October 23, 2012
I write to you seeking career advice. I graduated from college in 2005 with a B.S. in Computer Science (programming). I was unable to timely find a job in my field of studies, so I accepted an offer to become an IT Auditor. I’ve been an IT Auditor ever since in two different business environments (banking and government).
Because of my background in programming, I absolutely enjoy undertaking tasks that are related to business analytics, data mining, re-performance, etc. However, my current line of work does not require or provide for that. In addition, I have become greatly interested in security, but while I feel that I am very capable of learning effectively and efficiently, I do not have a strong foundation on networks.
In order to push myself to strive for more, I have looked at the option of becoming CISSP certified. However, I am not sure if the SSCP would be a better choice for me based on my knowledge level.
I am currently CISA certified and know that having another, more technical certification, will better position me in my job or others.
What would you suggest? Thanks in advance for your help.
Programming My Future
The best suggestion that I have for you is not to pursue any certifications for the sake of positioning yourself in your current role or others. The certification alone will not help you, finding an environment where your skills are valued for their unique combination is the best way to further your career.
To begin with you have a degree in Computer Science and a background in programming. Next, you have 5-7 years of real world experience in IT Audit and you are a CISA. On top of that, you have an interest in security, and you have a history of gravitating to more technical projects.
The combination of these skills and your interests are unique. Your skills have a great deal of value to an organization who realizes how to utilize them and leverage them for their benefit.
Recently we have been engaged in a number of searches that are looking to find technical information security professionals to work in IT Audit environments. The primary reason for this is that corporations are recognizing that it is critical for these two business functions to understand each other, and the key to this is to either have audit minded security professionals or technically and security astute IT Auditors.
This being said, it is good that you recognize that your lack of networking experience is a shortcoming and a potential skill gap. My feeling would be for you to find a way to work on developing this skill and knowledge. This could begin by reading some books on the topic, taking some vendor based training, and maybe eventually getting a certification that demonstrates and reinforces this knowledge.
If successful, this may be 2-3 year undertaking. If you begin down this road and it “does not take”, then I would suggest you refocus your energies on you’re the enhancement of your strengths – and maybe learn some new programming languages, application security, code review, or other related skills.
If you are interested in learning about some of these blended opportunities, do not hesitate to contact us at LJ Kushner (email@example.com) . If you do so, in your e-mail please mention – Career Advice Tuesday!
Hope this helps,
October 16, 2012
Currently I am employed as an information security consultant with a large entity. As part of my compensation program, I earn a quarterly bonus based upon the achievement of utilization targets and billable hours. Our company has done well over the past five years, and my bonus has become quite predictable. Over the course of the year, it amounts to about 30% of my base salary and close to 20% of my overall compensation.
About a year ago, one of my peers left the company to strike out on his own. During that time, he has grown a small boutique consulting company that specializes in my area of expertise, GRC product implementation. While I am familiar and comfortable with the person as a peer, I am not fully comfortable with him as a business owner. He has recently made me an offer to join his team.
The position comes with a little more authority than I currently have, alone with a flashier title (From reading the blog, I know how much weight you put on this.) The salary is a small increase from my current salary, but the bonus appears to be more substantial. He has told me that, based on the corporate formula that they utilize, it could equate to about 50% of my base salary. This would be a sizeable increase, and potentially give me additional freedoms.
There is one problem that I have; I do not fully trust that this money is going to be there. I base this on the fact that I do not know what kind of businessperson he is and do not know if I can rely on the bonus to be there. If it does not materialize as promised, I will be taking about a 10-15% decrease in earnings, and I risk leaving a safe and comfortable situation.
Any advice would be appreciated?
While your question appears to be complex, fortunately, the answers are quite simple. By asking your potential new employer a few key questions, you will be able to figure out your answers about his business ethics, believability, and the health of the company.
Here are some easy simple steps:
1) Before accepting the position, ask the new employer if you can speak to some of your potential peers who have been working with the company for at least three months. During these discussions, ask these folks how their bonus has been, has it been paid, has it been paid on time, and if it was paid as stated in their offer.
This is your first line of defense. It will provide you with at least some history in seeing if your new employer is true to his word.
2) If this checks out, then I would want you to call your new employer directly before accepting the offer. When you speak with them, I want you to ask them to guarantee the bonus for the first six months of employment at the target rate. In essence, I want you to ask him to treat it as salary. Anyone in business who is adding additional people to their services team should have at least six months of visibility into their revenue stream and client base. He should not hesitate to honor this request. If he does, my antennae would go up.
