
One Year Anniversary after passing my CISSP

kalkan999 Member Posts: 269 ■■■■□□□□□□
Aloha all,

Well, it is one year this month that I was the first on TE to take the CISSP via CBT and pass. For those who didn't read my posts from last year, I offer the following Reader's Digest version of events:
  • December 2010 Took the PBT and failed by 43 points
  • February 2012 I took the PBT and failed by 5 points, receiving my results 5 weeks later in March
  • April 2012, I saw that the CBT was offered in Latin Americas prior to the June 1st launch date of CBT in the USA. So, being the adventurous sort, I bought a plane ticket to Costa Rica, sacrificed my 1st wedding anniversary with the wife as well as my birthday, and passed the test.
  • Did NOT come home to a ticker-tape parade much to my dismay.
  • Made a promise on TE that I would quit the DoD and venture out on my own and learn more about the private sector.
Well, here I am, one year later. I am proud to report that I accomplished everything I promised myself and my very supportive wife. I went from Mild-mannered Department of Defense Security Geek to a Consultant for Dell SecureWorks. Not only do I make more than twice my fairly respectable former salary, but I am truly a person who is respected and revered by a multi-billion dollar corporation.
Not only am I a high-paid InfoSec Guru, I get to do all of my work from home! I do travel occasionally, but only when I FEEL like it is necessary for my work, and I definitely don't pay for it out of my own pocket!!!
My phone rings off the hook 10 times a day with recruiters offering me the sun, moon and stars, for long term contracts both remote and on-site. Can't say I enjoy all those phone calls, but hey...Necessary Evil.

And the pay ranges? I honestly had no idea that people with years of experience, now coupled with this highly sought after cert could command so much...Consulting ranges from $80 an hour W2, to $125 an hour all-inclusive for positions that last up to one year.
Full-time employment opportunities are high as well, but don't aim for the stratosphere like consulting gigs do, and vary based on location and cost of living. But the range starts in the low $70's (mostly working for city and state government offering great benefits and job longevity) to $130-150K annually for Director positions, (that number jumps to $220-250K in the New York and Boston Areas).

Why share income levels?

The answer is simple: Motivation for those of you who take this test and don't pass the first or even second go around.
Take the test, but do so for the right reasons. I took, retook, and re-retook the test because I absolutely LOVE what I do for a living; that goes a long way in explaining why I am successful in such a short period of time. I am also a shameless self-promoter who was never satisfied just being one of the guys in the IT Dungeon playing online games on the Aggregate line used in case of emergencies that is never monitored...(bet I struck a nerve with that one, didn't I?:) ) And though I am a self-promoter, I do not embellish. DON'T lie about your capabilities or lack thereof.

Anyway, here I am, one year later, about to celebrate my 2nd wedding anniversary, taking my wife to Costa Rica this time instead of leaving her behind to take that beast of a test. I set my own hours because I deliver great work and just got my third Contract with Dell for another 6 months with a promise that they will re-extend for the next two years. I just got us a home more than twice the size of my old flat. I bought my wife a brand new Mercedes SUV, and still put thousands in savings every month.

Life is good, and I have all of you to thank for supporting me and giving me the strength and courage to see this test through when I struggled with my confidence after coming so close to passing and not doing so. Thank you, thank you thank you.
The best way I can really thank all of you here is to pay it forward, and I am doing just that. I am a Mentor and coach for the CyberPatriots, I volunteer at the VA hospital, teaching Information Security for free as part of the Wounded Warrior Program to returning wounded vets who need a vocation, and I am starting a not-for-profit Cyber organization, with webinar sessions being offered to Inner city schools.

Comments

  • paul78 Member Posts: 3,016 ■■■■■■■■■■
    It's always great to read about other people's success. Well done indeed! Thanks for sharing and I hope it inspires others.
  • cyberguypr Mod Posts: 6,928 Mod
    Glad to hear things are going well for you. Thanks for sharing.
  • jamthat Member Posts: 304 ■■■□□□□□□□
    I'm in the middle of attempting a similar job switch (govt -> private), and while I'm not quite as far along in my career as it would seem you are, I still found this to be very motivational.

