CISSP or not?

I am a CISA and a CISM. Does it makes sense to write CISSP exam?

I do both Security Management(40%) and hands-on (60%).

A few of the job postings ask either for a CISM or CISSP. That makes me think a lot of companies think CISSP and CISM to be the same when it comes to see if the person is certified with a credible security certification.

what do you guys think? should i invest time/money on CISSP?

Find more posts tagged with

Comments

colemic

Depends - if you are actively looking, it wouldn't hurt, simply because the CISSP has more name-recognition than CISM. But if you are comfortable where you are, I would think twice before it.

I thought the CISSP was roughly as difficult as the CISA exam in terms of question difficulty and trickery. (And I haven't sat the CISM, I am still on the fence for it, I don't know how much it will benefit me since I already have the CISSP.)

JDMurray

The CISSP/CISA/CISM is really the "hat trick" of Information Security. If you are publishing books and articles and looking for consulting opportunities or speaking engagements, having all three on your CV looks very impressive.

The potential revenue you get out of having all three certs will more than offset the initial and annual costs of the CISSP. Also, colemic is correct in that the CISSP has more recognition than either the CISA or CISM. Having the CISSP will certainly give you an edge over your non-CISSP-certified CCIE rivals. I really can't see a reason not to get the CISSP to complement your other certs.

colemic

...then maybe I will look at CISM in December. Not looking forward to it, though.

redmond

Great Replies.

colemic.. CISA was very tricky and CISM is similar to CISA.

I like JDMurray's Hat Trick analogy. It makes sense. A lot of CISSP concepts are already covered in CISA/CISM. The next question is to take the exam now or after the new changes?

I happened to have Eric Conrad's CISSP study guide and shon Harris's videos (both from work). Wil that be sufficient? or is there anything that will complement with these two i should use?

JDMurray

redmond wrote: »

I happened to have Eric Conrad's CISSP study guide and shon Harris's videos (both from work). Wil that be sufficient? or is there anything that will complement with these two i should use?

Knowing what study resources to use begins with what you already know about the CISSP domains. With the CISA/CISM under your belt, along with your CCIE and InfoSec work experience, you are already at an advantage far beyond most CISSP candidates.

In addition to what materials you have, I would suggest looking at Harris' AIO5 book and the (ISC)2's CISSP Official Study Guide. You need to identify the CISSP CBK domain topics with which you are the least familiar and get to know that material better. For example, you might find that application security, operations security, and physical security are your weakest areas and you need to spend more time on them than you do risk management, BGP, DRP, and crypto. I would say your CCIE has you well-covered for the networking/telecom domain.

badrottie

You likely have all the necessary knowledge, and only have to learn a few of the CISSP domains that are not covered by the CISA nor CISM.

Really: CISSP, CISM, CISA, CCIE. That is beyond a Hat Trick--that is a Grand Slam/Tiger Slam. The only thing left to do after that is the CCA.

JDMurray

badrottie wrote: »

The only thing left to do after that is the CCA.

Hey, let's not forget the GIAC Security Expert (GSE)!

akhilesh_rb

Hello people.. I am a newbie on this website.. So please dont go hard on me if I sound silly..
I'm a Computer Engineer form the University of Pune, India and am planning for a full time MS in InfoSec at some university overseas maybe US or Canada in Fall 2012. Meanwhile I was planning on getting a CISSP but have no work experience. So please help me out on this... Do I go for CISSP and will it help me to get a good job in InfoSec? And also which university do I prefer for my MSIS?

VegasResident

akhilesh_rb wrote: »

Hello people.. I am a newbie on this website.. So please dont go hard on me if I sound silly..
I'm a Computer Engineer form the University of Pune, India and am planning for a full time MS in InfoSec at some university overseas maybe US or Canada in Fall 2012. Meanwhile I was planning on getting a CISSP but have no work experience. So please help me out on this... Do I go for CISSP and will it help me to get a good job in InfoSec? And also which university do I prefer for my MSIS?

The CISSP is not something you can get with no work experience and your experience has to be signed off on by someone else to ensure people do not fake it. The certification represents a professional who already has a background in InfoSec

You wil have to meet work experience requirements so if you are not currently working in IT security (Computer Engineer may not have experience that qualifies), it is most likely that you will not qualify to garner the CISSP at this time

ITdude

badrottie wrote: »

You likely have all the necessary knowledge, and only have to learn a few of the CISSP domains that are not covered by the CISA nor CISM.

Really: CISSP, CISM, CISA, CCIE. That is beyond a Hat Trick--that is a Grand Slam/Tiger Slam. The only thing left to do after that is the CCA.

si, si....Or should I have said C, C?

redmond

You should try getting into some of the top schools.

Here is the list i found on internet..

Carnegie Mellon University
http://www.ini.cmu.edu/programs/pitt…stm/index.aspx

Georgia Tech
http://www.cc.gatech.edu/student.ser…seofstudy.html

George Washington Univ
http://www.seasva.gwu.edu/programs/csia/curriculum.htm

Purdue University
http://www.cerias.purdue.edu/educati…am/index.php#1

George Mason University
http://ise.gmu.edu/ms-isa/isa-course.html

Univ. of San Francisco
University of San Francisco (USF)

John Hopkins Univ
Johns Hopkins University Information Security Institute

Northeastern Univ
M.S. in Information Assurance | College of Computer and Information Science

School Offering MS in MIS

Schools offering Masters program with a specialization in MIS
U. of Washington Seattle
U. of Arizona
U. of Indiana Bloomington

Texas A&M University–College Station
http://business.tamu.edu/Departments…epartment=INFO

Virginia Tech
Computer Science @ Virginia Tech's Northern Virginia Center

University of Florida
University of Florida :: Department of Computer and Information Science and Engineering (CISE)

Rensselaer Polytechnic Institute
http://www.rsvp.rpi.edu/academics/co…mgmt/ism.shtml

New York University
NYU Computer Science Department > Master of Science in Information Systems

Carnegie Mellon University
http://www.mism.cmu.edu/catalog.asp?…ction=&p age=

Stevens Institute of Technology
http://howe.stevens-tech.edu/MSIS/Curriculum.html

Drexel
http://coreapp1.drexel.edu/webcourse…l=GR&Univ=DREX

IIT
http://www.cs.iit.edu/programs/new_m…og.html#MCS_IS

PURDUE
University of Michigan-Ann Arbor

http://www.si.umich.edu/msi/default.htm

UIC
http://www.uic.edu/cba/cba-depts/ids/GradProgm2003.htm

Berkeley
Master's Program | School of Information

akhilesh_rb wrote: »

Hello people.. I am a newbie on this website.. So please dont go hard on me if I sound silly..
I'm a Computer Engineer form the University of Pune, India and am planning for a full time MS in InfoSec at some university overseas maybe US or Canada in Fall 2012. Meanwhile I was planning on getting a CISSP but have no work experience. So please help me out on this... Do I go for CISSP and will it help me to get a good job in InfoSec? And also which university do I prefer for my MSIS?

akhilesh_rb

VegasResident wrote: »

The CISSP is not something you can get with no work experience and your experience has to be signed off on by someone else to ensure people do not fake it. The certification represents a professional who already has a background in InfoSec

You wil have to meet work experience requirements so if you are not currently working in IT security (Computer Engineer may not have experience that qualifies), it is most likely that you will not qualify to garner the CISSP at this time

Thanks for the help... So considering my situation which certification do I start with. I already have a Diploma in Cyber Laws, Certd. Cyber Crime Investigator and Certd. Cyber Forensics Professional (all 3 Indian Prospective) from Indian Certifying Authorities. But these aren't currently getting me into a InfoSec related job. Although InfoSec is a very general term used, my interests are in the domains of Legal, Regulations, Investigations and Compliance,
Operations Security, Physical (Environmental) Security & Network Security. I want a certification to start with which would definitely get me into the field of Information Security and take me to the managerial levels.

Turgon

akhilesh_rb wrote: »

Thanks for the help... So considering my situation which certification do I start with. I already have a Diploma in Cyber Laws, Certd. Cyber Crime Investigator and Certd. Cyber Forensics Professional (all 3 Indian Prospective) from Indian Certifying Authorities. But these aren't currently getting me into a InfoSec related job. Although InfoSec is a very general term used, my interests are in the domains of Legal, Regulations, Investigations and Compliance,
Operations Security, Physical (Environmental) Security & Network Security. I want a certification to start with which would definitely get me into the field of Information Security and take me to the managerial levels.

I think your best bet is to try and get a job with one of the massive Indian outsourcing firms. They tend to be much more relaxed about taking people on who are overqualified but have little or no experience as it adds to their certified portfolio. Western companies will hire the outsourcer not the person they send along. That will be an easier way in for you than knocking on the doors of companies without demonstrable experience. You could concentrate on your education at the same time.

akhilesh_rb

Turgon wrote: »

I think your best bet is to try and get a job with one of the massive Indian outsourcing firms. They tend to be much more relaxed about taking people on who are overqualified but have little or no experience as it adds to their certified portfolio. Western companies will hire the outsourcer not the person they send along. That will be an easier way in for you than knocking on the doors of companies without demonstrable experience. You could concentrate on your education at the same time.

My current situation isn't getting me a job. I was planning on a certification which would get me a job firstly in the fields of security and also that experience would allow me to get a CISSP. Please comment.

Fugazi1000

akhilesh_rb wrote: »

My current situation isn't getting me a job. I was planning on a certification which would get me a job firstly in the fields of security and also that experience would allow me to get a CISSP. Please comment.

I would consider pursuing SSCP (see: https://www.isc2.org/sscp/default.aspx) as the 1st rung of the ISC2 ladder. You still need experience, but only 1 years worth. It might be the foot in the door to the 5 years needed for CISSP.

I would also try to get into the larger Indian IT Service Providers, as Turgon suggests, and not specifically security services - as in my experience, they are desperate for good people.

Turgon

akhilesh_rb wrote: »

My current situation isn't getting me a job. I was planning on a certification which would get me a job firstly in the fields of security and also that experience would allow me to get a CISSP. Please comment.

Work for a massive Indian outsourcer. They want qualified people on the books that they can pass off as experts to land more business. Even if you are inexperienced, if you have the right certifications they may take you on. If you go direct to companies your lack of experience may hold you back. With an outsourcer you will be placed as a 'specialist' helping a client. If you get problems there will be backoffice staff who can assist you. If it doesn't work out you will be placed elsewhere but at least have obtained some experience along the way, hopefully not at the expense of a burned client.

Good luck!

redmond

I finally decided to postpone CISSP for a while. I am now finishing(3 more classes to go) my MBA from UMASS and planning for a PhD or a DBA. I am not interested in teaching fulltime but will do adjunct if there are opportunities.