CISSP? Now or later?

Paperlantern

Well, I wanted to ask this here knowing the community is very knowledgable and would be able to point me where I should be going.

I recently (November of last year) took, and passed the Security+ exam for CompTIA. in the wake of that exam, i felt that I enjoyed the material, and the testing process and felt like I wanted more. Well the year has sped past a ways, but I still feel the same. Additionally, my employer is creating a new position in the Security field to handle all of the security aspects of the company. I am the main candidate for that position as it is basically being created for me. Spurring this on, is a lot of our clients requiring the company have a CISSP on staff or at least on contract retainer.

I currently have been in the IT field about 8 years (not including 2 years i was a office administrator for a mom and pop computer shop where i did mostly front desk reception, shipping/receiving, parts ordering/returns and tech dispatching, if you include those 2 years then its been 10 years in the industry). Of those 10 years, I've been involved with a number of things, but not much true Security until I came here about 3 years ago. My role here hasnt been an active security one, but have dabbled in firewall policies, physical door control policies, password creation policies, data retention and encryption bits and pieces, but nothing HEAVY.

I'm wondering if I should even be aiming as high as CISSP and I should aim to a lower cert first and with another year under my belt then try CISSP, or if it is something I should be able to do with the right materials and study aids and I'm just psyching myself out. I didnt find Sec+ difficult, but it was interesting for me.

If you think I can do CISSP, what materials or resources would you recommend I buy/use or obtain before I start my journey.

Any opinions and thoughts are welcome.

Jinuyr

I am in a similar situation. I also recently completed the Security+ exam. After realizing how much combined experience I had with the 10 domains needed for the CISSP I decided to go for it. There are still some weak areas I am running into, mainly Application Security and the details of Cryptography but that's only a matter of time before I understand it.

Just make sure you have all the material you need and use at least two sources.

Paperlantern

See, you have some experience in those domains. My fear is because I don't, I would be getting in over my head, and even if I did pass, i wouldn't have enough experience to even get the cert. Again i could just be psyching myself out, which I do in almost any exam scenario, so i thought I would come to the voices of reason here at TE.

What materials are you thinking of using?

JDMurray

There's still great benefit in studying for a certification without taking the exam. In doing so you will get a good idea if InfoSec is really what you want to do for a living.

The top two study books for the CISSP exam are currently:

Amazon.com: Official (ISC)2 Guide to the CISSP CBK, Second Edition ((ISC)2 Press) (9781439809594): Harold F. Tipton: Books

Amazon.com: CISSP All-in-One Exam Guide, Fifth Edition (9780071602174): Shon Harris: Books

Also have a look at my blog articles:

The CISSP Certification Experience | TechExams.net Blogs

The CISSP Certification Experience: My Study Plan | TechExams.net Blogs

emaupin

I'm also in a similar situation. I passed Sec+ about a month ago. I've got about 2.5 years of experience in a security manager role, which covers all of the domains in various degrees of depth except software development. I'm planning to take a CISSP review seminar and exam in 6 to 9 months or so. I'll be an associate of ISC2 for a few months before I reach the experience requirement.

As for materials, I bought the All-In-One Shon Harris package that includes the practice test pack. I haven't started on it yet, but I plan to do so after the 4th of July. (I'm giving myself a little break to clear my head as I went straight from grad school into the CompTIA certs last year.) My style is probably different from most people. I prefer to slowly pick through the book in my spare time rather than grind through it. Once I finish the book, I'm going to do a practice test or two to assess myself. If I need additional help, I'll probably look to CISSP for Dummies. I've also gathered a fair amount of bookmarks by searching around the web and especially this site. They mostly consist of exam tips, review materials/notes, and free practice quizzes. If I feel like I need it, I might buy the cccure.org membership for those quizzes as well. I highly recommend browsing many threads in this forum.. it's full of great tips.

My goal is to feel fairly comfortable about passing the exam before I even go to the seminar. I figure that I've got 18 months or so before I'm eligible for the cert anyway, so there's no rush.

Jinuyr

Correct me if I'm wrong guys...

But I believe you can still complete the CISSP and become an Associate of (ISC)2 if you do not possess the required amount of experience. You have six (6) years I believe to obtain that experience and submit your endorsement to get your certification.

PS, the two books that JDMurray recommended are awesome. I am finding myself going through the Official book first and swapping to the AIO when I get stuck to see if it has better information that I can understand. I might also purchase the:

CISSP Study Guide by Eric Conrad

It has better reviews than the Official book and AOI at the moment. I would not get it first however since historically, people have had much better success with the books that JDMurray mentioned.

