CISSP is Worthless?

Doyen

My ISSA chapter is offering free CISSP training over the course of 3 Saturdays for 8 hours each. Both ISSA members and instructors at my college recommended that I attend. Some ISSA members also formed a study group to help one another that I was also invited to. They are both are telling me to strive for a CISSP certification while I am studying Security+. I've already had courses in Security+, CEH, SSCP, & CCNA Security at college so I am aware of security concepts, practices, and a few domains.

However, other than getting an easier time with understanding MSISA courses at WGU, I don’t know if it is going to be too much of a credential to me. I am still working on my BS: Computer & Information Science with a concentration in Network Security while studying for certifications. My work history is just retail totaling 16+ years (7 years at a Kmart and 9 years currently at a Sam's Club) so I have no IT professional work experience.

From my understanding, if I do pass and the exam, I would only be awarded “Associate of ISC2” and I would have 5 years (or 4 years after I gain my degree or Security+ cert) to gain security experience in two domains followed by an endorsement. I don’t see how that would be any different from passing a SSCP exam and earning the same title. Without the proper CPEs, it is just going to go into default after 3 years anyway, wasting my time and money right? So my question for the knowledgeable members on this forum, should I just forgo the CISSP training and certification since I am under qualified to do anything with it?

Maybe I’m low-balling myself in what they see in me & my studying tenancy, however, I am just getting the impression that the ISSA members and my instructors don’t see how the CISSP may be realistically worthless to me at my level. That is why this board's honest, professional opinions are appreciated & matter to me on what you think I should do.

EDIT: I did want to misconstrue the point that I have no problem studying for it; I just do not want to waste my money and time (a lot of time is needed for this studying) if the certification won't help me in out at my current level.

emerald_octane

Definitely a waste of cash. The associate title garnered me very little respect (which is what I expected) and really only benefits those in DoD roles where the associate holds as much weight as the full credential.

If you already have a degree that shaves 1 year off the 5 year requirement however this requires you to get an infosec gig in no less than 2 years so you have time to actually accumulate the experience, barring any layoffs or reorgs. You have SIX years to gain the required experience.

I oft recommend that no one go through the associate route unless they are already in an infosec role and require less than 2 years more experience to get the full 4/5 years experience out of the way, or an employer is paying for it, or there is a fat raise is in order after achieving it. There is too much stress involved with passing the exam only to risk jeopardizing your status because you couldn't get the experience quickly enough.

NovaHax

CISSP, for me, was never about what I could learn from it. It has unfortunately become an HR prerequisite. Waste a few weeks/months studying...and open a whole lot of new opportunities.

You might not be any more qualified for those opportunities (than you were prior to studying and taking the exam), but HR will no longer throw your resume in the trash because those letters aren't there.

Doyen

emerald_octane wrote: »

Definitely a waste of cash. The associate title garnered me very little respect (which is what I expected) and really only benefits those in DoD roles where the associate holds as much weight as the full credential.

...There is too much stress involved with passing the exam only to risk jeopardizing your status because you couldn't get the experience quickly enough.

Those statements right there is what I have been realistically thinking. The CISSP is a great security certification, but I think it benefits those that are already invested in field/career. I never saw any hits on Indeed.com for "Associate of ISC2" or "SSCP". Thank you for your viewpoint +rep

NovaHax wrote: »

CISSP, for me, was never about what I could learn from it. It has unfortunately become an HR prerequisite. Waste a few weeks/months studying...and open a whole lot of new opportunities.

Thank you for posting NovaHax. You are right about that. When I type CISSP on Indeed.com, there are a significant number of hits, proving your point. Do you think that if a job is IT security oriented, that is the first job requirement that pops into their mind?

