| career | career progression - Jeremy Aucoin
Should You Get Your CISSP?
Whether or not you should get your CISSP is a question with a simple answer: It depends. That's not a very satisfying answer. But when it comes to security certifications, there are many good options (We know. It's a tough problem to have.). So, let's start with the facts.
Positions that require CISSP certification typically pay very well. Depending on where you live, CISSP certification holders can typically make six-figure salaries. There's also no shortage of security positions in the United States. Next year, it's estimated there will be two million more security jobs than professionals to fill them. That's a compelling consideration.
Let's be honest, though — these numbers are only interesting to anyone thinking about a security career. For those currently working as a security professional, you know that it's all about personal preference and your professional strengths.
Here are a few reasons you should (or shouldn't) work toward your CISSP.
It depends on your work experience
Here's the first thing you should know, and it's important: CISSP certification is unattainable if you're just starting out in a security role. Sure, you can take and pass the exam. But you won't earn the certification until you have five years of paid work experience. There are ways to shorten that time by a year. But that's still four years, and you can't make that time pass any faster.
On the bright side, there are great reasons to earn the CISSP if you don't have five years of paid work experience. You can still become an (ISC)² Associate by passing the CISSP certification exam. CISSP Associates gain exclusive access to (ISC)² career resources and networking groups. They're also more desirable to employers, especially federal employers.
To earn your CISSP certification as an Associate, you'll have six years to gain the five years of required work experience, while meeting continuing professional education (CPE) requirements.
You shouldn't start with CISSP
If you're trying to break into your first security job, then you shouldn't start with the CISSP. You should instead go for a certification that validates the basics. CompTIA offers two certification exams — Security+ and CySA+ — that fall into this category.
CompTIA Security+ is an entry-level cybersecurity exam consisting of 90 possible questions that must be answered in 90 minutes. It's not necessarily an easy exam, but it's not supposed to be. It's intended to validate all the knowledge you'd learn in your first year as an IT and security professional. If you account for the difficulty of questions you'll face on the CISSP exam, the Security+ is arguably a simpler exam.
CompTIA CySA+ is another great option if you're new to IT security. CompTIA introduced this certification in 2017 to bridge the skill gap between the foundational Security+ and expert-level CompTIA Advanced Security Practitioner (CASP) certification. It's a step up from the Security+ cert and validates everything you'd typically learn in your first four years as a security professional.
The CISSP is a great next step beyond either of these two exams. If you earn either one, then you can also knock a year off the CISSP experience requirement. So, they might be good options for you to consider.
If you have broad infosec experience, you're good to start with the CISSP. Otherwise, it's better to start with another certification.
CISSP is great for government jobs
Many large organizations require the CISSP for career progression, including (and especially) the federal government. DoD Directive 8570.01-M requirements apply to all members of the DoD Information Assurance workforce (Read more about DoDD 8570).
The baseline certifications for government employees has four tiers:
- Information Assurance Technical (IAT)
- Information Assurance Management (IAM)
- Information Assurance System Architect and Engineer (IASAE)
- Cybersecurity Service Provider (CSSP)
You can see how these baseline certs breakdown in this chart.
You may notice that the CISSP appears quite a bit. In fact, the CISSP satisfies more IA baseline certification requirements than any other certification. So if you're in need of fulfilling an IA baseline certification requirement, the CISSP is a top choice.
If you're looking for the next best option, consider the CASP. The CASP is CompTIA's advanced-level cybersecurity certification. It satisfies all three levels of the IAT position and the first two levels of the IAM (one level difference compared to the CISSP) and IASAE positions.
CISSP requires recertification (and that's a good thing)
Just like the certification process, you'll have to jump through some hoops to recertify the CISSP — and that's not a bad thing. CPE credits are easy enough to earn by doing things you should be doing in your career anyway. For that reason, recertification is one reason to get your CISSP.
Here's how it works:
Every three years, CISSPs (and Associates) must submit a minimum of 90 Group A CPE credits and 30 additional Group A or Group B CPE credits to maintain certification. Typically, you can earn one credit for each hour spent learning.
For instance, you can perform any of these educational activities pulled straight from the (ISC)2 Continuing Professional Education (CPE) Handbook:
- Reading a magazine, book, or whitepaper.
- Publishing a book, whitepaper, or article.
- Attending a conference, educational course, seminar, or presentation.
- Preparing for a presentation or teaching information related to information security.
- Performing a unique work-related project that is not a part of your normal work duties.
- Self-study related to research for a project or preparing for a certification examination.
- Volunteering for the government, public sector, and other charitable organizations.
- Taking a higher academic course.
Basically, if you're learning about a topic covered in any of the eight security domains — as long as it's not a normal on-the-job activity — you can claim it as CPE credit hours. Just remember to document your CPE hours for activities not offered by (ISC)2.
Earning validated minutes with CBT Nuggets also count toward recertification — and they're easy to track and log with Certificates of Completion.
Group B credits are reserved for general professional development activities. They include anything outside the scope of the eight security domains. The same activities that qualified for Group A credits can be used for Group B activities.
Maintaining an average of 40 credit hours a year by performing any of the above activities is manageable. Again, you should be building on your security knowledge, anyway.
Final thoughts on the CISSP
Whether or not you should earn the CISSP mostly depends on your professional goals, work experience, and industry. Here's what to consider:
Are you trying to break into management? Or are you trying to specialize? If you're looking for a fast-track into management, CISSP is the way. Otherwise, you might want to consider these other security exams.
Are you brand new to IT? If so, then you should start with the fundamentals and work your way up to the CISSP. CompTIA Sec+ and CySA+ are only two certifications that will launch your security career. There are many others.
Do you work at a company that values the CISSP? If you're in government, then it's a no-brainer. Otherwise, you should seriously consider whether the CISSP will help you reach your career goals. There are other expert-level certifications that may serve you better, like Cisco CCIE Security or GIAC GSEC.
A final, final consideration. (ISC)² has one of the fastest-growing security communities in the world. With over 20,000 community members and more than 150 (ISC)² chapters worldwide, you'll have plenty of online and in-person opportunities to connect with peers, network, and learn.
Though these benefits come with every (ISC)² certification, if you're already considering the CISSP, and being part of a cybersecurity community interests you, this is one more reason to get certified.