Seeking advice about specializations.




Posts: 1

Joined: Fri Feb 12, 2010 11:38 am

Post Fri Feb 12, 2010 12:05 pm

Seeking advice about specializations.

Hello forums,

New guy here, and would like some advice from the more seasoned security practioners out there.

First a little info about my situation. I'm currently on active duty in the US Military and recently changed my occupational speciality to Computer Defense Specialist. Its been amazing so far. While I won't say I have a 'carte blanche' for training...its about as close as I can get to it. They're throwing certs down my throat. A+, Net+, MCP, Sec+. If I want to attend a course or training event, all I have to do is ask, and more than likely the funds will be allocated...however I've come to a decision point.

Eventually, I plan on leaving the military, and I want to continue to pursue a career in infosec in the civilian job market. So I'm the point now, where I can just take what certs I think sound cool, but I need to think about what is going to make me marketable. Obviously the first thing that comes to mind is CISSP. First off, I dont see myself as a CIO, or CISO, ect ect. I don't mind managing, but the 'executive type' just isn't me. I prefer hands on, technical work, in the trenches, using my skills to combat the bad guys everyday. I don't really see any of that in the CISSP, but it feels like to be taken seriously in the civilian job market, you need the CISSP, or your resume won't make it past HR. Is this true in your experience? Regardless I imagine I will eventually obtain the CISSP, especially since we send people to the course every other month, damn the cost. :)

On the other hand, I can see the CISSP being valuable to a general security professional, sort of a jack of all trades. At least thats how I envision the positions that I see on the job boards and websites. People advertising for 'Network Security Engineers', or 'Security Analysts', ect ect. I see these positions as vary similar to what I'm doing right now in the military: conducting vulnerability assessment, secure network device configuration, remediation management, policy compliancy, firewall managment, ect ect. Thats what I do....does the job correlate in the civilian world? As far as technical certs....there are some really amazing specialties in this career field, and they all fascinate me. And as easy as it would be to shoot my supervisor an email asking to take the GPEN or CEH, or go for an LPT, my work experience in the military will never really be curtailed towards pentesting. Most of my work is the general security stuff, so should not my cert path reflect that, in order to make myself hireable? And what about the GIAC certs? GCIA fascinates me. Everything about Intrusion Analysis appears wonderful to me. Senior Intrusion Analyst...sounds sexy right? Is it? In the military it might be, but in the civilian world does it really boil down to graveyard shift log parsing and staring at Wireshark captures? GCIH? Same same?

In summary, I'm just looking for some kind of incite into how what I do everyday can translate to civilian work. I know it does, but will my cert path be better off mirroring my work experience, or is it possible to have some general security experince, grab a specialized cert like the GPEN, or the GREM, or the GAWN, and leap into the fire? Thanks in advance.
Last edited by stephen on Fri Feb 12, 2010 12:42 pm, edited 1 time in total.


User avatar

Hero Member
Hero Member

Posts: 1718

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Feb 12, 2010 12:53 pm

Re: Seeking advice about specializations.

Wow, that's quite the write-up, and I'm sure you'll get a lot of seasoned advice here.  Oh yeah, and welcome aboard, stephen.

I'm not former military, myself, so I can't vouch for what they have allowed you to take, or will allow you to take.  As you'll find throughout the forums here (dig around and search a little bit,) you'll see a lot of us giving advice on the different roads we've taken, or recommended to others.  It's VERY largely dependent, as you said, on what you really want to do when you get out.  We obviously can't make a decision for you, so I wish you the best as you do.

That aside...I'd tend to agree, that if you want to begin with general IT Security (not specific to pentesting, auditing, forensics, etc,) then I'd probably start with the basics:  A+, Net+, Security+, UNLESS you're already comfortable enough with your knowledge in A+ and Net+ to bypass those.  However, in any realm of security, the knowledge they teach is still a necessary evil, sometimes, whether from the standpoint of understanding physical or logical network layouts, or even hardware / software configurations and troubleshooting.  But specializing in security, the Security+, as a first step, would be good.  

If you get through that, and feel plenty comfortable with things, then you probably could start studying and working towards CISSP, or you could look more at the CISA / CISM tracks, again, it all depends on where you want to be in 5-10 years, and how you foresee your career advancing.  You're correct in noting that CISSP is very well-known, and in many of the customer environments I work with, they won't hire a security person, regardless of the job description, without it.  Does that mean it's the end all certification to have... definitely not.

If you decide you'd rather work as a consultant, or within a company that specializes in security, then you can focus more on what areas interest you, as well.  You could look at pentesting / ethical hacking, with CEH, GPEN, or OSCP.  If you wanted to move into law enforcement or some other fields, you might prefer to go into Forensics, as that's another field that is booming right now.  (CHFI and other forensic trainings come to mind.)

Ultimately, I'd never say you are 'better off' or 'worse off' to let your future mimic your current work.  I say this as, if you aren't happy with the specific work you do now, you likely won't find any peace in continuing similar employment afterwards.  (Besides, if you totally liked what you do now, the government benefits might far outweigh those you'd find on the outside, and if you were happy in what you do now, or close to it, I'd personally stay put!  - Note: my opinion only)  

My advice to you:  think hard about where you want to be... not next year, or in three years, but in 5-10, or longer.  Look at all the options that are out there and decide what you feel suits you best and what you WANT to do, then look at what career options and training are out there that line up with your goals and objectives.  At that point, if you're having trouble finding things that line up with those objectives, either make a conscious effort to dig further (and obviously feel free to ask us, as we'll definitely help to steer you, if you truly KNOW where you want to go,) or make the decision to look at your 2nd option.  Don't just go into it with one, but prioritize the various options.  Who knows, in the end (this isn't meant to say DON'T go into security,) you might decide that some other IT field, or no IT field at all, is where you truly want to be.  I can only tell you, from personal experiences, that if you don't at least attempt to do what you WANT to do and enjoy, you may regret it down the road.  It took me years to realize I'd missed my calling and enjoyment in IT security, before I came back around, but boy, am I glad I did!  Don't just focus on marketability alone, or you might very well miss the boat.

Good luck, look forward to others' advice, and again, welcome to EH-net!  You'll enjoy the interactions here!
Last edited by hayabusa on Fri Feb 12, 2010 12:56 pm, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer,
but what none can see is the strategy out of which victory is evolved."
- Sun Tzu, 'The Art of War'

OSCE, OSCP (Former - GPEN, C|EH - both expiring / expired)

Return to General Certification

Who is online

Users browsing this forum: No registered users and 1 guest

Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software