CISSP Certification Dilemma
I started my security career as a technical writer in a security department. I gradually moved into program management of a penetration testing program and added incident response, security awareness training, and other duties. I have spent a lot of time working on my technical chops with the hope of becoming a penetration tester, mainly focusing on web app security. Among other things, I'm testing web apps in my current job. I was a web developer in an earlier life, so it made sense for me to focus on web apps. Along the way, I picked up Security+ and SSCP. I had always had it in mind to earn the CISSP. That was just something you did in security, or so I was told way back when. After SSCP, I earned eJPT and learned a lot in the process. Still learning as much as I can.
Last year, I decided that I needed to start working on CISSP. That kind of put a slowdown on my technical education. I jumped in feet first and created a study plan and bought materials and such. After a few months, I thought I was ready and took the test. Turns out I wasn't ready. So I backed up and created a new study plan. I've found myself actually dreading studying and putting it off when I had the chance. It's not that I'm not getting the material. It's just that there are so many things I would rather learn, including getting deeper into web app testing, learning more about network penetration testing, secure software development, etc. To me, that's much more important than earning a management-level certification. A management position has never been my goal.
Don't get me wrong. I'm not trying to downplay the importance of the CISSP certification. I think it's a great thing. I'm just feeling that earning it might not be in the best interests of my career, despite all the work I've put into it. I don't ever want to be an ISO/CISO, though I've had some opportunities.
I have several great technical courses lined up for when I finish CISSP. They're just sitting there, and I think more about what I can learn from them, if only I had the time.
Long story short, since I've realized I don't really want or need the CISSP but get really excited about learning some new security tool or learning how to hack (ethically, of course) into an application or network, am I justified in abandoning my CISSP studies in favor of a more technical education?
Thanks for taking the time to read my autobiography!
Comments
mikey88 (Member, 495 posts):
I think you are justified. CISSP is not the answer to all problems. Study what you enjoy learning and revisit it later if you choose to do so.
Certs: CISSP, CySA+, Security+, Network+ and others | 2019 Goals: Cloud Sec/Scripting/Linux
tedjames (Member, 1,182 posts):
mikey88 said:
I think you are justified. CISSP is not the answer to all problems. Study what you enjoy learning and revisit it later if you choose to do so.
NetworkNewb (Member, 3,298 posts):
tedjames said:
I've found myself actually dreading studying and putting it off when I had the chance. It's not that I'm not getting the material. It's just that there are so many things I would rather learn including getting deeper into web app testing, learning more about network penetration testing, secure software development, etc. To me, that's much more important than earning a management-level certification. A management position has never been my goal. Don't get me wrong. I'm not trying to downplay the importance of the CISSP certification. I think it's a great thing. I'm just feeling that earning it might not be in the best interests of my career, despite all the work I've put into it. I don't ever want to be an ISO/CISO, though I've had some opportunities.

IMO, it's just a couple of months to study for it and would be worth it for almost anyone in security. What is a couple of months in terms of a 20+ year career? For me, the only reason I've been holding off from getting it sooner is because I don't see myself leaving my current company for a little while. Otherwise it would be a top priority to me.
DZA_ (Member, 467 posts):
CISSP is one of those certifications you have to think about to decide if it's really right for you. If you're in the technical stream and want to head into management, sure, why not, it's a pivot. It's a certification that you can obtain down the road if you're still interested; maybe it's not the right timing for you at the moment. The commentary that I can make is that jobs these days require the CISSP as a minimum, although they may not necessarily need it; it cuts through the job application stack and makes you stand out from the crowd. I agree with NetworkNewb on that point.
tedjames (Member, 1,182 posts):
NetworkNewb said:
IMO, it's just a couple of months to study for it and would be worth it for almost anyone in security. What is a couple of months in terms of a 20+ year career? For me, the only reason I've been holding off from getting it sooner is because I don't see myself leaving my current company for a little while. Otherwise it would be a top priority to me.
If it were only a couple of months for me to earn CISSP, no problem. I could tough it out. But I've found myself starting and stopping more than once. I've known people who did it in a month. I realize that to earn something this big, most people recommend dropping out of everything (except work) just to study. That's kind of hard for some people. Like everybody else, I have a family and home responsibilities. I also play in a band and run a small business.
Over the next five years, I can really push my technical skills to the point where I won't have to worry about needing something like the CISSP to help me get my foot in the door.
By the way, it's not that I hate studying for CISSP. I love learning in general. I just see my time better used for other things.
NetworkNewb (Member, 3,298 posts):
tedjames said:
If it were only a couple of months for me to earn CISSP, no problem. I could tough it out. But I've found myself starting and stopping more than once. I've known people who did it in a month. I realize that to earn something this big, most people recommend dropping out of everything (except work) just to study. That's kind of hard for some people. Like everybody else, I have a family and home responsibilities. I also play in a band and run a small business.

