What to do with a CISSP and little tech experience?
December 11, 2009 11:45 AM
I have a CISSP and 6 years experience in the IT Security field. Problem is, most of my experience is with policy, not technology. Where can I go from here?
I've been working in IT Security as a government contractor since 2003, and got my CISSP earlier this year. Most of my work has been on the policy side of things such as audit response/remediation, contingency planning, and certification & accreditation. Unfortunately, I've neglected to keep up with or even study a lot of the underlying technology supporting all of it. In other words, I could quote NIST or OMB regs all day long, but put me in front of a monitor with a bunch of logic statements or log extracts on the screen, and I probably couldn't say what I'm looking at. Even worse, my only degree is a bachelor's completely unrelated to any work I've done (thanks, liberal arts education!), and I had no prior experience in the field before this job. In terms of my career path, I'm kind of spinning my wheels, and despite the itch to move on to something and somewhere else, an informal browsing of job openings tells me many employers seem to place a high value on several years' worth of experience with the tech side of things, such as VPNs and firewalls or database management. This would seem to put the kibosh on my hopes of finding something within the next 9-12 months.
So, having belatedly realized that I've been an idiot and painted myself into a corner in the short term, education- and experience-wise, am I SOL in the job search given the timeframe above? Would moving into the auditor side of things be a viable alternative? And regardless of the job search itself it's clear I need to add a lot to my skill set, so where's a good place to start?
Best answer: OK, I have a CISSP and have been doing more technical security work since 2001, to give you some background on my answer. I also haven't been looking actively on the job market in over a year. I've worked in healthcare/manufacturing/financial services/ISP spaces, and know very little about government, so my answer will just be for my frame of reference.
Working with your current skills, you still have a lot of opportunities. I would look at the compliancy growth areas for private industry. From my perspective, PCI is big and getting bigger as more companies come into scope. QSAs are PCI auditors, most that I've met have a technical bent, but my sample size is limited. Even so, companies are in dire need of an INTERNAL resource to coordinate, respond, track and remediate PCI findings. You don't need to be highly technical for that role. There would be a lot of documenting dataflows, working to limit PCI scope, things like that. Smaller (non level 1 or 2) shops that still need PCI compliance can self-assess (they don't have to hire a certified QSA) but they still may not have the technical resources to perform a self-assessment. Perhaps you could help there.
Stepping back from PCI, look at the GRC (Governance, Risk, & Compliance) software industry. Big names include Archer, Openpages, and Agiliance. They are all about building workflows around internal compliance, so you complete a list of general security controls and checks and those get applied to SOX, GLBA, PCI, or XYZ as relevant. I think that software has a big opportunity for growth in the next few years, and from an INTEGRATION standpoint will need people who can look at many different security standards and synthesize to a set of general controls.
Now, convincing someone that your knowledge of NIST regs can map to PCI, for example, might take a bit of salespersonship. I think a strong case could be made with some research and social engineering, though.
On becoming more technical, SANS courses are considered the gold standard (I've had mixed results personally). Lately I've been hearing great things about the Offensive Security web-based training. You might get better experience from them, but with lesser brand recognition.
Memail me for more questions or if you want to chat.
posted by These Premises Are Alarmed at 1:06 PM on December 11, 2009 [1 favorite]
Best answer: Ever see how many places want 5+ years of experience with Windows 2008? Just cause they ask for it doesn't mean a whole lot.
Anyway, ever work for the Feds? The government job title is CSSO. They're mainly policy.
Also - 9-12 months is plenty of time to get a Cisco security certification. That's very hands-on and technical. Add that to your degree and experience and you should have little trouble.
posted by anti social order at 1:25 PM on December 11, 2009
Fellow CISSP with a technical background here. I came in here to suggest what anti social order. Do a bootcamp class, get a Cisco security cert and you should be golden. Or the CEH pentest certification - that's another one I've seen people asking for. With either of those, your CISSP and your 6 years of policy experience, I think you should be in good shape.
posted by deadmessenger at 1:45 PM on December 11, 2009
I came in here to suggest what anti social order DID. Jeez - maybe I should have stayed an English major after all...
posted by deadmessenger at 2:29 PM on December 11, 2009
posted by rmd1023 at 1:05 PM on December 11, 2009