CISSP Exam with No Related Experience?

allenh98

Hi All,

Ive been recommended to take this exam since cyber security is in hot demand and my current contract with the provincial government is ending soon.

How difficult will it be to pass this exam with no relevant InfoSec experience? I am 25 years old and graduated from engineering a few years ago. I have since developed in Java and C# for various employers.

I have taken the GMAT and scored very very well on it. How much of this exam is understanding/problem solving vs memorization?

Are there any recommended study material?

Thanks,
Allen

80hr

https://www.isc2.org/associate/default.aspx

Please read

TheFORCE

Short answer, you need 5 years of experience in any of the 8 domains. If you dont have it you can go for the associate version.

allenh98

Thanks.

So the way I see it is to pass the exam first and become an (ISC)2 associate, and then work the 4 years to become an CISSP.

Guess it's time to hit the books. Do you guys think 2 months is doable? My contract ends in about 3 months and, assuming I pass, I'd like to use the ISC2 associate designation towards my job search.

jcundiff

allenh98 wrote: »

Hi All,


How difficult will it be to pass this exam with no relevant InfoSec experience?

How much of this exam is understanding/problem solving vs memorization?

Are there any recommended study material?

Thanks,
Allen

1). Very since it encompasses 8 different domains, and expects you to understand and know how to apply concepts across all 8 domains. This is a senior level certification, you may want to start with Security + or a more entry to mid level security certification.

2). Memorization will most likely get you a test printout with a score below 700 versus a brief not that says "Congratulations you passed" as I stated above it is an exam based on knowing concepts and fully understanding how to apply them.

yes, you can pass the exam with no experience, but then you have a limited amount of time to acquire the required experience to even obtain the certification

jcundiff

allenh98 wrote: »

Thanks.

So the way I see it is to pass the exam first and become an (ISC)2 associate, and then work the 4 years to become an CISSP.

Guess it's time to hit the books. Do you guys think 2 months is doable? My contract ends in about 3 months and, assuming I pass, I'd like to use the ISC2 associate designation towards my job search.

2 months maybe, if your focus is soley on the CISSP exam about 15 hours a day... I had 12+ years in IT and 5 in Infosec across the domains and I self studied for the biggest part of a year and then completed a 55 hour boot camp the week before sitting the exam. It is all going to come down to how much you need to learn and how much time it takes you to learn it.

At $599, its a rather expensive way to find out how much you do/dont know

allenh98

jcundiff wrote: »

2 months maybe, if your focus is soley on the CISSP exam about 15 hours a day... I had 12+ years in IT and 5 in Infosec across the domains and I self studied for the biggest part of a year and then completed a 55 hour boot camp the week before sitting the exam. It is all going to come down to how much you need to learn and how much time it takes you to learn it.

At $599, its a rather expensive way to find out how much you do/dont know

Haha I guess 2 months is way too ambitious. I plan to study about 3-4 hours a day and maybe take a couple days off before the exam to review mistakes/weaknesses.

So far I have found the Shon Harris 7th ed book online. I read that it is recommended to go through this cover to cover for a newbie with no experience. Is the Shon Harris/Fernando Maymí book the Sybex official book that I keep reading about on this forum?

jcundiff

no it is not. And since Shon passed away before the CISSP domain re-org, it is not matched against the current 8 domains. Also, Shon can be a hard read for someone with little/no experience. Hit Amazon for the latest CISSP CBK ( about half the price it is on the (ISC)2 site and other resources

sybex

https://www.amazon.com/Certified-Information-Security-Professional-Official/dp/1119042712/ref=sr_1_1?ie=UTF8&qid=1483471663&sr=8-1&keywords=cissp+sybex

11th Hour CISSP (also highly recommended here)

https://www.amazon.com/Eleventh-Hour-CISSP-Third-Study/dp/0128112484/ref=sr_1_7?ie=UTF8&qid=1483471602&sr=8-7&keywords=cissp

allenh98

Ah nvm, just did some more searching and it seems the Sybex 7th edition is a paid study resource from Wiley

cyberguypr

Where's our official CISSP mentor, beads? I haven't seen him in a while.

allenh98

jcundiff wrote: »

no it is not. And since Shon passed away before the CISSP domain re-org, it is not matched against the current 8 domains. Also, Shon can be a hard read for someone with little/no experience. Hit Amazon for the latest CISSP CBK ( about half the price it is on the (ISC)2 site and other resources

sybex

https://www.amazon.com/Certified-Information-Security-Professional-Official/dp/1119042712/ref=sr_1_1?ie=UTF8&qid=1483471663&sr=8-1&keywords=cissp+sybex

11th Hour CISSP (also highly recommended here)

https://www.amazon.com/Eleventh-Hour-CISSP-Third-Study/dp/0128112484/ref=sr_1_7?ie=UTF8&qid=1483471602&sr=8-7&keywords=cissp

Thanks a lot for spoon feeding this to me. So far this is the list I'm prepared to purchase: Sybex official 7th edition, Sybex official practice test, CISSP CBK, and the 11th Hour CISSP.

TheFORCE

What are you currently working as? Software developer?