Jonnyg

The CISSP is a requirement for many jobs, especially in the DoD world. However, the CISSP (IAT III/IAM III) is typically a requirement of more advanced positions and not entry-level positions, which will require a security+ (IAT II/IAM I). You could always study for the CISSP and get the Associate of (ISC)2 for CISSP, but it likely will not help you until you get the experience to go along with it and start qualifying for the positions that require actual security experience as well as the full CISSP credential. That's why I didn't both with the exam until I had enough experience to get the full CISSP. As soon as I hit 48 months (plus waiver), I took the exam.

For you, I don't think it would be worth it to go through the whole process right now. If your goal is to become a security professional, start with the Security+ and then go for the CISSP when you have enough experience to get the full credential. I think at that point in your career it would benefit you the most. The CISSP is a very well-respected cert in the security world, both government and commercial.

dustervoice

Its been a few weeks now that i've been studying for cissp and from reading a few chapters it seems to me that all the CISSP does is allow managers and security specialist to have a conversation about security related topics.(speaking the same language) but the problem is that most HR system scan resumes for "CISSP" if not found then delete which is a shame really!

Danielm7

How has your experience with the ISSA been? I just looked up my local chapter but it seems they only meet twice a year, is that normal?

sojourn

dustervoice wrote: »

Its been a few weeks now that i've been studying for cissp and from reading a few chapters it seems to me that all the CISSP does is allow managers and security specialist to have a conversation about security related topics.(speaking the same language)

Yes, it does. This is a pretty important topic for any business.

bigdogz

@Doyen
You may have more experience that you think. If you are working as a packet pusher, you will have taken one of the two domains needed for the experience. You may want to verify with (ISC)2. Mapping out the domains to your experience will assist you in your goal. I also think that you have 6 years to obtain the experience once you pass the exam.
People at you local ISSA Chapter may be asking you because they feel you have the knowledge or comprehension of the CBK and this would be a great opportunity for you. After all, you are attending the meetings for at least one reason. This may be a good opportunity for you to excel.

@Danielm7
Most ISSA groups meet once a month. Others will meet every other month and may have more than 2 hours or 2 CPE's for each Chapter meeting.

I hope this helps.

Doyen

Danielm7 wrote: »

How has your experience with the ISSA been? I just looked up my local chapter but it seems they only meet twice a year, is that normal?

Our Raleigh branch is one of the biggest. We meet once a month. With an average of 90 -110 attendees depending on the topic.

bigdogz wrote: »

@Doyen
People at you local ISSA Chapter may be asking you because they feel you have the knowledge or comprehension of the CBK and this would be a great opportunity for you. After all, you are attending the meetings for at least one reason. This may be a good opportunity for you to excel.

@Danielm7
Most ISSA groups meet once a month. Others will meet every other month and may have more than 2 hours or 2 CPE's for each Chapter meeting.

That is the other side of it. Instructors & ISSA members may see potential in me that I am not aware of. Maybe the quote of "being as smart as we know you are".

CISSP ISSA members do get 2 CPEs. So attending each month for a year will yield you 24 CPEs which will cover you minimum 20 CPEs a year.

JDMurray

ISSA of Orange County California is another big chapter and meets once a month in Irvine, CA. I've heard our chapter will be starting up free CISSP training too, but I don't know when that might be.

LionelTeo

CISSP knowledge is worth when it comes to the aspect of risk management. If you can detailed everything about IT Security into business perspective, return on investment, risk management, this would give you an edge over other candidate who only knows on technical implementation on IT Security.

One very good example that is covered is about a given technology, if implementing it cost 120k, would it be worth to protect a 60k profit business? This is where the CISSP knowledge comes into useful in evaluting if a control in place is worth the implementation.

When it comes to work related, in a tight situation where the management may not have some oversight on security, you can always bring up the risk management for convincing them.

You can always use what you studied for to grab a GISP cert, the easiest way to fill up the 'GIAC' HR requirement.

jvrlopez

Heard of free training being given as a way for instructors to gain their CPEs with ease.

Doyen

LionelTeo wrote: »

You can always use what you studied for to grab a GISP cert, the easiest way to fill up the 'GIAC' HR requirement.

