I need some advice from those with a CISSP

kriscamaro68 Member Posts: 1,186 ■■■■■■■□□□
I am really contemplating taking the CISSP at this point and could use some advice. I am currently a Windows Sys Admin that deals with servers at a very basic level and don't deal with the network at all. I also don't really ever deal with Linux. I don't have a lot of experience with authentication and encryption with the enterprise and how to set it up. Most of my time is spent dealing with Config Manager 2012 pushing out software updates/patches and dealing with workstation imaging. I currently hold the certs that are to the left.

My question to you is: would it be worth my time right now to get the CISSP without in-depth knowledge of how AD works, PKI, LDAP, and so on, as well as a deep knowledge of networking in general? Don't get me wrong, I am not an idiot when it comes to this stuff and have a good grasp on the basics, but I am by no means a pro at any of them. I would like to get your advice on if you think I should study and possibly get the MS certs, the CCNA, and maybe the Linux+/LPIC before taking on the CISSP.

I know a lot of it depends on what I want to do with my career in security, which is something I will look at. I would rather you base it off your experience. Did the other certs/knowledge help, or do you not really deal with any of what I mention above in your day to day duties?

I just want to know if the knowledge that I gain from studying and passing the CISSP within the next 6-8 months will be useful in possibly landing a higher paying job or, buckle down for the next year and study all the other stuff first then tackle the CISSP.

I hope this all makes sense.

Thanks.

Comments

  • TBRAYS Member Posts: 267
    There isn't a cert out there that is irrelevant in regards to knowledge, but in order for you to gain the CISSP credential you must have a minimum of five years of direct full-time security work experience in two or more of the 10 domains; 1 year can be taken off with a college degree or an ISC(2) approved vendor certification. If being an auditor, security professional or anything related to in depth security, I would suggest the CISSP to be in your path, but if it's not I would devote my energy and time more to your career path and not just for landing a higher paying job. Trust me, the CISSP is no slouch; it's a mile wide and inch deep exam. You have certs like the VCAP, CCIE, MS top level certs etc.
    Bachelors of Science in Technical Management - Devry University
    Masters of Information Systems Management with Enterprise Information Security - Walden University
    Masters of Science in Information Assurance - Western Governors University
    Masters of Science Cyber Security/Digital Forensics - University of South Florida
  • kriscamaro68 Member Posts: 1,186 ■■■■■■■□□□
    Thanks for the reply. Just to clarify I have always had a passion for security in all its forms so this isn't me just wanting it for a higher paying job. That is part of it but I have always wanted to be in the security field in some form. I am just trying to get an idea if I should hold off for now with the CISSP and get the technical knowledge in all the other areas or if you found that going that far wasn't needed for what you do. I have been in the I.T. support industry for 10 years now and the past 6 years I have had duties related to at least 2 of the 10 domains in the CISSP. The only thing I don't have is a title that specifically states that I work in a position that deals with security day to day.
  • TBRAYS Member Posts: 267
    kriscamaro68 wrote: »
    Thanks for the reply. Just to clarify I have always had a passion for security in all its forms so this isn't me just wanting it for a higher paying job. That is part of it but I have always wanted to be in the security field in some form. I am just trying to get an idea if I should hold off for now with the CISSP and get the technical knowledge in all the other areas or if you found that going that far wasn't needed for what you do. I have been in the I.T. support industry for 10 years now and the past 6 years I have had duties related to at least 2 of the 10 domains in the CISSP. The only thing I don't have is a title that specifically states that I work in a position that deals with security day to day.

    It just depends on what you really want. If I were you, I would go to the ISC(2) website and download the CISSP CIB and look through it and see if it's something you want to tackle now, because it takes at minimum 3 months of focused, dedicated studying to get a general idea of the exam, because by no means is this a technical exam.
  • thegoodbye Member Posts: 94 ■■□□□□□□□□
    kriscamaro68 wrote: »
    My question to you is would it be worth my time right now to get the CISSP without in depth knowledge of how AD works, PKI, LDAP, and so on also a deep knowledge of networking in general

    As the CISSP is a mile wide and an inch deep, you don't need in depth knowledge of AD/PKI/LDAP and many other areas to pass the exam. Would it help? Sure, but the CISSP doesn't go in depth in many areas, rather, it scratches the surface.

