I'm looking into taking the Security+ cert sometime soon, and the CCNA shortly after that. I graduated from college and have yet to find a job in the industry. Working at starbucks isn't exactly helping my memory, and I'm feeling my knowledge slipping away...

Hence the certifications, since I can't seem to land a job yet.

Anyone been certified recently? If so, up-to-date information on your test experience would be appreciated.

I tend to find that working on personal projects and documenting the results works well. When an employer asks about a project I mentioned on my resume it's usually fairly easy to impress them with a description and it shows that you're exposing yourself to IT stuff outside of the work place.

As far as certs, my employer recently recommended that I complete the Sun Solaris 10 certification programs... they're giving me some cash to do so. I'm finding it to be a thorough certification program that has actually taught me a few things. I'd recommend it if you have the cash.

i have been wanting to take certs for years, i started with mcse back in NT4 days, and am currently looking at 2003 mcse, the problem is i do not have an employer willing to give me a break for doing them, so they are out of pocket, and, my employer does not exactly pay the best either, so they are always on the back burner, i get the material and read and practice but never get to the exam, though i am pushing extra hard right now so i can walk into a decent paying job, though i am possibly looking at career change anyway since i am becoming increasingly disenchanted with IT in general....

a friend recent got his network plus and a+ and said they were quite easy

In my experience certain employers are impressed by different things. Some like 4 year degrees, some like certs and still others rather have experience. Granted having all works the best, but I've missed out for either not having a cert or the experience when I first graduated. It stinks because some non tech people are involved in hiring and despite having a 4-year degree in computer science I didn't have an A+ cert. Now anyone knowledgable about the IT world knows how insignificant that cert is if you experience and a 4-year degree in the field.

i would tend to agree and disagree with that statement, we have a collegue who is going for a masters in computer science, unfortuantly getting a degree often just proves you can pay the fee, as in this case the guy does not amd cannot understand the first thing about supporting and using computers, he gives wrong information all the time and is totally useless at troubleshooting building, installing, using and generally everything to do with computers, even in areas like programming he thinks he knows more then he does, ( he knows less then i do and i do not programme anything more complex then the VCR.. it depends on a few factors, what you actually pick up, the area of focus a IT degree with get you, level of common sense, and again experience in the field, an example on the other side of things, another collegue has A+ and network+ and did not know what a centronics connector was nor could give the default addresses for simple things like com1 and com2 and other basic areas they should know having the cert.

many employers will take someone with a 4 year degree in geography for an IT position over someone who has had a few years experience and no degree or cert, others are different though there is a swing right now back to certification and degrees over that of actually having hands on... you are right though, some people want the prospective employee to not only have a 4 yr degree (or prefereably a masters) in the subject, they expect basic certification (A+) and a good 5 years experience in the industy (prefereably more) and then they expect them to work for peanuts...

if you can luck out and get a sweet deal somewhere use the time to get all the certs and training you can, then when you do leave for whaever reason you will be sought after...

Comp Sci and IT are different animals. I don't think any of my classes taught much about different hardware components beyond things like processor registers and memory usage as it relates to programming... though I do work in a IT type job, just about everything I know in that respect is through experience. Comp Sci just deals with programming, programming models, etc. I have no certs, so I'm not otherwise of much help. :\

If you plan on working in the IT field, than you should look at getting some certs. A four year degree in IT or CS is nice as it's normally a base requirement for IT jobs, but the certs set you apart from everyone else.

I took the Security+ years ago. I studied from one of those examcram books and didn't think the test was too bad. Just make sure you read all the questions a few times before answering them as they tend to word them funny to trick you.

I didn't have much problem with the CCNA test either as I had hands on with routers when I took it which is a definite plus. However, they changed the test a few years ago and I've heard it's much more difficult now.

from personal experience, it's the individual and personality in the interviews that i always hire. experience is tops in my books; being savvy with problem resolution is really the key to any IT position. sans experience, i'll take certs or school but really it will come down to gut reaction and how well they interview with me and other members of my teams.

if i was forced to pick disciplines for someone i would have to recommend CISSP first and CCNA as a close second. as far as i'm concerned, any general IT staff should be able to handle Win, *Nix, and basic networking regardless of the vendor solution.

anyhoo... that's my two cents. feel free to IM during the day to discuss further if you want. i've worked my way up from software engineer to CIO so i know pretty much every rung in the ladder (but i'm by no means an expert).

