HTCPCP-TEA
Contributor I

Looking for Advice on Next Steps!

Hi All,

 

Ok, so I'm hoping to have the CISSP sewn up in the next month or so (Exam Done, Endorsement Done, just waiting for ISC2 to rubber Stamp and send back), and my Question is Where does one go from here?

 

For context, I have no worries about achieving the required Experience (I'm 10 years deep into InfoSec/ITSec), and I'm a "reformed" or rather "re-directed" person with particular skills. The Certified Ethical Hacker is my next stop comfortably just as it's a certification close to my heart, but it holds no context on where I go for my next certification.

 

I'm very aware that there are concentrations of CISSP to look at, but what is the general consensus on good routes to follow if one aspires to hit the heights of CISO or indeed CTO over the course of their career?

 

Cheers All.

 

 

 

 

18 Replies
Rocky-Ramirez
Viewer III

Hello 129426011,

First congrats on the CISSP. I am sure there will be a lot of people that can chime in with advice.

I can say that having a boss (your goal) that comes from a highly technical background, it is easier to communicate technical aspects of an event or sell them on a new approach or solution that has justification.

 

I just spoke with one of my counterparts and he recommended the OSCP as an alternative (or in addition) to the CEH.

https[:][//]www[dot]offensive-security[dot]com/information-security-certifications/oscp-offensive-security-certified-professional/

 

Are you an active member of any other groups beside ISC2?

ie. local hacking group or Infragard? 

 

Just an FYI, Infragard may expose you to management/director level knowledge and guidance as well as the FBI agent that oversees the Infragard chapter.

 

Just curious do you hold any higher education degrees?

 

I did the traditional route first, BS MS and then the CISSP.  I don't know if I will go for a PHD in infosec or a Business certificate.

 

I myself am not sure what my next steps will be, I may continue my career path and maybe teach computer science classes at the local community college at night or I may look into Government Agency work.

 

Either way it sounds like you are on a good path for what you are looking to achieve.

 

Thanks,

R

(886415799)

CISOScott
Community Champion

I was not trying to imply that a degree was needed, I found that in the work of obtaining my Master's degree, I had some really insightful courses that helped me become a good leader. Maybe I just went to a really hard school and not just some diploma mill. I have seen people with PhD's that couldn't manage/lead to save their life (or career), so a diploma does not equate success or knowledge. I found my Master's coursework much more difficult than my BS degree coursework was.

 

I also agree that setting an arbitrary requirement such as a degree is required does eliminate some good candidates. Part of the reason I obtained my BS was just so I could check off that box as I was tired of getting disqualified for that reason. I chose a generic degree (Business Management) instead of something I really wanted (Technology) because the generic path offered a quicker path based on my previous courses.

 

I actually liked the knowledge I learned in my advanced degree program in that it was much more relevant to my daily operations of leading the organization.

 

Baechle
Advocate I

Carl,

 


@HTCPCP-TEA wrote:

I'm happy in the knowledge that at least such things can be discussed honestly here.

 

We are in agreement that this forum is a place for open, professional debate.  One of those debates that we are having now is on the efficacy of earning a degree in preparing for different career paths.  You have raised several points of fact about preparing for careers in the C-Suite level (CISO/CTO/CIO) that I disagree with because of both how they were presented, and because of the (lack of) support you used presenting them.  Further, I propose that your statements were dangerous to those that may take your statements as truth simply because they were appealing (as opposed to being supported with research and logical reasoning).

 


@HTCPCP-TEA wrote:

I would actually advocate doing things in whatever way suits you personally, and of course professionally.


This appears to be an error in logical argument known as Avoiding the Issue or Non-Sequitur.  We were discussing the value of academic degrees in pursuing a C-Suite position not, "going where life takes you."

 

@HTCPCP-TEA wrote:

 

If someone wants to earn a degree there is no issue, and this is why I say it should still hold some extended value. I simply wanted to rebuff the impression that one MUST have a formally recognised "higher education" to succeed, as this is simply not the case. I am NOT devaluing such qualifications, simply offering an alternative way of thinking.

 


As you know from military leadership courses, recognizing faulty logic and reasoning is an essential skill in important decision making.  Rather than asking, "What are the merits of pursuing a degree in preparation for a C-Suite position," you made a statement of proposed fact that academic degrees are overrated or unnecessary in pursuit of a career in the C-Suite.  Unfortunately, your continued argument here looks like you're Having Your Cake.  You simultaneously claim that you are not devaluing higher education, but at the same time you are devaluing it lower than its existing value, to a value you think it should hold.  There's the mathematical equation version of this discussion, and then there's the practical application version.  It appears you're trying to be "technically correct" by putting out bad information.