    The knowledge gained from the CISSP may assist in getting a better, higher paying job, but it isn't a guarantee. I would pursue the test with the hope to gain insight/knowledge into the various areas of infosec, not the possibility of more money. I still think it's worth it to pursue the CISSP, as the knowledge gained from the test can benefit everyone, even those outside of IT.
  • kriscamaro68 Member Posts: 1,186 ■■■■■■■□□□
    It's not just money. That is a big part of it but my passion is security. More to the point I guess is: in the current roles that you are in, do you feel that you need the in depth knowledge in those areas that I mentioned? I ask because some of the job postings that I see say they want a CISSP but that they want CCNP or CCSP or strong knowledge in *nix and the sort while some don't. I more or less want your take on your current position and if that knowledge is needed or not. Like I said I have the basics down on most of it and some in depth knowledge on the Microsoft side but that's it. I just want to know if the roles that are out there that you work in are more technical or more of an adviser type role where knowing the concepts and the theory is enough for your position.
  • thegoodbye Member Posts: 94 ■■□□□□□□□□
    kriscamaro68 wrote: »
    It's not just money. That is a big part of it but my passion is security. More to the point I guess is: in the current roles that you are in, do you feel that you need the in depth knowledge in those areas that I mentioned? I ask because some of the job postings that I see say they want a CISSP but that they want CCNP or CCSP or strong knowledge in *nix and the sort while some don't. I more or less want your take on your current position and if that knowledge is needed or not. Like I said I have the basics down on most of it and some in depth knowledge on the Microsoft side but that's it. I just want to know if the roles that are out there that you work in are more technical or more of an adviser type role where knowing the concepts and the theory is enough for your position.

    The CISSP exam is a managerial level exam. It explains most concepts at a fairly high level. The CISSP is often a requirement for both technical (e.g. security engineer/analyst) and adviser (e.g. management or consulting) roles. Knowing the concepts and theory is generally not enough to be effective at a position; you need to couple theory/concepts with years of hands on experience.
  • JDMurray Admin Posts: 13,035 Admin
    kriscamaro68 wrote: »
    I just want to know if the roles that are out there that you work in are more technical or more of an adviser type role where knowing the concepts and the theory is enough for your position.

    That sounds more like a description of academic, teaching roles rather than as someone who must know how to design, implement, troubleshoot, and fix systems. Just knowing and talking about concepts and theories won't get a network designed, built, and keep it running and secure.
  • TBRAYS Member Posts: 267
    JDMurray wrote: »
    That sounds more like a description of academic, teaching roles rather than as someone who must know how to design, implement, troubleshoot, and fix systems. Just knowing and talking about concepts and theories won't get a network designed, built, and keep it running and secure.

    Agreed!
  • emerald_octane Member Posts: 613
    Unfortunately it sounds like you have the IT experience but not the security experience. VMs are cheap and easy these days. Spin up a few and figure out how Active Directory PKI, AD et al work. It's not very difficult to set up, VERY easy to screw up (well, PKI is), but very powerful for those who can wield it. Once you work with these technologies and can speak to them even on a general level then doors start to open for you (at least in my experience). Anybody can set up a Windows AD. Anyone can assign every employee to the Domain Administrators group (I've seen it). But CISSPs/security folk can't be lazy. We will meticulously go through every ACL and routinely evaluate the level of access needed by administrative users! Forget the default settings! We don't support legacy kit. Bump everything up to the latest generation/highest security settings. Don't bother reading the morning paper; parse through the auth logs for your domain controllers and look for suspicious activity, all over that morning cupa' joe.
    Because it's our job
    and it's fun.
  • Kashir Member Posts: 7 ■□□□□□□□□□
    I passed CISSP in first attempt, after 3 months of study. If you have the right experience, this exam is not that difficult. But if you don't have the right experience, you would need a long time to study as questions asked in the exam are situational and subjective. Also don't expect that questions from brain **** or any other sample test will repeat. ISC used a very large pool of questions that they keep retiring.

    Good luck!
  • TBRAYS Member Posts: 267
    Kashir wrote: »
    I passed CISSP in first attempt, after 3 months of study. If you have the right experience, this exam is not that difficult. But if you don't have the right experience, you would need a long time to study as questions asked in the exam are situational and subjective. Also don't expect that questions from brain **** or any other sample test will repeat. ISC used a very large pool of questions that they keep retiring.

    Good luck!

    Kashir, having the right amount of experience doesn't guarantee you success on this exam. I have right at 10 years of information security experience; others that know that have more experience than myself have also struggled with this exam. I commend you on your success on the first attempt. Also your statement can be perceived as coming off as being arrogant. Some people are great test takers and some aren't, so I have to disagree with you on that, especially if individuals have test anxiety like I have. Also you need to tread very softly about saying the use of using brain ****, cheating gets you nowhere.
  • ssehg Member Posts: 69 ■■□□□□□□□□
    @kriscamaro68: If you have 5 years plus experience in security in two of the ten domains then you can go ahead with CISSP certification. You need to check www.isc2.org/cissp/default.aspx.
  • JDMurray Admin Posts: 13,035 Admin
    Anyone can take the CISSP (or SSCP) exam at any time. Getting the full certification requires also having the minimum number of years of professional InfoSec work experience and passing the endorsement procedure.
  • ssehg Member Posts: 69 ■■□□□□□□□□