You are entitled to request this based on the following factors that apply to your situation:
1) You are a known commodity. The employer sought you out. Knows your work, and knows what they are getting. There is huge value in this to them.
2) The business is a small business and it is their responsibility to help you manage your risk – since you are the one that is taking a chance on them. (As a side note, a company that has been in business for a while would not do this, and should not be expected to.)
3) They are recruiting you. You have a good job where you are content. You have some leverage in this situation so use it. All you are asking is for them to guarantee their promise. It should be a simple request.
(Note: As the audience reads this, understand all three factors need to apply. Do not think you can require this of a large fortune sized entity, an established security consultancy, or a stable security product vendor.)
In closing, my best advice is to trust your gut instincts. After these discussions, if there is something telling you not to trust the new entity, stay put. Tell the employer you would like to revisit the opportunity in 3-6 months. I am pretty confident that if this particular opportunity is indeed a good one, it will still be good six months from now.
Hope this helps.
October 9, 2012
I know tat you are a baseball fan, so I wanted to ask a themed question now that the baseball post season is upon us. The question I have is very simple, relates to interview mechanics and interview positioning.
From what I understand, for many senior level information security positions companies will interview between three and six people, I wanted to know if you felt that there was any advantage or disadvantage as to what order that you interview.
Some people have told me that it is best to go first, some say it is best to go last, some people say that it does not matter, I would like to know what you think.
Dear Mr. October,
Very good question and one that many people have differing opinions on. The question you ask is really, when it is the most beneficial to interview? I am going to tell you that in the end, there is probably no real difference when it comes down to decision making, but let me give you some strategies on what could be the best mindset depending on where you sit in the order.
1) Leading Off- If you are set up to interview first, you need to understand that you are setting the standard for all other candidates who will be interviewed for the role. The key to going first is to go into the interview with the goal for the hiring manager to decide that you are the best candidate for the role, and cancel the others. Although this will likely not happen, you can try your best to help them arrive at this decision, by making a memorable impression. The best way to do this is to excel at some of the intangibles – focusing on your alignment with the company’s culture, your appearance, and your communication skills. In essence, when you go first you will need to emphasize style as much as substance. The reason for this, is by the end of the process the interview team may get confused because all of the candidates will have good skills, however, the sharper communicator, the candidate with the best executive presence, and the best fit with the culture will be more memorable.
2) The Middle – No one likes the middle, but I don’t think that this is a disadvantage if you have some goals going into the discussions. To me, the goal of a “middle” candidate is to exclude the candidate or candidates who have previously interviewed. In essence, the candidate should go into the interview with a competitive attitude, since based on the fact that there is more than one candidate, this is now officially a competition and the interviewing team by nature will compare candidates. Once piece of advice would be to ask the interviewers questions about what qualities will make the person successful in the role, and continuing to ask questions geared to understanding the ideal fit, what is missing, and what are the key problems that need solving. By doing this, you may be able to get the interview team to reveal some of the shortcomings of previous candidates or to describe what attributes an ideal candidate will possess. Once you have your answers, it is your duty to demonstrate value and to emphasize your strengths in this context – effectively blowing out the competition and positioning yourself in a way where the decision should be clear, no matter who walks in the door next.
3) Hitting Clean-Up – or Going Last – I know that many people like this position, but it definitely has its drawbacks. If you go last, and the previous candidates are strong (see above) the interviewing team may view your candidacy as a nuisance and may not be fully engaged. However, when you go last in the interview process you have the ability to make a lasting impression and be top of mind during the evaluation process. You also have the ability to address any of the interviewers concerns about the role and the other candidate’s deficiencies. So, the best way to attack this interview is to combine the approach of the first two suggestions – combine both style and substance, and most of all compete! However, there is one thing that you can do if you interview in this position, than the others, you can “Close the Deal”. When I say “Close the Deal”, what I mean is that you can let the interviewers know that you want the job, and leave little or no doubt that if offered you will accept it. Not that you cannot do this in the other interviewing positions (and you should), but when you interview last, it is most powerful.
There is some additional piece of mind for the interviewing team to know that they will have their position filled, after the long interview process. By leaving the interviewers with the confidence that they are not going to leave the process empty-handed could be a huge advantage. Everyone likes a sure thing, and if they believe that you embody that, that could bode very well in the final decision making process.
