+ Reply to Thread
Results 1 to 5 of 5
  1. Member silalaval's Avatar
    Join Date
    Apr 2014
    Location
    UK
    Posts
    33

    Certifications
    CCNA R/S; CCNP R/S; MCSE (2003); ITIL V3; Prince 2 Practitioner; CISA
    #1

    Default My roadmap... Here I go!

    Hi All,

    Apologies for another post on requesting advise on Certification. I hope Im in the right place for this.

    Ive worked in IT for over 15 years and achieved some good experience and certifications along my career.

    So far I have:

    ITIL Foundations
    Prince Practitioner
    MSCSE 2003 (old I know)
    CCNP : Expired a month ago
    CISA

    My path was:
    Service Desk support (2nd/3rd line) for about 4 years
    IT consultant for 4 years dealing mostly with Exchange and Windows servers, Migratin domains, etc
    IT consultant running IT assesments / audits for SMBs 2 years
    IT Team leader of a major Tech company reponsible for VMWARE, Exchange, Networking, Firewalls, Bluecoat, Wi-fi, telephny, projects and Internal Security (60% hands-on /40% management).
    Team Manager for a Business support team on an ISP


    Although I had the CCNP cert Ive decided to let it go because I didnt feel ready to take the new exam. Ive done a bit of work with mostly switches and never managed to do CCNP level work so most of the stuff on the CCNP Ive had studied and worked hard, I forgot because I didnt get my hands "dirty" as often as I wished at the time.. Another reason was that, lately, I was only being offered CCNP related roles and I dont want to troubleshoot networks and failing circuits. Companies and Recruiters just love "CCNP" on a CV.

    I now want to pursue a more Consultancy and project/management oriented role and keep my CISA alive. I find Security and auditingfascinating but from a architecture / management / project perspective, not so much from a "Hacker" and fire-fighting perspective.

    My plan now is to:

    -Build my tech skills on security
    • Learn Linux and penetration testing. Udemy Courses, a few good book I bought
    • Refresh my Cisco Knowledge: Ill be going through my INE Course (CCNP and CCIE material)- I still love Cisco networking and its absolutely necessary
    • Intro to Python (Udemy and a book)

    -Certifications Im thinking about for the tech skills
    - ISACA CSX practitioner
    - CYSA+ or Security+: I Need your input here J

    Maybe here, with the Certs and the tech knowledge I might jump into the job market and see what I can get on a security role.

    After this I plan on getting the more non-technical part done. (Juicy bit and my goal)
    ISO/IEC 2002
    CISSP
    CISM


    So, 4 months (Full time) for the tech skills and the rest to apply it and prepare for CISSP and then CISM

    Im taking a gap year for this and I will be doing this full time. Thats a lot of study and lab time. Then I want to focus more on the project and managemet part and move away from the fire-fighting and troubleshooting part.
    My goal is to work my way to Security auditing and/ or management role.
    Ive even considered a 6 month bootcampon the subject. See: www.Secureset.com The ideia is to fill my gap hands-on part (penetration testing, Linux, etc) but not necessarely to make a living out of it. Ive managed technical teams and I know from experience that you need technical experience to be competent as a manager or run a project.

    Do you think this is a credible plan? Any inputs will be highly appreciated.
    I feel I need to do this in a structured way as its quite easy to get a job and before you know it, youre being asked to look into technologies you dont want to support any longer like Exchange, VMware etc. Quite a few jobs are traps in disguise.. before you know it, a year has passed, you dont like what you do and youve spent time working on a technology you dont want to pursue in the future because "the business needed it"

    Thanks in advance.
    S.
    Reply With Quote Quote  

  2. SS
  3. Senior Member
    Join Date
    May 2006
    Posts
    2,159

    Certifications
    CISSP, CCSP, CCNA Cyber Ops, eJPT, ITIL,PA ACE,Qualys Certified Specialist, A+
    #2
    Project management and project managers in general dont deal directly with the infrastructure and don't make changes to the environment. You are focusing on all technical skills and not project management skills. So you are kinda contradicting yourself there. Have you looked at PMP? Thats project management.
    Reply With Quote Quote  

  4. Member silalaval's Avatar
    Join Date
    Apr 2014
    Location
    UK
    Posts
    33

    Certifications
    CCNA R/S; CCNP R/S; MCSE (2003); ITIL V3; Prince 2 Practitioner; CISA
    #3
    Hi,

    When I say project management I mean putting solutions in place by (re-)designing solutions, upgrades, process etc...

