Gege: In my opinion Security+ has no value if you’ve ever had a job — it’s so entry-level that I would only recommend it to a college student or someone moving in from a non-tech field to show basic competence, and even then I’m pretty dubious — I totally ignore Security+ on resumes when I’m hiring, even if I *am* hiring someone entry-level.

As for CISSP’s experience requirement, really don’t worry about it. As I say above, a few years in almost any tech field will meet it, so this really only matters when you’re first starting out (which it sounds like you might well be.) You can always get Associate of ISC2 (i.e. pass the exam without meeting the experience requirement) then upgrade the cert later.

All this said, honestly since I wrote this post four years ago I think certifications have declined in value. There are so many “paper CISSPs” out there with no real tech/security background who just studied for the test that hiring managers tend to discount it. Same goes for CSSLP, CEH, and even the advanced ISC2 certifications. People still put a lot of stock into the SANS certifications (which are good but exorbitantly expensive) and the advanced Cisco certs (i.e. the ones above CCNA), but not a lot else.

At this point, most certifications are just something you put at the bottom of your resume to get past the HR screener and show up in LinkedIn searches; once you get to the interview, nobody cares and it’s all about ability to talk about your real-world experience and demonstrate technical skill.

Busi: If you want to stay in governance, risk, and compliance, CISA is useful. It’s well-respected in the GRC world, but is considered nontechnical. If you want to move out of it and into technical security, it’s not, and CISSP would be better.

The most important things, though, remain 1.) be good at more than one thing, and 2.) be able to demonstrate real-world technical skill. Certifications only open the door, you still have to walk through it, and this is even more true today than it was four years ago.

Thanks for your Article. There’s a larger market for security generalists than specialists….. Very nice point.

There are multiple paths in infosec — audit & compliance, risk & governance, engineering & architecture (with this divided into operations or development.) Demand for infosec jobs is really high — unemployment in security is low, which will work to your advantage. The most important thing is to learn an area and really know it well — this could mean studying operational certifications (ISO 27001, etc.) for an audit role, studying security policy and governance (and perhaps getting a CISSP) for a governance role, or studying programming or operations for an engineering role. There are certainly certifications in all those areas, but your degree and experience can probably get you an interview (which is all certifications do for you anyway.) Your ability to demonstrate knowledge in an area is what will get you a job.

The CISSP is not really a high bar. It’s not a capstone cert like it was many years ago, it’s just above entry level and has little value by itself unless you have experience to back it up. With a masters’ degree I think you have all the “certification” you need for a first job; what’s going to help you the most now is actually working in the industry for a year or two, preferably in security but at the very least in a networking or development role.

much appreciate it

I have researched being anon on the net and find it near impossible. This concerns me. I think it should be a right. Something similar to freedom of speech.

You want to see scary breaches of internet privacy. Look up Googles patent on facial recognition software.

Its a new world.

Next year I think I know how to do it right. Stay AT the Rio, dont bring tools in carry-on luggage, let others deal with scavenger hunt, and only decode when I’m NOT at the event.

Spent way too much time in the TOOOL room, but I’m glad I did.

See you next year!

enough, and they have the resources or authority, they can still do so. This is why criminals aren’t out there committing