Going for the GISP certification, now that is encouraging and not a bad idea. Especially if you have the CISSP info fresh on the mind.

jvrlopez wrote: »

Heard of free training being given as a way for instructors to gain their CPEs with ease.

That is a great way to encourage and reward sharing the knowledge to prospective ISC2 certification takers. ISSA board members also get more CPEs besides just the meeting CPEs.

SephStorm

I rarely see postings where a CISSP is the only acceptable certification, if it is written that way it is either a poorly written posting that I won't apply to, or it is targeted for a specific individual.

If you are trying to break into infosec, worry about getting knowledge and experience of the systems and technologies listed in openings. What I see right now is a paper tiger (no offense). Bunch of certs, and degrees, no experience.

LionelTeo

SephStorm wrote: »

I rarely see postings where a CISSP is the only acceptable certification, if it is written that way it is either a poorly written posting that I won't apply to, or it is targeted for a specific individual.

If you are trying to break into infosec, worry about getting knowledge and experience of the systems and technologies listed in openings. What I see right now is a paper tiger (no offense). Bunch of certs, and degrees, no experience.

+1 to this, sometimes the hiring manager may had no say at the IT Security job post requirements or the HR simply mess it ups via copy and pasting. This also show something about the organization culturally. If you walk into an interview with CISSP being the only recognize cert, then you should consider the company.

Bear in mind that we as candidate should evaluate the organization as much as the organization evaluates you. CISSP being the only recognize cert is a tell tale sign that the hiring manager do not know the IT Security industry certifications and even more on selecting candidate. If you are working for a manager only deems CISSP is the only recognize cert out there, chances are you are running into a big risk that the manager many not had been that much into IT Security to know the difference between technical and compliance area; this is even more important especially if you filling up a technical role, CISSP would be of limited help as compare to specific certification to technical role, such as those within forensics, intrusion analyst and pentesting.

Doyen

SephStorm wrote: »

What I see right now is a paper tiger (no offense). Bunch of certs, and degrees, no experience.

No offense taken. I appreciate your honesty. That is basically what I am. Hm...it makes a good custom profile user title for this forum. I'll use that for now while I strive to change that perception someday.

Slowhand

Doyen wrote: »

No offense taken. I appreciate your honesty. That is basically what I am. Hm...it makes a good custom profile user title for this forum. I'll use that for now while I strive to change that perception someday.

Well, to be fair, you've also got a lot of entry-level certifications; it's not like you're running around with a CCIE under your belt and zero experience and expecting to get a senior-level job. I think you've got a good foundation to build on as you complete your degree and get your career going. You'll have to start at the low-point on the totem pole, but chances are you'll move up quickly with the credentials you have and if you continue studying and gaining experience. Before you know it, those 4 - 5 years will have passed and that CISSP will be well within your grasp.

AverageJoe

I'll counter with some additional thoughts to consider.

First, everyone has given great advice, but all of us are only familiar with part of the picture so it's hard to be certain of a best path. Here are some other things to think about.

Someone else already mentioned DoD employment. If you think at all that you may be pursuing DoD employment -- directly or contracted, then it absolutely helps to have that CISSP associate since DoD classifies that the same as CISSP straight out.

Second, if you do pass the CISSP exam and wind up not getting the experience you need in time to flip it to a full CISSP in 5 years, so what? What do you lose? You take the test again in 5 years? Is that so bad? In the meantime you'd have the associate level on your resume. So consider this: while it'll be easy to recognize that you don't have the experience, it'll also be easy to recognize that you do have the aptitude. I've seen several folks put off getting certified, then get hired or promoted on the condition that they pass the test within 6 months or a year -- and that means studying while learning a new job. Some folks do it, but it can add a lot of stress right when you need it least.

