Do I need a CISSP to obtain a position in Cyber Security?

New2ITinCali Member Posts: 184
Now that I've been working in I.T. for almost 2 years now as a Technology Support Specialist/Network Analyst and I have my Bachelor's in I.T. Management, I've found that I am very interested in security. I really would like to get a job in security, but I found out that to even qualify to sit for the CISSP exam, I need at least 5 years of security experience or 4 years with a 4-year degree; I have the degree, but not the experience. And I also need a sponsor that already has a CISSP, and I know of no one with a CISSP. How do I go about preparing myself to get my foot in the security door? If I were to apply for entry-level security jobs, will I be required to have a security certification? I'm curious. Thanks for any feedback.

Comments

  • TeKniques Member Posts: 1,262
    Anyone can prepare for and take the CISSP exam without the necessary experience. If you pass the exam you will be awarded the Associate title until you have the required amount of experience. Usually, networking in the info sec industry you will find others that have the CISSP title already, so finding someone to endorse you is not that big of a hurdle to jump. Even if you can't find anyone you can have the ISC2 do the endorsement.

    If you want to get a certification to help get into security you may want to look at the Security+ or the SSCP exam as most entry-level security jobs may require them. Best of luck.
  • OctalDump Member Posts: 1,722
    There's a bunch of security certifications that you can take with no experience requirement, or with minimal experience requirement. The SSCP is a good thing to aim at. If you have 2 years as a Tech Support/Net Analyst, then you probably have the necessary experience for the SSCP already.

    You should go and do the Sec+ now, as it is nice and broad coverage and introduces you to most of the topics in Info Sec. Info Sec is a big area, and is increasingly becoming specialised. There's areas like network defence, penetration testing, systems hardening, auditing, incident handling/management, Info Sec management, secure programming (with its own specialities), and so on.

    If you have networking experience, then maybe the Cisco Security track would be of interest.

    It's also possible to get the 4 years experience without working in an "Info Sec" role, as long as you have sufficient experience in the related domains. Infrastructure roles, with a little lower level management, will often have enough in them to qualify for CISSP.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • New2ITinCali Member Posts: 184
    TeKniques wrote: »
    Anyone can prepare for and take the CISSP exam without the necessary experience. If you pass the exam you will be awarded the Associate title until you have the required amount of experience. Usually, networking in the info sec industry you will find others that have the CISSP title already, so finding someone to endorse you is not that big of a hurdle to jump. Even if you can't find anyone you can have the ISC2 do the endorsement.

    If you want to get a certification to help get into security you may want to look at the Security+ or the SSCP exam as most entry-level security jobs may require them. Best of luck.

    I heard the exam is a very difficult exam and it's best to get the experience under your belt before even attempting to take it. I still keep in contact with the security professional at the place where I did my internship, and he said he's been studying for 3 years and it's some really intense stuff, and he's been working in I.T. for over 20 years, so sometimes I feel intimidated when I hear how difficult the exam is.
  • yzT Member Posts: 365
    My job experience is basically in security, with just a few months of internship as tech support. I don't have the CISSP, nor am I planning to go for it. In fact, the only cert I have is the Sec+, and it's expiring this year and I won't renew it. IMO, certs are the worst thing that has happened to the IT industry. Funny thing is that people who really know about the cert business don't care about certs either, but about what you have done for the security community.

    PS: my current position is in the management side.
  • dustervoice Member Posts: 877
    yzT wrote: »
    IMO, certs are the worst thing that has happened to the IT industry. Funny thing is that people who really know about the cert business don't care about certs either, but about what you have done for the security community.

    I do understand your point, but HR managers normally write a JD and they've added CISSP, CISM, etc. to the requirements. Recruiters will put you higher on their list if you have those certs, so they do have "value". While they might not accurately represent someone's knowledge in security, they do keep the calls coming in.
  • 636-555-3226 Member Posts: 975
    In my area demand far exceeds supply. Anybody remotely interested in security gets hired and (hopefully) trained up. I can't say I'm a big fan of that approach, but that's the way it is in my area. So you can't do CISSP, big deal. Here's what I recommend to start with.

    1 - Talk to your infosec people @ work and let them know you're interested. Now keep bugging them to let you help out (with your boss' approval). I can't tell you how many underlings I work with expressed an interest in security and never brought it up again. Show your passion, show your drive. I look for passionate people who really like security when I hire.
    2 - Get Darril Gibson's Security+ book and start working on it & the cert. It's a great security foundation. Maybe consider Network+ first if your networking knowledge isn't 201-level.
    3 - Sign up for all of the SANS newsletters
    4 - Read Krebs on security website weekly
    5 - Listen to Security Now & Paul's Security Weekly podcast weekly
    6 - Download Nessus (free) and RTFM. It's actually a good manual and teaches you everything you need to know.
    7 - Once you're good with Nessus (it isn't that hard) download Splunk (free) and learn what you can with the systems you have. Manuals are there, just not as good as Nessus'.

