
CISSP Expectations

JWit Registered Users Posts: 7
Hello,

I'm new to these forums, but I was looking for a little insight. I recently graduated college with a B.S. in IS and recently passed the Security+ exam with an 883. I have a little over two years of experience in network security. With that being said, I'm currently in the process of moving towards some C&A work and want to take the CISSP exam and become an Associate CISSP until I can fulfill the work experience requirement. My plan is to study for about two hours per night for the next six months using Shon Harris AIO, the ISC2 official guide and the Shon Harris lecture videos. With my experience and my study plan, do you think I could accomplish this feat, or is my lack of experience too much to overcome?

Comments

  • Darril Member Posts: 1,588
    Can you do it? Absolutely. You have a good plan and based on your other education I say that it is definitely within your grasp.

    Not sure if you've looked at it or not, but with two years of experience you have the requirements for the SSCP, so you don't need to go the Associate route. You can use it as a stepping stone, and the knowledge you gain while studying for the SSCP will help you when you take the CISSP.

    Darril Gibson
    Security Blog
  • Atomicfrog Registered Users Posts: 6
    By all means, if you have the momentum, keep plugging away at those certifications, if for no other reason than to keep your edge. If I can offer any advice at all, it would be to build a solid understanding of the technologies that put the "Info" in InfoSec. By this I mean network engineering, storage area networking, and software engineering. If you're going to be doing C&A work, you'll need to understand how these technologies work so that you can speak the language and make informed decisions and not just be the dreaded "Box Checker".
  • JWit Registered Users Posts: 7
    Atomicfrog, I completely agree with you; the last thing I want to be is a "box checker". I believe I have a solid foundation, but do you have any suggestions to solidify that understanding?
  • Atomicfrog Registered Users Posts: 6
    JWit wrote:
    Atomicfrog, I completely agree with you; the last thing I want to be is a "box checker". I believe I have a solid foundation, but do you have any suggestions to solidify that understanding?

    In regards to the CISSP / SSCP, if you are motivated to get it then go for it. Your study plan looks sound, and you haven't imposed an unrealistic time frame to prepare. In the world of certifications, people get used to the instant gratification that comes from studying for a few weeks, taking the exam, and then getting results immediately. While this strategy works fine for exams like the CompTIA certs and even the MS certs to a lesser degree, the CISSP represents a much broader body of knowledge. As a result, you will see a large number of people apply the same strategy and then come up short on test day. So pace yourself; it's just too much information to cram. If you are going to be doing C&A work, you'll probably find the subject matter to be more applicable than if you were doing network security or pen testing.

    As far as general IT skills go, learn coding theory. Unless you are doing help desk work, and maybe even then, a working knowledge of how to code / script will be a skill you will use throughout your career. Perl, Python, or even PowerShell are good languages to become familiar with. Learn to work from the command line. Learn Linux so when you get bored with C&A paperwork you can become a freelance pentester with the other five gazillion security immigrants. (Kidding, mostly.) Or set up a security lab and go crazy.

    Hope this helps!
  • Turgon Banned Posts: 6,308
    Atomicfrog wrote:
    By all means, if you have the momentum, keep plugging away at those certifications, if for no other reason than to keep your edge. If I can offer any advice at all, it would be to build a solid understanding of the technologies that put the "Info" in InfoSec. By this I mean network engineering, storage area networking, and software engineering. If you're going to be doing C&A work, you'll need to understand how these technologies work so that you can speak the language and make informed decisions and not just be the dreaded "Box Checker".

    Totally true. So many box checkers in security these days. So few that actually understand how technologies truly work. If you are going to advise me on network security, I'm listening to see if you understand what you are talking about, and what running a production network actually involves. I'm less interested in rote learning from standards and certification bodies from the passed-up MCSE who got certified in security because it was 'cool'. To understand technology well takes time.
  • JWit Registered Users Posts: 7
    Thank you, I appreciate all the input. I feel I have a good grasp on a variety of IT domains, but I'll be honest, every day I learn something new. That continuous learning is what draws me to IT security. I don't believe anyone knows everything there is to know about IT security, and that's what makes it so much fun. It is forever evolving, and it's up to you to continue to learn and understand how and why things work the way they do.
  • beads Member Posts: 1,531
    Just took the CISSP on the 17th of December myself. Surprising to see how much gray hair and how many big bellies there were in the room!

    With that said, the CISSP is, or should be, your security capstone certification, not a check box as was mentioned otherwise. There are many more applicable certs in security land that would probably do you more good in real terms. The CISSP being, in reality though not always in practice, a mid-management exam.

    Where people seem to have the most problem with the exam is the lack of long exam experience; they seem to jump into the exam hoping to scrape by and be awarded the credential. When you hear people say things like "I saw nothing but four bad answers (for every question)..." I feel some angst for them. It's really a tough exam to sit through.

    The larger question is what is it that you want to do in security? Are you in a security role now? Once you're comfortable with these questions, the CISSP and other tests like it will fall into place more easily.

    - beads
  • JWit Registered Users Posts: 7
    The larger question is what is it that you want to do in security? Are you in a security role now?

    Well, to be honest with you, I see myself working more in line with risk assessment and C&A work rather than working "on the front line". I currently work in network security and while I enjoy it, I definitely see myself working more with the customer in the future. This may sound strange to a lot of people, and would have even sounded strange to myself a few years ago, being that I got into IT for the technology, not the money or to be a manager.
  • Atomicfrog Registered Users Posts: 6
    Nope, not strange at all. The folks that track the configurations are the ones that inject some order into the chaos. You can't truly appreciate configuration management until you suspect that one of your systems has been compromised and you're trying to find out what's changed. A good C&A Baseline will give you a roadmap that will help narrow down the haystack before you go searching for the needle. I say this all the time, not everyone can be a pentester, you have to have someone paying attention to the paperwork.
  • afcyung Member Posts: 212
    Why not try the CAP from ISC2 since you want to do C&A? It's the C&A cert from ISC2.