Life after achieving CISSP?

fabostrong Member Posts: 215 ■■■□□□□□□□
Can anyone share how their life changed for the better after they achieved their CISSP? It seems to be the most in demand security certification by employers. Has anyone achieved it and received a lot more calls for jobs or a hefty raise?

Thanks
Comments

  • ITSpectre Member Posts: 1,040 ■■■■□□□□□□
    Based on the threads here most people that have it have gotten more calls and have gotten a good pay raise because of it.
    The CISSP is well sought after.... but it's more of the manager side of Infosec
    In the darkest hour, there is always a way out - Eve ME3 :cool:
    “The measure of an individual can be difficult to discern by actions alone.” – Thane Krios
  • ITSec14 Member Posts: 398 ■■■□□□□□□□
    The people I know who have earned it definitely get more attention than they used to. I wouldn't say it's guaranteed to get you a job making 100k though.
  • ITSpectre Member Posts: 1,040 ■■■■□□□□□□
    fabostrong wrote: »
    Can anyone share how their life changed for the better after they achieved their CISSP? It seems to be the most in demand security certification by employers. Has anyone achieved it and received a lot more calls for jobs or a hefty raise?

    Thanks

    Is this something that you wish to pursue in the future??? If so I would also check the board and read up on it. It's a very good cert but you also need the experience to go along with it.
    In the darkest hour, there is always a way out - Eve ME3 :cool:
    “The measure of an individual can be difficult to discern by actions alone.” – Thane Krios
  • ramrunner800 Member Posts: 238
    ITSec14 wrote: »
    The people I know who have earned it definitely get more attention than they used to. I wouldn't say it's guaranteed to get you a job making 100k though.

    If you work in security and don't make 100k you need to look for a new job.
    Currently Studying For: GXPN
  • SteveLavoie Member Posts: 1,133 ■■■■■■■■■□
    If you work in security and don't make 100k you need to look for a new job.

    It all depends on the area where you live and your experience but I would say that it is surely not a 50K$ job.

    Usually security comes after having many years of sysadmin or programming, you can secure things if you don't know how they work and how the company works too.
  • dhay13 Member Posts: 580 ■■■■□□□□□□
    Not much changed for me. I got it the end of last year. I updated my resume on all the boards but not much change in call activity. The one good thing was that I went to my manager with a list of my accomplishments and I did get a nice raise so that was definitely a plus.

    As far as $100k, depends on where you are. Very hard to get that around my area. Security managers are barely cracking that.
  • TeKniques Member Posts: 1,262 ■■■■□□□□□□
    Not much changed for me either, but it does carry some weight to help get the interview. I wouldn't expect to get a $100k a year job because you have a CISSP; you still have to interview and sell yourself why you're that valuable to a potential employer.
  • dhay13 Member Posts: 580 ■■■■□□□□□□
    dhay13 wrote: »
    Not much changed for me. I got it the end of last year. I updated my resume on all the boards but not much change in call activity. The one good thing was that I went to my manager with a list of my accomplishments and I did get a nice raise so that was definitely a plus.

    As far as $100k, depends on where you are. Very hard to get that around my area. Security managers are barely cracking that.

    Let me clarify, I didn't get the raise because of the CISSP. I got it because I was already underpaid by quite a bit and got a few other certs and tons of training. On top of that I have busted my butt to earn it. The CISSP didn't hurt but think it only played a small part in the equation.

    Also, like mentioned above, the CISSP (or any cert) is not a free pass. You still need to sell yourself. I suck at interviews because I am too honest and don't do well at expounding on things or glorifying them. When asked if I have VMWare experience I say 'well not in the real world but have it on my home network', and leave it at that. Instead of just saying 'well yes, I have used 5.5 and now 6.5 and have for about 2 years now'. The certs can help get you the interview, the rest is up to you.
  • Mike7 Member Posts: 1,107 ■■■■□□□□□□
    It helps when you interact with customers; they accept your proposals more readily and ask fewer questions. I also received more connection requests and job offers from recruiters after updating LinkedIn. CISSP is my first cert that requires CPE to maintain. It means that I invest time upgrading my infosec knowledge via seminars, courses or other certifications, which is not a bad thing given my passion for anything IT.
  • TLeTourneau Member Posts: 616 ■■■■■■■■□□
    Nothing really changed for me but it was an achievement that I am glad to have achieved. As far as salary goes, as many others have said it depends on region.

