CISSP Certification Dilemma

I started my security career as a technical writer in a security department. I gradually moved into program management of a penetration testing program and added incident response, security awareness training, and other duties. I have spent a lot of time working on my technical chops with the hope of becoming a penetration tester, mainly focusing on web app security. Among other things, I'm testing web apps in my current job. I was a web developer in an earlier life, so it made sense for me to focus on web apps. Along the way, I picked up Security+ and SSCP. I had always had it in mind to earn the CISSP. That was just something you did in security, or so I was told way back when. After SSCP, I earned eJPT and learned a lot in the process. Still learning as much as I can.

Last year, I decided that I needed to start working on CISSP. That kind of put a slowdown on my technical education. I jumped in feet first and created a study plan and bought materials and such. After a few months, I thought I was ready and took the test. Turns out I wasn't ready. So I backed up and created a new study plan. I've found myself actually dreading studying and putting it off when I had the chance. It's not that I'm not getting the material. It's just that there are so many things I would rather learn including getting deeper into web app testing, learning more about network penetration testing, secure software development, etc. To me, that's much more important than earning a management-level certification. A management position has never been my goal.

Don't get me wrong. I'm not trying to downplay the importance of the CISSP certification. I think it's a great thing. I'm just feeling that earning it might not be in the best interests of my career, despite all the work I've put into it. I don't ever want to be an ISO/CISO, though I've had some opportunities.

I have several great technical courses lined up for when I finish CISSP. They're just sitting there, and I think more about what I can learn from them, if only I had the time.

Long story short, since I've realized I don't really want or need the CISSP but get really excited about learning some new security tool or learning how to hack (ethically, of course) into an application or network, am I justified in abandoning my CISSP studies in favor of a more technical education?

Thanks for taking the time to read my autobiography!

Find more posts tagged with

Comments

mikey88

I think you are justified. CISSP is not the answer to all problems. Study what you enjoy learning and revisit it later if you choose to do so.

tedjames

mikey88 said:

I think you are justified. CISSP is not the answer to all problems. Study what you enjoy learning and revisit it later if you choose to do so.

Thanks! This is not something I just decided today. I've been thinking about it for a good long while. And if I do decide to pursue it again in the future, I have all of the materials.

NetworkNewb

tedjames said:

I've found myself actually dreading studying and putting it off when I had the chance. It's not that I'm not getting the material. It's just that there are so many things I would rather learn including getting deeper into web app testing, learning more about network penetration testing, secure software development, etc. To me, that's much more important than earning a management-level certification. A management position has never been my goal.

Don't get me wrong. I'm not trying to downplay the importance of the CISSP certification. I think it's a great thing. I'm just feeling that earning it might not be in the best interests of my career, despite all the work I've put into it. I don't ever want to be an ISO/CISO, though I've had some opportunities.

I'm assuming most people don't love studying for the CISSP... It is a cert that directed more from a manager level, its just a ton of security job ads like to see a person with it (some its a requirement). If you are planning on looking for a new position soon I'd assume having your CISSP is gonna help your job hunt a lot more than learning about technical topic for a month or two. Of course it isn't a requirement for most positions though and would probably be fine without it. Just makes you look better to have it for people hiring is all (for the most part).

Imo, its just a couple months to study for it and would be worth it for almost anyone in security. What is a couple months in terms of 20+ year career? For me the only reason I've been holding off from getting it sooner is because I don't see myself leaving my current company for a little while. Otherwise it would be a top priority to me.

DZA_

CISSP is one of those certifications you have to think if its really right for you. If you're in the technical stream and want to head into management, sure, why not, it's a pivot. It's a certification that you can obtain down the road if you're still interested, maybe it's not the right timing for you at the moment. The commentary that I can make is that job these days require that minimum CISSP although they may not necessarily need it; it cuts through the job application stack and makes you stand out from the crowd. I agree with NetworkingNewb on that point.

tedjames

NetworkNewb said:

I'm assuming most people don't love studying for the CISSP... It is a cert that directed more from a manager level, its just a ton of security job ads like to see a person with it (some its a requirement). If you are planning on looking for a new position soon I'd assume having your CISSP is gonna help your job hunt a lot more than learning about technical topic for a month or two. Of course it isn't a requirement for most positions though and would probably be fine without it. Just makes you look better to have it for people hiring is all (for the most part).

Imo, its just a couple months to study for it and would be worth it for almost anyone in security. What is a couple months in terms of 20+ year career? For me the only reason I've been holding off from getting it sooner is because I don't see myself leaving my current company for a little while. Otherwise it would be a top priority to me.

I'm five years from retirement from the state. That of course doesn't mean that I'm just going to stop working and drive a Winnebago around the country or something. I'm going to start collecting my pension and keep working. I'm going to stick with the state since I'm so close. I have benefits for life, and pension will mean guaranteed pay (much less per month, but still). That will free me up to pursue contracts, whatever.

If it were only a couple of months for me to earn CISSP, no problem. I could tough it out. But I've found myself starting and stopping more than once. I've known people who did it in a month. I realize that to earn something this big, most people recommend dropping out of everything (except work) just to study. That's kind of hard for some people. Like everybody else, I have a family and home responsibilities. I also play in a band and run a small business.

Over the next five years, I can really push my technical skills to the point where I won't have to worry about needing something like the CISSP to help me get my foot in the door.

By the way, it's not that I hate studying for CISSP. I love learning in general. I just see my time better used for other things.

NetworkNewb

tedjames said:
If it were only a couple of months for me to earn CISSP, no problem. I could tough it out. But I've found myself starting and stopping more than once. I've known people who did it in a month. I realize that to earn something this big, most people recommend dropping out of everything (except work) just to study. That's kind of hard for some people. Like everybody else, I have a family and home responsibilities. I also play in a band and run a small business.

Everyone can come up with excuses on why they don't do things... I have a full time job, kids, play in softball league, go golfing every so often... I study almost each night after the kids go sleep (taking 2 college courses atm). Yea, I lose some sleep but whatever. I think you've kinda made your decision by listing out things you'd rather do with your time anyways

In the end, its just a cert that will be helpful for those looking for a promotion or a job higher up, just like all certs are. I like learning as well but there is a lot of boring topics in this one. Definitely not as fun as studying more technical topics!

I'd have a harder time justifying going for this that late in my career and definitely understand not wanting to! I probably wouldn't

iBrokeIT

IMO I view the CISSP as more of a marketing tool for your InfoSec career than something that proves your InfoSec cred. If you are not planning on applying to an InfoSec/IT company or want to keep your options open, the CISSP is easily the most recognizable and requested cert which will improve your chances of getting an interview.

tedjames

These are all extremely valid points. If I do stop, I can always start back up if I want. And having a CISSP definitely does get you HR points. I've always thought of certifications as baselines of knowledge and experience. A hiring security manager sees someone with a CISSP and, if he has one himself, knows that the candidate possesses a certain level of knowledge. Of course, that doesn't translate to ability. I've worked with people with CISSPs who could talk about security all day but just couldn't actually DO security.

Some would argue that it's better just to get it over with, no matter what. That might be true. For me, I just feel that all the time I'm putting into it is just getting in the way of what I really want to do.

I do realize that everybody has circumstances that occupy their time and that mine are no different from or more important than anybody else's. I hope it doesn't sound like I'm making excuses not to pursue it. I don't think that I am. As @NetworkNewb said, I know what I'd rather be doing with my time.

There are definitely a lot of boring topics. When I took the test, I scored much better in the topics that interested me, like Software Development Security and Security Assessment and Testing.

I appreciate all of the great input.