Last point: life happens. Maybe this is the right time to dedicate to studying for the test. I don't know if you're married, have kids, have elderly parents that need care, or a million other circumstances, but if you don't have any of that now, you may well a few years down the road. I usually advise folks that you never know what's coming down the pike, so don't walk away from current opportunities without considering "life happens" and what it could mean.

Just my 2 cents.
Joe

LionelTeo

Doyen wrote: »

No offense taken. I appreciate your honesty. That is basically what I am. Hm...it makes a good custom profile user title for this forum. I'll use that for now while I strive to change that perception someday.

You are on the right track definitely, many simply hope that they would learn from their job, some simply aimed at CISSP as their first cert and really struggle for it. By reading and studying on certs while doing your degree, you would be a great IT Security Professional eventually as long you keep upgrading yourself during your career; and to add on, many first job you would get on your career start out would probably not give any fantastic experience to learn or speak of. There are great jobs out there, to get them, you would require both experience and great qualification to even get into it, while candidate seeks good job experience, great companies also seek to employ a group of great professionals and embark on great projects. Only by pushing in all directions in terms of experience, qualifications, certifications, soft skill, only then you could get into the desire industry to learn the desire experience that brings more opportunities.

Doyen

AverageJoe wrote: »

Last point: life happens. Maybe this is the right time to dedicate to studying for the test. I don't know if you're married, have kids, have elderly parents that need care, or a million other circumstances, but if you don't have any of that now, you may well a few years down the road. I usually advise folks that you never know what's coming down the pike, so don't walk away from current opportunities without considering "life happens" and what it could mean.

At this point in my life, I'm happily single without any burden of kids. I worked out a deal with my non-decrepit parents to go to school full time and not have to stress of paying any rent. My classes are 8am - 1:30pm, Monday through Thursday. I work around 30 hours a week at my retail job at various 8 hours shifts Friday - Sunday and 4 hours in the evening sometimes after class. I've even forsaken gaming and night out with friends for studying, labbing, and certification videos.

To my coworkers, family, and friends, I now have a drab social life and have acquired a nerd-like personality. However, I actually see this is the perfect point in my life to tenaciously grind for certifications, degrees, or so. I guess I'm investing the no fun lifestyle so I can hopefully "live it up" down the road. Selfish? Probably. But I couldn't imagine doing any type of grinding if I was involved in a relationship or had children to nurture.

You do bring up the a good point of so what on Associate of ISC2. If companies promotes/hires with the condition of having to acquire that within a year. What do you think the prospects of hiring an Associate of ISC2 that just needs experience? If I acquire SSCP and CISSP without the experience, is that two "Associate of ISC2" listed since I know you cannot list a distinction like "Associate of SSCP" or such on a resume. Would you think an employer would view "Associate of ISC2" as SSCP regardless of whether it was a CISSP exam that was taken?

AverageJoe

I think you cannot count on HR or a hiring manager knowing the rules of CISSP certification, so I'd probably make it as easy as possible to understand by putting "CISSP exam passed (working towards meeting experience requirement)" or something like that.

It sounds like you are in the perfect situation for knocking out as much school and certification as possible. Life will probably get more complicated, so your plan makes sense to me. Good luck!

Doyen

Thank you AverageJoe for your thoughts. I appreciate your evaluations Slowhand and LionelTeo.

One other concern that I've had is eventually I am going to have step out of my retail job and start to focus on my IT career experience during certification studying and school. Why would that be a concern for an aspiring goal? Frankly, my retail pay may be a meager $16.32 an hour after almost a decade, but most internships and help desk that I've seen offered are around the $12 range. It is a step-down in pay and flexibility in hours (most are 2pm-11pm or 11pm-7am), but any experienced members (or anyone that has been in my situation) see that as a smart sacrifice for IT experience? I haven't made that jump yet because I am under the impression that if I can acquire more certifications (most likely these entry levels ones I have listed below), I might be able to start off with better pay at least. Keep in mind, "a paper tiger" for an entry IT position. I would love to hear your thoughts since I have seen plenty of "start at help desk" posts around the forum.

