Pass CISSP w/o security experience?

raied Member Posts: 93
Hello all-
Looking for some helpful advice about the CISSP exam. Can I pass the exam without any security experience? Will the AIO and Official (ISC)2 Guide to the CISSP CBK ((Isc)2 Press Series) be enough to pass the exam?

Comments

  • shednik Member Posts: 2,005
    raied wrote:
    Hello all-
    Looking for some helpful advice about the CISSP exam. Can I pass the exam without any security experience? Will the AIO and Official (ISC)2 Guide to the CISSP CBK ((Isc)2 Press Series) be enough to pass the exam?

    Is it possible? Yes. Will it be easy? No. I personally cannot say if those 2 resources are enough to pass the exam itself, but if you look at some of the posts around the forum you'll see people will use MANY resources for their study.

    Here are a few:

    http://techexams.net/forums/viewtopic.php?p=272882#272882

    http://techexams.net/forums/viewtopic.php?t=37696
  • tiersten Member Posts: 4,505
    Even if you pass the exam, how are you going to fulfil the requirement to have 4-5 years of security experience?
  • JDMurray Admin Posts: 13,025
    The CISSP is a conceptual exam, not a factual exam. It will test you on your understanding of concepts and your cognitive ability to apply the principles of InfoSec to solving problems rather than on your ability to memorize facts and figures. While no CISSP exam candidate has actual working experience with all ten domains, it is possible to pass the exam with no InfoSec work experience if you can find enough sources to give you a good enough understanding of the concepts.

    Anyway, after passing the CISSP exam, you will not be awarded the full certification without verifiable work experience. You will only be known by the designation "Associate of the (ISC)2" until you have obtained the required experience. This will not impress any employer; having a CISSP certification without work experience is pretty worthless for finding and keeping employment.
  • dynamik Banned Posts: 12,312
    tiersten wrote:
    Even if you pass the exam, how are you going to fulfil the requirement to have 4-5 years of security experience?

    As JD said, you'll be made an associate, and you'll have six years to satisfy the experience requirement. If you tack on a Security+ or another acceptable certification or degree, that will drop your experience requirement down a year to four years. You'll therefore have two years to use your associate to break into the InfoSec field. It seems like an interesting strategy for getting into the security side of things, but I have no idea how effective a plan like that actually is.

    JD, while this obviously wouldn't lead to one of those nice CISSP average salaries, you don't think an associate would help you earn an entry-level infosec position?
  • Slowhand Mod Posts: 5,161
    Building on what JDMurray and dynamik said, you may be better off looking at an exam like Security+ to start off with. It'll not only give you an 'entry-level' security cert, but also get your foot in the door with potential employers in order to start you down the road to get enough experience for the CISSP.

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • JDMurray Admin Posts: 13,025
    dynamik wrote:
    JD, while this obviously wouldn't lead to one of those nice CISSP average salaries, you don't think an associate would help you earn an entry-level infosec position?
    I've never seen an "entry-level infosec position." Usually, you get a junior position that has some InfoSec-related duties, such as net admin or help desk, and go up from there. I think there's a greater probability of success more along the lines of what Slowhand suggests with the Security+ and either MCSE or CCNA. Having a CISSP makes more sense when you already have years of experience in a parallel area, such as management or business or administration. Probably the most worthless area to combine with the CISSP is software engineering (sad, but true).
  • raied Member Posts: 93
    Thanks for everyone's feedback. I will work on the Sec+ first.

    Will I still need 4 years of security experience if I earn a Masters in the security field? It seems everyone is asking for a CISSP cert for security positions...
  • tiersten Member Posts: 4,505
    raied wrote:
    Will I still need 4 years of security experience if I earn a Masters in the security field?
    Yes. The base requirement is actually 5 years. If you have a relevant degree or qualification then it is reduced by 1 to 4 years.
  • JDMurray Admin Posts: 13,025
    raied wrote:
    Will I still need 4 years of security experience if I earn a Masters in the security field? It seems everyone is asking for a CISSP cert for security positions...
    You don't need to earn a Masters to get one year removed from the requirements. Having the Security+ cert will allow you to qualify with only four years of experience. There is actually a long list of certs that qualify in this regard. Having a degree on top of this gets you nothing extra.

    And I'd like to point out that people do not have six-figure salaries because they have a CISSP. They earn that kind of money because they have knowledge and experience (and sometimes friends and luck). The CISSP is just an additional requirement to get those kinds of jobs. Certification salary surveys make it seem like employers want to pay you six-figures just for passing a certification test, but that's not really how it works in the real world.
  • vital Member Posts: 15
    JDMurray wrote:
    raied wrote:
    Will I still need 4 years of security experience if I earn a Masters in the security field? It seems everyone is asking for a CISSP cert for security positions...
    You don't need to earn a Masters to get one year removed from the requirements. Having the Security+ cert will allow you to qualify with only four years of experience. There is actually a long list of certs that qualify in this regard. Having a degree on top of this gets you nothing extra.

    And I'd like to point out that people do not have six-figure salaries because they have a CISSP. They earn that kind of money because they have knowledge and experience (and sometimes friends and luck). The CISSP is just an additional requirement to get those kinds of jobs. Certification salary surveys make it seem like employers want to pay you six-figures just for passing a certification test, but that's not really how it works in the real world.

    I don't know what's the point of having the experience requirement to 5 years and then waive a year for having a Security+. Isn't it kinda obvious that anyone who passes the CISSP can just go walk in to a Security+ exam the next day and pass? Why not just say 4 years requirement and forget about the waiver?
  • tiersten Member Posts: 4,505
    vital wrote:
    I don't know what's the point of having the experience requirement to 5 years and then waive a year for having a Security+. Isn't it kinda obvious that anyone who passes the CISSP can just go walk in to a Security+ exam the next day and pass? Why not just say 4 years requirement and forget about the waiver?
    They don't test on the same things though. CISSP covers things that aren't on Security+ and vice versa. I'm not too sure that just because you've passed CISSP that you'd automatically ace the Security+ exam.
  • JDMurray Admin Posts: 13,025
    tiersten wrote:
    vital wrote:
    I don't know what's the point of having the experience requirement to 5 years and then waive a year for having a Security+. Isn't it kinda obvious that anyone who passes the CISSP can just go walk in to a Security+ exam the next day and pass? Why not just say 4 years requirement and forget about the waiver?
    They don't test on the same things though. CISSP covers things that aren't on Security+ and vice versa. I'm not too sure that just because you've passed CISSP that you'd automatically ace the Security+ exam.
    The Security+ is much more technical than the CISSP, which contains mostly business-oriented material. The 2008 objectives have made the Security+ exam much more difficult than it was. Typical CISSP candidates will not be studying to the technical depth necessary to pass the Security+, although they may already know some of the material from their work. So passing the CISSP is by no means an assurance that one can automatically pass the Security+.

    As for the four vs. five years, email the (ISC)2 and ask; tell us what they say.