Ideally there is no right or wrong answer here. In the end, in most interview processes talent usually wins out. But remember, that all interviews are competitive situations, and you need to be prepared to successfully compete against your peers no matter when your meetings are scheduled.
Hope this helps – Enjoy the playoffs!
September 12, 2012
Currently I am at the end of a job search. The interviews have gone great, I really like the company, and I am on the verge of becoming a CISO for the first time in my career. For about 95% of the process, I have been on “Cloud Nine”.
Unfortunately, my process may have hit a snag, and I really need your advice to potentially avert a catastrophe.
On the company’s application they asked me to list my current professional certifications. I listed my CISSP and my CISA, which I know are current, but I also listed a couple of technical information security certifications that I received earlier in my career. My assumption was that these certifications were current.
I received a call the other day from the background check company asking me to provide some proof of these certifications. I did some checking, and I do have the actual certificates, however the during my discovery I learned that these certifications have definitely expired.
Here is my issue; technically, I have misrepresented myself on the background check form, which I know speaks to my credibility. At the same time, these certifications are not even applicable to my hiring or the qualifications that this information security leadership role requires.
Do you have any advice on how I should handle this situations, to preserve this opportunity? On one hand I want to come clean and let them know of my oversight, on the other hand, since these certs are secondary, they may not even be verifiable, which would mean I would draw attention to something that will be irrelevant.
If you could let me know, that would be great.
My advice is simple but it is two-fold. It will be short but sweet.
First of all, “tell the truth”. What you need to do is to be in front of the story and to let them know that you made a mistake, and you want to bring it to their attention. You can let them know that your assumption was that these certifications were granted for life, and to your knowledge you did not need to renew them. If they question your sincerity, you can point to both your CISSP and your CISA, which are both current and in good standing, to demonstrate that renewing your certifications is a standard operating procedure for you. In addition, the fact that you can produce the actual certificate as proof, will at least demonstrate to your new employer and their background check company that you did actually achieve the certification and your initial statement was indeed accurate.
Secondly, whenever you speak about this, and to whomever you discuss it with, make sure that you do not make this a “big deal”. You should not send e-mails, or contact the senior members of the interview team – you should just deal with the background check company – and should do so via the phone, so that nothing can get forwarded to people with decision making authority for your hiring, who may have dogmatic views about this violation/oversight.
If you make it a big deal, it looks like you are attempting to cover it up and you got caught. If you make it like it is just an honest mistake, you may get them to overlook it altogether and it will most likely become a foot note, and not even become an issue.
What can be learned from this is that when filling out an application, less is more. Only include things that are essential and you know your can verify. If you can not be 100% accurate, omit it, you can always complete it at a later date.
Hope this helps and it works out for you.
September 5, 2012
I’m currently responsible for a security program for a large enterprise. Before taking this role a couple of years ago, security was not a concern for this company, and I believe I’ve made strides in correcting this. However, I feel that I’ve accomplished as much as will be possible given the corporate culture from the top down. The board and company leaders are much more risk tolerant than I am personally comfortable with. This goes beyond a difference of opinions – I have been asked to back down from a number of very basic security policies (i.e. must have a password on a smartphone) because leaders rather deal with a potential security breach than with dissent in the ranks as a result of changing basic behavior. I do not believe that my personal ethics and pride in what I do will allow me to continue to brush security gaps under the rug because they are inconvenient. As a result, I am slowly beginning to investigate the job market.
My question – when asked the inevitable, “Why do you want to leave company XYZ”question in an interview, how do I portray my personal integrity and ethics in a way that does not sound like I’m trashing my employer?
“Looking for the Right Words”
First of all, I want to thank you for this question, it is a very good one and it generally requires a delicate response, mainly due to the fact that the interviewer likely has preconceived notions of what an acceptable response would be.
Before I answer, I want to tell you that I think that this is the worst interview question and in all my years as a recruiter, I believe that this question should really be irrelevant to someone’s interest in a particular opportunity and here is why:
There is really no good answer
“What is a good reason for leaving?” – I mean really, if things were good, would someone really be leaving.
Here are some common Question/Answer responses:
1) If you say something like “I got passed over for a promotion” – the interviewer worries that you are not that talented and that if you are not promoted on your timetable you will leave.
2) If you respond saying that you are “looking for more compensation” – you are effectively a mercenary. You are now labeled as greedy and money motivated, looking for a job for all the “wrong reasons”, or willing to move again for the next biggest pay day.
