Another Email from Reddit

I should start off by saying I apologize if this isn’t the best forum to ask the following question, or if you get bombarded with these types of requests. I’ve been following /r/CISSP for the last couple weeks as I am planning to begin studying for it after I attempt the ITIL Foundation exam in the next week.

As I’m starting my InfoSec career (I currently have ~2 years of work experience), my thought has always been to build a broad foundation of understanding, as I feel that to really understand and succeed in Security, it requires an understanding of Networking, System Administration, Management/Business, and Tools. Because of this, I’ve started working toward a variety of certifications, and will slowly start building those foundations up while working on more specific Security certifications too. I currently hold the following certifications: Cisco CCNA R&S and Security; CompTIA Security+, CSA+, and CASP; EC-Council CEH; Microsoft MCSA 2k12; Splunk Power User. I’ve run across your idea of “cert-snowballing” and I think it’s a great idea, and it builds somewhat on top of what I was already doing.

I plan on continuing this year and trying to attain the MCSE: Cloud Platform and Infrastructure, as well as the Splunk Certified Admin, after my CISSP (or in my case, Associate of ISC2). There are a lot of other certs I want to work toward after these: LFCS (CentOS), eJPT, CCNP RS/Sec, VMware, and more. But I thought I would ask if you had any advice or thoughts on how you might recommend I snowball my certs, as my current job works primarily with Splunk/ACAS (Nessus) and I have the ability to study for a wide variety of technologies, whatever I feel would be useful going forward.

I appreciate you taking the time to read this wall of text, and any thoughts/advice you might have.

Respectfully,

Scott

Hey Scott,

First off, wow. You’ve built quite the collection of certifications and skillsets already. Congratulations. With the credentials you’ve already obtained, you’re already a formidable candidate. With that said, it looks like you have a wide and varied skillset. I think it’s time you dial it in a little and pick a specialization. It appears network security and perhaps SIEM & Analytics might be something you’re interested in focusing on? Honestly, pick what you’re passionate about before anything else. It doesn’t have to be about money. That comes on its own. Figuring out what I want to do long-term is something I’m struggling with myself. I’m trying to decide if I should go for the OSCP or take the CCSP next. I still don’t know what I want to be when I grow up. 🙂

I think additionally, you might want to look into some mentoring. I had some very powerful mentors in the past and wouldn’t be where I am today without them. I’m currently looking to find someone to assist me with taking my career to the next level. I suggest you do the same. https://infosecmentors.net/ is a site I recently discovered. You might want to check that out.

Anyways, my .02: I think you should continue to read /r/cissp and continue to study. However, I think the SSCP would be a better bang for your buck at the moment. You can get the full-fledged certification instead of having to settle for the Associate. All the knowledge you’d gain would be applicable to the CISSP anyway. Plus, you can take the remainder of the time to acquire other certifications between now and your 5th year.

Lastly, I think you’d be a really good candidate for a position I’m looking to hire. If you’re interested in working from home, making hella good money, and becoming a thought leader in the industry let me know. I love my job and I think you would too! https://www.cyberark.com/career-search/#!/job_region=35

Email from Reddit

I like giving back to the InfoSec community. I figure they’ve done so much for me so it’s only fair that I give back as well. As part of that, I moderate /r/CISSP. My goal is to provide up to date study materials, and answer any questions that come my way.

Recently a user reached out to me with a Direct Message. His questions were so relevant that I thought it would be good to post on the blog as well.

I’m the guy from this thread. What languages would be useful for me to learn? I’m learning Python through learnpythonthehardway and bash/ssh from overthewire.org, but I don’t really know how I would start to practice for the things I would do in a job. As stated in my thread, I am hoping to get a job in either government or a corporation.

What are some good blogs for CyberSecurity to follow and in general things that I should always keep up to date on pertaining to the field?

How long should I study for SEC+? I was thinking of picking a book around the end of the semester, study through summer and hopefully get the cert in time to put it on my resume for internships in October.

Honestly, if you’re looking to learn a language for a particular cert (specifically the CISSP), I wouldn’t bother. Coding/scripting isn’t part of the Sec+, SSCP, or CISSP. HOWEVER… if you’re looking to get into some more advanced hacking/pentest stuff (GPEN, OSCP, etc.), you can’t go wrong with Python. Where you want to go in your career (red/blue/purple) will determine what sort of skillset you should acquire.

SEC+ shouldn’t take you long. I’d say take no more than 30-45 days to study and take the exam. Everyone learns differently. Me? I can’t stand reading. Put a book in front of me and I’ll fall asleep in a matter of minutes. Online video training? That works as long as you keep the keyboard away from me so I can’t alt-tab out and surf reddit or something (oh the irony). Classroom? Oh hell yeah. I’m all about classroom training.

There are a lot of resources online. I’m not much on the infosec blogs. Twitter, however, is where it’s at. It’s the primary social media of infosec practitioners. Podcasts are also a great resource. I personally listen to The CyberWire, Defensive Security, Southern Fried Security, Paul’s Security Weekly, and a few others. Also, check the sidebar on the /r/cissp page. The links there are legit. I swear ITPro.tv and skillset.com are my favorites.

Lastly, where are you based out of? The infosec community is a very close knit group. We look out for each other. I personally know a guy in Dallas that’s looking for a summer intern. Let me know where you’re out of and perhaps I can hook you up.

One other thing that I forgot to mention is that the CISSP requires 5 years of relevant work in the domains to be considered for the certification. Considering that you’re just coming out of school, you’re not going to be even in consideration for the full certification. You’d be getting the Associate. I’d personally wait until you have some more certifications under your belt and more experience in the field before you tackle the CISSP. It’ll come much easier to you by that time as well.