CISSP- Worth doing?

Discussion in 'Training & Development' started by theotherone, Jan 21, 2007.

  1. theotherone (Bit Poster)

    Hi all

    Has anyone taken or considered studying for the CISSP by isc2?

    I'm looking at this myself but it seems quite daunting...
     
    Certifications: A+,N+,S+,P+,70-290, MCDST
    WIP: 70-291,Convergence+,Linux+,70-270
  2. zimbo (Petabyte Poster, Honorary Member)

    CISSP is THE premier security cert... you need to prove to the company before you even undertake the training that you have, I think, 3-5 years experience in IT security. The exam costs a fortune but if you have all the requirements it's well worth it!

    Oh, btw, welcome to CF! :biggrin
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  3. theotherone (Bit Poster)

    Thanks. 8)
     
    Certifications: A+,N+,S+,P+,70-290, MCDST
    WIP: 70-291,Convergence+,Linux+,70-270
  4. oggler (Byte Poster)

    CISSP is not a technical cert as such. Among the certifications, you can consider it as an academic type. It is a very broad subject that covers loads of material in a very vast manner. For example, it even covers what angle the razor wire should be at if you consider it for physical security (I am not joking).

    Anyway, it is a 6 and a half hour exam. You then need to forward your pass result and apply for membership through a sponsor who is an upstanding member or a founder member.

    You have to keep certifying in a security field continuously and become a respected professional in your field. It also needs to be fully updated (retaken) every three years and you have to pay an annual fee of $80 (currently) to keep the certification letters.

    On top of all this, the exam is not easy and you have to also show at least 5 years of security experience.

    Other than that; no, there is no problem at all 8)
     
    Certifications: A+, N+, Sec+, MCSA W2k3-Security, CEH
    WIP: CWNA, CWSP, CISSP
  5. dmarsh (Petabyte Poster, Honorary Member, 500 Likes Award)

    I've also been considering doing CISSP and would like some advice.

    My background is really mainly development, with 11 years experience as developer, senior dev and architect.

    I'm currently self employed.

    I'm interested in expanding my knowledge and possibly moving into the security field.

    I've considered taking the following certs: Security+, CEH, CHFI and CISSP.

    Do you think I could successfully self study for the CISSP?

    Obviously I've made lots of application security related decisions and I've also tested the applications for security weaknesses. I was also involved in the design of IT infrastructure or technical architecture for the applications. Do you think I qualify for the experience requirement?

    I don't mind the membership fee but can't see myself taking a 6 hour exam every three years?

    Is there any other general advice on this field or these qualifications that may be relevant?

    Thanks

    Dave
     
  6. zebulebu (Terabyte Poster)

    Technically, you don't qualify to be able to take the CISSP exam - you have to have been working in IT Security for four years before being allowed to sit it - although I'm not sure how well-policed this requirement is.

    I don't want to work in compliance or management, but I think it will probably pay me to take the CISSP in a couple of years, simply because most pen-testing jobs will probably require it by then.

    I'm (allegedly) studying for the CEH this year - with a view to taking it in October. Work are paying for me to take a CBT course (I work in Security) so I'll start doing some studying in a couple of months. I've taken a couple of mock tests and got around 45% - 55% in them, and that's without studying - so I don't think it will be that hard. I'm looking forward to taking an exam in a subject that I like for once - apart from my JNCIA, the last one I took was SQL Design about three years ago - and it bored me silly!

    For info, here are the requirements for taking the CISSP exam:
     
    Certifications: A few
    WIP: None - f*** 'em
  7. dmarsh (Petabyte Poster, Honorary Member, 500 Likes Award)

    Thanks for the reply.

    I've read the requirements, which are located here:

    https://www.isc2.org/cgi-bin/content.cgi?category=1187

    I quote: "CISSP professional experience includes:

    * Work requiring special education or intellectual attainment, usually including a liberal education or college degree.
    * Work requiring habitual memory of a body of knowledge shared with others doing similar work.
    * Management of projects and/or other employees.
    * Supervision of the work of others while working with a minimum of supervision of one's self.
    * Work requiring the exercise of judgment, management decision-making, and discretion.
    * Work requiring the exercise of ethical judgment (as opposed to ethical behavior).
    * Creative writing and oral communication.
    * Teaching, instructing, training and the mentoring of others.
    * Research and development.
    * The specification and selection of controls and mechanisms (i.e. identification and authentication technology) (does not include the mere operation of these controls).
    * Applicable titles such as officer, director, manager, leader, supervisor, analyst, designer, cryptologist, cryptographer, cryptanalyst, architect, engineer, instructor, professor, investigator, consultant, salesman, representative, etc. Title may include programmer. It may include administrator, except where it applies to one who simply operates controls under the authority and supervision of others. Titles with the words "coder" or "operator" are likely excluded.
    "
    and

    "Valid experience includes information systems (IS) security-related work performed as a practitioner, auditor, consultant, investigator or instructor, that requires IS security knowledge and involves the direct application of that knowledge. The four years of experience must be the equivalent of actual fulltime IS security work (not just IS security responsibilities for a four year* period); this requirement is cumulative, however, and may have been accrued over a much longer period of time."

    The first statement includes management, consultancy, teaching, R&D etc., so it sounds like I apply. The second one seems more strict and so I'm not sure.

    I see no reason why one might, say, need to be a full time pen tester to qualify. I've worked on MOD contracts and numerous security critical projects, so I see no reason why a role with security in the title or company name would make one more qualified. The whole area seems as clear as mud to me; I'm still awaiting clarification from ISC.
     
  8. zebulebu (Terabyte Poster)

    LOL - that's why I said 'technically' you don't qualify :biggrin

    You can always say that your job was security-related - it's probably not what they're after - I'd imagine that in an ideal world they want either technical compliance people, pen-testers, security managers or network security admins. That's what the second statement suggests - basically, you've been in a security-centric role for four years.

    You can only ask, though, and see what they say.
     
    Certifications: A few
    WIP: None - f*** 'em
  9. dmarsh (Petabyte Poster, Honorary Member, 500 Likes Award)

    Does anyone with direct CISSP experience have any answers to my earlier post?

    Thanks

    Dave
     
  10. dmarsh (Petabyte Poster, Honorary Member, 500 Likes Award)

    Thanks for the reply. Yes, I suspect it may well be a waste of my time; maybe I should do an MBA instead ;)


    I've got a computer science degree, and if I took Security+ I would only require 2 years experience if I took the exam before October. I think I can justify 2 years security relevant experience during my 11 years!

    Anyway, I think my experience would be relevant for those looking for people who are experts in 'application security', and thus I could secure a security job. I take your point that the most common roles focus on compliance or infrastructure security, where I have some experience but not as much as a full time security or IS person might have.

    I was thinking more like security consultant or chief technology security officer. Not sure if this is realistic or not.

    The CISSP cert seems aimed at security in general, being a broad cert; I would think it would be largely irrelevant to many pen testers as well? I was going to also look into doing other certs like CEH and CHFI as well.
     