3) If you say that you “do not like your manager’s style”- then you are all of a sudden difficult to manage and red flags go up
4) If you say “you do not like the work environment” – you are now a malcontent.
5) If you tell them that you want to “work with smarter people” – you are now labeled as cocky and conceited.
6) If you say that the “commute is too long and the hours are too intensive” – they question your work ethic
7) If you state that you want “to work for a better company” – you lose a majority of your leverage and negotiation power
8) If you state that you “have a problem with your company’ s integrity and how they do business” – You are now either a “whistleblower” or have a “god complex”
Believe me, I can go on and on, but I will leave off at your question and try to help you find a better response.
One of my beliefs about interviewing is that the most successful interviewers are effective storytellers. The best interviewers are able to share their experiences in a way that points back to an underlying theme that will enable them to reemphasize a key characteristic or skill. In essence they take something that makes them unique and attractive, and they share experiences that force the interviewer to draw a conclusion aligned with how they want to be portrayed. This enables the interviewee to get their point across more gently, and allows them to paint a picture of both their skills and their character – focusing on the whole “body of work” and not just one particular experience.
In a situation like this, my advice to you would be to build a theme of “ethics and integrity” and make that your interview story. You may be able to begin your story with the reason you were attracted to information security as a career. You then may want to speak about managers that you worked for that reinforced this concept and discuss situations where your ethics and integrity were critical in helping both your employer and team accomplish its goal. You can even lead up to your current role, and speak about why you accepted it, discussing how when you began the role and established the function, that this was a main driver in making that decision.
Now, if asked why you are looking, you can simply state that the company and the people whom you work for now, are much different than the company that you originally joined. This will subtly reinforce your “theme/story”. The interviewer should be astute enough to draw their own conclusion without you having to verbalize this.
You can let the interviewer know that one of the reasons you are interviewing at their company is that from what you have learned and read, it appears that their company’s values align well with your values. You can then turn the interview around and ask them some questions on how ethics and values effect their decision making process. Hopefully they will provide you an answer that will make you feel more comfortable about joining their team!
Hope this helps you.
If you would like to speak more about this and your pursuit, please either contact my office, or send me a number where I may reach you.
August 14, 2012
I have been working in the IT industry for many years and have been dabbling in the Information Security realm for about 5 years now, but am having a hard time getting the experience I would like
I was recently asked by a friend to help with a side job which required a Security Assessment to be performed. I have never had to perform a Security Assessment so I am a little hesitant making the jump because if I accept the assignment, I want to do it correctly.
I’m not one of those guys that will take the job, if I do not believe I can perform it correctly. I do not want to be put in a position where I do a crappy job due to the fact that I do not know what I am doing.
How do I get the experience I would like, so I can take “jobs” like this one with confidence? I have a good reputation and I want to keep it that way.
Any advice you could give, I would be grateful.
“Biting Off More Than I Can Chew”
Dear “Big Mouth”:
I agree with your sentiments. You only have one reputation and anything that you do that detracts from your reputation will only stay with you through the course of your career. In the end, your work is a reflection of you, and it eventually will define you and become your “brand”.
I give you a good deal of credit for having the integrity to know that this position maybe beyond your scope of knowledge and “more than you can chew” at this point in your career.
I can offer you a couple of different options –
1) I would ask your friend if you would be open to “sub contracting” the assignment to someone that you trust. If they say that is OK – what you could do is to ask around your network or on Twitter – if anyone is interested in a consulting assignment – with the caveat that if they take the job – that they will let you shadow them on the assignment and teach you. This could be the best way to get practical experience – in essence you can learn – and someone else would get the revenue from the assignment. This would be viewed as quite an even trade!
2) Another option would be to get formalized hands on training. Now, I do realize that if you did take training, you would not be ready for this current assignment – however, with some foresight this could possibly give you the confidence to know that you would do a good job the next time that you get the opportunity to perform this type of work.
The key to this is to get “hands-on” training – not just some certification – that will give you the confidence that you will do the job correctly. Understand that you are doing for yourself, not someone else evaluating the value of the certification and utilizing that to judge your competency. In this case, you need to overcome your fear of failure – practical experience, even in a training or lab environment should enable you to simulate a real world “assessment”. It may not be live – but it is the next best thing.
With the right training, you should be able to do a “good job” on future assessments, and when you do, you can be sure that you will get additional opportunities to practice your craft.
