A few weeks ago I wrote a lengthy post to @ISTREDD concerning his interest in the CISSP accreditation. Most of that post was an attempt to answer his specific questions, and may not be relevant to you. With that said, kindly consider this extract of my answer to his question:“What other certs do you recommend in order to secure a high paying job?”
"My advice to anyone considering pursuit of this—or any other—certification is to stop for a moment and think.
- Think about yourself, are you the type of person who’d want to lead a cybersecurity program, or follow the leadership of another?
- Think about your career goals, do you want to be in a managerial role, dealing with business strategies, budgets, and organizational politics, or would you be happier working with the technologies, the processes, and applying tactics in the cyberwarfare battlespace, either offensively or defensively?
- Think about your personal life, and perhaps your family. Do you want to work in a Security Operations Center, that’s manned 24/7/365, with the toll that takes on health and families, or would you prefer the stabler worlds of cybersecurity compliance, cybersecurity policy, or testing?
- Think about your strengths and weaknesses, along with your personal interests, the things that light a fire in your soul. Do you want to investigate things, perform forensics, test new or existing technologies, work in a lab, develop new types of encryption, or teach others how to be secure? Would you prefer to focus on protecting Information Technology (IT), Operational Technology (OT), Cloud technology, or some combination of these?
- Think about your financial goals and requirements. Does the idea of a steady paycheck and benefits appeal to you? If so, working for a private company or government agency may be the best choice for you. If you’re willing to risk dry spells without a paycheck (admittedly rare and brief these days) and go without paid vacations, or sponsored insurance, but with high billable rates that are double or triple the typical W-2’s, then consulting may be the way to go. It takes years to build up a client base, and may involve a lot of travel, but depending upon your personal values, the payoff may be enough to justify it...and you get to meet some really cool people and travel to really neat places
These are some of the many areas of cybersecurity, and your answers will guide you toward the most applicable training and certifications to pursue.
@denbesten invited you to look at the Systems Security Certified Practitioner (SSCP), and I agree with him. According to (ISC)2 this pertains to the realm of “Security administration.” In comparison the CISSP is a “leadership and operations” certification. I’ve seen Generals, Admirals and civilian CEOs and COOs take the boot camp to get the CISSP, alongside technicians, engineers, system admins, and some weird people who wander in from the street, lured by the smell of coffee and croissants while looking for a public restroom. All may benefit from having such a highly regarded certification, but it may not be the best application of a person’s time and money.
I don’t want to discourage you from pursuing the CISSP, but if you do, kindly consider a piece of advice I share with the folks working for me. “Wear the CEO hat” when studying or taking the exam. Ben Malisow exhorts his students not to “buy a $10 lock for a $5 bike.” A security guy might want the $10 lock because it is the most secure, but the business guy, the CEO, may not consider it a sound investment to protect the bike, which is a $5 asset. Many of the exam questions will ask, “What is the best…?” or “what is the most …?” correct answer, meaning that more than one answer may be technically correct, but it may not be the best choice for the situation described.
The CISSP is the sexy one, the one that folks talk about. The other certs don’t carry quite the cachet but may be more appropriate for the job you’re doing or want to do. It also doesn’t hurt to have other certs to backup or round out the CISSP. Do you prefer working with risk management, such as the Risk Management Framework (RMF), as part of a good cybersecurity compliance program? If so, attaining the credential of a Certified Authorization Professional (CAP) might be a better choice.
Would you like to focus on cloud security? Consider becoming a Certified Cloud Security Professional (CCSP). I passed the exam for this in October 2018 and have been undergoing the endorsement process for the last 10 weeks, I should be getting the confirmation email any day now.
I don’t know what your definition of a “high paying” job is. Many people in the DC area define six-figure salaries as middle class, but it’s all relative. This is an awfully expensive area. The median household income where I live (in a suburb of DC) is $130K and some change. That’s a good income but it’s the median, so it sits right in the middle of the bell curve, neither high nor low. I encourage people to come into this profession for the reason you stated, “…I know this is a Career Field I would love to continue once I retire…” While there can be substantial financial remuneration, if money is your primary motive, there are other professions that pay better.
Regardless, I hope you’ll find a useful nugget or two in here, please feel free to write to me directly with further questions."
If you're really bored, you can read the rest of my post here: Mentor Needed.