LOL

-alf

i think the most important thing certs or not is common sense, if you lack common sense you can have al lthe certs degrees and peices of paper under the god given sun, but you will be as useful as a chocolate fireguard in real situations..

i took experience from many other jobs, but mainly my A/V background to perform well in my current situation, i do find that any IT guy ( or many other professions related) it helps if you are a bit of a macgyver, and can think on your feet, we frequently get demands to pull systems, servers phone lines network lines, clothes lines, door knobs, you name it form seemingly no where, so far we have managed to rewire most of the third floor and the first floor of the building we're in, and i think we are setting sights now on the second *L*

not that i am included in any hiring practuce but i look for a good allround person for general IT work, it is fine having an M$ Access guru in your team, but what you really need is someone who can make cables wire patch panels build servers or workstation and support access over the phone, and perferably make the coffee too....

i started my job as a simple level 1 phone answering monkey that was last year, i have had 2 compnaies head hunt me(one was the bank our compnay is based in) the other was outside, and i have mutated my job away from the phones as much as possible to the point of (hopefully) getting a colleague and a different office and new department, that was just over 1 ½ years ago, sometimes it does help to start in a smaller business to be able to deal with multiple areas and to help get your certs ( alot of the certs really do require hands on to make them easier), but also a short time doing lots of thing getting knowledge in all areas will help your resume and your confidence...

i think you will find many of the "older" :D people here are a font of experience and less inclined for certs or degrees, but starting out get all the help you can, it honestly is a cut throat business for the green tech, (which is why i am thinking changing careers, i will find alot less competition in more mundane careers and probably more money!)

saying that i got some dumb assed questions on an A+ practice test today, they were asking stupid out of date shit and blatantly wrong answers too, one answer even contradicted a previous answer.

so be warned they may throw a curve ball disguised as a fast ball.... though ,my score on the test was 666 which i though amusingly appropriate....

don't get me wrong... i'm not saying going to school or getting certs is bad. everyone is different, and you have got to know what is best for you. some people do well by gaining experience and moving up, others need some sort of schooling to get an edge. only you know you.

bottom line... no matter what anyone tells you it boils down to what you can do, what you believe you can do, and how you want to get there.

drive... common sense... gut feelings... whatever you want to call it, you have to some it to get to the top or even just get your feet in the door.

-alf

I agree with Alf that experience is the most important, however when most employers look at resumes, they tend to look at buzz words from their postings (ie.. Degrees, certs required, etc..). So you can potentially have all the experiece in the world, but unless you have some of these other items you're resume may simply be put aside. I'll be honest: To me certs are all about my resume. I rarely learn anything new and useful when studying for them and I'm not into putting all those letters behind my name on a business card.

BTW, CISSP certification requires 4 years experience or 3 with a 4 year degree. You can take and pass the test, but unless you can get another CISSP to vouch for your experience level, you can't obtain the cert. (I just got it last month).

I recommend Goldragon start small. If he's looking at IT Security, I would recommend the Security+ and then perhaps the GSEC cert from SANS which is pretty good and doesn't have the exerience requirement. If he's looking at networking, then Network+ would be a good start/foundation followed by CCNA.

common sense = not touching the red wire metal contacts attached to the front of the tube with a crt monitor on.... :D

I agree with Alf that experience is the most important, however when most employers look at resumes, they tend to look at buzz words from their postings (ie.. Degrees, certs required, etc..). So you can potentially have all the experiece in the world, but unless you have some of these other items you're resume may simply be put aside. I'll be honest: To me certs are all about my resume. I rarely learn anything new and useful when studying for them and I'm not into putting all those letters behind my name on a business card.

BTW, CISSP certification requires 4 years experience or 3 with a 4 year degree. You can take and pass the test, but unless you can get another CISSP to vouch for your experience level, you can't obtain the cert. (I just got it last month).

I recommend Goldragon start small. If he's looking at IT Security, I would recommend the Security+ and then perhaps the GSEC cert from SANS which is pretty good and doesn't have the exerience requirement. If he's looking at networking, then Network+ would be a good start/foundation followed by CCNA.

good point Groovy... i forgot about the upfront requirement for the CISSP. as far as certs though, it's a whammy that will cause you to study.

also true with the buzzwords in a resume. if i need someone to maintain my EMC unit then i want to see SAN, SAN fabric, NAS, iSCSI, LUN, CIFS, NFS, Nix, and VLAN written all over that bad boy in one form or another. that candidate will also need to field questions in regards to those solutions and technologies. it's easy to read a few whitepapers on some of this stuff and think you know about it; it's another to be in the trenches figuring out solutions and being able to talk about them at a later date.

