Why it is essential to have experience - and not JUST to pass the CISSP
Growing The Garden of InfoSec
Think about your path in information security. It took a lot of work and study. No one is born knowing information security, and no child in any playground has ever said “when I grow up, I want to get a CISSP credential”. Information security is one of the most popular professions right now, and it is anticipated that the demand for qualified information security professionals will continue to grow for the foreseeable future.
Any great garden requires serious care and feeding, and your information security career is no different. It requires constant tending, but that is part of what makes information security a fun and challenging career choice. Not only is the salary for most information security jobs enticing, but the rewards of continued knowledge also act as great incentives for the effort. A person who holds the CISSP designation can demand a higher salary than a person without the certification. One may wonder why that is the case.
Before You Kill All the Weeds, Get Down into Them
One of the complaints of some people who study for the CISSP exam is that there is so much information to learn that is not within the primary responsibilities of their particular job. One could say that it is like the garden getting lost in the weeds. However, this expansive field of knowledge is precisely why the CISSP credential is so highly regarded in many corporate settings, and why a credentialed candidate can command a higher salary.
One could argue the following points:
- Why do I need to know about hardware architecture? This can be important when a team decides on a particular motherboard, and forgets to include critical security component such as the TPM chip that makes encryption possible.
- Why do I need to know specific attack names and techniques? I am not a pen tester, so why does that matter? This matters, because you need to be able to speak the language of the penetration tester, as well as the language of many other professionals in the security space. While all CISSP members are not pen testers, it is more than likely that the pen tester you are working with may possess the CISSP credential.
- Why do I need to understand the vulnerability landscape and the results of a vulnerability scan? This is important in order to explain the results of a vulnerability scan in plain language to a non-security audience, such as upper management.
It should be noted that the subject matter of the CISSP Common Body of Knowledge (CBK) is no way as deep as some of the weedy details of many parts of the information security disciplines. However, the weeds are the part where the candidate’s experience becomes important to achieving the full certification.
Experience Matters
One of the thornier weeds of the CISSP is the requirement that a candidate possesses five years of cumulative work experience across two of the domains in order to be certified. A CISSP candidate must also be endorsed as part of the certification process. Why does this matter? It matters because it prevents what is known as a “paper CISSP”, that is, a person who studied for the exam, but has never worked in the field of information security. In the early days of many certifications, all that was required was to pass one or more exams in order to become a member of a certifying body. The experience requirements for a certification offered by ISC2 considerably dampens that possibility.
Clichés, Idioms, and Maxims for Naysayers and Supporters
There are some people who seem to spend a lot of time speaking badly of the CISSP credential. Some go so far as to boast about either how easy the exam is, how useless the credential is, or how they could pass the test without studying. Some go so far as to criticize the entire ISC2 organization. In any knowledge endeavor, arrogantly touting superiority is probably not a valuable approach. Have there been many world class athletes, musicians, or other skilled individuals who speak negatively about the work required for them to achieve their success? Doing so is usually received with skepticism by those listening, and it detracts from the primary focus and serves little other productive purposes.
Consider the following:
Just as tending to a garden takes careful attention to reap beautiful results, the information in the CISSP CBK is worthy of careful attention. Its rewards can also be beneficial, both professionally and personally, but only if approached in the proper spirit. The knowledge gained from the CISSP study materials alone can help in maintaining and maturing an organization’s security. The credential is what emerges from that hard work.
How The CISSP Credential Can Help You Succeed
The knowledge required to be a successful Information security professional is vast, and constantly expanding. Every day, new events reshape the security landscape, requiring a combination of experience and knowledge. When an organization needs subject matter expertise, they can rely on those who hold the CISSP designation for a wide breadth of knowledge and experience that is not limited to just information security.
The CISSP is ideal for experienced security practitioners, managers and executives interested in proving their knowledge across a wide array of security practices and principles, including those in the following positions:
- Chief Information Security Officer
- IT Director/Manager
- Security Analyst
- Security Manager
ISC2 was the first information security certifying body to meet the requirements of the American National Standards Institute (ANSI) ISO/IEC Standard 17024 and the CISSP certification has met Department of Defense (DoD) Directive 8570.1.