Hope this helps,
August 7, 2012
I am currently working as a penetration tester for a pretty large company. Prior to this, I worked for another large company, doing similar work. My current job is going well, I have a very good mentor, my company has been supportive of my professional development, and I like my hiring manager – as I feel that we have established an open line of communication.
I do have two complaints. First of all, I believe I can do more. Secondly, I believe that I travel way more than necessary to perform my duties.
I recently completed an interview process with a much smaller company that is in the middle of a growth spurt. Although they are much less structured, the people are very smart, and they have some focus in an area that interests me a great deal, Mobile Security. I believe that it is set up to enable me to take some leadership in this area. The position does not require a great deal of travel, and it will allow me more time to get involved in my local professional community.
The money for the position is very similar to my current role, however the position offers some stock, which is a exciting to me.
I have listened you’re your advice in the past about avoiding jobs that just provide the opportunity to “Change Golf Shirts”. Would like to know if you think I am doing this if I join the new company and accept the offer?
Any advice would be appreciated.
Based on your description above, I do not think you are “Changing Golf Shirts” at all, in fact, I think that these two opportunities are unique and very different.
Here are my thoughts:
1) First of all, the company you are joining appears to be a “Start-Up”, and it does not appear that you have any of that experience. Having the experience working at a “Start-Up” is unique, and I think that if you enter into that environment you will learn things about yourself that you would not have in the larger companies that you have worked for.
2) The new company appears to have some good alignment with your interests, which is great. Not saying that your current employer doesn’t, but it appears that you will be able to take more of a leadership role in this area in the new company. Smaller companies are great for this experience. Where in a larger company, there are more resources to compete with, a smaller company provides more opportunities to create more of a “Professional Brand.”
3) You are going to work with “Smart People”. Not that you do not already, but the only thing better than “Smart People” you know, is “Smart People” you do not know – because if you take this job, your “network of Smart People” just got much larger.
4) You have some earning potential with the stock options. No, you probably will not retire, but stock options provide some upside earning potential that you are not getting in your current role. As a “Pen Tester” there is a standard comp range that you are restricted to, based on the market – so compensation for a new job, is never going to be that significant of an increase, in that case, Stock Options provide you with a possible accelerator of you earnings. Even if they are worth nothing, there is no risk for you – as your compensation is going to be equivalent.
5) You can always go back to the big company. Even if your current company will not have you back, there will be another big company that will take you back, and they will probably be willing to pay you a little more money to go work there, again you do not have any risk.
My feeling to you is to take a shot on the new company, and see where it goes. Use the opportunity of not traveling to become more involved in your local community, become known to more people, and really sink your teeth into your interest in “Mobile Security” – and become more visible.
If you maximize this opportunity, it will be much better than trading for a “New Golf Shirt.”
Hope this helps,
July 31, 2012
For the past two months I have been in the middle of an interview process, for what I believe to be a pretty senior role. The role was a promotion from my current duties, and it was to provide me with a larger team of people, a bigger scope of responsibilities, and a larger compensation package.
During the interview process, I confirmed that the scope of the role was larger with both the hiring manager, and the hiring manager’s manager. This was confirmed both on the phone and via e-mail. I also had detailed discussions with the human resources person at the onset of the interview process about my compensation requirements and what it would take for me to give up my current role (where I am quite happy). I received assurances that this would not be an issue.
Well, I finished the interview process and the offer was incredibly disappointing. First of all, the role on the offer was for a lower level (similar to my current job) and the compensation was for 20K salary less than I requested.
The hiring manager told me that I should “trust them”, and they just had to smooth things over with the incumbents before they made the announcement. They also blamed the whole compensation thing on the HR team, stating that “they’d see what they could do”, but could not go much higher than the initial offer
Do you have any advice for me? Should I trust them? I feel so deflated as this was a job that I saw as the next step in my career and I feel that I have been “bait and switched” and taken for a fool.
Dear “Cadillac Man”:
Beware, if you take this job, you are going to get a “Clunker”
There is absolutely no excuse for two hiring manager’s to tell you something in writing about a position, and then not be able to back it up in writing and in an offer. The concept of “Trust Me” should be applied to minor details of a job offer – like a work at home policy, or extra vacation – but for something as important as the core reason that you were interested in the job, NO WAY!
Secondly, think about the organization that you are heading to. The hiring manager blamed the HR person. Whether that is true or not, this is very telling of their personal style and the corporate culture you will be heading into .
At this level of a search, if you were a key hire and being recruited for a “Senior” role then compensation should be something that should be able to be worked out if both sides are reasonable. Without having the details, maybe a request for 20K more than they offered was a bit aggressive – but I would figure that they would have taken a much different approach.
