information security confusions

Hi guys…first post on GS..wonderful and lively forum you got here… so anyone from the information security domain here???
I just started out at an info sec consultancy and am a little confused about the career prospects this field has to offer…
Have heard a lot about the CISSP and CISA certifications but when I searched out the course description, it turned out to be purely theoretical, I mean we’ve all been taught what encrypted and plain text protocols are and blah blah… so here’s what boggles my mind, what does a CISSP or CISA certified pro actually do? The course doesn’t give you any hands-on training of configuring system side security, etc… so is there any future for this cert??
And one more thing, does anyone know if there are other career options in info security other than penetration testing…

thanks

Re: information security confusions

We have a couple of IS security pros here, although they're not active posters... Kaleem and Saby should be able to provide more qualified opinions. Having said that, I do work regularly with IS Security professionals, so I'll try to answer your question based on my experience. I also obtained my CISSP back in 2002 - although I never worked in any regular capacity as a security professional.

The way I see it, the real benefit of these certifications is that they provide a qualification benchmark for employers and clients to hire or engage with a new consultant. To complement your real-world experience and project portfolio demonstrating your work, these certifications act as a testament to your familiarity with industry standards and best practices. Also, perhaps more significant is the criteria of maintaining a certification rather than obtaining it. Most of these certifications have a requirement for continuing education credits in order to maintain your credentials. This ensures that the candidate stays current with the developments in the industry and up-to-date with technologies in their areas of expertise.

Re: information security confusions

Thank you LC bhai for your valuable feedback.... so may I assume then that the CISA or CISSP may not be of much worth as a primary cert ...... and LC bhai, since you've gone through the CISSP path too, what is your take on the prospects of IS in the future..... just that I find myself at crossroads, still can't make up my mind whether to opt for traditional electronics engineering jobs like automation and industrial control stuff or info sec....

Re: information security confusions

You must understand the difference between a security architect and a product specialist. CISSP and CISA provide information to further your path towards security architect who understands most of the domains involved in IS, whereas platform-specific hands-on training can make you a product specialist and one can end up becoming an administrator of the product.
If you feel that you are better off sticking to a vendor, go for Cisco, Nokia, or any other vendor of your choice. With that said, if you are a starter and have no experience of IS, don't jump on the bandwagon of CISSP; it is difficult for a starter to become a security architect in one leap.

Thank you very much Truth_Surfer for your interest.. from your advice I infer that it would be better to focus on a particular product and develop my expertise in it first and then move on to the architect path...
And just in case you guys are wondering, the reason I'm so horribly confused is that at work, I'm surrounded by penetration testers who generally focus on things like application security, code auditing & web app testing, and since we as electronics engineers haven't been taught 2 dozen programming languages, I'm not particularly enthusiastic about pursuing the programming side of things, hence the dilemma.

No problem SC.
I'm not exactly sure of the context in which you're thinking of CISA and CISSP as "primary" certs - perhaps, if you mean entry-level certifications (?), then I can see why there may be some hesitation in pursuing these on the outset. However, I have seen many people make great inroads by obtaining these certs - esp. the CISA one because it's pretty unique in its subject matter. The way I see it, if you're a newbie in the IS security arena, then these certs can help establish a baseline credential that can land you some work in a security analyst type role. Meanwhile for connoisseurs, maintaining the credential in good standing is a testament to their up-to-date knowledge.

I agree with TS about deliberating your options according to the career path you wish to pursue - the distinction between an architect and a solution specialist is an important one indeed!
However, architects can certainly also specialize in specific solutions... this is especially true if you look at technology consulting firms - they advise on architecture, and also recommend specific partner solutions which they've had success with in the past. Normally, you'd find architects and implementers in a project team, but it doesn't hurt to have knowledge of both, while developing expertise in one. For example, when I was considering this route for myself, I obtained the CISSP and the Checkpoint certs because I wanted to advance further in application level firewalls. Others I know pursued similar tracks with CISSP and Cisco's network security certs.

I also agree with TS in that CISSP is not to be taken as a silver bullet in IS security certs, and becoming an architect requires much more effort in terms of both experience and expertise. However, with the "Associate" credential, one should be able to get started with learning about best practices and hopefully with a basic role in devising and recommending security options.

Once again LC bhai, I'm extremely grateful for your very detailed reply.

Just one more question, how do you guys see the prospects of info sec in the coming years? I'd have had no doubt about the growth of this domain had it not been for the advent of cloud computing....... That is something that really alarms me... do you think that as cloud computing grows, the concept of data centers and server rooms from individual organizations may become obliterated... do you think it may lead to further VERY drastic cuts and downsizing of IT personnel in the coming decade... especially those planning to get involved in the operations and maintenance functions...

Re: information security confusions

^ solar, unfortunately, I haven't worked on any engagements where cloud computing was a major component of the overall solution, but in my own view, I don't necessarily associate a new technology paradigm with obliteration of IT jobs per se... a shift in focus for sure, redistribution of jobs to certain new sectors of the industry, but not necessarily doom for IS security jobs. For instance, at the corporate level, I can foresee greater need for risk management type IS security roles to effectively evaluate service providers, and devise and manage service level agreements. Some of the architecture jobs would shift to these vendors and service providers who'd have much greater need for security pros as companies start adopting solutions across the board.