    Oh, there's this:
    https://youtu.be/8DZkpynFhak

    :)
    Thanks, Tom

    M.S. - Cybersecurity and Information Assurance
    B.S: IT - Network Design & Management
  • ITSec14 Member Posts: 398 ■■■□□□□□□□
    If you work in security and don't make 100k you need to look for a new job.

    As others mentioned, it depends on where you live. Sure, if you live in Cali, New York, Boston, Chicago, etc. you can make 100k easily I'm sure.
  • markulous Member Posts: 2,394 ■■■■■■■■□□
    If you work in security and don't make 100k you need to look for a new job.
    That's just not true. If you don't live in an area with a high cost of living and you don't have a lot of experience, you're not likely making 100k. Also heavily depends on your role. E.g. if you work at a SOC and all you're doing really is forwarding incidents off to tier 2 or IR teams, it's unlikely you're going to be making much.
  • ITSec14 Member Posts: 398 ■■■□□□□□□□
    I think where a lot of people go wrong is relying on certs too much to get them a job or earn a ton of money. Certs get you to the interview, but it's your knowledge and experience which will get you the job and the paycheck.
  • LonerVamp Member Posts: 518 ■■■■■■■■□□
    I got mine 8 years ago as a Sysadmin. After I got it, I was still a Sysadmin. No pay changes. But I will say, I get more notice from recruiters or HR due to it.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
  • CryptoQue Member Posts: 204 ■■■□□□□□□□
    I agree. There are a lot of factors that go into career advancement after obtaining certification credentials. Location, professional experience, in demand IT field, etc. Certs look good on paper, but you have to be elaborate in an interview on your ability to apply the knowledge gained by those certs to the job. In the technical/engineering/architect role, there is a salary cap on how much one typically can make, but in IT management the sky is the limit.
  • ddayglo Member Posts: 25 ■□□□□□□□□□
    More notice from recruiters and HR reps.
    Additional credibility from others...
    Although day-to-day, my CISM has been more valuable, especially when discussing security with executives....
  • ramrunner800 Member Posts: 238
    markulous wrote: »
    That's just not true. If you don't live in an area with a high cost of living and you don't have a lot of experience, you're not likely making 100k. Also heavily depends on your role. E.g. if you work at a SOC and all you're doing really is forwarding incidents off to tier 2 or IR teams, it's unlikely you're going to be making much.

    I was making north of 100 within 3 months of starting in IT, going directly into security, as a T2 SOC monkey watching the SIEM. I'm now ~3 years in and have turned down offers north of $160k base salary, and I live in a low to mid cost of living area. It's about being enterprising, hunting new opportunities, and being willing to relocate. Study like a madman, and avoid waste of time certs like Cisco and CISSP. Those help a lot in other parts of IT like networking and audit, I'm not just trying to rag on them, but the need right now is for hands on security skills like packet analysis, forensics, and malware reversing. Tons of people can do audit and info assurance, that isn't where the shortage is most acute. Your salary is only limited by your desire and drive.

    Edit: I realize all that sounds confrontational, I don't mean for it to. I just want people to know that their career really is theirs to control. Be passionate, drive hard, go get what you want.
    Currently Studying For: GXPN
  • fabostrong Member Posts: 215 ■■■□□□□□□□
    I was making north of 100 within 3 months of starting in IT, going directly into security, as a T2 SOC monkey watching the SIEM. I'm now ~3 years in and have turned down offers north of $160k base salary, and I live in a low to mid cost of living area. It's about being enterprising, hunting new opportunities, and being willing to relocate. Study like a madman, and avoid waste of time certs like Cisco and CISSP. Those help a lot in other parts of IT like networking and audit, I'm not just trying to rag on them, but the need right now is for hands on security skills like packet analysis, forensics, and malware reversing. Tons of people can do audit and info assurance, that isn't where the shortage is most acute. Your salary is only limited by your desire and drive.