AverageJoe

If you are in an area where DoD or DHS operates I would be looking very seriously at both USAJobs for gov jobs and internships and at the current holders of DoD contracts (like SAIC, Booz, etc.). DoD is one of the biggest IT and cyber security employers, and if you can move to follow the work you should have a very good chance of picking up a job that does better than the pay you describe once you have your degree and have passed the CISSP exam.

If you're willing to re-locate to an overseas location for a few years, I've seen folks take a DoD job in Japan or Germany (or Iraq though not so much these days) to get higher levels of experience that they couldn't find in the states. DoD isn't the only organization with great opportunities, but again, a lot has to do with how mobile you are. You may not get rich starting out like that, but you wind up getting experience and probably a security clearance that will serve you well for the future. You have to be looking for the opportunities, though.

Oh, DoD also does "recent grad" internships. Funding hasn't been as high for them in recent years, but if you can catch their open windows they are a great deal. They have a career target of hiring as GS-5 or GS-7 with promotion potential to GS-9 or GS-11 over a 3-year period.

Just my 2 cents.

kalkan999

Get enough experience along WITH your certification, the sky is the limit on how much you can make per hour. Doyen, I am guessing you are late mid-to late twenties, maybe 30 considering your comment about retail for a decade. I was 27 when I got out of retail, took a meager IT Pool employee job for a hospital group making $12 an hour (not bad for 1997 money), but I was never full-time. I went back to college at 27 at the same time, and got a Liberal Arts education (History and English), the latter of which really helped with my technical writing skills and oratory capabilities. Let me share with you what your retail experience brings to the table in the InfoSec world that is generally lacking: Retail means you are accustomed to 'face time,' and no I don't mean the Apple App. Personality, knowing your audience (similar to qualifying your customer in retail) will take you a LONG way in this field. Having technical prowess is ESSENTIAL, however, if you expect Subject Matter Experts (SME's) to be forthcoming with what they do on a daily basis, as your job in InfoSec will be rife with discovery. I am not saying you'll be an auditor, but what I am saying is that you can use your charm learned through a decade of retail AND your technical talent to work for you.
At your age, the word 'years' sounds like forever. Don't rush it. As a business owner (successful, I might add) who centers his capabilities around CISSP and a number of the domains, I can tell you that I have respect for those who persist and have the patience and understanding that all good things won't necessarily come to those who have an Associate cert while they await the requisite 4-5 years experience.
Stay focused, I am telling you that CISSP is worth it because those who have control of the money want a CISSP in the private sector, and if you go to work for US DoD or European Military, they want, or even require a CISSP now for you to get any position worth its weight in salt. It's unfortunate, but that mentality is NOT likely to change any time soon.
YES, this is an ISC2 means to make money and create validity in the InfoSec world (though technically ISC2 is not-for-profit), but they also do a good thing in that they, and we, are ethically bound to remain vendor neutral and truly objective. Being an associate means that you have opened the door to a HUGE opportunity down the road. Your Associate cert means that someone like me, a business owner, will consider you for a position that is not necessarily in the 'stratosphere' with the pay or the responsibility, but I'll DEFINITELY say that you carry more weight than someone with a Security + certification. Taking on the Associate says to me you are ambitious, willing to work hard, and that you are Goal-oriented. And if you fail and retake the test, it shows me that you are tenacious and determined; all traits a good hiring manager or successful business owner looks for in the InfoSec world.
Ultimately, what I, we want in the InfoSec community are people who are PASSIONATE about InfoSec. If you are truly passionate about this field, and understand that there is years of work ahead of you in this field, with LONG hours, and everyone else clamoring for you, then the money and the respect, and the phone calls begging for you will come.
TRUST ME ALL WHO READ THIS AND ARE NOT YET CISSP's: You are NOT going to miss the boat with InfoSec if you don't hop on board immediately. The entire Internet infrastructure is VERY broken. Years of bad practices by businesses intent on providing a product or service via the Internet and having security as an afterthought, or worse, only following antiquated checklists means that WE are very employable for the foreseeable future. Be a trailblazer, not a paper tiger. Take advantage of your youth, don't squander it. Lay the foundation for an inter-stellar career, but don't question the legitimacy of this exam, or its worth, as you'll be disappointed in yourself if you do like InfoSec.

