Thread: Thoughts on CISSP Certification
-
Jul 31st, 2012 02:35 PM
#1
Thoughts on CISSP Certification
Hey guys, I'm two years into my current job in Information Security, specifically Access Control, and recently my manager recommended that I look into CISSP certification for my professional development plan. My employer will cover the course @ Ryerson this Fall and hopefully the exam as well. Looking at the description, I'll be an Associate upon passing the exam, given my lack of experience.
Just wondering if anybody has any input on CISSP Certification and what its advantages are for career progression, or should I look at other certification(s) or save my pennies for an MBA/MMSc?
-
-
Jul 31st, 2012 03:37 PM
#2
Jr. Member

CISSP is one of the top earning certifications in the IT world. It will open up a ton of opportunity, even as an associate until you meet the experience requirements. And if you're thinking MBA, you must be thinking management. Most Security manager positions / consultant positions ask for it.
Absolutely worth it, especially if work is paying.
-
Aug 1st, 2012 08:46 AM
#3

Originally Posted by
sandman748
CISSP is one of the top earning certifications in the IT world. It will open up a ton of opportunity, even as an associate until you meet the experience requirements. And if you're thinking MBA, you must be thinking management. Most Security manager positions / consultant positions ask for it.
Absolutely worth it, especially if work is paying.
Thanks, needed that kind of feedback.
-
Aug 1st, 2012 10:30 AM
#4
Newbie
I have been looking to write the CISSP (as an associate) for a while now. It's pretty well respected and can lead you into the security field / auditing field quite well.
I know it's more of a get-past-HR kinda cert, as for most of the higher level jobs they look for things like GIAC or SANS certs.
-
Aug 1st, 2012 04:46 PM
#5
Really depends on what you are planning on doing with your career, but as someone already said, if work is paying for it then go for it. It's not a guarantee of anything, but it certainly can't hurt. I've got my CISA and CRISC and am currently studying for the CISSP and know a lot of people who have it. Same with CISM. It's not terribly relevant for the audit world (unlike CISA, CIA), but certainly beneficial.
If they are also paying for a course (hopefully a boot camp and not a long drawn out one) then even better. Currently I'm working through the 'study guide' which is almost 4" thick in order to prepare for the 4-hour exam. Then it's all about CPEs after that.
-
Aug 2nd, 2012 02:32 PM
#6
If you want to get into security management, CISSP helps. The exam itself is known for its "mile wide, inch deep" coverage. Great for management (non-technical security positions) but useless in day to day operation. If you follow the big names in the security field, then you know it's not highly regarded. SANS certs are much better for security operation (e.g. incident response, forensic, etc).
However, I'd still go for it since your work is covering the course and exam fee. In addition, make sure your employer is willing to pay for your AMF (maintenance fee) and CPE. By CPE, I mean paying for additional courses, attending conferences. You can get CPE via free webinars, but they are mostly vendor advertising in disguise.
FYI, I am a CISSP.
-
Aug 2nd, 2012 09:41 PM
#7
Siriuskao is right.
In terms of the associate stuff, from what I'm told, if you do any IT / telecom stuff now, it probably is good enough to count as existing experience. I'm not sure if that's true, but I see all kinds of ppl with CISSPs, and no sec experience.
Do keep in mind that security certs are a joke (I guess offensive security has some decent ones these days), and don't require you to actually know anything. So if work's paying, great, and if you can get a job with one (or even just a raise), even better. They are decent if you're going into management for sure, so if that's your goal then I'd recommend it. In terms of the CISSP itself, it's one of the most recognized and desired certifications, so it definitely has that in its favour.
-
Aug 4th, 2012 08:37 AM
#8
Newbie
If work is paying, go for it.
CISSP is one of the most highly regarded security certs so is always a plus on a resume. It does cover a broad range of stuff so shows that you have a good general knowledge of the security field. For in depth operational certs, I would go with SANS GIAC certs.
Note: I am a CISSP
-
Aug 6th, 2012 06:45 PM
#9
Jr. Member


Originally Posted by
bobus1964
CISSP is one of the most highly regarded security certs so is always a plus on a resume. It does cover a broad range of stuff so shows that you have a good general knowledge of the security field.
How does ISACA's CISM (Certified Information Security Manager) designation compare to CISSP, in terms of prestige and marketability?
I know CISSP is considered as more technical than CISM, but what if it's for a job that's geared more towards information security management than hands-on daily technical operations? Let's say there's candidate A with CISSP and B with CISM, with otherwise similar skills and experiences, which would an employer favour?
-
Aug 6th, 2012 08:34 PM
#10

Originally Posted by
saitojohn
How does ISACA's CISM (Certified Information Security Manager) designation compare to CISSP, in terms of prestige and marketability?
I know CISSP is considered as more technical than CISM, but what if it's for a job that's geared more towards information security management than hands-on daily technical operations? Let's say there's candidate A with CISSP and B with CISM, with otherwise similar skills and experiences, which would an employer favour?
I'd say CISSP is more well known, therefore may carry some advantage over CISM. Generally if a job posting asks for CISM, it'll take CISSP as well.
-
Aug 7th, 2012 10:51 AM
#11
I took the Ryerson course and it was great; the woman who ran the course was very knowledgeable and easy to listen to. I wrote the exam 2 months later and passed first try. Work paid for it. It's definitely worth it, especially if you're gunning for a promotion or looking for work elsewhere. They will literally stack out the resumes with CISSP and interview them before even looking at others for an IT security specialized position. Just the way it is, unfortunately. Either way it shows initiative and that you have knowledge of the industry.
-
Aug 7th, 2012 12:20 PM
#12

Originally Posted by
siriuskao
I'd say CISSP is more well known, therefore may carry some advantage over CISM. Generally if a job posting asks for CISM, it'll take CISSP as well.
CISM is definitely more management oriented and requires more, and different, work experience to obtain. While sometimes they will ask for either, don't assume they're considered synonymous.
-
Sep 5th, 2012 01:32 AM
#13
After a couple of years working in the field, it matters more to be certified than the specific certification you have. And job interviews are more about what you know and can do as opposed to having a piece of paper from the ISC2.
That being said, I've been a CISSP for many years and never regretted it. CISSP is a better choice than CISA/CISM stuff.
-
Sep 5th, 2012 02:22 AM
#14
Jr. Member


Originally Posted by
Thanh
CISSP is a better choice than CISA/CISM stuff.
Could you please elaborate on how CISSP is superior to CISA/CISM?
-
Sep 5th, 2012 12:13 PM
#15

Originally Posted by
saitojohn
Could you please elaborate on how CISSP is superior to CISA/CISM?
1. More recognition. CISSP is the standard by which other security certifications are being benchmarked against.
2. Credibility of the organisation behind it. The ISC2 has a strong membership and they have a strong offering in terms of education, volunteering, community involvement, CBK, job searching, etc.
3. CISSP can't be compared with CISA since CISA is about Information Systems Auditing, thus not specifically related to Security, and CISM is more geared toward management. I'm a member of ISACA and I'm also certified as a CISA, but it seems to me an organization without a clear focus. Also, their fees are outrageous (hello maintenance fees).
It all depends on what a person is doing. For an IT-flavored accountant found in big accounting firms, a CISA is probably a good fit, but if information security is the field you want to work in, CISSP is the way to go as the best certification. But like others said before, it is typically described as "one mile wide, one inch deep" so don't expect to come out a specialist on something after certifying. They leave that to manufacturers' certs like the ones offered by Cisco, RSA, Juniper, VMware, etc.