 

Mathematically, you are correct in that not every single instance of successfully obtaining a C-Suite position requires attaining a degree.  Even one person reaching this level without a degree falsifies the mathematical equation.  So, if you wanted to be mathematically correct, then congratulations - but it's still bad career advice. 

 

The practical application version however shows that these scenarios are so infrequent and come with so many caveats (they started their own company, they were hired by friends or family into ceremonious positions, they obtained the required knowledge in a military staff position, etc.) that the chance those same factors line up for the majority of people is insignificantly small.  These are exceptions.  They should be recognized as exceptions for others that read this thread looking for career advice.

 

 


@HTCPCP-TEA wrote:

 

In a world that is slowly seeing younger generations priced out of such an education, it is reasonable to look for alternative routes to get to a level above what one may be perceived as being held at, is it not? Would it not be irresponsible to allow such generations to believe they can not get there, because they don't hold a degree?

 


This paragraph appears to have a problem with logical reasoning called an Appeal to Emotion.  Just because we may want to reach the C-Suite without a college education, does not mean that the path is available or reasonable to take.  It would be reasonable to look for alternative routes while pursuing the primary route.  It would be unreasonable to abandon the primary route until an alternative route has been positively identified and secured if the short term goal is to make continuous improvements toward the long term goal.

 

I do not think it's irresponsible to tell people that they are very unlikely to reach a career goal that generally requires certain education and experience, without obtaining that education and experience first.  I'll both refute your statement and repeat that I believe it is irresponsible to tell people that they don't need a certain level of education and experience to reach a career goal when it is likely that they won't qualify for those opportunities without them.  If the goal is achieving a C-Suite position, then the first alternative route being considered should be in finding an alternative way to fund the college education.  That single act of finding a revenue stream to fund a need is likely to be much more valuable on a resume or C.V. to a C-Suite position than earning your way up by being the best IT engineer or technician.

 


@HTCPCP-TEA wrote:

I would suggest the term "irresponsible" is a little subjective perhaps? As my whole thesis is based around experience and opinion, it serves to reason that the content of my previous post be, at least partly, a tonic to those who may not have the option of attaining educational standards such as degrees.


Respectfully, I contend that your statements were dangerous because they were based on faulty logic and because they were misleading by suggesting that the path to the C-Suite is commonly achievable without pursuing professional academic education.  Using a career advice thread to purport yourself as an expert in senior career qualifications and provide this dangerous information out of ignorance is irresponsible.  If your statements were intentionally misleading in order to sabotage the greater population looking for career advice then your statements were not merely irresponsible, they were fraudulent.  In either case I propose that your statements are toxic, not tonic, career advice.

 

The role of the CISO/CTO/CIO in business is formal and requires knowledge of formal business concepts.  Some concepts may be learned through on-the-job training, and through certification programs such as the CISSP, but the roles that these C-Suite positions take on are even wider than the CISSP CBK (Fitzgerald, 2007; Gordon, 2015).  The CISO/CTO/CIO positions in organizations are extraordinarily young, and over the last 20 years have matured from, “being the most knowledgeable technology person” to being an integrator of business processes with technology (Fitzgerald, 2007).  While some organizations have the CIO and lower positions operate with an IT focus instead of a business focus, this is less and less the case over 10 years ago and likely even less so today (Fitzgerald, 2007).  This becomes even more critical as law and regulations impact both the technology and the business processes that the technology supports.  Relying upon prowess with technology and your tenure at the company isn’t going to cut it anymore.

 

Unless you are in a corporation that you owned, started, or have friends and family that make up the board, then you are going to have to earn your keep in C-Suite positions.  These positions have to speak the language of business, which means accounting and finance, law and regulation, and ethics (Karanja & Rosso, 2017; Fitzgerald, 2007).  Based on actual research studies using data collected about several C-suite positions, CISOs and up generally have a Bachelor level degree in IT and a graduate degree in business such as an MBA (Karanja & Rosso, 2017).  Not only do they have to communicate down to their IT folks, but they have to communicate across the C-suite to, for example, Chief Financial Officers, and up to both the CEO and the Board of Directors (Karanja & Rosso, 2017).  If you’re not in a ceremonious position, then you’ll quickly find yourself on the employment chopping block.