    Once you've done all that let's regroup and I can give you more homework. Don't worry, there's lots more to come!
  • Danielm7 Member Posts: 2,310
    The post right above mine is solid. There are a million things you can learn that don't involve needing the CISSP. Start at the basics, then try to get your foot in the door in a security dept, then continue to learn everything you can.
    I heard the exam is a very difficult exam and it's best to get the experience under your belt before even attempting to take it. I still keep in contact with the security professional at the place where I did my internship, and he said he's been studying for 3 years and it's some really intense stuff, and he's been working in I.T. for over 20 years, so sometimes I feel intimidated when I hear how difficult the exam is.

    Also, this is total overkill. It's a difficult exam, but 20+ years of experience and 3 years of study isn't needed for this test. I doubt he's really studying that intently. Anyone can open an article once a week or listen to an occasional podcast and call it studying. He could probably study seriously for a month or two and pass it at this point.
  • yzT Member Posts: 365
    4 - Read Krebs on security website weekly
    Krebs, seriously?

    Don't confuse journalism with learning lol
  • TechGuru80 Member Posts: 1,539
    TeKniques wrote: »
    If you pass the exam you will be awarded the Associate title until you have the required amount of experience.
    There is a time limit on acquiring the experience after you pass...I believe it is 6 years.
  • Danielm7 Member Posts: 2,310
    TechGuru80 wrote: »
    There is a time limit on acquiring the experience after you pass...I believe it is 6 years.

    Also recognize it doesn't give you the ability to even use the term CISSP on your resume even though you passed the exam. I've never met a single person who isn't in security who knew what "Associate of ISC2" means. Go for the ones that match your experience level. CISSP isn't typically a "get your foot in the door" cert. (note, typically).
  • NetworkNewb Member Posts: 3,298
    Danielm7 wrote: »
    Also recognize it doesn't give you the ability to even use the term CISSP on your resume even though you passed the exam. I've never met a single person who isn't in security who knew what "Associate of ISC2" means. Go for the ones that match your experience level. CISSP isn't typically a "get your foot in the door" cert. (note, typically).

    If I passed the exam and didn't have the required experience, I would just put that I passed the CISSP exam under whichever company I was at when I did it, as a bullet point in my Experience section. But just list Associate of ISC2 under the Certifications section on the resume.

    That way you're not saying you're a CISSP holder, but that you have passed the exam.
  • Remedymp Member Posts: 834
    yzT wrote: »
    Krebs, seriously?

    Don't confuse journalism with learning lol

    Keeping up with what's trending in Security is beneficial from a knowledge standpoint.
  • Danielm7 Member Posts: 2,310
    Remedymp wrote: »
    Keeping up with what's trending in Security is beneficial from a knowledge standpoint.

    Absolutely. And, when I'm in the elevator with the IT director and the CISO and they ask if I saw X on Krebs... Note, this has happened more than once.
  • JoJoCal19 Mod Posts: 2,835 Mod
    Hey New2ITinCali, haven't seen you post in a while. Others have covered it quite well. I would just add that, it seems to me that when you do gain InfoSec experience and are trying to move up, the CISSP is almost expected. Almost every single job posting that I've targeted the past couple of years listed CISSP as required, in many cases it was the only cert required.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • TechGuru80 Member Posts: 1,539
    If I passed the exam and didn't have the required experience, I would just put that I passed the CISSP exam under whichever company I was at when I did it, as a bullet point in my Experience section. But just list Associate of ISC2 under the Certifications section on the resume.

    That way you're not saying you're a CISSP holder, but that you have passed the exam.
    Per ISC2 you can't even do that. I believe the idea is so the keyword CISSP doesn't mislead people or HR systems.
  • NetworkNewb Member Posts: 3,298
    TechGuru80 wrote: »
    Per ISC2 you can't even do that. I believe the idea is so the keyword CISSP doesn't mislead people or HR systems.

    Where does it list that? I can't seem to find it on their website. I feel like that is strange since it is not lying or even stretching any truth.

    edit: not saying you're incorrect btw, I'm just more curious
  • TeKniques Member Posts: 1,262
    TechGuru80 wrote: »
    Per ISC2 you can't even do that. I believe the idea is so the keyword CISSP doesn't mislead people or HR systems.

    Yet, I'm sure they'll make sure you send in that AMF when it's due :D
  • renacido Member Posts: 387
    Where does it list that? I can't seem to find it on their website. I feel like that is strange since it is not lying or even stretching any truth.

