CISSP for non-IT professionals

So I'm taking my CISSP exam in August and then starting law school the following fall. I'm going to be studying information and intellectual property law. I'm curious if anybody on here works on the business or law side of information? Does anybody know if CISSP is as well known in the law and business fields as it is in IT?

Find more posts tagged with

Comments

Iristheangel

I don't believe it is as well known in the legal field but it might be in the the business management geared towards IT. That's not to say that there aren't people who've taken it and become lawyers but I don't believe you'll get extra recognition in the legal field for having it.

To be honest, I didn't even encounter the legal domain in the actual test itself and my CISSP instructor mentioned that the CISSP exam doesn't focus on it really but it definitely focuses on the business/management side of things.

kalkan999

You would think that large law firms who hold the proprietary and potentially damaging information about their clients would be among the most secure in the industry. Nothing could be FURTHER from the truth, and I am speaking from my OWN experience on the matter. The larger firms are starting to get hit by APT's and Hacktivist's on a much more regular basis. When hit, the biggest and baddest way my friend gets them to hire him is to show them a redacted BIA (Business Impact Analysis) from a law firm the size and scope he is pitching, showing the firms when to accept a risk, when to mitigate, and most important, he uses the magic words 'THIS IS WHEN YOU ARE LEGALLY LIABLE.'

Top that off with the fact that he is hired as a consultant for their system security, he also gets hired on as an Expert Witness, and charges up to $300 bucks an hour, plus expenses (per diem, travel, hotel, car rental, equipment rental), and he gets an up front retainer. He makes a great deal of money, but he is never home.

Now, with all of this said, he is geographically located where he can be anywhere within a day, and within 2 hours of many major international law firms. Living in Cheyenne, Wyoming, while a picturesque place, will not likely gain you ample employment within the legal community. Live near an International Airport near a major Metro area, and you can be successful if you pitch it correctly. But if I may be so bold as to say the following: You might be chasing the wrong certification...CISM sounds a little more up your alley if you are going to Law school and want to match an INFOSEC cert with your degree.

JDMurray

If you will be engaging in the legal site of information security, having industry-recognized InfoSec certifications on your curriculum vitae will help greatly when being considered as a recognized and verifiable expert in the fields of InfoSec. This is also true of professional licenses and academic degrees related to your fields of expertise.

JDMurray

Iristheangel wrote: »

To be honest, I didn't even encounter the legal domain in the actual test itself and my CISSP instructor mentioned that the CISSP exam doesn't focus on it really but it definitely focuses on the business/management side of things.

The (ISC)2 exams are international. it's really impossible to write exam items for all of possible laws and ethical considerations of 100+ countries where (ISC)2 exams might be administered. Therefore, it may be that the legal domain is only really applied to US-administered exams. Someone who has taken the CISSP exam in both the USA and say, Costa Rica, might have an non-NDA-violating opinion on any differences in the legal/ethical domain of the exams.

contentpros

If you are going down the legal route you should consider the CIPP certification. It is becoming more and more common in large enterprises and many of the people I know with this credential are lawyers. The CIPP is gear towards privacy, risk, governance and compliance so it seems to be a good pairing.

https://www.privacyassociation.org/certification

There are different flavors of the CIPP certification. Here is an excerpt from the CIPP/US, take a look at the who should apply...

< -- snip -- >

The CIPP/US credential demonstrates a strong foundation in U.S. privacy laws and regulations and understanding of the legal requirements for the responsible transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions. Subject matter areas covered include:

• The U.S. legal system: definitions, sources of law and sectoral model for privacy enforcement
• U.S. federal laws for protection of personal data: FCRA and FACTA, HIPAA, GLBA, COPPA and DPPA
• U.S. federal regulation of marketing practices: TSR, DNC, CAN-SPAM, TCPA and JFPA
• U.S. state data breach notification: California SB-1386 and select state laws
• Regulation of privacy in the U.S. workplace: FCRA, EPP, ADA and ECPA plus best practices for privacy and background screening, employee testing, workplace monitoring, employee investigation and termination of employment
See the complete current CIPP/US Body of Knowledge (pdf 1MB)

To become CIPP/US-certified, you must first successfully complete the Certification Foundation examination, followed by the CIPP/US exam.