 

I am currently in an Associate of Science Accounting degree program.  From that experience I can faithfully posit that if you’re just winging it as a CISO/CTO/CIO on the business side, then you are either unbelievably lucky or you’re probably doing something unethical, and may be violating a law or regulation.  So your suggestion that you just wing it into these positions is also asking folks to place themselves in an extraordinarily vulnerable and risky position on faith, coupled with a much decreased opportunity for success given the qualifications of their employment competition.

 

I’m not saying that you shouldn’t follow your dreams and do what feels good for a happy life.  But that is advice for a psychology self-help column, not sound business career advice.

 

References

 

Fitzgerald, T. (2007, Oct). Clarifying the Roles of Information Security: 13 questions the CEO, CIO, and CISO must ask each other. Information Systems Security, 16(5), pp. 257-263. Retrieved May 21, 2018, from https://search-proquest-com.cobalt.champlain.edu/docview/229605944

 

Gordon, A. (2015). Official (ISC)^2 Guide to the CISSP CBK (4th ed.). Boca Raton, FL: Taylor & Francis Group LLC.

 

Karanja, E., & Rosso, M. A. (2017, Dec 29). The Chief Information Security Officer: An exploratory study. Journal of International Technology and Information Management, 26(2), 23-47. Retrieved May 21, 2018, from https://search-proquest-com.cobalt.champlain.edu/docview/1981610373

 

 

 

HTCPCP-TEA
Contributor I

Thank you.

 

You quite clearly took some time to come back to each individual point within my previous statement, and I will say the effort in finding credible references is impressive.

 

To save readers of the forum, You or indeed I, from continuing a discussion that we clearly stand on different sides of a hypothetical line, I will not argue further.

 

However, this is not a concession of my views or indeed an attempt to withdraw earlier comments. I simply have no time available to me to even attempt to "evidence base" my opinions.

 

I, in no way, hold any sort of issue with you, nor your opinions, facts or evidence.

 

I do hope to engage in such debate again at some point, maybe even while arguing a case for something we agree on, but until then......

 

Cheers

 

 

 

CISOScott
Community Champion

@Baechle, I like how you brought the brutal HR reality into this discussion.

@HTCPCP-TEA, I like how you brought up the "unfairness" and check-in-the-box HR requirements that screen out candidates.

I feel you both make great points. Yes it is unfair that some candidates, who would otherwise make great C-suite employees, get screened out because they didn't check off the degree box. Yes, there are plenty of candidates who have degrees but no to limited experience which hampers their success.

What does having a degree mean or prove anyways?

 

That you can stay with something for 4 years and complete it? That you can learn from people who are teachers but not actually doers? Actually, it is very much like what a certification shows. That you have achieved a certain level of core knowledge and concepts, verified by an outside source, that others, who have not gone through the academic rigors of the study, have not proven that they have obtained. Now that doesn't mean that they do not or have not acquired those same skills through experience, they just have not been verified by a trusted (accredited) outside source.

 

For HR and other people in the hiring realm, it is an easy way out. A simple "background check" that they can use to easily try to level the playing field from all of the candidates. I have found that the HR world has a lot of problems. They often are swarmed by many regulations that even they do not fully understand. They can get overwhelmed by the sheer number of applicants, depending on the location. In one area of the country I worked in, they would only open entry level positions for 5 days because they would get over 1500 applicants in those 5 days, for 1 position! They needed a quick way to cut down the applicants to a manageable number (it was government). The rules and regulations would not allow them to establish cutoff rules or shorten the period any shorter. I have seen HR specialists cut this pile down by establishing arbitrary disqualifiers, education, years of experience, certifications, etc.

 

For higher level positions you tend to get less quantity of applicants, but you still get applicants that run the gamut of "Why in the heck did this person even apply for this position?" to "There is no way we can meet this person's salary demands" and some candidates in between.

 

Yes, you are right to say that it is unfair to require a degree when that may not be the best determination of qualifications or even a valid talent evaluation method, but that is how the game is played. It is a way to "level-set" the playing field and screen out potentially unqualified candidates. Unfortunately using such a qualifier does throw out some good candidates with the bad ones. You can imagine the HR nightmare/tidal wave of applicants if they didn't have that screen-out requirement.