UnixGuy

I think you just don't find CISSP engaging. I understand, because I don't either. However, since you've already studied and done the test once, you should definitely power through and get it done. It is a recognised cert in the industry (whether we like it or not..) so it will definitely help your career (even if you don't go into management...CISSP alone isnt enough for management btw)

Point is, get it done now. it will only add value to your career. you're almost there...the hardest part is over for you.

tedjames

UnixGuy said:

I think you just don't find CISSP engaging. I understand, because I don't either. However, since you've already studied and done the test once, you should definitely power through and get it done. It is a recognised cert in the industry (whether we like it or not..) so it will definitely help your career (even if you don't go into management...CISSP alone isnt enough for management btw)

Point is, get it done now. it will only add value to your career. you're almost there...the hardest part is over for you.

You're right about not finding it engaging. As with most people (probably), I can get behind the topics that I find interesting but find other things boring.

Good point, of course, about trying to finish. I haven't fully made up my mind, but I'm close. I already paid for three years on Boson, so if I do decide to pause CISSP, I'll keep taking the practice exams, just to keep the material in my mind. And then when I'm ready to get back into it, I won't be starting from zero.

anthonx

Why not commit one or two months of studying then take the examination? If money is not an issue. Some people simply cannot afford to fail because of money problems. You made a point that you don't need the CISSP certificate at this stage of your career but perhaps you want it. Some people are also concern about keeping a perfect record like not having to fail any exam. By the end of two months studying, take the exam. Ready or not ready.

Infosec_Sam

As someone who had previously only ever seen "You need to aim for the CISSP if you want a career in cybersecurity," thank you for this viewpoint. I think it's tough to find people who encourage you to pursue what you find interesting/fun, instead of the bigger paycheck and higher title, so this was a refreshing read!

I mean, maybe I'll change my mind once I get closer to the position where the CISSP would help me, but I'm glad I'm not the only one who likes to just do interesting stuff at work.

NetworkNewb

Infosec_Sam said:

I think it's tough to find people who encourage you to pursue what you find interesting/fun, instead of the bigger paycheck and higher title, so this was a refreshing read!

Unfortunately a lot those more interesting/fun jobs ask for people with this cert.

Infosec_Sam

NetworkNewb said:

Infosec_Sam said:

I think it's tough to find people who encourage you to pursue what you find interesting/fun, instead of the bigger paycheck and higher title, so this was a refreshing read!

Unfortunately a lot those more interesting/fun jobs ask for people with this cert.

Such is life, I suppose. I still have quite a few more years until I'll need to consider it, so I'm okay with collecting my CompTIA certs for now!

JDMurray

tedjames said:

To me, that's much more important than earning a management-level certification. A management position has never been my goal.

There are presently 136,428 CISSP-holders worldwide. Most of these people are not in management or will ever be in management. Since its introduction in 1996, the CISSP has become a common, checkbox item for HR and hiring managers when looking for InfoSec candidates to interview. The CISSP CBK contains excellent information that every well-rounded InfoSec professional should know. Having the CISSP certification itself only gets you a first-round job interview, but the knowledge you gain from the study of the CBK stays with your forever. Not having the CISSP pigeonholes you into being a specialist that has a more limited hiring potential.

tedjames

These are all perfectly valid viewpoints, and I can certainly see the logic in each one.

Big picture: Holding the CISSP certification will definitely benefit anyone's cybersecurity career.

Immediate: I still have a long way to go in my security career. There's so much that I want to learn and accomplish. Delaying CISSP while I ramp up my technical chops will benefit me more in my current job.

I remember a recent thread called Endgame. I'm nowhere near even beginning to know how I'll end my career or if I even will. I do know that I want to focus on web application security. Later, I might extend that. I'm going to do what's best for me in the short term and then resume CISSP prep. I've set some training goals for myself, and CISSP remains on that list. It's just that I have moved it down a couple of slots in my priority list. This is one of those things that, at least to me, has no right or wrong answer.

Again, thanks to everyone for all of the great advice.