    I had lots of this in my career where someone would approach me and say "oh, this needs to in place in a few days or weeks.. congratulations, youre it

    I know that in an ideal world, there should be a project team, a team to implement and another to support... Most companies save money by allocating that to the most experienced guy(s).

    I want to be able to manage and audit the infra-structure and be able to pinpoint the problems, recommend policies or solution, not necessarly applying patches myself...

    As for project management, I have Prince 2 Practitioner level and I think its enough for my needs...
    Reply With Quote Quote  

  5. Senior Member
    Join Date
    Nov 2016
    Location
    Iowa
    Posts
    156

    Certifications
    OSCP, OSWP, CISSP, CCNA Cyber Ops, Sec+
    #4
    Quote Originally Posted by silalaval View Post
    My plan now is to:

    -Build my tech skills on security
    • Learn Linux and penetration testing. Udemy Courses, a few good book I bought
    • Refresh my Cisco Knowledge: Ill be going through my INE Course (CCNP and CCIE material)- I still love Cisco networking and its absolutely necessary
    • Intro to Python (Udemy and a book)

    -Certifications Im thinking about for the tech skills
    - ISACA CSX practitioner
    - CYSA+ or Security+: I Need your input here J

    Maybe here, with the Certs and the tech knowledge I might jump into the job market and see what I can get on a security role.

    After this I plan on getting the more non-technical part done. (Juicy bit and my goal)
    ISO/IEC 2002
    CISSP
    CISM


    So, 4 months (Full time) for the tech skills and the rest to apply it and prepare for CISSP and then CISM

    Im taking a gap year for this and I will be doing this full time. Thats a lot of study and lab time. Then I want to focus more on the project and managemet part and move away from the fire-fighting and troubleshooting part.
    My goal is to work my way to Security auditing and/ or management role.
    Ive even considered a 6 month bootcampon the subject. See: www.Secureset.com The ideia is to fill my gap hands-on part (penetration testing, Linux, etc) but not necessarely to make a living out of it. Ive managed technical teams and I know from experience that you need technical experience to be competent as a manager or run a project.

    Do you think this is a credible plan? Any inputs will be highly appreciated.
    I feel I need to do this in a structured way as its quite easy to get a job and before you know it, youre being asked to look into technologies you dont want to support any longer like Exchange, VMware etc. Quite a few jobs are traps in disguise.. before you know it, a year has passed, you dont like what you do and youve spent time working on a technology you dont want to pursue in the future because "the business needed it"

    Thanks in advance.
    S.
    Off the bat, I like your experience and history. This is a great foundation for success in moving over to security!

    I think your first order of business is to continue to work on figuring out what you want to do, what's available in your area, and what jobs you'd shoot for. With your background, you should be able to make a case for audit/security admin/security manager, and even security architect pretty quickly.

    You've mentioned a few times about managing implementation projects and pen testing and auditing. The latter two often overlap, but neither of those really overlap a ton with the former.

    Next, I firmly believe if you want to be a pen tester to any degree, you're going to have to be comfortable with Linux. And I'm not necessarily talking about Ubuntu where you just use the desktop GUI environment, but more something like a Linux+ level or RHCSA/LFCSE prep work (exam not necessary). I also agree strongly with your choice to learn Python. I'd even include PowerShell as very useful for you.

    I'm not really familiar with the ISACA CSX or the CompTia CySA+. They both sound like equivalents to the CCNA Cyber Ops course where you're gaining the cert that will allow you to be a SOC tier 1/2 analyst type (fire fighters!). That's fine, but I imagine you should start beyond that already, imo. Security+ should be easy for you, as well, but can be a great starting point when studying for the CISSP (plenty of overlap there, at least back when I took them both). Feel free to get any of those, but I would imagine you should shoot a bit higher, like CISM/CISA from ISACA or shoot right into the CISSP from ISC2.