    Thanks for sharing the success story, and congratulations!
  • ssehg Member Posts: 69 ■■□□□□□□□□
    Great to hear your story of success. Congratulations and all the best.
  • kalkan999 Member Posts: 269 ■■■■□□□□□□
    Jamthat. Wherever you are in your journey, just make sure you enjoy what you do for a living, as it will show in your work. The rest falls into place.
  • tony71 Member Posts: 66 ■■□□□□□□□□
    This gives me some hope. :) My exam is in 3 weeks and I'm taking quizzes and trying to figure out why the answer is what it is.
  • joebanny Member Posts: 84 ■■■□□□□□□□
    Great to have feedback from someone who has actually seen the benefits of this certification! Your story inspires me that my efforts, late night studies, time away from my family at times are not in vain. It assures me I can do it too! I hope to be able to stand where you are a yr from now to encourage those aspiring as well. Now that you're happy with your career, enjoy your family!
  • DoubleNNs Member Posts: 2,015 ■■■■■□□□□□
    Awesome inspirational post.

    Motivates me to work harder on my own journey, so one day I can catch up to you! haha

    Congrats on everything you've achieved. And thanks for sharing your experiences.
    Goals for 2018:
    Certs: RHCSA, LFCS: Ubuntu, CNCF CKA, CNCF CKAD | AWS Certified DevOps Engineer, AWS Solutions Architect Pro, AWS Certified Security Specialist, GCP Professional Cloud Architect
    Learn: Terraform, Kubernetes, Prometheus & Golang | Improve: Docker, Python Programming
    To-do | In Progress | Completed
  • JockVSJock Member Posts: 1,118
    Thanks for the positive post. I'm on the CISSP journey right now too and this was helpful.

    thanks
    ***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)

    "It's easier to deceive the masses than to convince the masses that they have been deceived."
    -unknown
  • Mike-Mike Member Posts: 1,860
    DoubleNNs wrote: »
    Awesome inspirational post.

    Motivates me to work harder on my own journey

    I agree!

    and thanks for posting salary info, I think that's very important
    Currently Working On

    CWTS, then WireShark
  • kalkan999 Member Posts: 269 ■■■■□□□□□□
    I felt kinda weird about posting salary levels for this cert, and divulging (sort of) my pay range. I was just on a roll with my writing, and I remembered when I was struggling whether all of this was truly worth it, and of course, we all know the answer to that question from my perspective.
    Timing played a lot into my being so sought after. The POV of Information Security, Information Assurance, by those who hold the purse strings has changed significantly in the last year. What was once perceived as a necessary evil to address mandates, regulations, and policies, has changed significantly. If you are in the private sector, especially, you MUST emphasize and quantify the money MAKING potential of Information Security. It's not hard to sell the idea of InfoSec to big businesses nowadays. Wait till Flame and Stuxnet are properly reverse-engineered by our adversaries; we will all have more work than we can handle.
  • ejg398 Member Posts: 57 ■■■□□□□□□□
    I agree, we have shifted from a Compliance stance to more of a Security stance. It's amazing how many companies out there will do what they can just to make the numbers look right for the C class execs and not take care of the business needs leaving InfoSec wide open.
  • paul78 Member Posts: 3,016 ■■■■■■■■■■
    kalkan999 wrote: »
    I felt kinda weird about posting salary levels for this cert....
    Don't you mean for your job and role? ;) I wouldn't discount that you earned the job and salary on your own merits, skill, and experience. Private sector doesn't pay individuals based on the certs they hold. Individuals are compensated based on the value and contributions that they bring to their employers.

    Anyways, I don't mean to seem harsh but having a CISSP, certs, degrees, etc. doesn't equate to the compensation level. Otherwise I would still be making 6.80/hr :D.

    @kalkan - you don't need to feel weird, you earned that job and salary. The fact that you persevered to get the CISSP tells me you don't give up easily and that is the type of person that will be successful. Great story..
  • broli720 Member Posts: 394 ■■■■□□□□□□
    I'll have to respectfully disagree with this statement. While it is possible to accomplish quite a bit without a degree and certs, the chances of that happening are pretty low.
  • bobloblaw Member Posts: 228
    Bottom line is 9/10 times the person with the degree/certification in their field is going to be brighter than those without. The exception does not make the rule.
  • paul78 Member Posts: 3,016 ■■■■■■■■■■
    @broli - I don't actually disagree with you. My point was more about cause-and-effect. I.e. that obtaining the certification does not equate or guarantee the job or compensation levels. The individual that gets to the high salary and role, is usually one that can demonstrate competency and value to the organization that they support.

