Once people finish asking me how hard CISSP is, they often follow up with another question: Is CISSP worth it? As long as you have something to back it up with, I think the answer is a resounding yes.
Let’s get one thing out of the way first. CISSP does not guarantee competence, and therefore, it does not guarantee a job. It’s possible to game any system, and CISSP is no exception.
That said, the best security professionals I’ve worked with were CISSPs. I’ve worked with good security professionals who weren’t. Some were very proud they weren’t. The guys who were proud not to be CISSPs had issues.
If nothing else, CISSP forces exposure to things those proud not-CISSPs wouldn’t look at on their own. It also forces a certain amount of experience. Many security professionals I’ve worked with lack the seasoning they need to be really effective.
All that said, CISSP is like anything else. You have to put something into it to get the benefit. It’s possible to game the CPE system. You can get enough CPEs by going to two or three security trade shows, getting vendors to scan your badge and fill up your swag bag, and skipping the lectures. You learn nothing, but you get your paper credits.
CISSPs who do that aren’t going to be effective. Here’s what you need to do instead.
Recruiters and HR departments don’t necessarily know that, so if you have a CISSP, you’re going to get tons of phone calls and LinkedIn messages. You won’t automatically get the interview, and you won’t automatically get the job. But there’s no such thing as a dead-end job for a good CISSP. As a CISSP, it takes me less than two months to find a new job. It takes 6-12 months to find one without it.
Pay-wise, getting a CISSP moved me up about one pay grade. It took additional experience to get me to the next pay grade. But I know very good, very competent IT pros who are still making what they were making in 2005, once you adjust for inflation.
So I don’t complain about the cost of the test or the maintenance fees. The CISSP ended up costing me less than the clothes I have to buy to look the part at a higher pay grade. That’s the problem you want to have.
So is CISSP worth it? For me, it’s a resounding yes.