On Becoming a CISSP


Picture from kilala.nl.

(Note: I in no way received any compensation and no one has influenced me in creating this post. It is purely of my own desire and design.)

A CISSP is a Certified Information Systems Security Professional, a certification administered by (ISC)². It is essentially the “gold standard” of information security certifications, as well as one of the longest-standing.

I’ve been a CISSP since October of 2003. That’s almost thirteen years now.

Among hackers/computer security professionals, particularly ones who think they’re better than everyone else (and to be fair, some of them really are when it comes to computer security), the CISSP is seen as a “paper certification” that just about anyone can get. While it’s not impossible to get, I don’t think it’s nearly as easy to obtain as they might suggest, and to some extent I think that some people in those circles are covering up for the fact that they were too afraid to try to qualify. Regardless of the psychology of my peer group, I believe the certification has merit, which is both why I got it and why I maintain it.

An illustration of that point is how employers treat it. It’s difficult to get a job in Information Security without some kind of certification, and the CISSP always works for that qualification. That’s not to say that you can’t get that same job without it; if you are a cyberninja and you can prove it, you can certainly pass on merit. However, you might have some difficulty making it past the HR screening software, which will likely have automatically eliminated your resume for not having included it in the first place.

Anecdotally, my obtaining the CISSP made a very big difference in my career, as you’ve likely read in my book. (You have, haven’t you? 😉 ) Having already been doing security work at what was Corsis at the time (later promotions.com) I had fulfilled the work requirement of the CISSP (then three years and a college degree; now it’s four years and a college degree) so it made sense to me that I should try for it, since Information Security is what I wanted to be doing. I started researching, and found that it was indeed difficult, and that I needed to prepare.

As I outlined in the chapter “Data Center Nightmares” it was a bit arduous to get the certification, requiring quite a bit of study, and a class. The class cost $3500 (not including airfare, but including hotel & breakfast each day) and took place in Fort Lauderdale, Florida. I actually took out an education loan from Key Bank ($KEYW) for the $3500 at the time, given that it was a class and that I’d spent my other $3500 from the tax return previously on the Computer Forensics class that I took.

It was a good investment. The payoff when I switched to my job at Capital IQ was an immediate increase in salary by more than $30,000 per year. That’s an immediate 8.57x return on my money (to say nothing of the lifelong value of that increase & subsequent ones) and I paid off the education loan well before it was due, thereby also increasing my credit score.

So while some people may say that a CISSP is not worth it, I tend to think it is. It will get you past gatekeepers, automated or otherwise, and proves to employers that you have a broad understanding of Information Security. You will still have to prove yourself at any job, but less of it will be upfront while attempting to get it. It assures employers that you have a level of competency and, more importantly, since you have to take an oath to actually obtain the certification, that you are trustworthy. Yes, some 1337 h4ck3rs may have levels of skill that are higher than some people with the CISSP, but there are other factors to consider, and those other factors play an important role and make the CISSP the prominent security certification that it is today.