In the end, it's just a cert that will be helpful for those looking for a promotion or a job higher up, just like all certs are. I like learning as well, but there are a lot of boring topics in this one. Definitely not as fun as studying more technical topics!
I'd have a harder time justifying going for this that late in my career and definitely understand not wanting to! I probably wouldn't.
iBrokeIT (Member, 1,318 posts):
IMO, I view the CISSP as more of a marketing tool for your InfoSec career than something that proves your InfoSec cred. If you are not planning on applying to an InfoSec/IT company or want to keep your options open, the CISSP is easily the most recognizable and requested cert, which will improve your chances of getting an interview.
2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response
tedjames (Member, 1,182 posts):
These are all extremely valid points. If I do stop, I can always start back up if I want. And having a CISSP definitely does get you HR points. I've always thought of certifications as baselines of knowledge and experience. A hiring security manager sees someone with a CISSP and, if he has one himself, knows that the candidate possesses a certain level of knowledge. Of course, that doesn't translate to ability. I've worked with people with CISSPs who could talk about security all day but just couldn't actually DO security.
Some would argue that it's better just to get it over with, no matter what. That might be true. For me, I just feel that all the time I'm putting into it is just getting in the way of what I really want to do.
I do realize that everybody has circumstances that occupy their time and that mine are no different from or more important than anybody else's. I hope it doesn't sound like I'm making excuses not to pursue it. I don't think that I am. As @NetworkNewb said, I know what I'd rather be doing with my time.
There are definitely a lot of boring topics. When I took the test, I scored much better in the topics that interested me, like Software Development Security and Security Assessment and Testing.
I appreciate all of the great input.
UnixGuy (Mod, 4,570 posts):
I think you just don't find CISSP engaging. I understand, because I don't either. However, since you've already studied and done the test once, you should definitely power through and get it done. It is a recognised cert in the industry (whether we like it or not..) so it will definitely help your career (even if you don't go into management... CISSP alone isn't enough for management, btw).
Point is, get it done now. It will only add value to your career. You're almost there... the hardest part is over for you.
tedjames (Member, 1,182 posts):
UnixGuy said:
I think you just don't find CISSP engaging. I understand, because I don't either. However, since you've already studied and done the test once, you should definitely power through and get it done. It is a recognised cert in the industry (whether we like it or not..) so it will definitely help your career (even if you don't go into management... CISSP alone isn't enough for management, btw). Point is, get it done now. It will only add value to your career. You're almost there... the hardest part is over for you.

Good point, of course, about trying to finish. I haven't fully made up my mind, but I'm close. I already paid for three years on Boson, so if I do decide to pause CISSP, I'll keep taking the practice exams, just to keep the material in my mind. And then when I'm ready to get back into it, I won't be starting from zero.
anthonx (Member, 109 posts):
Why not commit one or two months of studying, then take the examination? If money is not an issue. Some people simply cannot afford to fail because of money problems. You made a point that you don't need the CISSP certificate at this stage of your career, but perhaps you want it. Some people are also concerned about keeping a perfect record, like not having to fail any exam. By the end of two months of studying, take the exam. Ready or not ready.
AnthonX
Infosec_Sam (Admin, 527 posts):
As someone who had previously only ever seen "You need to aim for the CISSP if you want a career in cybersecurity," thank you for this viewpoint. I think it's tough to find people who encourage you to pursue what you find interesting/fun, instead of the bigger paycheck and higher title, so this was a refreshing read!
I mean, maybe I'll change my mind once I get closer to the position where the CISSP would help me, but I'm glad I'm not the only one who likes to just do interesting stuff at work.
NetworkNewb (Member, 3,298 posts):
Infosec_Sam said:
I think it's tough to find people who encourage you to pursue what you find interesting/fun, instead of the bigger paycheck and higher title, so this was a refreshing read!
Infosec_Sam (Admin, 527 posts):
NetworkNewb said:
Infosec_Sam said:
I think it's tough to find people who encourage you to pursue what you find interesting/fun, instead of the bigger paycheck and higher title, so this was a refreshing read!
JDMurray (Admin, 13,101 posts):
tedjames said:
To me, that's much more important than earning a management-level certification. A management position has never been my goal.

There are presently 136,428 CISSP-holders worldwide. Most of these people are not in management and never will be in management. Since its introduction in 1996, the CISSP has become a common checkbox item for HR and hiring managers when looking for InfoSec candidates to interview. The CISSP CBK contains excellent information that every well-rounded InfoSec professional should know. Having the CISSP certification itself only gets you a first-round job interview, but the knowledge you gain from the study of the CBK stays with you forever. Not having the CISSP pigeonholes you into being a specialist who has a more limited hiring potential.
tedjames (Member, 1,182 posts):
These are all perfectly valid viewpoints, and I can certainly see the logic in each one.
Big picture: Holding the CISSP certification will definitely benefit anyone's cybersecurity career.
Immediate: I still have a long way to go in my security career. There's so much that I want to learn and accomplish. Delaying CISSP while I ramp up my technical chops will benefit me more in my current job.
I remember a recent thread called Endgame. I'm nowhere near even beginning to know how I'll end my career or if I even will. I do know that I want to focus on web application security. Later, I might extend that. I'm going to do what's best for me in the short term and then resume CISSP prep. I've set some training goals for myself, and CISSP remains on that list. It's just that I have moved it down a couple of slots in my priority list. This is one of those things that, at least to me, has no right or wrong answer.
Again, thanks to everyone for all of the great advice.