    Edit: I realize all that sounds confrontational, I don't mean for it to. I just want people to know that their career really is theirs to control. Be passionate, drive hard, go get what you want.

    Thanks for the insight. What certifications if any would you recommend? Have you done packet analyst, forensics, and malware reversal? What was your first security job?
  • LordQarlyn Member Posts: 693 ■■■■■■□□□□
    Well, I got promoted to my current position, which required a CISSP, and was a 25% pay increase. I was already making six figures, so do the math; $599+~$300 in training materials netted me more than $25K raise, so it was definitely worth it in my case.
  • asiru77 Member Posts: 65 ■■□□□□□□□□
    I don't know if my situation is unique, it's my bad luck or I really don't know how to sell skills (was running family business before) that even after getting multiple certifications I am trying to get a job from last 2 months and till now don't get even a single interview call, only thing I see against me is I don't have any reference but does it really mean on the interview stage when usually nobody performs reference checks?
  • SteveLavoie Member Posts: 1,133 ■■■■■■■■■□
    CISSP even costing about 1000$ (exam + material) is a bargain considering the payback.. in your case LordQarlyn, the back is great, but it is almost impossible to not get into black after 1 year (0.50$ / hour raise covers it in one year based on 2000h/year). If your boss doesn't raise you for this amount.. consider to switch job. My boss will pay for the exam, material and give me a few paid hours (40h), and he will still raise me :) I have a good boss.
  • ITSec14 Member Posts: 398 ■■■□□□□□□□
    I was making north of 100 within 3 months of starting in IT, going directly into security, as a T2 SOC monkey watching the SIEM. I'm now ~3 years in and have turned down offers north of $160k base salary, and I live in a low to mid cost of living area. It's about being enterprising, hunting new opportunities, and being willing to relocate. Study like a madman, and avoid waste of time certs like Cisco and CISSP. Those help a lot in other parts of IT like networking and audit, I'm not just trying to rag on them, but the need right now is for hands on security skills like packet analysis, forensics, and malware reversing. Tons of people can do audit and info assurance, that isn't where the shortage is most acute. Your salary is only limited by your desire and drive.

    Edit: I realize all that sounds confrontational, I don't mean for it to. I just want people to know that their career really is theirs to control. Be passionate, drive hard, go get what you want.

    Totally didn't take it as confrontational at all! Always nice to hear success stories like yours. I just think your story is very uncommon. Salary can be limited by other factors too, not just drive. The average CIO in my area probably pulls in ~$200k, there is no way they would offer a SOC analyst 50% or more of what they make.
  • ITSpectre Member Posts: 1,040 ■■■■□□□□□□
    I was making north of 100 within 3 months of starting in IT, going directly into security, as a T2 SOC monkey watching the SIEM. I'm now ~3 years in and have turned down offers north of $160k base salary, and I live in a low to mid cost of living area. It's about being enterprising, hunting new opportunities, and being willing to relocate. Study like a madman, and avoid waste of time certs like Cisco and CISSP. Those help a lot in other parts of IT like networking and audit, I'm not just trying to rag on them, but the need right now is for hands on security skills like packet analysis, forensics, and malware reversing. Tons of people can do audit and info assurance, that isn't where the shortage is most acute. Your salary is only limited by your desire and drive.

    Edit: I realize all that sounds confrontational, I don't mean for it to. I just want people to know that their career really is theirs to control. Be passionate, drive hard, go get what you want.

