If you can, get the CISSP, don’t waste your time with anything else. You don’t have to make it your last cert, but (if you can) make it your first. It has become the gold standard that gives you “just add-water” credibility. You can slap those initials at the end of your name and flash a badge with your ISC2, CISSP number on it.
The statement above will piss off a lot of security people, but it is the truth.. the inconvenient, sad and pathetic truth. To all you skilled hackers and IS pro’s, don’t hate the blogger, hate the game. I didn’t create the rules, I just hack them.
Old school hackers and security geniuses talk MAD shit about the CISSP, but what they fail to realize is that “to hack ‘the man’, you have to be ‘the man'”. What I mean is that playing the game is essential to your financial need$. There are always exceptions: Adrian ‘homeless hacker’ Lamos, Steve ‘I write entire apps in assembly’ Gibson, Gordon ‘I created nmap’ Lyon, Jeff ‘i created defcon and sold it in 2005 for 14mil’ Moss, Bruce ‘i decrypted code as a fetus’ Schneier..
For average bastards like you and me, the CISSP is way to go.
I do agree with DMiessler and Mckeay:
“I’ve met CISSPs who can’t configure a home network — no joke. Again, I studied for it and passed it in one week’s time, and that’s with zero previous study of the test materials.
More than I can a test that has a 70% first-time-pass rate that’s explicitly designed for managers and non-technical types. It’s for a wide, wide base of knowledge – not for testing whether or not you’d be qualified to actually do anything.” — dm
“..the CISSP is not a technical certificate! It is not now, nor was it ever meant to be, a technical certification.” — mckeay
Though you may see a couple of technical questions on the test, the over all test is pretty high level, unlike the Certified Ethical Hacker or the CCNA that ask specific technical questions about specific technical issues.
So what should you go for on the Security Certification front:
Go directly for the CISSP (if you can). The fact of the matter is that most companies, the government and foreign organization look for the CISSP. Aside from the CCIE, I don’t know of any other technical cert that will give so much credibility (even if you don’t deserve it).
A NOTE of caution: If you get it, be real with your self. The CISSP does not instantly make you an expert in all ten of its domains. It will not put an “S” on your chest and make you impervious to Kryptonite. Its just a test. Its not an I.Q. test or the Bar. Its just a test. If you have passed, congradulations… now the real work begins. Good security professionals are ALWAYs learning (even more so than your average IT guy, because we have to know the latest in IT as well as policies, some law and even some level of management). A real CISSP should be a “jack of all trades, Master of ONE“.
You should also consider that there is simply no replacement for a good degree except for experience. The good thing about the CISSP is that it requires you to have a certain amount of experience before you even attempt it.
Building to the CISSP:
Beginner: if you’re just starting, you want Comptia’s Security+ certification.
Now, if your just trying to the guy who looks at audit logs all day and report what they see, then your golden. But if you’re serious about security, then you need to play the game, get the damn CISSP (do not pass go, do not collect $200). It pays better than a Security+… much better.
Get into any kind of Information Security position and earn some “street cred“. You may even be in a typical IT position on a filthy help desk (sorry, I’ve done it and it sucks) you can still use it to your advantage by working your way into security tasks. If your in the military, volunteer to be the COMSEC guy or an IAO (it’ll be easy because nobody else wants to do it). Volunteer to work with the security guys and learn from them. The goal is the get into the security mindset and also rack up some experience. A degree will help to with a school that allows you to set up a lab.
After a solid year of security experience you should go for the Systems Security Certified Practitioner (SSCP®). Why the SSCP? It will help you build toward the CISSP. At this point, if you haven’t done so already I would recommend joining the Information System Security Association (ISSA). You’ll begin to network with other security folks from everything from forensics to the pentesters to information security managers (who don’t even know how to set up a network). By this time, you should have some idea what you’d like to specialize in. The CISSP is a great foundation as certification credibility goes, but you will need to specialize.
I found the test challenging. You don’t want to take it twice that is for damn sure. Just make sure your ready. You’ll have to have about 5 years total security experience.
Now checks this out:
“Effective 1 October 2007, professional work experience requirements for the CISSP® will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP® CBK® domains.” –ISC2
Even a Masters degree will only replace a maximum of 1 year of experience (sounds like *NS to me):
Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree OR Master’s Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE) or regional equivalent. If you hold both a four-year degree and a Master’s degree, you may only apply for a one year waiver of experience.