Also, at this level, if they really want you and you really wanted the job, this process of compromise would be easy.
The translation of their offer is as follows:
We liked you a great deal. We feel that you would be good for the role/level where you are currently performing at (at your other company). We do not mind paying you a little more to do that role at our company. It is possible that you will have the ability for a larger role, but it will not be on DAY ONE! You are welcome to try out for that role once you are an employee and prove yourself in our organization.
However, they have elected to be dishonest with you and try to sway you otherwise. I can assure you that if you accepted the offer to work for this company, that this would not be the last of the unwelcome surprises.
Hope this helps,
July 24, 2012
Currently I am an Chief Information Security Officer at a medium size company. About a month ago, I engaged in an interview process to be a CISO at a much larger company, and I was offered the position. The role was quite appealing, but after some deliberation with my family, we decided that the location was not going to be right for us, so I called the hiring manager (CIO) and told them that I would have to decline.
He understood, but he was obviously disappointed and a little frustrated.
Well, time has passed and I just can’t seem to get the opportunity out of my head. I really think that it was a very good career move, the money was good, the relocation package was solid, and my husband has become more receptive to the idea, finding certain elements of the location that would appeal to him both personally and professionally.
My question to you would be how could I reengage them? Is it possible? Have a ruined my chances?
“On Second Thought”
Dear “Second Thought”:
The answer to your question is – “No, you have not ruined your chances” and “Yes, it is possible to reengage them, and due to the reasons that you provided, and the way you have handled it (as stated), it may be welcomed.
How you reengage them is important, so here are some steps to follow:
1) Inform your source of introduction. If you worked with a recruiter, you need to let them know, as they may have some more knowledge on the current status of the search. They also may be able to get a better feel for how the company really felt about your original decline of their offer.
2) Call the hiring manager directly. I am a big believer in going to the source. The fact that you called the hiring manager to decline the offer, should work to your advantage this way – as it created a communication channel. When you call them, make sure that you explain to them that the reason for changing your mind is that your family is now receptive to the move, and that was the only reason you declined the role in the first place. Explain to them why they have come around, and you can include something like : “My husband knew that I wanted this job, and it has all that I have talked about since I declined. He is fully supportive.”
3) Do not renegotiate anything: You lost this privilege when you declined the offer, so do not even attempt to do so, as this will take away all good feeling. (Conversely, if they contacted you to reengage, you may have some leverage – but in this case you don’t.)
4) Give them a quick start date. Let them know that you could be out there in three weeks or less. This will show them you are serious, and ready to go.
Sometimes many of the best career decisions have been the result of an elongated decision making processes. Give yourself some credit for rethinking your original decision.
Let me know how it turns out. Hope this helps.
July 10, 2012
I am about to transition from Military to the Civilian work force. I am a IT Support and Security Professional. I am currently working to gain the CISSP through the SANS Security S+ course. My question is will this class help with gaining the knowledge I “really need” to pass the CISSP and will this help with the progressing in the civilian work force? This course is expensive but it come highly recommended from some of the professionals that I work with. Need some guidance.
First of all, let me say a big THANK YOU for your service to our country.
As a disclaimer – I am not familiar with the particular topics covered in the SANS Security S+ course – so my answer to your question will be a more general one.
The first thing that I want to say is that I question the concept that you actually “really need” to pass the CISSP to work as an information security professional in the civilian work force. Most of the customers that we support, are more interested in the candidate’s talent – as opposed to their certifications.
I believe that the question that you should be asking yourself is, “Which training class will enable me to develop my skills and make a smoother transition to work in a commercial environment?”
One of the best ways to determine this will be to first understand the foundation of your current skills and the strengths that you can be leverage. Generally speaking, these skills will be more “technical “ in nature – centering on either networking, operating systems, software development, etc. Once you are comfortable with this assessment, you may want to look at a training class that can help supplement these skills – possibly something in the area of incident response, security event management, penetration testing, etc.
In developing these skills and skill combinations, you should be able to place yourself in a professional information security environment that will provide you with some exposure to the “domains of knowledge” encompassed by the “CISSP Certification”. In the context of the job, engaging your peers, the purchase of some relatively cheap study guides, and some initiative you should be able to pass the CISSP (at a substantially lower price point)– if you decide at that this is a worthwhile career investment as you aspire toward your ultimate career destination.
Hope this helps,