard, my work is not hard.
Having been on the contractor/private sector side of the coin in the DMV for 34 years, I've used a phrase repeatedly when working with DoD/FedCIV: "Hurry up and wait". You have to get used to the stops/starts that are engineered into the Federal bureaucracy of decision making, procurement, integration, implementation, operations, etc. Every one of those layers has managers who are trying to protect their fiefdoms and their future, and you are stepping on their toes because your newfangled tool makes them do something they have no interest in doing. Add in the constantly legislated unfunded mandates and everyone is grumbling like crazy.
We all know that the technology life cycle is about 6 months. DoD/FedCIV is great about stretching that to 10 years. Try conducting a Risk Management Framework assessment on 10-year-old tech, looking the customer straight in the eye and telling them that not only does this fail, it shouldn't be anywhere in a live operation. Truly a challenge.
Getting more certs won't help you navigate this channel any better. It wasn't 'til my 34th year of professional IT work that I even bothered to get a cert. Another long discussion for another time. Short conclusion is I think the vast majority of them are needless and/or ginned up by external political factors.
But it's all still very rewarding and fun. Experience and mentorship are the best way to accelerate your career path. You have started the right way by asserting yourself in this forum.
CISOScott, I really enjoyed your response. I have been reading so many articles recently and you spoke to all my favorite topics. It is really nice to see these themes again and reassuring that I am getting great information. Really appreciate it.
Flyslinger2, hahaha, I have seen a few of those situations and they get me every time. Really is difficult. What is the best solution you have found for customers like that? A customer or organization that has very weak information security while the value of their assets demands that they have decent information security practices. I ask because I have been considering going for an MBA with an Information Security concentration, hoping that will give me the edge there and the C-suite language. I have seen many books dedicated to translating IT/Information Security into business/C-suite speak too, if anyone has any recommendations. Thanks! I'm glad; I am looking forward to finding some mentors.
rslade, I do enjoy lifelong learning. A lot. Great to see others here for that same reason. Always new and interesting information. It is kind of difficult to say which domains I have worked in; military officer-side throws you into everything. When I completed my CISSP resume, I touched every domain except Security Assessment and Testing and Software Development Security, if that helps. Thanks for the readings and forums links! I will check them out.
Dan,
I'd be wary of seeking to be a CISO without the experience to handle the senior-level company officers you'd encounter. Being a CISO is as much about understanding company strategy, its customers, the board and internal politics as it is about understanding the subject matter of InfoSec. You could be an exceptional engineer, fantastic security architect, great strategist and brilliant security programme manager and yet still not make the mark to be a CISO. By taking it one logical step at a time and looking 3 to 5 years ahead, you're far more likely to come across as credible and employable in the private sector.
It boils down to whether they want to obey the law or not, and the chain of command. I know that sounds simplistic, but it really is where it is at.
I try to work with them, because I really do want this to work AND be secure.