It seems like about once a month an aspiring coworker asks me how to get enough work experience to qualify for CISSP. I think this shows a misunderstanding of the requirement, so I’m going to try to clear it up.
You don’t have to get your five years of experience in one big lump. And that’s a good thing, because that would be hard to do. Sometimes you can get a security job without one and work your way toward it, but a lot of employers want you to come in with the certification already.
But that’s OK. As long as you’re doing something more than selling computers at retail, odds are you have some security experience that can count toward the requirement.