I am a CISA, and I believe I can clear CISSP. I have never been a security professional, as I have been a general manager in a small company. However, I have struggled enough with my systems and therefore know about Windows settings and configurations. I have also fixed my own systems after virus infections, using guidance available at symantec.com. I am also a reseller for Web security certificates. I have overview experience of programming and database, having done some strong programming using C under DOS and followed that by learning Java, HTML etc. However, even after all this, somehow I feel all my systems are vulnerable to hacking and I can do very little about it. I think computers have become too complicated to be managed with any degree of guarantee. My question to you is whether it is possible for me to become an infosec professional without first becoming a computer engineer?
It is not necessary to become a computer engineer to effectively maintain security in your current circumstances (and indeed, in other circumstances as well). To that end, make use of the various post-installation checklists and lockdown information available on these Microsoft Web
Likewise, I would recommend reading heavily in this area and perhaps pursuing a more operational, hands-on certification like the SANS GIAC program rather than the CISSP if you really want to become a security practitioner. CISSP takes more of a theoretical, architectural and organizational view on security rather than a "to fix problem x, apply solution y" approach. Other certs will provide this latter perspective and are probably therefore more germane to your stated goals and needs.
This was first published in October 2002