EH-Net
May 22, 2013, 07:00:31 PM *
Author Topic: New to the community, need advice  (Read 2441 times)
mattyboync
« on: June 14, 2012, 02:39:03 PM »

Hello all!

This is my first post, so apologies if I've ended up in the wrong spot! :)

I'm relatively new to information security, having worked in the area for about 2 years.  I spent my first year and a half working for a large bank in threat and vulnerability management, mainly focusing on data in motion and data at rest.  I ended that spell getting involved heavily in metrics, which led me to where I am now.  I work in IT Risk Management at my current company and have been tasked with developing a metrics program for info sec. So far it's going well, and I hope to use this as a platform to get myself into more of a management role relatively soon.

My educational background is a BA in History, MS in International Trade / Economics, and I'm just a couple of classes short of my MBA.  My goal is to end up at the CISO or CIO level.

Now, for my real question, what certs should I be working towards right now?  I know the CISSP is where I really need to be, but I'm still 2 years short on the experience required to get it.  It's been suggested that I look at the GSEC, but I wasn't sure.  Would appreciate all advice and feedback!

Security Professional
3xban
« Reply #1 on: June 14, 2012, 09:20:24 PM »

You can also consider the CISM since you are looking to get into management.  GSEC is great if you are looking to get a little bit of technical knowledge on all platforms.

How long have you been in IT?  The requirements state 5 years in at least two of the 10 domains.  Also you have an alternative of becoming an associate by passing the exam and then you have 6 years to get the experience.  You also might want to check out some of the SANS management courses.

http://www.sans.org/security-training/curriculums/management

Good luck!

Certs: GCWN
(@)Dewser
mattyboync
« Reply #2 on: June 15, 2012, 08:10:28 AM »

Hey!

Thanks for the comment.  I didn't realize that the CISM let you have 6 years to get the experience.  That may be the route I take and just make sure I get myself into a good management position in the next couple of years.

I definitely want to focus more on the management side of things.  I enjoy the technical stuff, but I'm much better at managing and doing the strategic stuff.

I've only been in IT for 2 years when judging by cert criteria.  I've done it on the side my whole life, and did help desk work during high school at night.  I was also a network admin after high school, but that was 12 years ago so won't count. 

Security Professional
ajohnson
aka dynamik
« Reply #3 on: June 17, 2012, 07:35:41 PM »

I'd do CISSP, CISM, and possibly CRISC if I were you. You're not going to need too much on the management side (though technical certs may be a nice bonus).

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
mattyboync
« Reply #4 on: June 17, 2012, 09:09:16 PM »

Do you have any thoughts on which order would probably be best?

Does the CISSP work like the CISM and let you have so many years to get the experience after you pass the exam?

My wife is pregnant with triplets and they are due in October, so I'm trying to get a head start on one now so I can try to take the exam this fall before my life becomes super crazy. :)

Security Professional
ajohnson
aka dynamik
« Reply #5 on: June 17, 2012, 10:32:28 PM »

You should go in the order I listed. CISSP carries the most weight out of all of them, so if you can only do one for the foreseeable future, do that one.

And yes, it's the same. I believe you have six years from the day you pass to meet the five-year experience requirement. You can also waive a year with a qualifying cert or degree. If you don't have either, you could knock out Security+ quickly.

Just hit up ISACA and (ISC)2's websites and review the requirements; it's pretty straightforward.

Also, congratulations on the triplets (and good luck).

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
mattyboync
« Reply #6 on: June 18, 2012, 07:46:12 AM »

Thanks man!

Perfect info.  I truly appreciate you guys taking the time to give me some advice.

I guess it's now time to go get some study materials. :)

Security Professional