    If the pen testing, hands-on route really is something you want, I'd suggest getting on board with looking at the OSCP in your free time. This will give you an idea of whether you like this at all or not. CEH, while derided for its poor grammar, past ethical choices, and low bar of entry, is still recognized commonly and can also be a starting point if you have the time and don't mind spending that money. I personally would suggest passing on it, but to each their own.

    Otherwise, for auditing and such, you're looking in the right place for CISA/CISM, I believe. I don't have either, but they seem to be the standard.

    If you have the money, SANS courses are top notch.

    Lastly, let's be honest here. Much like any IT discipline, getting job experience and landing a job is still the best thing you can do. I think it's admirable that you can take some time off and devote to studying, and if you can and want to, you should, but landing that first security job and starting to get hands-on experience day-to-day will almost always be a better proposition as long as you still pursue those certs and learning on your own as well.
    -------------------------------------------------------
    Security Engineer/Analyst/Geek, Pen Testing
    Reply With Quote Quote  

  6. Member silalaval's Avatar
    Join Date
    Apr 2014
    Location
    UK
    Posts
    33

    Certifications
    CCNA R/S; CCNP R/S; MCSE (2003); ITIL V3; Prince 2 Practitioner; CISA
    #5
    Quote Originally Posted by LonerVamp View Post
    Off the bat, I like your experience and history. This is a great foundation for success in moving over to security!

    I think your first order of business is to continue to work on figuring out what you want to do, what's available in your area, and what jobs you'd shoot for. With your background, you should be able to make a case for audit/security admin/security manager, and even security architect pretty quickly.

    You've mentioned a few times about managing implementation projects and pen testing and auditing. The latter two often overlap, but neither of those really overlap a ton with the former.

    Next, I firmly believe if you want to be a pen tester to any degree, you're going to have to be comfortable with Linux. And I'm not necessarily talking about Ubuntu where you just use the desktop GUI environment, but more something like a Linux+ level or RHCSA/LFCSE prep work (exam not necessary). I also agree strongly with your choice to learn Python. I'd even include PowerShell as very useful for you.

    I'm not really familiar with the ISACA CSX or the CompTia CySA+. They both sound like equivalents to the CCNA Cyber Ops course where you're gaining the cert that will allow you to be a SOC tier 1/2 analyst type (fire fighters!). That's fine, but I imagine you should start beyond that already, imo. Security+ should be easy for you, as well, but can be a great starting point when studying for the CISSP (plenty of overlap there, at least back when I took them both). Feel free to get any of those, but I would imagine you should shoot a bit higher, like CISM/CISA from ISACA or shoot right into the CISSP from ISC2.

    If the pen testing, hands-on route really is something you want, I'd suggest getting on board with looking at the OSCP in your free time. This will give you an idea of whether you like this at all or not. CEH, while derided for its poor grammar, past ethical choices, and low bar of entry, is still recognized commonly and can also be a starting point if you have the time and don't mind spending that money. I personally would suggest passing on it, but to each their own.

    Otherwise, for auditing and such, you're looking in the right place for CISA/CISM, I believe. I don't have either, but they seem to be the standard.

    If you have the money, SANS courses are top notch.

    Lastly, let's be honest here. Much like any IT discipline, getting job experience and landing a job is still the best thing you can do. I think it's admirable that you can take some time off and devote to studying, and if you can and want to, you should, but landing that first security job and starting to get hands-on experience day-to-day will almost always be a better proposition as long as you still pursue those certs and learning on your own as well.
    Excellent post. Many thanks for taking the time to do this. Im already CISA and I was quite proud when I passed the first time! This is one of the reasons I am saying goodbye to purely tech/troubleshooting roles.. They consume my time, dont pay that well and when you realize, another year went down the drain.

    Linux is definitely a priority. Ive been sticking to Fedora as its Red Hat close and from experience, Red Hat kicks ass on the enterprise level. I have a laptop running 100% on Fedora, not poisoned by Dual boot. I also have a CentOS VM to break as I please.

    I will learn more Powershell if I have to but I find it a complete mess... I like to call it powershit. I still have nightmares with the Exchange 2013 servers I supported 3 years ago... I remember once that I had a technical call with a Microsoft 3rd line engineer and even him was struggling to get the PS commands right! Its a nightmare Im not looking forward to live again.
    Reply With Quote Quote  

+ Reply to Thread

Social Networking & Bookmarks