Join us, we'll be here waiting on you...

JoJoCal19

Getting the CISSP opened many doors that were previously closed. Once I added on the CISSP to my LinkedIn, Indeed and Dice profiles, I was getting more contacts from internal and external recruiters than I could handle and had to get a notepad to create a detailed contact log to keep up with everything. The CISSP got me contacted by an internal recruiter at the company I now have an awesome job with. My manager was amazed at my drive and determination to get the CISSP and especially after having just finished my bachelors degree. I have my profile on LinkedIn set to "not looking for opportunities" and I STILL get 4-5 contacts a week for positions, with recruiters saying "hey man I know you're not looking for anything, but I see you've got the CISSP and blah blah experience, I want you to at least hear me out on this opportunity". Recruiters do keyword searches for what they want, and the CISSP seems to be the go to for InfoSec. The CISSP will not get you a job, it will however get you the opportunity to at least be submitted to or interviewed for a job.

philz1982

I have seen direct results from my CISSP but not in a conventional sense. I am able to bring idea's and thoughts to bear on problems based on exploring areas for the CISSP that I do not traditionally cover. Additionally, it has helped me better understand functional units outside of my role allowing me be better at cross-functional management. I am one of a dozen of CISSP holders in a company of 140k ppl, that's pretty awesome to me.

zxbane

As others have mentioned, I can say that the CISSP has gotten me more contacts and job interests than any other certification and degree for that matter that I have. It was well worth the time invested and I learned a great deal during my studies as well.

emerald_octane

CISSP got me interviews at two very prestigious companies for two very high end positions where the CISSP was required....

...within a month of being certified.....

LionelTeo

Doyen wrote: »

I guess I'm investing the no fun lifestyle so I can hopefully "live it up" down the road.

Spend sometime investing in a game, its good not to over stress yourself. Also read up articles on CEOs talking about how mediation help them to focus on their goals would be of a help to you.

Doyen wrote: »

Thank you AverageJoe for your thoughts. I appreciate your evaluations Slowhand and LionelTeo.

One other concern that I've had is eventually I am going to have step out of my retail job and start to focus on my IT career experience during certification studying and school. Why would that be a concern for an aspiring goal? Frankly, my retail pay may be a meager $16.32 an hour after almost a decade, but most internships and help desk that I've seen offered are around the $12 range. It is a step-down in pay and flexibility in hours (most are 2pm-11pm or 11pm-7am), but any experienced members (or anyone that has been in my situation) see that as a smart sacrifice for IT experience? I haven't made that jump yet because I am under the impression that if I can acquire more certifications (most likely these entry levels ones I have listed below), I might be able to start off with better pay at least. Keep in mind, "a paper tiger" for an entry IT position. I would love to hear your thoughts since I have seen plenty of "start at help desk" posts around the forum.

To sum up for entry jobs in regards to the following

Networking - Initially High Entry Salary, but salary growth gets tougher as experience and certification accumulates
Security - Initially Low Entry Salary, but exponentially salary growth as experience and certification accumulates

beads

Doyen;

Your on the right track but the certification is hardly worthless given the right or appropriate time frame. The CISSP is considered a mid-career level certification and should not be considered an "entry" level cert though its oft treated as such. Meet many CISSP holders who have gleefully told me that they "just made something up" in order to falsify there credentials. Add too many falsified cert holders to any group, the meaning and value of said cert quickly becomes worthless over time. This can happen to any test and must be guarded against.

- B Eads