Welcome to cyberonthewire.com! I self-studied for the CISSP exam in my spare time whilst working a full-time job and passed first time, and you can too. If you’re looking for study materials, check out the resources page.
If you’re here to find guidance and advice on studying for the CISSP exam and passing first time (fingers crossed) check out the links in my articles and study advice section.
What is CISSP?
Although much of the general self-study advice that I provide applies to preparing for any exam, this site concentrates on the CISSP exam. CISSP stands for Certified Information Systems Security Professional and is an industry-recognized certification run by an organization called (ISC)². The official description provided by the organization for CISSP is: “The vendor-neutral CISSP certification is the ideal credential for those with proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage their overall information security program to protect organizations from growing sophisticated attacks” ((ISC)² accessed January 2017). The most important things to know about the certification are:
it’s aimed at managers
you will need to have several years of paid relevant experience in order to become certified (more on this later)
it covers a (very) broad range of subjects
there are ongoing annual requirements to remain certified
In my opinion, the reference to ‘deep technical’ should not be misinterpreted as suggesting that you have to be able to program, conduct hands-on analysis of network vulnerabilities or conduct forensic recovery of storage media; rather, it refers to being able to manage and have a working knowledge and understanding of all the parts of an organization’s security program. For example, you may not have to physically set up an IDS, but you will certainly need to know what it is. Note also that it’s not a certification that you are awarded by passing an exam alone. In order to be awarded the full CISSP certification you must have 4-5 years (depending on whether you can waive a year) of paid, relevant experience. The subject matter that you have to study ranges from high level governance topics to being able to provide the result of XORing two sets of binary values and everything in between. It’s the sheer scale and variety of the exam material which makes it difficult, and even once you’re certified you still need to provide evidence of professional development each year. So, why would you want to get certified?
As this site is primarily aimed at those who decide to self-study for the CISSP exam, I decided that the first article ought to deal with the decision to take the CISSP exam in the first place. I will start with a brief introduction to the certification itself, followed by some reasons you may wish to get certified, and close with my own decision process to take the exam.
Why would I want to sit the CISSP exam?
Well, the answer is clearly because you want to get certified, but why might you choose this certification over others? And for that matter, why would you bother going through the study and expense to get any certification? Well, for most people the short answer is because it helps you to secure a new job. You can find lots of lively discussion about whether this is the case (both in terms of certifications in general and the CISSP), but here is my view on it. It can’t do any harm. If you have a wealth of experience you may be able to secure a role based solely on that and you may not need a certification; however, there are plenty of jobs which list being CISSP certified as either an essential or a desirable criterion (a quick search on indeed.com at the time of writing brought back over 11,000 jobs mentioning CISSP).
This may mean that although you are perfectly capable of doing the job, those sifting applications will sift you out simply because there are other candidates who are certified. Additionally, if you are very experienced you may well find that there is less for you to learn because you already know much of the material from your experience, making studying for the exam easier.
However, what if you don’t have a great deal of experience? Well, academic qualifications aside, having a certification will help mark you out as having demonstrated that you at least have the relevant knowledge for a role even if your experience is limited. Note that if you have no paid experience you cannot be CISSP certified; you can, however, become an Associate of ISC2. If you put yourself in the position of someone recruiting for a role and you have two resumes in front of you, both with limited experience but one with a relevant certification, which one would you choose? In addition to these two points, I would also suggest that you will learn things which improve your general knowledge and understanding, making you better at your job. You may even find some of it interesting!
Why choose CISSP over another certification?
This is another topic on which you can find many a flame war, with people making wild claims that the CISSP is the only cert worth having while others say it’s worthless and that there are others much more worthy of your time. From what I’ve seen, the CISSP is still the most sought-after, desirable certification to have on your resume if you are interested in roles relating to information security, especially if you want a role in management. The CISSP is not practical: you won’t learn how to conduct penetration testing, or how to assess a network for weaknesses. If that’s more your thing then I would agree that you should be looking elsewhere, but if you are looking for something at the management level or above, then this is still one of the most sought-after certifications in terms of job adverts.
The other point that I’d like to make about the CISSP is that because it covers such a wide range of topics it doesn’t tie you to a specific field. ISC2 state in their description of the certification that CISSP is ideal for people in: