Date: Wed, 19 Jan 2011 11:59:00 -0600
From: Paul Schmehl <pschmehl_lists@...rr.com>
To: bk <chort0@...il.com>, Emmanuel Apreko <eapreko@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Path to IT Security

In order to get a CISSP you must have five years of direct full time 
experience in two or more of the ten security domains.  So you would have 
to get hired to work in security *before* you could even test for the 
CISSP.  You can reduce the requirement by one year if you have a college 
degree or a Masters in Information Security.

If you have no experience in IT at all, then you need to get a job in IT 
and begin to understand TCP/IP and networking.  Until you understand those 
well, you can't begin to understand operational security work.

If you have those under your belt already, then work to get hired by your 
current company's security department as a first level security analyst. 
Play around with open source tools at home so you're familiar with how they 
work and what they do.  Read security blogs, subscribe to security lists 
and pay attention.  Learn who's blowing smoke and who knows what they're 
doing.

To pass the CISSP test you're going to need to have at least a basic 
understanding of cryptography, security policies, risk management, business 
continuity, disaster recovery, physical as well as virtual security and 
operational controls.  But you've got at least five years plus to learn, so 
hit the books and get as much hands-on as you can.

--On January 18, 2011 5:26:07 PM -0800 bk <chort0@...il.com> wrote:

> On Jan 18, 2011, at 8:10 AM, Emmanuel Apreko wrote:
>
>> After researching I found out that the most prestigious security
>> certification is the CISSP and it seems like a very long journey to it
>> since I have no experience in it at all but need to get my foot in.
>
> Any certificate that is based on a multiple-choice test is basically
> testing your ability to memorize and recall, not your actual competence
> in a field.
>
>> Could anyone please advise me on the best path to being a security
>> professional? i.e. from beginner to pro?
>>
>> All advice will be well appreciated.
>
> Go to conferences (small local ones, not the big expensive ones), start
> following InfoSec people on Twitter, read InfoSec blogs.  You'll learn
> more doing those than from all the certificates combined.
>
> Once you have the knowledge, then study for a cert if you think you need it
> to get a job.  It should be pretty easy, since you'll be familiar with
> most of the ideas already.
>
> I got a certificate to get past HR and because it looks pretentious on a
> business card.  It wasn't worth the hassle of submitting paperwork and
> paying dues to continue having it, so I let it lapse.  I haven't had any
> problem getting a job since then.
>
> --
> bk
-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell
