CCT 048: Mastering CISSP and Navigating Cybersecurity Certifications

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey, all it's Sean Gerber. With CISSP Cyber Training And today's podcast, we're going to be getting into the various cybersecurity certifications and why are they important. I get a lot of questions from folks that I work with is what certification should I get? Why should I do it? I know, obviously we're studying for the CISSP, but how do I go from zero to hero? Now, that may seem like what do you mean, but the point of it is is that we're trying to determine how do you get from a situation where you have no background to actually taking the CISSP. So we're going to walk through what I feel are some of the key certifications that are important for you to have. Now, when I say certifications, that does not necessarily mean that you have to have the certification. It means you could just take the test or not take the test. You could actually study the material, have a good understanding of the material and then go from there. You don't necessarily have to take the test Now. Obviously, people like to get the certification. Because you go to all that work. You would like to have the ability to go aha, yes, i passed it, let's go. But we're just going to walk through some of the areas that you need to be concerned about or you need to be aware of if you're going to be going into cybersecurity, and how you can, what certifications would be valuable. So, getting started, let's look at CompTIA's A+ Now, if you look at the, you'll be able to see this video. I've kind of got it on my one note. What are some key concepts around it? But bottom line is, a+ is kind of the entry level and it's hardware based, and it's really bad to have about nine to 12 months of hands-on experience in the lab or field before taking the exam. Now, i took that exam. I would say it's definitely valuable to have a good understanding before you take it. Do you need nine to 12 months of hands-on experience? No, you don't. You can take it without having that. The chances are, though, you may run into some problems, but the good thing is there's plenty of online resources with A+ that you could actually utilize to help you pass the test. Now the cost of the test depends on what it's going to be. There's some various versions of it, but at the end of the day it's going to cost you around $200 US to take the test. Now we'll depend upon the region you're taking the test and this again, these numbers might be a bit dated, but bottom line just figure 250 bucks, so you can find a lot of the training online, plus 250 bucks for the test. So for probably less than $500 you can take the CompTIA A+ test. Now you want to sit for studying for this thing. You want to give yourself at least probably one to two months for the exam. It's just important to depend on how much time you have to study for it. I mean, some people can go out and crank this thing out, just go take it and pass it, but if you're going to spend that kind of money, you may want to waste or spend at least one to two months getting ready for the exam. Now, it is a globally recognized certification and it does give you the baseline skills to perform the core security functions And some of those areas of concentration are hardware troubleshooting and maintenance. I've done with that right. You have hardware systems that you've got to work through networking troubleshooting and network connections, configuring operating systems including Windows, mac, linux, operational procedures and security, and then mobile devices and virtualization. So it's the basics. It's to get you in, get you started and get you a little bit of a background and understanding in the security flash computer space. Okay, so then we're going to roll into CompTIA's Networks Plus. Now, if you've heard me talk about the CISSP from my podcast and over the years, one of the things that I've come to recognize is that you need to have some sort of networking understanding. Now, teaching at Wichita State University, a four-year college here in Wichita, kansas, i was teaching as an adjunct professor with many of my students, and as I'm talking to these students, you know these are folks that for the most part have come out of the high school environment, maybe a two-year college degree. But what I'm finding was with that group of people is they didn't truly understand networking And I'll just be blunt, i don't truly understand networking, at least not to the level that it probably should, and so, but I do know enough that to pass the Networks Plus test, and I do know enough that I can at least have adequate conversations with individuals when it comes to these various topics, and so what I do recommend is, if you are looking to get your CISSP, at least at a minimum you need to take the Networks Plus training that you can find on YouTube. I'm eventually going to be offering some of this training, maybe through affiliates or so forth, but realistically, you need to be able to understand networking, and the basics of networking would be very, very valuable, especially for the CISSP, because they're going to ask you questions that are not necessarily technical and from a Networks Plus standpoint, but you need to understand the concepts. You're going to need to know what a TCP IP handshake is. You're going to have to know what a SIN flood is, and those concepts are talked about in Networks Plus. If you don't have Networks Plus, then they may seem a bit foreign to you, so I would just recommend it. Now, when it comes to the time, you should have at least the A plus certification complete is what a recommendation is as well as nine to 12 months of networking experience. Now, is that necessary? No, can you get that by looking at YouTube? Probably. You probably can get everything you need by just watching enough YouTube videos, but having that hands-on skill is pretty valuable. Now the cost of the Networks Plus. Again, these are probably might be dated, but when it realistically it's by about 300 to $350. And that? so now you got that, plus your timing, you're probably looking at about 1000 bucks by the time you hear A plus and your Networks Plus complete Now it's very one to three months is what it'll take to study for this And especially if you've had prior experience, it may be a little bit shorter, depending on your study habits, could be a little longer. I stink at studying. I'm not very good, but you guys might be much better at that. So just kind of keep that in mind. Now. You want to have the ability to study this so that you can pass the test, but then you also want to be able to retain enough that you can go and work in this career field. Now, when it comes to the overall foundation of Networks plus, just to keep it put in perspective, networks plus is not something that's necessarily tied to cyber security and or the certifications that are tied to that. However, because we deal with so much in a networking world, it is a very important training. I would say it's probably more important than a plus if you're gonna be focused on the training aspects of it. Areas of concentration would be design, implementation, operations, troubleshooting, security principles the basics right, and then network and that theory and protocols. So that's a really good way to get started personally. Next one is comptia security plus. Now, the security plus. It is recommended for folks that are after you take the networks plus, you get the security plus understanding and they do recommend that you have two years experience in IT admin, obviously with a security focus. Now, is that necessary? No, it's not necessary. You can take security plus and some of the future training I have will be able to help you with that. But realistically, the CIS is p things that you're you're learning here, you don't need security plus. You really don't now networks plus, i would say you yeah, i would probably recommend that over security plus if you're already taking my CIS is p training, because if you're already taking my CIS is p training, it's gonna give you beyond what security plus can give you. Now, if you're just getting started and you don't have the five years for The CIS is p, then getting security plus might be beneficial to you, or at least at a minimum, going out and getting the training from YouTube. So, again, all of these can be found on YouTube for little to no cost at all. Now, again, you're gonna get the training you get and it may not be to the standard that you would like, but realistically it will definitely get you started. Now, some of the areas of concentration that you can expect to be with this as network security, compliance, operational security, threats, vulnerabilities, application data security, hosts or host security, access controls, identity management and then cryptography. So, if you've heard those comments, we've talked about that with the CIS is p routinely. So you guys all know that this is really kind of falls in line with the the CIS is p, but I would consider it like CIS is p. Light would be my thought process around that Next one and I'm putting these in order. Basically, how you would be good to know, because what's gonna happen is, once you get to number four with the ethical hacker piece, the rest of them are kind of me, maybe, maybe not, it depends and again, i'm focused at the goal of having the CIS is p Now the certified ethical hacker, the CEH. This is. You need to have at least two years of information security related experience, but you can attend an official training. So what does that mean? It's not like the CIS, is p where you have to have required to have training. They would like you to have the two years, and the reason I think it's valuable is you can understand what is a Shell. You can understand what are what's some scripting language. All of those things will fall into the CEH. Now the CEH can cost up to $1,200 and that, again, these prices may vary, but that's $1,200 just to sit for the test And that will help you decide on whether or not you want to actually take the test or not. Now it's going to take you between one and three months of self-study and they're basically the official training they have is about five days long. So the official training can cost you a couple thousand dollars, if not more, and you have to decide if you want to do that or not. Now this is offered by EC Council and it's designed to give you knowledge around exploiting vulnerabilities and systems, again using your powers for good, not for evil, from basically an ethical standpoint. So it's a good certification. It really is. If you're interested in pen testing or even if you want to be a CISO, i would say having a background, as just at least taking some of the understanding of the CEH even if it is online and it's just taking an online course and not necessarily getting the certification could be very valuable, just because you kind of have a better perspective of what the hackers are looking for. Areas of concentration would include ethical hacking, network security, reconnaissance techniques, system hacking, social engineering, and then web and wireless network security. Those are just some key areas that you would have to deal with as it relates to the certified ethical hacker. So you just have to decide. Is that something you want to do Now? I would tell you that if you have no background, those four are really a good four to have before you go and take your CISSP. They do provide a lot of value. That blends well with the CISSP. Now the next one is the GIC Security Essentials. Now, this one is a. There's really no specific requirements for this cert, but again, they want you to have a basic understanding of security concepts. Is the security essentials important? I think it gives you a little bit more of understanding around security. It's about $1900 to take the test, so unless you have a business that is willing to pay for it and fund it. It might be a little bit of a stretch. Does it give you what you need? Yeah, i mean it gives you. I think security plus, with this emphasis on studying for the CISSP, probably gives you just as much as the GSEC. But some people like the GSEC and they may be like a little bit more of the technical aspects of it, and that is where the GSEC comes into play. But at least it takes about four months to study, is what they recommend to get ready for this. You're talking network protocols, host-based vulnerability, password management, crypto, network architecture and then contingency plans. So all of those are kind of wrapped up in the GIC Security Essentials certification. Now the next one is this CompTIA Cybersecurity Analyst. Now, this is a new, relatively new certification and there are no strict prerequisites as it relates to the CYSA. They do recommend that you have networks plus and security plus certifications, or at least the same knowledge, with around three to four years of hands-on experience. What I would say that if you're dealing with a new SIM, which is your security incident event management system or I always get them screwed up, i've kind of had them backwards having that cybersecurity analyst certification could be valuable just in the fact that you understand what a SIM is looking for and it can help you get the ground running a little bit faster than without it. Now the cost of the CYSA is around 370, just figure 400 bucks and it will take you about two to three months to study for it. It is a step up from security plus. So I would agree It is definitely something that is beyond security plus scope. But if you're going for your CISSP, i would say it's nice training to have and if you can get some free training to do it, go for it. I don't necessarily feel that it's worth spending that kind of. I mean, 370 bucks isn't a lot. It's just to determine whether or not you want the certification, and there are people that just want to have lots of certifications behind their names. Great, more power to you, that's awesome. You don't necessarily need it, but if that's what you want, that's a great step. Now the CYSA. They do threat management, vulnerability management, incident response, architecture, tool sets and then data analytics and interpretation. So the company is. Security analyst is a really good one if you don't know what your long-term plan is or if you're not really sure about getting the CISSP, if you're just being started on your career. It isn't hurt, it's just you got another expense, so you just have to decide do you want to spend the money on it or not? Next one is the certified information security manager, cism. The CISM is you gotta have a minimum of five years of working experience in information security management. That is required And it must be gained within a 10-year period, again prior to the application date. Bottom line is they want someone that is like myself, that's a senior leader that's going to be able to help train them into how to properly deal with security issues. Now, the cost of the test is around 500, around 600 to potentially up to $800 for non-members. That varies right Now. Having that degree or degree, having that certification, could be very valuable depending upon the company you go and work for, but it just I would say it's probably one right below the CISSP. If you're going to, if you didn't get your CISSP, that would be one that you potentially could go for And I think you'd probably do better than you think on that, especially if you're prepared for the CISSP. Now, the preparation time can vary greatly, obviously, based on the background and depth of knowledge, but, like everything else, expect two to four months would be a good number to basically plan to flag on, and it's an advanced certification but it's worth knowing that it's also it's often a goal of IT professionals interested in managerial side. So, like in the case of ASISO, a CISM would definitely be a certification that would help you get that role. It wouldn't hurt versus, you know, but having the CISSP is probably the coup de gras on that is probably what you want to have. But if you are a CISM and you applied for a CISO job that's a lot of CISOs then you probably would have a pretty good chance at it. Just that's just my estimate on that. I haven't. I've dealt with CISS systems as well And for especially roles that I've looked to hire for it. Yeah, they know their stuff. They at least know enough that they can. You can have a good conversation And, like I mentioned before, you got a shark, you got a dolphin. they don't talk well, right, but if you can get one of them to learn shark or dolphin now, you can actually get something accomplished Now. The last one is a certified information security professional. Now, before I get into that, obviously there are lots of certifications you can take. Some of them are better than others. Some of them are not necessary And I would say, out of all the certifications out there, personally the only ones that I see as a necessity to be actually be certified would be the CISSP and potentially the CEH potentially. But the CISSP does open a lot of doors for you as mean globally, so it's important, i think, that you focus on that. Just my two cents. But you do what you need to do, but I think that having a good understanding of the CISSP and what that can provide for you would be very, very valuable. Obviously, they had eight domains of the CISSP and you need to have one year experience for the waiver to be granted. If you have a four year college degree or approved credential. But that doesn't waive the five year requirement, it just allows you to take the test early. Cost of the test may range from $800. I've seen it up as high as $1,200, and that will change from region to region. When it comes to studying for the CISSP, the number, the amount of time, is anywhere from three to six months is generally recommended for the CISSP. I would say, yeah, three months is probably depending on how much you're into it. It's probably pushing it just a little. Four months is probably the sweet spot. Six months gets to be a little bit old, a little bit challenging. It doesn't mean it can't be done, it just becomes just a little bit more challenging as all When you're dealing with the areas of concentration. You got your security and risk management, asset security, security, architecture and engineering, identity and access management, lots of security stuff. There's like four or five security aspects, actually, six, seven. They're. All say security, except for identity and access management. That doesn't talk about security, but that's kind of inherent within the IAM world. That is all I have for today. Today is, again, we're going to start over next week with the domain one and you'll be hearing more about that. Also, go to my website, check out the CISSP Cyber Training Blueprint and that will help you gain access to all of the stuff you need to pass the CISSP exam. It's going to walk you through step by step, what you need to do, how you need to do it, how much study you need to do, and then it'll keep you accountable. That's the ultimate goal. For this to happen and for you to pass the test is you need to remain some level of accountability, which I know. You all can take this thing, and I know you all can pass it. You just need a little assistance. That is all I have for today. I hope you all have a wonderful day and you have a great week coming ahead of you, and we'll catch you on the flip side, see ya.