    I don't wish to detract from kalkan's OP though. I simply want to point out that I am sure that kalkan's hard work, perseverance, and acumen got him to where he is today.
  • RouteMyPacket Member Posts: 1,104
    As I circle back around and go down the security path I have definitely been considering CISSP, I admittedly know very little about it at this point though.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
  • timrvt Member Posts: 28 ■□□□□□□□□□
    thank you !!! just what I needed to hear......I too failed last year by 4 pts.....this after attending sans , passing gisp ,,studying...
    really was crushed......but alas I now am studying again...started few weeks back ..went to a GK cissp prep(hated it)....but now
    I'm back ...conrad book ,shon harris 6th edition ..(did not use shon at all last time)..fedvte online cissp....giving myself a june/july attempt I think
  • broli720 Member Posts: 394 ■■■■□□□□□□
    @paul78 I don't recall saying that it was a cause and effect relationship but sometimes it does. If you know how some contracts go then you would know that a contractor gets to charge a set amount per sub or employee. The more qualifications the person has (degree, certs) the more they can charge. That's how profits are made for some of these companies. The person still has to know their stuff but that's just one example.

    Like @bobloblaw was saying 9/10 the person with 6 years experience, a degree, and certs gets the job over the person with just the experience.
  • badrottie Member Posts: 116
    kalkan999 wrote: »
    I felt kinda weird about posting salary levels for this cert, and divulging (sort of) my pay range. I was just on a roll with my writing, and I remembered when I was struggling whether all of this was truly worth it, and of course, we all know the answer to that question from my perspective.
    Timing played a lot into my being so sought after. The POV of Information Security, Information Assurance, by those who hold the purse strings has changed significantly in the last year. What was once perceived as a necessary evil to address mandates, regulations, and policies, has changed significantly. If you are in the private sector, especially, you MUST emphasize and quantify the money MAKING potential of Information Security. It's not hard to sell the idea of InfoSec to big businesses nowadays. Wait till Flame and Stuxnet are properly reverse-engineered by our adversaries; we will all have more work than we can handle.

    There are 2 main ways business can be more profitable:
    1) Produce more
    2) Reduce costs

    It is hard to quantify how IS can affect the production process, but cost reduction can be with using the appropriate metrics (If the number of security incidents has dropped 50% over a year and so has the corresponding downtime, then a cost savings can be demonstrated). If IS is ever going to stop being viewed as a financial "black hole", you must demonstrate how it can improve a business's top or bottom line.

    As for Stuxnet and Flame, the decompiled code is readily available if you travel in the right (or wrong) circles.... (Flame is truly an interesting piece of work, to say the least).
  • ssehg Member Posts: 69 ■■□□□□□□□□
    Degrees and certification demonstrate you have knowledge. Without degrees and certs you might be able to do better.
  • UnixGuy Mod Posts: 4,565 Mod
    What a great post! Congratulations! Your knowledge, experience, character, and CISSP got you where you are now! I always wanted to move to InfoSec, but looks like I'm still stuck with Unix administration for the time being.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • kalkan999 Member Posts: 269 ■■■■□□□□□□
    Hey Unix Guy, we NEED Unix people by the truckloads in security. No time like the present to study for your CISSP, CISA, or CISM. You have a lot of the other certs that prep you for this exam already. This exam is not Windows centrist, barring a few references to Active Directory, but even RHEL has their own flavor of that now. Join the crowd. Please.
    timrvt wrote: »
    thank you !!! just what I needed to hear......I too failed last year by 4 pts.....this after attending sans , passing gisp ,,studying...
    really was crushed......but alas I now am studying again...started few weeks back ..went to a GK cissp prep(hated it)....but now
    I'm back ...conrad book ,shon harris 6th edition ..(did not use shon at all last time)..fedvte online cissp....giving myself a june/july attempt I think

