Security Administrator wannabe - Where to start?

You may wish to investigate Cisco's Certified Security Professional:

as well as Cisco CCSP Jobs:

and Cisco Salary Surveys:

Sincerely,

Brad Reese BradReese.Com® Cisco Resource Center Toll Free: 877-549-2680 International: 828-277-7272 Website:

Start with CISSP certification - that shouldn't be too hard for you. Visit

for the beginning, Take a look - maybe you decide to run into consultations. The more you invest into education, the better your security future is. Only those seminars and everything connected to security education is quite expensive. But worth it. And connect with other people of your kind - one true experience is worth much more than dozen of seminars.

Best, BB

I am not sure about the CISSP. It seems a little too geared towards management and not as much towards hands on staff.

Since you already have Microsoft experience, have you looked and MCSE+Security as a first step?

From there, you can look at the CCSP or CCIE:Security designations: Remember, a cert is a "cert". Without the experience and university education to back it up, your knowledge will be heavily scrutinized.

Good luck.

I'm not sure that's a bad thing.

The CISSP is sometimes described as "an inch deep and a mile wide".

IMHO it's the ideal certification for someone who has worked in a variety of areas of the IT industry for some years and developed a strong interest in security. The CISSP is well respected and not overly difficult to obtain provided you have a broad background and are willing to bone up on your weak areas - but very challenging for those without at least some hands on experience in the majority of the 10 domains.

One model says there are four Pillars of security - People, Policy, Process, and Products. When hiring or promoting, I also look for Perspective - and find it much more frequently in CISSPs than in candidates who hold technical certifications only.

Sunny

Hi. I would be interested to understand what you mean when you say "perspective'?

Cheers, dg

A balanced approach is a better way to describe it - but I needed a P word :-)

Many security people think largely in terms of technical controls - the Products pillar - and tend to treat Policy and Process as necessary evils. It's quite rare to find candidates who actually enjoy doing security awareness (People), especially when it comes to working with end users.

The big picture is about identifying, quantifying, and mitigating business risk. Sometimes that means just throwing another box on the network, but frequently there's a more cost effective solution which includes aspects of all four pillars - and has an inherent tendency to add depth to the defenses. The ability to conceive and implement such solutions is what I termed Perspective.

Sunny

I agree with that assessment. I started on it, but quickly stopped, because it was more of a word definition game than about actually *understanding* security. It looked nice for documenting to upper management what procedures you have put in place -- in an impressive language at that -- but won't do you much good in actually *understanding* security, nor prepare you for situations where the stipulated scenarios don't match real life. I'd rather recommend one of the GIAC certifications:

They're fairly good at trying to teach you the WHYs as much as the HOWs, and focuses less on defining exactly what constitutes an incident or an agent.

Regards,

No, it's not. To management it might be, but to a good admin, it's about keeping the data and operations as secure as possible at as low a pain level as possible. That includes securing it from what you CANNOT identify or quantify, taking personal responsibility, and knowing what to do should the worst occur.

IMNSHO, CISSP teaches you to cover your ass from your bosses, frankly speaking, which has very little to do with a true security focus.

Regards,

Absolutely, that's what the admin is paid to deliver. Management funds it to mitigate business risk.

It's tough to get resources allocated if you cannot identify or quantify

- but you can, at least in terms of probability and potential loss. That's how the insurance industry works, for example.

CISSP teaches you to analyse, document, and present risk in terms management can understand, with the goal of leading them to rational decisions so you get the resources you need to do the job right - and yes, also to CYA for the times they make the wrong call and things go pear shaped.

Sunny

"Arthur Hagen" wrote in news:d2vj80$inr$ snipped-for-privacy@cauldron.broomstick.com:

Agreed. Now that they pulled the practicals from the requirements, it should be even easier to get, naturally at the price of devaluing the cert.