NetworkNewb

You know you can't say your a CISSP anywhere if you don't have the experience right? You can't even say on a resume that you just passed the CISSP exam. Looks like your planning ahead for when your leaving your current position and thinking passing this exam will look good to possible future employers.

allenh98

I won't be able to claim that I am a CISSP but what prevents me from stating that I passed the exam, am an ISC2 associate, and looking to complete my CISSP?

NetworkNewb

You actually can't even state which exam you passed according to their rules:

Associates of (ISC)² are NOT certified and may not use any Logo or description other than“Associate of (ISC)²”. Under no circumstances may they identify which exam they havesuccessfully passed or use any Logo, other than “Associate of (ISC)²”, in any manner. Failure toabide by this rule may result in the candidate being prohibited from ever attaining any (ISC)²certification.

https://www.isc2.org/uploadedfiles/(isc)2_public_content/legal_and_policies/logoguidelines.pdf

allenh98

TheFORCE wrote: »

What are you currently working as? Software developer?

Im currently working as a build/deployment manager but there is not much work for me since I automated everything with Jenkins. So I am trying to take extra work by helping some front end developers with Angular2 and setting up the RESTful API.

But someone close to me convinced me to get some certifications to further my career and I like the sound of being a "paid hacker", so here I am.

lucky0977

Did you google "top cyber security certifications"? Every site lists the CISSP or CISM as #1.
Everyone says the CISSP cert is the "cream of the crop" of security certifications but fail to mention that you should have some fundamental certs beforehand.

A hax0rz certification this is not.

allenh98

NetworkNewb wrote: »

You actually can't even stat which exam you passed according to their rules:

Associates of (ISC)² are NOT certified and may not use any Logo or description other than“Associate of (ISC)²”. Under no circumstances may they identify which exam they havesuccessfully passed or use any Logo, other than “Associate of (ISC)²”, in any manner. Failure toabide by this rule may result in the candidate being prohibited from ever attaining any (ISC)²certification.

https://www.isc2.org/uploadedfiles/(isc)2_public_content/legal_and_policies/logoguidelines.pdf

Ok, I understand that now. But I will be able to claim that I am an associate of (ISC)2, correct? And is this something that employers will look for?

NetworkNewb

allenh98 wrote: »

Ok, I understand that now. But I will be able to claim that I am an associate of (ISC)2, correct? And is this something that employers will look for?

Since that "Associate of ISC2" is something someone would get for not having the experience for any of their certifications, not just CISSP, I can't imagine employers would ask for it. Also, since certifications are mostly to get past HR and get an interview it wouldn't help much. Since HR will most likely have zero clue what that would mean. The only place where I've heard people getting the Associate of ISC2 designation where it helps is either if they work for the Department of Defense and if fills a requirement there or if their employer specifically asks for it.

TheFORCE

allenh98 wrote: »

Im currently working as a build/deployment manager but there is not much work for me since I automated everything with Jenkins. So I am trying to take extra work by helping some front end developers with Angular2 and setting up the RESTful API.

But someone close to me convinced me to get some certifications to further my career and I like the sound of being a "paid hacker", so here I am.

Do you have any cloud certifications? You might be better fit to go for the AWS certifications and that will actually help you more really, Microsoft has some cloud based certification also. If you go the AWS path, you will have access also to security tasks which later on you can claim as experience for the CISSP. Besides, AWS holders i beleive get to command higher salaries and are in demand too.

BlackBeret

So, I'm probably going to make some people angry, but I've seen a number of times where the "Candidates must have a minimum of 5 years cumulative paid full-time work experience in two or more of the 8 domains of the (ISC)² CISSP CBK^®." requirement, ended up being Joe worked 2 years full-time in a position that encompassed 3 domains, thus 6 years cumulative experience.

You work in development? Surely you incorporate security practices into your software development, Domain 8. Do any security assessment and testing against those programs you develop, there's another domain. Deal with data handling, classification, distribution when doing software development? Domain 2. etc. etc. The domains and the time in them add up quickly in reality.

As for studying for the test, I went through the Shon Harris book (2 years ago, but the 7th edition was updated for the new version of the test) cover to cover in 5 weeks, read the 11th hour study guide the day before the test, and passed without problems. I had a good bit of experience in physical security and communications/network security, with some in the cryptography domains, but the other's were new to me for the most part. I found the All-In-One really did a good job of not just spoon feeding the information you might see on the test, but actually teaching the domains, then the 11th hour focused it to the test.

Good luck!

amcnow

My understanding for the experience requirement is:

1. You can claim a full-time position encompassing 1 domain as long as you can also claim at least 1 additional position encompassing a different domain.
2. You cannot multiply or overlap your experience. Joe having 2 years full-time experience in 1 position, even when encompassing 3 domains, means he still needs 3 more years of full-time experience.
3. You can claim a 1 year experience waiver for completion of a qualifying 4-year degree, advanced degree, or certification. https://isc2.org/credential_waiver/default.aspx

dhay13

^ what he said. That is my understanding. Look over the domains and see if you fulfill any of them. As you said, you will need 4 years in at least 2 domains. https://www.isc2.org/cissp-domains/default.aspx