Career Advice Tuesday – “More CERTs Not Always The Best Answer”
September 8, 2009
Dear Lee & Mike,
I have over 20 years of technology vendor experience in enterprise computing including biometrics identity management, SOA enterprise integration, storage management, IT infrastructure management, CRM application, and RDBMS. In the last 4 years, I worked for 2 vendors who specialize in biometric identity assurance and secure credentialing solutions (smart card) to the Federal Government. I got laid off last Oct due to an economic problem at my last employer.
Since then, I have been looking for that right job and decided to take advantage of the down time to learn more about security with the goal of gaining the CISSP certification. I took the exam in early April and got the official CISSP cert. in May. In looking for a new job in the metro Washington DC area, there seem to be many opportunities in the different areas of security. I know I am coming from a different path than most people with CISSP.
I am most interested in learning and working in the security planning, policy, and C&A area. Can you please advise on what additional training I should look to get and where I can look to get some real-life hands-on experience?
“The Experienced Rookie”
Dear “Experienced Rookie”:
We often say that there’s no good substitute for experience, and in this case, you’ve got a significant amount of it. As you point out, that puts you in the position of being very different than most in the information security industry.
With your background, “more training” and “more certifications” aren’t the first things we’d suggest. The issue with you getting a job isn’t likely that you don’t have the background or the experience; it’s likely that you aren’t presenting the experience well. That means you probably need to work on your resume, your network, and your brand within the industry.
Were we coaching you directly, we’d ask you to go through a personal brand assessment (like the one that we gave to the attendees of our seminar at Defcon) and we’d ask you to think about the following big questions:
- What makes you unique within information security? (Hint: it’s probably your experience)
- Does your resume adequately communicate and highlight those differentiators?
- Which people do you know within the information security industry that are influential in the places you hope to work?
- What do those people know you for? What is your “brand” with those people?
Far too often, people think that “more certifications” will make them more employable: while we’re all for certifications, that’s not usually the case, especially in situations where someone has a significant amount of experience.
Hope this helps,
Mike and Lee