Comments on: Which Security Certification Should I Get?

By: elamb

elamb — Mon, 14 Dec 2009 04:43:18 +0000

"So you are saying don't get a certification from an online vendor. I have been trying to figure out which vendor or program to take. Some are expensive and some are as cheap as $100.00"

@Jay
regardless of what anyone says, certifications get companies to hire you and pay you more than the average employee. In my mind, that makes them worth having. But it depends on what you do. If you are a pure network guy working with Cisco equipment than you probably want a CCNA or CCNP. If you are security than Security+, CISSP. What ever the cert. it should fit your work. I would also recommend going with the hire level certs (MCSE, CCNP, CISSP, CCSP) or even expert (CCIE or CISSP-ISSE) Professional level and above are the ones that get you paid. These higher level certs are much more involved and expensive but once you get them, they pay you for as long as you have them.

By: Jay

Jay — Mon, 14 Dec 2009 01:59:49 +0000

So you are saying don't get a certification from an online vendor. I have been trying to figure out which vendor or program to take. Some are expensive and some are as cheap as $100.00

By: SGK

SGK — Sat, 11 Jul 2009 09:41:18 +0000

*if it's all bout the $$$ … then …

The steps to be taken is:
-pass the CISSP … (Aside from the CCIE, I don’t know of any other technical cert that will give so much credibility (even if you don’t deserve it … quote from elamb.org)
-get a real security related job … (not a typical IT position, i.e: a filthy help desk)
-get experienced … so you can quallified as an IT manager (read: “jack of all trades, Master of ONE“.) & earn lots of $$$

LOL,

By: elamb.security

elamb.security — Sat, 04 Jul 2009 13:24:08 +0000

Adrian Lamo:
Holy crap.. Adrian Lamo made a comment on my blog last year.. I’m not worthy!!

Shane:
There are a couple of things you can do. 1) Go to a vocational school that teaches toward the certification of your choice. People talk crap about vocational schools but if you’re serious you can learn a lot from there and do quite well. I know guys who have. 2) Go to a college and talk to an academic counselor. They will straighten you right out. 3) Join the military go in as a Computer Security guy.. DO NOT let them con you into being a COP or a COOK. Oh, and go into the Air Force.. NOT the Army, Marines or Navy because the suck (no offense.. just keeping it real). I was in Air Force and they got me my degree and several technical certs and lots of experience on every level of security (including management.. all in my 20’s). 4) The hardest way.. go get some books start reading, grab some equipment off ebay hook it all up, get a certification, apply for some jobs on monster or start your own business. You can do anything you set you mind to.

By: Shane Terry

Shane Terry — Fri, 03 Jul 2009 22:49:23 +0000

I’m 22 now and looking to apply myself in a new direction. I graduated high school but i haven’t wanted to spend money on conventional college. I took some ccna classes in high school but did not take them seriously at the time. So I’m basically a super beginner. I would love to go back and maybe retake the 1-4 classes, get the certification. Would it be possible to volunteer somewhere to gain experience and a chance to work in this field. Ultimately i would be interested in working security. Any advice that you might have would be greatly appreciated.

By: Adrian Lamo

Adrian Lamo — Mon, 08 Dec 2008 00:41:04 +0000

Lamo. Not Lano

Cheers!

By: Adrian

Adrian — Thu, 24 Apr 2008 11:30:48 +0000

Hi to all,
This post is quite interesting. I just pass the Cisco CCSP and wondering in what direction to take.
From what I’ve seen here, the CISSP certificate will be a plus, but it does not cover technical stuff.
What do you recomend: CISSP, CISM, SSCP, or the Cisco CCIE Security ?

Thanks

By: elamb.security

elamb.security — Wed, 23 Jan 2008 20:16:32 +0000

Sounds like a total waste of time for “DO”. I’ve met a couple of people who finisded it in an hour or so. It took me 5 1/2 hours and I found the question pretty hard… then again I’m not that smart.

I took the CCNA as well (in ‘03). Probably the funnest test I’ve ever taken.

I personally haven’t met anyone calling it a waste of time. Because even if you think the questions are stupid and irrelevant, the industry (security related) does not.. and they will pay your for it.

By: DO

DO — Mon, 21 Jan 2008 21:03:28 +0000

I have been in the industry for more than seven years now… the CISSP exam took me less than 1.5 hours, including double-checking my answers and work. It is a fairly simple exam… I learned nothing in the bootcamp (and made everyone save the teacher angry because I knew all of the answers and he and I kept going into in-depth discussions). They have to force you to have 5 years of experience because the exam is too easy (14 year olds were passing it without any experience), which says to me that the exam is worthless.

The CISSP is a weak exam because it is non-technical and covers many topics, but few things. No depth. What little depth it attempts to provide is generally wrong, though. For example, my exam had a question concerning buffer overflows and how to “prevent” them. The only somewhat correct answer is to check the range and offset, but even that’s not right. In all of the domains, excluding BC and DR, the CISSP has very little information, depth, or knowledge.

Also, just to add a twist, I took the CCNA 1/2/3/4 route through Cisco’s Networking Academy, which taught me a wealth of information that I retain today and has helped me through my college studies, work, and my research. CISSP has done nothing for me. In my case, I got the CCNA through a respectable means, rather than simply passing the exam, and I learned the most; I didn’t learn anything in the CISSP bootcamp and and no issues with ANY of the CISSP exam questions (save 2 that made no sense… the English was completely messed up).

My ultimate point is that certifications should mean nothing to you… it’s the knowledge. Anyone can pass an exam (I know CISSPs who couldn’t tell you the difference between a router, switch, lvl4 switch, lvl3 switch, hub, repeater, and bridge…. I know CCNAs who couldn’t either). I recommend that you take classes, go to University (and apply yourself), and participate in research. Certifications and ceritificates are pointless and don’t help you grow… when companies figure this out, we’ll see a dramatic shift in work quality and fewer losers in our fields (I do application PT, Web-based application PT, network PT, OS PT, and vulnerability assessments for a living).

By: James Sayles

James Sayles — Tue, 11 Sep 2007 05:25:58 +0000

While there are several security and audit certifications out there, one should based their decision to acquire based on individual situations and role requirements. For example, if you are working in a role that require you to audit or work with auditors (internal/external), then a CISA from ISACA may be a good fit. Perhaps your role is to manage and implement security policies and countermeasures. in this case I would definitely obtain a CISSP from IC2. Then there is the case where you role requires you to just manage security awareness and processes; therefore I would consider the CISM from ISACA.

Overall, obtaining one or more security certifications would be a “key” to have. if I had to make a recommendationon on one certification, it would be the CISSP. The CISSP exam is very comprehensive and will aide in developing the skills to implement security controls, many of which Auditors may require.

I agree with the post above, having a CISSP, CISA, CISM or any other security cert without practical knowledge or experience wont add the tens of thousands of dollars to your compensation or the corner office on the executive floor.
James Sayles
Chief Compliance Advisor
Ecora Software

See my other blogs and posts at: http://www.ecora.com/ecora/news/bureau.asp