Full Disclosure mailing list archives

Re: Path to IT Security
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Wed, 19 Jan 2011 11:59:00 -0600

In order to get a CISSP you must have five years of direct full time 
experience in two or more of the ten security domains.  So you would have 
to get hired to work in security *before* you could even test for the 
CISSP.  You can reduce the requirement by one year if you have a college 
degree or a Masters in Information Security.

If you have no experience in IT at all, then you need to get a job in IT 
and begin to understand TCP/IP and networking.  Until you understand those 
well, you can't begin to understand operational security work.

If you have those under your belt already, then work to get hired by your 
current company's security department as a first level security analyst. 
Play around with open source tools at home so you're familiar with how they 
work and what they do.  Read security blogs, subscribe to security lists 
and pay attention.  Learn who's blowing smoke and who knows what they're 

To pass the CISSP test you're going to need to have at least a basic 
understanding of cryptography, security policies, risk management, business 
continuity, disaster recovery, physical as well as virtual security and 
operational controls.  But you've got at least five years plus to learn, so 
hit the books and get as much hands on as you can.

--On January 18, 2011 5:26:07 PM -0800 bk <chort0 () gmail com> wrote:

> On Jan 18, 2011, at 8:10 AM, Emmanuel Apreko wrote:
>
>> After researching I found out that the most prestigious security
>> certification is the CISSP and it seems like a very long journey to it
>> since I have no experience in it at all but need to get my foot in.
>
> Any certificate that is based on a multiple-choice test is basically
> testing your ability to memorize and recall, not your actual competence
> in a field.
>
>> Could anyone please advise me on the best path to being a security
>> professional? i.e. from beginner to pro?
>>
>> All advice will be well appreciated.
>
> Go to conferences (small local ones, not the big expensive ones), start
> following InfoSec people on Twitter, read InfoSec blogs.  You'll learn
> more doing those than from all the certificates combined.
>
> Once you have the knowledge, then study for a cert if you think you need it
> to get a job.  It should be pretty easy, since you'll be familiar with
> most of the ideas already.
>
> I got a certificate to get past HR and because it looks pretentious on a
> business card.  It wasn't worth the hassle of submitting paperwork and
> paying dues to continue having it, so I let it lapse.  I haven't had any
> problem getting a job since then.


Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