 

So if you want to have an easier path to the C-suite, a Bachelor's degree is a minimum, with a Master's degree as a highly desired quality. Can you get there without them, yes, but I can also get to the next town over by walking instead of driving, but I will show up tired, sweaty and 18 hours later! I know not everyone can afford to invest that much money in their future. That opens up another problem. You want to know why college is so expensive? Where else do you have a commodity that has businesses handing out loans that MUST be paid back, with no chance of getting them washed away through bankruptcy or debt forgiveness? So since they have an unending supply of money, colleges can keep raising the rates and they will be guaranteed that they will get paid.

 

Now there are other avenues besides education. You could become a guru and start showing up in trade magazines, writing research papers, hitting the trade shows and becoming very well known and highly respected as an expert in your field. That will open doors for you that will allow people to explain why they are bypassing the degree "requirement".  What you have to remember in hiring decisions is that people like to be able to have answers if the hire does not work out. The same reason I advocated some people to take a higher salary position with less stability over a lower paying, more stable job. Once someone has paid you $100K, others are more willing to pay you that much, because someone else has taken the risk of saying that they were worth that much. If you are the first person to offer someone a six figure salary, and it goes bad, your boss will say "Why did we pay them that much when no one else had?" It makes you look like you made a bad business/risk decision and they may question your business knowledge. So the education requirement just means that someone independently verified that they have reached a certain, agreed upon level of competence, in a certain area.

 

So if a degree is out of your budget, keep learning and proving your worth. Look for positions that give you an opportunity to keep developing your leadership roles. And don't be afraid to call up the HR department and ask if they can waive the degree requirement based on your many years of leadership experience. The worst they can say is no, but since it is their game, they may have the ability to bend the rules for one player or two.

CISOScott
Community Champion

I didn't touch on the value of increasing your business knowledge and language since @Baechle touched on that in their post. I just wanted to explain another one of the many factors that go in to hiring C-level talent.

Baechle
Advocate I

Carl,

 

I hope this doesn’t come off as an attack, I am sincerely providing advice that I hope you will think about in your “Next Steps” toward a senior leadership position.

 


@HTCPCP-TEA wrote:

 

To save readers of the forum, You or indeed I, from continuing a discussion that we clearly stand on different sides of a hypothetical line, I will not argue further.

 

However, this is not a concession of my views or indeed an attempt to withdraw earlier comments. I simply have no time available to me to even attempt to "evidence base" my opinions.

Nolo contendere?

 

The ability to proactively seek, absorb, process, and then change your opinions to reflect new information is a hallmark of strategic thinkers.  Withholding forming of opinions until you have sufficient evidence to support them is a function of critical thinking, which is a trait of effective leaders.  Otherwise you have biased, unfounded, beliefs.  I hope you make time for it in the future.

 

Coming up with new ideas and alternative ways of thinking not yet supported by evidence, is not wrong.  In fact it is the foundation of innovation!  That is to be commended and nurtured.  But then, it needs to be tested and verified before it is accepted as fact.

 

Sincerely,

 

Eric B.

Baechle
Advocate I

Ken,

 

I would like to chime in here about the cost of education - the Online College at the University that I attend just cut their tuition rate in half for undergrad studies to $318/credit.  It's still a lot of money (about $1000/class or $40k for a degree) but Champlain has some of the highest rated IT and Business programs, including a digital forensics program built with input from the NSA and DoD's Cyber Crime Center (I wish I had that available for my undergrad).

 

 

Vermont Business Magazine: Champlain College cuts tuition in half.

 

 


@CISOScott wrote:

 

So if you want to have an easier path to the C-suite, a Bachelor's degree is a minimum, with a Master's degree as a highly desired quality. Can you get there without them, yes, but I can also get to the next town over by walking instead of driving, but I will show up tired, sweaty and 18 hours later! I know not everyone can afford to invest that much money in their future. That opens up another problem. You want to know why college is so expensive? Where else do you have a commodity that has businesses handing out loans that MUST be paid back, with no chance of getting them washed away through bankruptcy or debt forgiveness? So since they have an unending supply of money, colleges can keep raising the rates and they will be guaranteed that they will get paid.

 


 

 

 

HTCPCP-TEA
Contributor I

Hi Eric,

 

Not at all!

 

I'm far more thick skinned than many (Owing to sufficient time in the forces). I fear no criticism nor difference in opinion, and of course I am happy to absorb the views of others in order to better myself. Furthermore, the occasional conflicting view will help me to re-address some of my own opinions in due course.

 

I simply didn't want to suggest I could continue with the discussion fully at this time, and it would be unfair to suggest otherwise.

 

As I say, I appreciate honest and open conversations like this, and I hope it serves to demonstrate to others that such conversations can be had amicably and professionally.

 

Cheers