Who Should Apply

• Chief Privacy Officers (CPOs) and other senior information management professionals who serve a U.S.-based corporate organization or a global multinational with business or policy interests in the U.S.
• U.S. corporate privacy managers, legal compliance officers and risk managers
• Staff members who serve or support a privacy or compliance team and who need to achieve a consistent level of privacy education
• Intermediate-level privacy professionals and entry-level candidates who are transitioning from non-privacy roles inside U.S. corporate organizations or who are entirely new to the privacy profession
• Information management professionals in the U.S. financial services, healthcare or telecommunications industries who seek to broaden their expertise into a general information privacy scope
• Information security professionals (CISO, CISSP)
• Information auditing and IT governance professionals (CISA, CISM)
< -- snip -- >

HTH
~CP

JDMurray

CIPP looks like it may be a good set of certs for an attorney into Privacy Law. There wasn't much chatter about it on a previous thread I posted.

the_hutch

Interesting suggestion on CIPP, I hadn't seen that one yet. But the main reason I was asking is because I was already locked into the CISSP bootcamp/exam before I decided to take the LSAT and go in the law direction. And now I'm trying to decide if I should cancel and try to get my money back or if I should still go through with it...

halaakajan

kalkan999 wrote: »

You would think that large law firms who hold the proprietary and potentially damaging information about their clients would be among the most secure in the industry. Nothing could be FURTHER from the truth, and I am speaking from my OWN experience on the matter. The larger firms are starting to get hit by APT's and Hacktivist's on a much more regular basis. When hit, the biggest and baddest way my friend gets them to hire him is to show them a redacted BIA (Business Impact Analysis) from a law firm the size and scope he is pitching, taking them all the way through the SLE X ARO = ALE process in detail, showing the firms when to accept a risk, when to mitigate, and most important, he uses the magic words 'THIS IS WHEN YOU ARE LEGALLY LIABLE.'

Top that off with the fact that he is hired as a consultant for their system security, he also gets hired on as an Expert Witness, and charges up to $300 bucks an hour, plus expenses (per diem, travel, hotel, car rental, equipment rental), and he gets an up front retainer. He makes a great deal of money, but he is never home.

Now, with all of this said, he is geographically located where he can be anywhere within a day, and within 2 hours of many major international law firms. Living in Cheyenne, Wyoming, while a picturesque place, will not likely gain you ample employment within the legal community. Live near an International Airport near a major Metro area, and you can be successful if you pitch it correctly. But if I may be so bold as to say the following: You might be chasing the wrong certification...CISM sounds a little more up your alley if you are going to Law school and want to match an INFOSEC cert with your degree. CISSP is VERY heavy on Disaster REcovery, Business Impact Analysis, Business Continuity, Information Security and Risk Governance. and Depending on your test, it hits Network, telecom and Cryptography pretty hard as well.

What is the position your friend holds ? And what is his Educational backgrond ? Certifications ? It is good to hear that there are people making that much per hour.

What an inspiration

kalkan999

JDMurray wrote: »

The (ISC)2 exams are international. it's really impossible to write exam items for all of possible laws and ethical considerations of 100+ countries where (ISC)2 exams might be administered. Therefore, it may be that the legal domain is only really applied to US-administered exams. Someone who has taken the CISSP exam in both the USA and say, Costa Rica, might have an non-NDA-violating opinion on any differences in the legal/ethical domain of the exams.

Was mine a Non-NDA-violating opinion? Is that a double negative joke? If so, I'll not take the bait for to do so might violate the Costa Rican CISSP NDA Agreement by making reference to the possibility of any double-negatives showing up on the test.

'He Shoots and he scores!' Nothin' but net. swoosh!

kalkan999

halaakajan wrote: »

What is the position your friend holds ? And what is his Educational backgrond ? Certifications ? It is good to hear that there are people making that much per hour. What an inspiration

He owns his own company in a major metropolitan area in the US, but travels throughout the contintental US regularly. He is looking to expand his business, but for those who dare, should know they are going to be responsible for their own taxes, and will need a credit card with a lot of room on it. You get paid when the law firms pay him. The checks are always 'FAT,' but sometimes 60-90 days out.
His education is IT and web design. CISSP, MCSE, etc. Degree in Graphic Design, but that's all, I think. He also delves into Trial graphics and demonstratives because they are a key element in all high profile cases.
My advice should you choose this field: Don't take on the 'pie in the sky' attorney's who are not part of a large firm. Most of the time smaller law firms are looking for a niche market, and ours is a romantic endeavor for them, but they usually lack the skills to effectively pitch the service we can provide them. Go after the BIG firms that spend lots of money, have lots of associate lawyers, paralegals, interns and other 'flunkies.'
Big law firms usually outsource their IT, so getting those third-party IT companies to cooperate is like someone trying to get me to eat Brussel Spouts...neither will happen without being bribed or extorted.

This is frustrating, but nothing new to those who have independently pen tested before.