    From ISC2's website:

    "Associates of (ISC)² are NOT certified and may not use any Logo or description other than "Associate of (ISC)²". Under no circumstances may they identify which exam they have successfully passed or use any Logo, other than "Associate of (ISC)²", in any manner. Failure to abide by this rule may result in the candidate being prohibited from ever attaining any (ISC)² certification."

    https://www.isc2.org/logo-usage-guidelines/default.aspx

    According to their rules, until you are certified you can only put Associate of (ISC)² on your resume. This is so that HR and hiring managers are not deceived by freshers who managed to pass the CISSP exam being able to pass themselves off as CISSP certified. The endorsement process ensures that CISSPs have the required experience. It is considered as important to certification as passing the exam.

    If the CISSP was an exam-only cert it would not carry nearly the weight that it does. If you're qualified to certify as CISSP, good news is that it only takes about a month for ISC2 to certify you once they receive your endorsement application.
  • NetworkNewb Member Posts: 3,298
    That link goes to some page where I'd have to sign in with an account, probably why I missed that. Thank you

    Yea... I wouldn't do what I suggested earlier lol

    "Associates of (ISC)² are NOT certified and may not use any Logo or description other than "Associate of (ISC)²". Under no circumstances may they identify which exam they have successfully passed or use any Logo, other than "Associate of (ISC)²", in any manner. Failure to abide by this rule may result in the candidate being prohibited from ever attaining any (ISC)² certification."

    That seems a little crazy to me but it is what it is I guess. I can see someone in an interview...

    Interviewer: "So I see you are an Associate of ISC2, what exam did you pass to earn that?"
    Interviewee: "I'm sorry, I'm not at liberty to disclose that type of information."
    ***insert awkward silence here***
  • renacido Member Posts: 387
    Interviewer: "So I see you are an Associate of ISC2, what exam did you pass to earn that?"
    Interviewee: "I'm sorry, I'm not at liberty to disclose that type of information."
    ***insert awkward silence here***

    I didn't make the rules. But if they keep people from benefiting from a credential that they haven't earned, I support the rules.

    I know you're not planning to put fraudulent certs on your resume or anything, you're just trying to understand the do's and don'ts, but I'll expand on this in case someone else comes along on this thread who may be wanting to push this particular envelope further...

    I will say that as an Infosec Manager, if I'm screening resumes for a position and I see CISSP on a resume of a candidate who doesn't have the credential, that resume goes into the circular file, maybe even on the Ineligible For Hire list in HR if it's an obvious attempt to bullsh** the process. That may seem severe, but I'd hire 1000 honest people with no CISSP for infosec jobs before I'd hire a bullsh**er. If I can't trust you to be honest in the hiring process I can't rely on you as a member of my team.

    Nearly all infosec managers who do the actual hiring know very well that certifications are not proof of job competence, they are indicators of credibility. Before I got my CISSP I worked in several senior-level positions in infosec, both public and private sector. Most CISSPs outside of DoD/8570 have enough relevant experience that they don't need a CISSP to get the job they're in, all it did was help job recruiters find them more easily. The CISO/manager who hired them made the decision based on their experience and their interviews.

    Bottom line, if you DON'T already have at least 4 very solid years of full-time experience in infosec, you're not competitive for any job where you'd have an advantage with a CISSP. And the Associate of ISC2 is virtually unknown to HR recruiters so I always tell others not to even bother taking the CISSP exam until you're eligible to certify as CISSP.

    One more thing: Anyone who would give half a crap about the value of being an Associate of ISC2 would already know what exam you passed to be an Associate. So don't worry about having to resist the interrogation of an interviewer, you won't be in any danger of giving away ISC2's secret exam.
  • Rumblr33 Member Posts: 99
    In my area demand far exceeds supply. Anybody remotely interested in security gets hired and (hopefully) trained up. I can't say I'm a big fan of that approach, but that's the way it is in my area. So you can't do CISSP, big deal. Here's what I recommend to start with.

    1 - Talk to your infosec people @ work and let them know you're interested. Now keep bugging them to let you help out (with your boss' approval). I can't tell you how many underlings I work with expressed an interest in security and never brought it up again. Show your passion, show your drive. I look for passionate people who really like security when I hire.
    2 - Get Darril Gibson's Security+ book and start working on it & the cert. It's a great security foundation. Maybe consider Network+ first if your networking knowledge isn't 201-level.
    3 - Sign up for all of the SANS newsletters
    4 - Read Krebs on security website weekly
    5 - Listen to Security Now & Paul's Security Weekly podcast weekly
    6 - Download Nessus (free) and RTFM. It's actually a good manual and teaches you everything you need to know.
    7 - Once you're good with Nessus (it isn't that hard) download Splunk (free) and learn what you can with the systems you have. Manuals are there, just not as good as Nessus'.

