Viewer II

Manual QA to CSSLP and later CSSIP

I'm currently working as a manual QA and was thinking of doing a career change into CyberSecurity.


My plan is as follows: Take some online courses, and get a Security+.


Then attempt to go for CSSLP - not sure if I qualify. It does say certain software testing experience counts, and I have many years of doing that as a consultant and as a full time employee.

How do I know if my experience counts?


In addition, I'm very concerned about getting a job after getting my CSSLP. I've already gone back to school twice and got two other certifications that were valued in the marketplace, but I get rejected for not having experience in one (my QA experience does not count in that one), and for the other one I have insufficient experience (I have 1 year, but 70% of postings require 5-7 years and the remainder require more than 7 years).


I don't want to now have yet another certification and I'm still unable to make a career change.

2 Replies
Community Champion

I've always felt that the career change probably comes in front of the certification, rather than the other way round. Breaking into security was definitely helped for me by the Security+ back in 2004, but I then went on to do things like AD Admin, Firewall person etc.


I doubt I'd have had the perspective/opportunity to leverage a CISSP or even a CSSLP back then, because certifications are more a formalization of knowledge and skills in the domain, and until you've a few horror stories, funny stories and nice stories in a discipline it's hard to know what to do and to develop the networks.


I'd also recommend deciding what you want to do in the cybersecurity field; defined targets around a role would really help you focus and narrow your targets. 'Go to Siem Reap in Cambodia to see Angkor Wat' is a much more targeted aspiration than 'visit Asia'. Thinking along the same lines, systems auditor, SOC team member and Network Security Analyst are all going to be more tangible than getting into Cyber Security.

CSSLP may map to some of your experience, but then again maybe not. You'll only know if you speak to someone with it, and compare notes. Passing the exam would give you a decent window to get the experience in.


Having said that, the Systems Security Certified Practitioner (SSCP) I think is the best option ISC has now for someone after a career change, and makes more sense for employers if someone is starting out in security. Not taken it myself, but I've heard it's fit for purpose.


Lastly, I've never seen anyone hired on certification alone. Your strike rate on getting interviews via HR consultants probably gets much better if you have it, but if you go to security conferences and join your local ISC chapter it will get you started, and I've seen someone with no experience offered a position just because they did well on 'PowerPoint Roulette' and/or a 'lightning talk'.


Hope this is somewhat helpful, and best of luck with the career refocus.



Contributor II

The thing about (ISC)2 certifications is that they're meant to validate experience already gained rather than open a door at entry level like the CompTIA ones.  That said, I have a CSSLP so I'll answer, incorporating some of what the other responder said.


I've had two QA jobs, but both were at security companies. One made CALEA compliance and intelligence support systems, where I did a lot of manual functional testing. In that job I learned a lot about attacking encrypted communications channels by performing man-in-the-middle attacks, for instance. I've also been a QA lead at a well-known vendor of IPS and firewall systems. We were a much bigger company and so I had more to do, getting involved in lots of formal SDLC phases.


After an acquisition, I went to a customer where I did DFIR, intrusion analysis, etc. Frankly, I didn't like that work much. But while I was there I got my CISSP and a couple of SANS certs. After a couple of years, I made a change into a very specialized field that might interest you, as it is security related but is a lot like doing QA, and that is FIPS and Common Criteria validations. I'd actually had exposure to that while I was at the IPS vendor, as I was in charge from the QA side of our certification effort. It was really easy for me to step into that role as a result.


Right now I'm not doing CC/FIPS things any more, but I work at a different independent third-party test lab. I spend a lot of time working with malware, exploits, etc. in order to validate the efficacy of network security solutions. My job title is actually Sr. Test Engineer, which sounds like a QA title, but I take all the tools and techniques that I've learned from my security-related career and hobbies, including "hacking" stuff, and then apply it in a controlled, test engineering setting to prove which systems are the best at preventing and detecting attacks. It's actually kind of cool.


So, you can go from QA into an information security related field. There are actually a few very specific niches you could move into where it would make sense. However, in the meantime what I'd suggest is actually trying to get a QA job at a security product company so that you can get exposure and contacts in the industry, as that's going to be key to getting jobs down the line and building enough experience to get the certificate. I actually got my CSSLP after I got my CISSP, since I was being encouraged to get the CISSP. I had more fun getting the CSSLP and use the topics there more often, though.

-- wdf//CISSP, CSSLP