2

Sorry if this is a duplicate however I felt it was a little more unique than the answers I found. Basically I am a software developer and I have moved recently into an architecture role. Throughout my short career I have worked with PCI auditors etc and found PCI a little off track for what I need so I want to focus on ISO27001 etc

I am thinking about doing some formal training to help my organisation and career within information security, I found the following image which kinda sums up what I want to do minus PCI and business continuity

enter image description here

Has anyone got any experience with these and what should I maybe and / remove from my learning path

M'vy
  • 13,033
  • 3
  • 47
  • 69
OliverBS
  • 445
  • 5
  • 14

1 Answers1

4

Most security folks are rather cynical about certifications. We get sold a LOT of certs, and we also validate that many of cert holding folks of the world aren't paying very close attention. (CCNA, you know default creds are bad!)

My advice:

  • Only get certs your employer pays for
  • If compliance is a concern, go that route first
  • Try not to go vendor specific unless you are absolutely married to that vendor
  • Realize that you'll have to do a lot of real training at home or on the side. Lots of folks with certs miss silly stuff like bad crypto and sql injection.

Besides that, you just want to ask yourself what's good for my career/what's best to do with my time?

Personally, from my perspective as a pen tester, the list looks a little bonkers.

  • "Cyber security" is a buzzword. I wouldn't pick a training course with that name.
  • Do you want to be a PCI auditor? Do you like doing PCI auditing? Is there a management role in it for you? If you don't like auditing I wouldn't train myself to do it.
  • Same goes for business cont.

From a pen tester role I like these certs:

  • OSCP
  • OSCE

But I understand that's not exactly what your organization needs or is asking you to do.

MrSynAckSter
  • 2,020
  • 10
  • 16