CISSP Associate Role, has anyone done this?

Let me backtrack. I’ve been working as a level 3 support specialist for the last 8 years in local government. The pay is decent, I have a pension, stability, benefits are fantastic, my coworkers are great, I work a 4/10 schedule, and I have access to a gym and mountain trails that I can run on during my lunch. The problem with working at such an enjoyable place is the lack of turn over and opportunity for promotion. However, in the next year or two, 2 of our 4 senior level employees will be retiring, one of them being a Security Manager. My goal is to find myself in one of these 2 open positions when the time comes, preferably the Security Role. I work alongside 7 other technicians, who would also most likely be gunning for these positions but due to previous poor work performance, obvious maturity issues, customer service skills, etc, the realistic number of suitors drops to about 3 others. Here is where I’ve set myself apart with certifications…A+, Network +, Security+, MCP 70-290, CCNA (exp) and I’m sitting for the SSCP on Monday which I’m very confident about. I also have a degree, but so do the others.

The type of work we do involves supporting the entire life cycle of 1000+ computers. Maintaining software, upgrading computers, printers, etc…you get the picture, end user support. I’ve worked closely with the network admin in installing wireless AP’s, physically troubleshooting network related issues, with switches/routers, building/wiring new network racks, fiber runs/termination and have wired 3 new buildings from the ground up. (One library, one county health department and 1 county administration office) On the security side of things, we’ve monitored and troubleshot workstation AV software and Microsoft Windows Update. I’ve pulled lines for and have installed many security cameras. As far as I can tell, I do not believe I would meet the experience requirements for CISSP.

I’m prepared to study for the next year or so until I’m ready to sit for the exam. I understand it will come easier if I have the experience, but I’m confident I will be able to learn the requirements. My hope is to have that cert push me over the top, even if it’s an associate role. Once I gain the required amount of years, I could turn that into a true CISSP. On the chance I don’t get one of the 2 positions, I will be in a good place to walk and find something else. Despite the great work environment, I don’t want to be a tech support lifer, like some of my coworkers in their late 40s and early 50s. At 32 I’m the youngest on our side. My wife recently, unexpectedly, gave birth to twins. Having one more kid than we’ve planned for (3) has been a major driving force in becoming a better provider for my family.

Does anyone have any suggestions or any other certs that may be worthwhile if CISSP doesn’t seem realistic? I’m also considering digging into the VMware side of things.

One last note, the other senior level guys don’t really have any certs either.

Thanks!

Find more posts tagged with

Comments

bpenn

The experience requirements specify experience in 2 of the 8 domains:

Security and Risk Management (Security, Risk, Compliance,
Law, Regulations, and Business Continuity)

Confidentiality, integrity, and availability concepts
Security governance principles
Compliance
Legal and regulatory issues
Professional ethic
Security policies, standards, procedures and guidelines

Asset Security (Protecting Security of Assets)

Information and asset classification
Ownership (e.g. data owners, system owners)
Protect privacy
Appropriate retention
Data security controls
Handling requirements (e.g. markings, labels, storage)

Security Engineering (Engineering and Management of
Security)

Engineering processes using secure design principles
Security models fundamental concepts
Security evaluation models
Security capabilities of information systems
Security architectures, designs, and solution elements vulnerabilities
Web-based systems vulnerabilities
Mobile systems vulnerabilities
Embedded devices and cyber-physical systems vulnerabilities
Cryptography
Site and facility design secure principles
Physical security

Communication and Network Security (Designing and
Protecting Network Security)

Secure network architecture design (e.g. IP & non-IP protocols,
segmentation)
Secure network components
Secure communication channels
Network attacks

Identity and Access Management (Controlling Access and
Managing Identity)

Physical and logical assets control
Identification and authentication of people and devices
Identity as a service (e.g. cloud identity)
Third-party identity services(e.g. on-premise)
Access control attacks
Identity and access provisioning lifecycle (e.g. provisioning
review)

Security Assessment and Testing (Designing, Performing, and
Analyzing Security Testing)

Assessment and test strategies
Security process data (e.g. management and operational controls)
Security control testing
Test outputs (e.g. automated, manual)
Security architectures vulnerabilities

Security Operations (Foundational Concepts, Investigations,
Incident Management, and Disaster Recovery)

Investigations support and requirements
Logging and monitoring activities
Provisioning of resources
Foundational security operations concepts
Resource protection techniques
Incident management
Preventative measures
Patch and vulnerability management
Change management processes
Recovery strategies
Disaster recovery processes and plans
Business continuity planning and exercises
Physical security
Personnel safety concerns

Software Development Security (Understanding, Applying, and
Enforcing Software Security)

Security in the software development lifecycle
Development environment security controls
Software security effectiveness
Acquired software security impact

Do you at have least 2 domains of adequate knowledge? If not, you can definitely sit for the exam anyway. The CPE cost is only $35 every year until you get the full endorsement. I went ahead and took the exam last year and passed, even though I wont have the required experience until May. I had the money to throw at it and the free time to invest before I started my degree program so I thought, "why not!"

To be honest, I dont know how much the Associate level will help you. In the DoD, we have a directive called 8570 (I believe the name changed recently, though) that requires specific Tech, Management levels to hold a specific job and the CISSP meets both requirements. Outside DoD, I have never heard anyone recognize anything but a fully endorsed CISSP so take that into consideration.

The knowledge you get from studying is what matters and is what will help you transition into that security role. The cert is great, butthe journey is most important. I learned a helluva lot of information from studying for the exam and am a better professional for it. I would go for it!

apcronnelly

Awesome, thanks for responding Bpenn.

After breaking down the domains, I feel fairly confident that I could claim the "Asset Security" and "Security Operations" domains.

And you are right, the knowledge gained from putting in the true effort of learning the materials will trump the cert in the long run.