I'm hoping for a little advice on how to start my IS career.
I have worked in the IT industry for the best part of 20 years, mainly in 1st, 2nd and 3rd line support. The last 8 have been managing the business requirements for an SME. This is where I have gotten a passion for everything security. For the last couple of years I have been doing as much security work as possible in my current role (user awareness and education, assessing applications and cloud security with help from IT Security SLAs, etc.).
Now, my company has expanded and I have been given the opportunity to get more involved in security. (I must have been doing something right!) My role has not yet been defined, but it seems I will be working closer with our IT Security team (external) and will be the main point of contact within the company.
Because I don't have much experience, the company is putting me through training, but I am likely to be restricted to one course a year, so I want to make the most of that course without tackling something that is going to be too difficult and therefore possibly a waste of time. I am also considering what will benefit my CV, as long term I would like to find a full-time security role.
At the end of last year I sat the CISMP course and exam and passed. I'm now considering the course for this year and I am stuck. (Hence this message.) Everything seems to be aimed at a higher level than where I am. Because I am not going to be technical, I have written off the Security+, but I have been looking at the SSCP. It seems to be a good balance of technical content (which I understand will benefit me greatly) as well as risk management, incident response, BCP, DR, etc.
Am I still aiming too high?
Is there a better course I can sit?
Any other advice from experienced IS professionals such as yourselves?
I appreciate any advice you can offer.
A few questions for you...
1. Have you had this same talk with your supervisor yet? By way of comparison I lead 15 people and really enjoy it when people come to me with such discussions. It further helps me align work and goals for them to their benefit. Since your company digs you and you're getting more work in different roles, your supervisor may have thoughts/suggestions on what course would be good for you -- especially if you plan on staying at that company for a while. You don't have to necessarily do exactly what your boss says but s/he may have some interesting ideas regarding what you posted.
2. What industry are you in? If it's anything affected by 8570, I suggest going for the CISSP. It's undeniable that it gets feet in doors. Not sure if your resume qualifies you yet, though, given what you have posted, but you can certainly take the exam and become an Associate of ISC while building up time toward the full certification. Getting the test out of the way is always a good thing!
3. Regarding your short- and long-term goals and your company's expectations, is a certification mandatory? Meaning, it sounds like you're cross-training to a certain degree -- would a technical class from a technology provider rather than a certification course be a better short-term fit for you as you take on new work? Especially since you may only get one training opportunity a year?
4. What's your resume look like; how's it align to your goals, where you want to be? If there are any gaps, and formal training can fill a gap, align that to the training you want to take.
Thanks for replying @mgoblue93.
Unfortunately my manager isn't in the security field. She manages quite a diverse team of IT related individuals.
Currently it's difficult to even get a clearer idea of the role she wants me to play in our IT Security.
My ultimate aim is to sit the CISSP; however, I think I am way too early in my career with way too little experience to pass the exam. That's why I thought the SSCP could be a good course to go on (and hopefully a certificate to obtain) to give me more knowledge to prepare me for the CISSP.
I don't have the work experience to gain the full certification but I could go for the Associate and work on the experience.
Certification isn't mandatory; for me the knowledge is much more important and is what I am mainly thinking about. However, it's also the perfect opportunity to get qualifications that will make my CV look better and hopefully get me an interview at the very least.
I want to get the best training I can, I just don't want to bite off more than I can handle, or choose a course that doesn't give me enough.
If you've been in IT for 20 years, why not consider the CISSP? You probably meet the experience requirements already.
Although I have been in IT for 20 years very little has been in security.
It's always been a part of the job as I have been a bit of a "Jack of all trades" and security is just part of the job, and recently even more so. However I don't meet the requirements and certainly don't have the knowledge to pass the CISSP exam.
I'm really looking for courses to do now that will prepare me for the CISSP a little further down the line. I then have the added bonus of getting real-life experience as well. The CISMP I did last year was quite good for a general overview and some more detailed knowledge, but now I'm looking for something more advanced, though not as advanced as the CISSP.
Thanks for replying.
Thanks for the replies, everyone. Just an update in case anyone else follows this thread: I decided on the SSCP in the end and am very glad I did. The course was very good and I learnt a lot of very interesting information. It was more technical than I need in my day-to-day role, but some of that technical information has already proved very useful and helped me make sense of situations that I didn't previously understand.
I'm happy to say that I passed the exam and completed the endorsement process, so I am now a certified SSCP.