    Once you've done all that let's regroup and I can give you more homework. Don't worry, there's lots more to come!

    Everything here is how I got my start in InfoSec. Learning Splunk has helped me tremendously. Kudos to you, 636-555-3226. By the way, what area do you live in?
  • Rumblr33 Member Posts: 99
    Danielm7 wrote: »
    Absolutely. And, when I'm in the elevator with the IT director and the CISO and they ask if I saw X on Krebs... Note, this has happened more than once.

    These are great conversation starters with upper management and even your coworkers. Shows you are keeping up with the ever changing world and potential threats.
  • cyberguypr Mod Posts: 6,928 Mod
    Hey New2ITinCali, haven't heard from you in a while. Glad to see things are working OK for you.

    I can't even count how many people I've interviewed for security roles that completely blanked out when I asked "what sources do you use to keep up to speed in the ever-changing world of Infosec?" Heck, if you talk to me about something you read on Krebs or the other sources mentioned above, you are immediately above 70% of the people that I come across.

    But back to your original question, in your particular case the CISSP doesn't make much sense since you can't back it up with experience. Going for the associate may be of some value for a few employers, but I'd rather see you entering the field with Security+ or some other more basic security cert.
    Decent employers looking for an entry-level security person will include things like "Security+", "Windows/Unix and TCP/IP experience", "detail oriented, responsible team-player", "analytical and problem solving skills", and so on. Wannabe employers trying to tick the security checkbox with an entry-level security analyst (a.k.a. super low pay) will start throwing around big words like "CISSP, ISACA, GPEN, OSCP". Nothing wrong with those, just that most of the time they are not appropriate for what the basic role entails. So again, check out your local market. San Francisco will not be the same as Akron, OH.

    You need to go out there on Indeed.com or similar and see what your local market expects from an "entry-level" security person. I use the term "entry-level" loosely because in this field entry level usually means you know a LOT across many different IT areas. Someone here eloquently compared it with a medical doctor. When ready to look for a job, the candidate must have been through countless experiences before being an "entry-level" MD.

    Then there's always the exception. Last year my team took a gamble and hired a girl fresh out of college who studied InfoSec but knew nothing about real hands-on security. I am happy to say that the gamble paid off and this person has been able to pick up a lot from us seniors and perform efficiently as a security analyst. She had zero certifications but is working hard on her forensics stuff and is planning to do the CISSP next year, when she is 2 years into a dedicated Infosec role.

    So my final word here is to be ready for whatever comes your way. You may be able to get lucky and land something, but you may need to work hard to get into security. Building up your skill set and certs in a logical manner, with a specific goal in mind, is key.
  • tpatt100 Member Posts: 2,991
    I like Krebs /shrug. His site is a good starter for keeping current and if you want to dig deeper there are sites for that.
  • markulous Member Posts: 2,394
    tpatt100 wrote: »
    I like Krebs /shrug. His site is a good starter for keeping current and if you want to dig deeper there are sites for that.

    Agreed. He has some good reports. The most interesting one is the guy that tried shipping heroin to Krebs' house to frame him and he ended up taking the guy down. That was pretty entertaining.
  • ArabianKnight Member Posts: 278
    Per DOD 8570 reqs, getting an Assc of CISSP qualifies as an IAM III, so can you not tell them that you have the cert, or just not put it on your resume?
  • Danielm7 Member Posts: 2,310
    Per DOD 8570 reqs, getting an Assc of CISSP qualifies as an IAM III, so can you not tell them that you have the cert, or just not put it on your resume?

    You can put "Associate of ISC2" on your resume. You can't call it an Assc of CISSP.
  • OctalDump Member Posts: 1,722
    And you can get "Associate of (ISC)2" by doing the SSCP (or one of the others) also. Since you can't say what exam you did, it could lead to some interesting results. I'm curious how the military thing works in practice.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • yzT Member Posts: 365
    Krebs' blog is:

    40% posts about how cool I am.
    40% news about skimmers and news about some hacked organization.
    20% relevant stuff: detailed explanations, tips, etc.
  • Danielm7 Member Posts: 2,310
    Clearly you're anti-Krebs. But, for the 5 minutes it takes a week to check in to keep on top of the 60% you mentioned above it's worth it. Like I said earlier, these are things the rest of the business talks about, you want to know about these things. When I sit in large meetings and people go, "oh you're in security, have you heard about X big company breach?" The retort of "sorry that isn't technical enough for me to care" doesn't really fly.