    But I was always taught in order to secure something you need to know how it works... I don't feel CCNA is a waste of time or CISSP. My goal is to be in pentesting, and network analysis.
    In the darkest hour, there is always a way out - Eve ME3 :cool:
    “The measure of an individual can be difficult to discern by actions alone.” – Thane Krios
  • Pengu Member Posts: 46 ■□□□□□□□□□
    Here in the UK it's difficult to find someone who even knows what it is. Never even got mentioned at my last few job interviews. It is still in my CV but I don't put it after my name on the CV anymore - fed up of explaining what it is and what it means.

    To be fair though my current job is more on the software testing security side at the moment.
  • Remedymp Member Posts: 834 ■■■■□□□□□□
    ITSec14 wrote: »
    As others mentioned, it depends on where you live. Sure, if you live in Cali, New York, Boston, Chicago, etc. you can make 100k easily I'm sure.

    I am in Boston, I posted a thread about this before where an InfoSec position was offered to me for $14/hr and they demanded a CISSP.
  • ramrunner800 Member Posts: 238
    Someone sent me a disgruntled PM about my comment calling CISSP a waste of time, particularly considering that I hold CEH. Fair point, so I'll take a second to explain my reasoning.

    I'll begin by saying that I earned CEH before I started working in IT, gaining eligibility through taking one of their courses, as I did not have the requisite two years of experience. As a CEH holder I will also say that everything everyone says about CEH is true. As a demonstration of knowing what you're doing, it's not good. As a resume builder, it is quite excellent. It is the cert that got HR departments to start calling me. My passion and home labs are what got me through interviews to my first IT job. It was a couple thousand dollars well spent, and it allowed me to enter the career at a higher level than if I had simply gone to a help desk and slogged away. I made a similar investment in myself later in my career, self-funding my attendance to SANS Forensics 610 and the GREM certification, which has also resulted in a great earning potential boost.

    I won't knock someone getting CISSP, because we do what we need to do to get calls. CISSP is good for that, I will 100% admit. Some folks on the tech side of security say they throw away resumes with CISSP, but I think that's taking it too far. At the same time, I think that by the time you are at a point in your career where you are eligible for CISSP, there are wiser ways to invest your time. CISSP is not easy, and requires time and dedication to achieve, don't get me wrong. However, hard tech skills are at an absolute premium, and the CISSP will teach you absolutely none of those. I will admit that my experience is quite limited, but working in operations, the only technical security people who I've worked with who hold CISSP have been lackluster, to put it nicely. (edit: honestly, it's too nice, I can't tell you how terrible they've been) I'm sure it's great for auditors, and GRC people, and maybe even security administrators. In operations, hands on with attackers, perhaps I'll go for it one day when I'm ready to go to the quieter side. In the meantime there are a million and one ways bad guys can do things that I need to focus my attention on. Have you seen this Squiblydoo nonsense? It was released in April, it's being used by TONS of malware, and it's super cool. Or what about the new way Sofacy is abusing certutil to extract payloads?

    As far as the adage that you need to know how something works to be able to secure it...well...kind of. Yes, you need to know networking at a pretty intuitive level. Yes, you need to have a pretty good understanding of how Windows and Linux work. But to be 100% honest, I don't actually secure anything. There are large parts of the security field that do not involve making devices secure. If you want to know how to keep bad guys from popping your server, I'm not your guy. I, and others in the same part of the field, can certainly help you do that by letting you know what the current trends in attacker activity are, but you need a hardcore security focused Windows admin to sign off on it. I can't admin a firewall either. Those are also two things I would NEVER want to do. Those are specializations that you can make an entire career out of, and I call those guys when I need those answers. It is very important to know what you don't know, and be able to work on a team with guys who do. But there are some very specialized sets of skills that few of the folks who come up through the sysadmin ranks will have. Forensics, intrusion detection, packet analysis, malware reversing, and the like tend to be fairly rare skills (read as: they pay $$$$). Folks from admin backgrounds also tend to underappreciate that they don't know those things. I can't tell you the number of times I've seen admins think they know absolutely what they need to do when their systems have been breached, and end up under-remediating or causing even further damage.

