CISSP Associate Role, has anyone done this?

apcronnelly Member Posts: 11
Let me backtrack. I’ve been working as a level 3 support specialist for the last 8 years in local government. The pay is decent, I have a pension, stability, benefits are fantastic, my coworkers are great, I work a 4/10 schedule, and I have access to a gym and mountain trails that I can run on during my lunch. The problem with working at such an enjoyable place is the lack of turnover and opportunity for promotion. However, in the next year or two, 2 of our 4 senior level employees will be retiring, one of them being a Security Manager. My goal is to find myself in one of these 2 open positions when the time comes, preferably the Security Role. I work alongside 7 other technicians, who would also most likely be gunning for these positions, but due to previous poor work performance, obvious maturity issues, customer service skills, etc., the realistic number of suitors drops to about 3 others. Here is where I’ve set myself apart with certifications: A+, Network+, Security+, MCP 70-290, CCNA (expired), and I’m sitting for the SSCP on Monday, which I’m very confident about. I also have a degree, but so do the others.

The type of work we do involves supporting the entire life cycle of 1000+ computers. Maintaining software, upgrading computers, printers, etc. You get the picture: end user support. I’ve worked closely with the network admin in installing wireless APs, physically troubleshooting network related issues with switches/routers, building/wiring new network racks, fiber runs/termination, and have wired 3 new buildings from the ground up (one library, one county health department and one county administration office). On the security side of things, we’ve monitored and troubleshot workstation AV software and Microsoft Windows Update. I’ve pulled lines for and have installed many security cameras. As far as I can tell, I do not believe I would meet the experience requirements for CISSP.

I’m prepared to study for the next year or so until I’m ready to sit for the exam. I understand it will come easier if I have the experience, but I’m confident I will be able to learn the requirements. My hope is to have that cert push me over the top, even if it’s an associate role. Once I gain the required amount of years, I could turn that into a true CISSP. On the chance I don’t get one of the 2 positions, I will be in a good place to walk and find something else. Despite the great work environment, I don’t want to be a tech support lifer, like some of my coworkers in their late 40s and early 50s. At 32 I’m the youngest on our side. My wife recently, unexpectedly, gave birth to twins. Having one more kid than we’ve planned for (3) has been a major driving force in becoming a better provider for my family.

Does anyone have any suggestions or any other certs that may be worthwhile if CISSP doesn’t seem realistic? I’m also considering digging into the VMware side of things.

One last note, the other senior level guys don’t really have any certs either.


Thanks!

Comments

  • bpenn Member Posts: 499
    The experience requirements specify experience in 2 of the 8 domains:

    Security and Risk Management (Security, Risk, Compliance,
    Law, Regulations, and Business Continuity)
    • Confidentiality, integrity, and availability concepts
    • Security governance principles
    • Compliance
    • Legal and regulatory issues
    • Professional ethics
    • Security policies, standards, procedures and guidelines
    Asset Security (Protecting Security of Assets)
    • Information and asset classification
    • Ownership (e.g. data owners, system owners)
    • Protect privacy
    • Appropriate retention
    • Data security controls
    • Handling requirements (e.g. markings, labels, storage)
    Security Engineering (Engineering and Management of
    Security)
    • Engineering processes using secure design principles
    • Security models fundamental concepts
    • Security evaluation models
    • Security capabilities of information systems
    • Security architectures, designs, and solution elements vulnerabilities
    • Web-based systems vulnerabilities
    • Mobile systems vulnerabilities
    • Embedded devices and cyber-physical systems vulnerabilities
    • Cryptography
    • Site and facility design secure principles
    • Physical security
    Communication and Network Security (Designing and
    Protecting Network Security)
    • Secure network architecture design (e.g. IP & non-IP protocols,
      segmentation)
    • Secure network components
    • Secure communication channels
    • Network attacks
    Identity and Access Management (Controlling Access and
    Managing Identity)
    • Physical and logical assets control
    • Identification and authentication of people and devices
    • Identity as a service (e.g. cloud identity)
    • Third-party identity services (e.g. on-premise)
    • Access control attacks
    • Identity and access provisioning lifecycle (e.g. provisioning
      review)
    Security Assessment and Testing (Designing, Performing, and
    Analyzing Security Testing)
    • Assessment and test strategies
    • Security process data (e.g. management and operational controls)
    • Security control testing
    • Test outputs (e.g. automated, manual)
    • Security architectures vulnerabilities
    Security Operations (Foundational Concepts, Investigations,
    Incident Management, and Disaster Recovery)
    • Investigations support and requirements
    • Logging and monitoring activities
    • Provisioning of resources
    • Foundational security operations concepts
    • Resource protection techniques
    • Incident management
    • Preventative measures
    • Patch and vulnerability management
    • Change management processes
    • Recovery strategies
    • Disaster recovery processes and plans
    • Business continuity planning and exercises
    • Physical security
    • Personnel safety concerns
    Software Development Security (Understanding, Applying, and
    Enforcing Software Security)
    • Security in the software development lifecycle
    • Development environment security controls
    • Software security effectiveness
    • Acquired software security impact

    Do you have at least 2 domains of adequate knowledge? If not, you can definitely sit for the exam anyway. The CPE cost is only $35 every year until you get the full endorsement. I went ahead and took the exam last year and passed, even though I won't have the required experience until May. I had the money to throw at it and the free time to invest before I started my degree program, so I thought, "why not!"

    To be honest, I don't know how much the Associate level will help you. In the DoD, we have a directive called 8570 (I believe the name changed recently, though) that requires specific Tech and Management levels to hold a specific job, and the CISSP meets both requirements. Outside DoD, I have never heard anyone recognize anything but a fully endorsed CISSP, so take that into consideration.

    The knowledge you get from studying is what matters and is what will help you transition into that security role. The cert is great, but the journey is most important. I learned a helluva lot of information from studying for the exam and am a better professional for it. I would go for it!
    "If your dreams dont scare you - they ain't big enough" - Life of Dillon
  • apcronnelly Member Posts: 11
    Awesome, thanks for responding, bpenn.

    After breaking down the domains, I feel fairly confident that I could claim the "Asset Security" and "Security Operations" domains.

    And you are right, the knowledge gained from putting in the true effort of learning the materials will trump the cert in the long run.