    Never give up. Never surrender. You went into this tenacious, and remain that way. There are many who have this cert who have skills and a higher IQ than myself. BUT, I believe that my tenacity, and my PASSION for Information Security shines through with anyone who makes the mistake of asking me what I do for a living. I give them an earful because I LOVE this. If you didn't love this Tim, I am sure you would have given up by now. Another poster, webgeek didn't pass the test until his 5th attempt. My close and personal friend TBRAYS took it three times and got his congrats just last week. He stayed the night before with me and the wife, and I gave him a pep talk, so he credits me with helping him over the hump. I think he always had it in him to pass, just like I did, just like you do Tim.
    Tenacity is key sometimes. We cannot all be Mensa members who take the test in 118 minutes like one guy did and pass. My friend Emerald Octane here knocked it out in less than three hours and is only 22 years OLD! Yea, we aren't these guys, but that's ok. We all have our strengths and weaknesses. Strategy is the best way to look at this beast. This test was my crucible, and I passed. So will you. Anything I can do to help any of you, reach out to me personally, and I will help all I can.
  • UnixGuy Mod Posts: 4,565 Mod
    kalkan999 wrote: »
    Hey Unix Guy, we NEED Unix people by the truckloads in security. No time like the present to study for your CISSP, CISA, or CISM. You have a lot of the other certs that prep you for this exam already. This exam is not Windows centrist, barring a few references to Active Directory, but even RHEL has their own flavor of that now. Join the crowd. Please.



    I studied half of CISSP material last year but put it on hold to go on a vacation.


    Do you think an MSc in InfoSec is worth it? I have admission from one uni but it costs around 23K in total, is it worth it? or should I just stick to CISSP/CISA/CISM/CEH/OSCP ?

  • kalkan999 Member Posts: 269 ■■■■□□□□□□
    Most of the jobs I see out there are 'Master's Degree Preferred' but to be honest, the certs and the verifiable experience and kudos from your professional references will take you much farther than spending $23,000 on an exam. I am not taking anything away from an MSc, as it is well rounded and makes you take courses that I would not otherwise consider. I wound up taking correspondence courses in higher math and calculus so I could get a better understanding of cryptography, and because I needed to know Partial Differential Equations when I worked for the US Air Force Research Labs and Space Command on a high-tech program tracking Low Earth Orbiting satellites, and learning how to distinguish between decoy warheads and nuclear from MIRV's. PDE's not only helped me with learning about quantum cryptography, but also detecting the mass of an object the Coriolis effect and warheads re-entering earth's atmosphere, as nuclear warheads are denser than decoys. (Don't worry, it's all unclassified stuff I am sharing). It's kind of neat though how a Cal 3 course requirement in MSc course can wind up being practical in our field and in other fields where our experience protects. I was not hired to track those things, but because of my experience and education with PDE's I learned in crypto let me dive into something cool.
    So, I guess, I would say to you that an MSc is expensive and may or may not be worth it, but the courses required may lead to other adventures. :)
  • ssehg Member Posts: 69 ■■□□□□□□□□
    UnixGuy you can also be CISSP. Work towards it and soon you would be.
  • emerald_octane Member Posts: 613
    kalkan999 wrote: »
    My friend Emerald Octane here knocked it out in less than three hours and is only 22 years OLD! Yea, we aren't these guys, but that's ok.

    kalkan please understand your experiences were instrumental to my success!! I would have been content studying on and off, an hour per day for a week or two before tackling it. But seeing your posts, Flying across the world to take the test ~sheer tenacity~. I definitely respect (feared?) the test during my pursuits. So I upgraded to 4 hrs a day, EVERY day.
    on the bus (CISSP Prep Gold Guide)
    at work (review seminar handbook)
    long walks on the beach (Shon audio recordings)

    and when I walked out, I thought I failed!
  • kalkan999 Member Posts: 269 ■■■■□□□□□□
    I remember. I was bragging on you. :) And thank you for the compliment.
  • UnixGuy Mod Posts: 4,565 Mod
    I took Calculus I, and II, differential equations, probabilities and random signals, circuits, electronics, etc. in my undergrad (Computer Engineering). You are right. Either way, I think I will start with CISSP

    THANK YOU

  • Jasiono Member Posts: 896 ■■■■□□□□□□
    Is math needed for this test?