Paperlantern

Thanks for the suggestions guys, it does sound like I should be able to pull off the exam, it's just the endorsment at this point that I think I may have an issue with. I wonder how the company's clients would be with not a TRUE CISSP, but just the associate level for a while until i get that experience necessary to obtain the true cert.

Keep the suggestions coming guys, this is good stuff.

JDMurray

Paperlantern wrote: »

I wonder how the company's clients would be with not a TRUE CISSP, but just the associate level for a while until i get that experience necessary to obtain the true cert.

For one example, as per DoD Directive 8570.01, the US DoD only seems to care if their IA people pass the CISSP exam but not obtain the full certification.

Note that even if you do only become an Associate, you still need to submit CPEs and pay AMF. Here's the relevant blurb:

...if you are working towards the CISSP, you have a maximum of six years from your exam pass date to acquire the necessary professional experience, and two years for those working towards the SSCP. An Annual Maintenance Fee (AMF) of US$35 applies, and Continuing Professional Education (CPE) units must be earned each year (20 towards the CISSP and 10 towards the SSCP) to remain in good standing.

Paperlantern

JD you are amazing. That is good stuff to know. Okay good, then this really shouldn't be an issue, whether I get the full on cert or not, there SHOULD be no issue on the matter once I pass. I'm sure CPE units will also not be a problem, the company has budget for ongoing training anyway. Thanks!

JDMurray

Paperlantern wrote: »

... this really shouldn't be an issue, whether I get the full on cert or not, there SHOULD be no issue on the matter once I pass.

Assuming your employer, or future employer, only cares about you passing the CISSP exam and not obtaining the full CISSP certification. You can't actually say you are CISSP-certified on your resume, although you can state that you are "pending CISSP certification."

colemic

I would bet they fix that in the relatively near future.

afcyung

Who fix what? If you mean the DOD nope they wont be fixing it because it would limit their ability to hire a person into the spot. increasing the cost of the position.

colemic

Well, it's a bit pointless the way it is. And DoD doesn't care too much if it costs a company more to hire for a position.

badrottie

Someone who has passed the CISSP and lacks the requisite work experience is still an Associate of (ISC)².

The only drawbacks are the following:

1. You are not a CISSP until you have the minimum experience required and unfortunately will not be in the same pay-band as a credentialed CISSP (much like articling law school graduates are slave labour until the have passed the bar and can be legitimately recognized as Lawyers and licensed to practice.)
2. If applying for a position where a CISSP is mandatory, you will likely be disqualified by HR, as they will not have any understanding of what an Associate of (ISC)² means. They are told that a CISSP is mandatory for the job, and that is what they filter on.

Still, I would hire a candidate that had passed the exam, but their compensation would not be the same as someone who is a CISSP. Once they obtained the necessary experience, then they would qualify for a raise (This is no different than how other professional fields approach it: engineering, accounting, law, etc.)

guessswh0

I think it would be best to make sure you get someone who has experience in the IT Security field before your company really dives into it. If you don't have any experience really, it might help to get someone who has that experience so you can learn from them.

Security+ is a good certification to start off with, but personally I wouldn't have a company start a whole business unit based off of the Security+

At the same time, I would also recommend trying to work on studying for the CISSP as that will definitely benefit you in the future once you achieve it.

Paperlantern

Well, the position is being created, and I'm being promoted into it, it's not a question of whether or not that is happening, or if I should persue that, really my question was could I get CISSP now or not. It seems, based on another CISSP's suggestions, that I damn well can. Yes I will be starting to study for the exam. Ive gotten the Shon Harris and Tipton books and will be perusing them in the coming weeks. I'm hoping to be able to take the exam in the fall some time, or early winter.

guessswh0

Paperlantern wrote: »

Well, the position is being created, and I'm being promoted into it, it's not a question of whether or not that is happening, or if I should persue that, really my question was could I get CISSP now or not. It seems, based on another CISSP's suggestions, that I damn well can. Yes I will be starting to study for the exam. Ive gotten the Shon Harris and Tipton books and will be perusing them in the coming weeks. I'm hoping to be able to take the exam in the fall some time, or early winter.

I am not arguing the value of the CISSP. I definitely think it will help your knowledge of security, and your career. I was just saying my thoughts on what I would do if I was the owner.

I guess it also depends what type of "security" work we're talking about. Application security, network design, etc.