Do I have enough CISSP work experience?

It seems like about once a month an aspiring coworker asks me how to get enough CISSP work experience. I think this shows a misunderstanding of the requirement, so I’m going to try to clear it up.

You don’t have to get your five years of work experience in one big lump. And that’s a good thing, because that would be hard to do. Sometimes you can get a security job without a cert and work your way toward it, but a lot of employers want you to come in with the certification already.

But that’s OK. As long as you’re doing something more than selling computers at retail, odds are you have some security experience that can count toward the requirement.

Working a helpdesk. Do you reset passwords? That's security work: it's identity and access management, even if nobody calls it that. Estimate the fraction of your time that went to resetting passwords and similar account work, multiply it by the number of years you spent on the helpdesk, and that slice of time counts.

Desktop support. Have you cleaned viruses? Applied updates? Recovered data? All of this is security work that counts toward the requirement. Again, take the fraction of your time spent on these tasks, multiply it by the number of years you spent in the role, and that whittles away at your five years.

Server administration. Do you apply patches? Administer backups? Administer a centralized antivirus server? Create user and/or service accounts? All of this is security work that counts toward the requirement. Do the same arithmetic: the fraction of your time on these tasks, multiplied by the years you spent doing them, whittles away at your five years.

Network administration. Do you create firewall rules? Create ACLs? Administer VLANs? This is absolutely critical security work. All of it. About the only thing a network administrator might do that wouldn't count toward this requirement is racking the hardware. I can't think of much else. Take the fraction of your time spent on applicable tasks, multiply it by the number of years you spent, and that whittles away at your five years.

All you need to do is create a resume outlining the security-related tasks you’ve done in every job position, then find a CISSP in good standing to go over it with you. Ideally it would be a CISSP you’ve worked with for part of that time, but that’s not absolutely necessary.

In my case, my sponsor stepped backwards through my resume, tallying up the number of years of creditable experience I had at each position and initialing each one. I think he counted up seven or eight years' worth. At the time, I had been an IT professional for about 15 years. (I'd be better off financially if I hadn't waited that long, but I think spending 7-8 years as a systems administrator makes you a better security professional; you understand more of what you're securing if you do.)

At any rate, all those years being the junior guy in the shop paid off in my case. Nobody else wanted the security-oriented work, so it fell to me. It made meeting my requirements easy.

And on an everyday level, all those years of pushing patches proved very useful when interacting with operations/infrastructure teams as a security analyst. Then, when I moved into the sales/support realm, working for a vulnerability management vendor, that experience on the other side became even more valuable. Not only have I heard every argument those teams make about patching, I've been on both sides of those arguments.

So that’s how I knew I had enough CISSP work experience. Hopefully that helps you answer the same question for yourself too.