-alf

The thing about the CISSP, I'd heard that like the CISA, anyone can take it and get an honorary title and get the experience afterwards. I was considering taking the CISSP but due to the fact that I haven't been living and breathing IT Security, I don't feel confident in my ability to pass it.

I've heard the CISSP test itself is pretty difficult, but it covers topics that are either outdated or are practiced differently in the real world. Some of my professors and guest speakers recommended taking it prior to working in security since some of the material would be different IRL. Thoughts?

Anyone have any good security/network scenarios that I can replicate in my spare time? I need me some solid experience. I should've done internships back in college but I didn't want to give up my steady job + benefits.

i honestly can't think of a cert or school curriculum that isn't outdated by the time you take it and get into a job/career. the industry and technology in general move so fast it's fairly hard to build a certification program or school curriculum on "bleeding edge" technology. personally, what you have to do is find what most interests and motivates you, then get some good, core knowledge/training in it (if you don't have any).

the point being is to get a good groundwork in understanding the basics so that you can discuss intelligently tasks, problems, and solutions at hand.

what is it that you have the most interest in?

-alf

General security administration and analysis is what I'm interested in the most. Took extra coursework to that end, but now that I'm out of school and not working in the industry I feel like I'm losing my edge. I dunno, maybe I just need more self confidence.

self confidence.

that's one of the keys to success... you need that no matter what you do.

things you should study (no particular order):
--IDS/IPS
--HoneyPots/HoneyNets
--Systems Forensics
--Physical Security vs. Social Security vs. IT Security
--Strength vs. Weakness of every OS (and they all have them)
--CISSP (good for core)
--CCNA/CCSP (good for core)
--Some Tools of the trade: Ethreal, Snort, TSK, Forensic and Anti-Forensic Tools, etc.

find a job in IT (anything other than call/help desk if possible) and learn what you can there. if security is the focus you want, then focus your attention there in your spare time (assuming you're hired for something other than security). document everything you do and how well it did or didn't go. those will be the projects you outline on your resume and talk about during interviews. the list will get longer and more diversified as you mature in the industry.

hardest part is just getting started. you already decided your discipline (security), now you just need to get your feet wet and go with it.

let me know if you have specific questions, i have a wealth of contacts within the industry and can ask around and get the answers for you.

one recommendation i would point out, assuming you're serious about security in IT... try to get a job at an ISP. trust me on this.

-alf

The thing about the CISSP, I'd heard that like the CISA, anyone can take it and get an honorary title and get the experience afterwards. I was considering taking the CISSP but due to the fact that I haven't been living and breathing IT Security, I don't feel confident in my ability to pass it.

You can't use the CISSP designation until you are officially a CISSP. So I wouldn't drop $500 to take this test until you have the experience requirments.



I've heard the CISSP test itself is pretty difficult, but it covers topics that are either outdated or are practiced differently in the real world. Some of my professors and guest speakers recommended taking it prior to working in security since some of the material would be different IRL. Thoughts?


Pretty much every certification exam I've ever taken has included outdated topics and methods you wouldn't use in the "real world". The CISSP exam itself wasn't as bad as I had thought it to be. The issue with the CISSP is that it covers so many different areas and the questions range from very general to extremely specific and detailed items that would you normally look up when you need to know them.

IMO, a security guy that's never had hands on network experience is more of an auditor and will be useless in an IT security role. Therefore, if you're looking to get into Security, I would recommend getting a good network foundation first. Make sure you understand how routers, firewalls, VPNs, ethernet, etc.. all work -- if you can swing the CCNA designation, you'll be ahead. Get as much hands on with servers and network devices as possible. In fact, if you haven't already, you may want to get a year or two of network administration experience under your belt before proceeding with Security.

While you network admin, try to reach a basic understanding as to how the organizational functions and goals relate to and depend on the IT devices. This is important because security by default is an inhibitor. In other words, if you make a system too secure, business processes will be affected negativly. Therefore, you need to understand what those business processes are and how they are executed in order to appropriately secure the systems without affecting availability. Learn to look at systems this way and you'll be far ahead when you enter Security.