    Certainly I'd get more calls if I added CISSP to my resume, but that isn't necessarily a good thing. Coworkers who hold it certainly get tons of calls. I don't get tons, but I get lots, and I get calls and opportunities they don't. I think of it as employer self-selection. Employers with cert requirements (outside of government, because that's a whole different ball of wax that NONE of this applies to) tend to be employers who don't know what they're doing. I know immediately that's going to be a bad fit, and I'm glad they don't call.

    I think I have the second coolest job in the world, behind fighter pilot. That attitude combined with investment in yourself and drive to back it up, is how to build a cool career.
    Currently Studying For: GXPN
  • redsteel Member Posts: 32 ■■□□□□□□□□
    This thread is really killing my mojo.
  • M0CAMB0 Member Posts: 14 ■□□□□□□□□□
    redsteel wrote: »
    This thread is really killing my mojo.



    It shouldn't, ramrunner is talking with a big bias based on the field he is working in, a big bias. CISSP is a management oriented certification, if you were to follow his advice you would be doing OSCP instead. I don't know about you, but I don't want to be doing malware analysis and reverse engineering exploits all my career, and that is essentially what you'll be pigeonholing yourself into if you go down this path and stick with it, because unless you have any management experience or education, you're going to be stuck doing it all your life and have a CISSP guy managing you. This is why there is a great demand for the hands-on guys, it is not a field of work the majority of people want to do for the rest of their life, you really have to be compassionate about it.

    At the end of the day, do what you want to do, not what the industry is demanding, Security in general is one of if not the hottest fields in the IT industry to be in right now, we are in demand everywhere.
  • Mooseboost Member Posts: 778 ■■■■□□□□□□
    It comes down to what you are looking for and what part of the field you wish to go into. Saying the CISSP is a waste of time is both true and false, with the line being drawn where you wish to place your focus.

    The CISSP is not a technical certification. The positions that truly require a CISSP are not going to require significant technical expertise although technical experience will assist you. This certification is aimed at providing a benchmark to your knowledge of policies, business practices, and general topics that management is concerned about. This is a certification for a business driver and maintainer, not for someone who is working in the trenches.

    The CISSP doesn't hold a lot of value for someone who doesn't qualify for it. You may get a recruiter call as an associate if you put it on your resume but the technical/practical interview will make assumptions about your experience in the industry which you may not have.

    It is great if you are looking to move into a position where the responsibilities align, then the CISSP is a good certification. Saying that there is no market for auditors is incorrect. That being said, there are several positions outside of auditing that can apply to this skillset. Information Security Officers and similar positions push for the CISSP. In a world where due diligence is a must, policy writers are needed. These are not your fresh to security folks but seasoned practitioners moving deeper into the field. The CISSP would also benefit you in a consultant position.

    If you are looking for a technical role like engineering or pentesting - then the CISSP is a waste of time for you. It is not something that would benefit your career because it is not aligned to your goal. Something like the OSCP, CCNA/CCNP sec, etc would serve you a lot better here.

    Keep in mind that certification will only carry you so far. Anyone who says that certification holds no value is A) on the wrong forum and B) has long forgotten how difficult it is to get your foot in the door. Sure, once you have 5+ years of experience you can let certs expire and move on without them but it is hard to get there without some accreditation.

    Your area in the field will also have a play. Some regulations require certifications to touch certain technologies. For example, some of the DoD regulation that we must follow in order to have federal clients requires certification in any technology that a person will administer. So there is that approach.
  • Dr. Fluxx Member Posts: 98 ■■□□□□□□□□
    dhay13 wrote: »
    Not much changed for me. I got it the end of last year. I updated my resume on all the boards but not much change in call activity. The one good thing was that I went to my manager with a list of my accomplishments and I did get a nice raise so that was definitely a plus.

    As far as $100k, depends on where you are. Very hard to get that around my area. Security managers are barely cracking that.

    What state do you live in...so I don't move there