Another question from the big box o’ Google search queries: What are the real benefits of having a CISSP?
I don’t want to be flip, but here it is in two words: job security.
I’m about as generalist as you can get, and the market is full of generalists with low-level certifications or no certification. At any given time, before I got CISSP, I was doing well to find three or four job openings in my metro area that matched my skills and qualifications.
I started paying attention back in September or so of last year. And since then, I’ve been able to consistently find 8-10 jobs listing CISSP in their requirements. A guy who can do a lot of different things who has a CISSP is pretty marketable. And each time I’ve posted a resume update on the common job sites, my phone has started ringing within 24 hours. Without a CISSP, it always took a week or two for my phone to start ringing. And those phone calls have been worth taking. They’ve been serious jobs with pay that was at least in the ballpark of what I’m making now. I always get one person calling about an entry-level job who’s hoping I’m desperate enough to sit on a helpdesk somewhere, but that’s much easier to put up with when you get two serious inquiries that day as well.
I read this week that 51% of companies intend to hire information security specialists this year. Not all of those jobs will necessarily require CISSP, but since virtually every other security certification out there now is, for better or for worse, a subset of CISSP, having a CISSP qualifies you for more of those jobs than anything else.
A couple of weeks ago, I read that there are 74% more cybersecurity jobs today than there were a year ago.
“[Yoh senior vice president Don Hanson] sees demand for developers who can build secure applications, network engineers with security certifications, and architects who understand how to secure systems and processes. He says there is also a need for IT professionals to be involved with security monitoring, information assurance and regulatory compliance.”
You won’t pass CISSP without at least a passing familiarity with three of those four things.
“Most of these high-paying cybersecurity jobs are not for recent computer science graduates; instead companies are looking to hire IT professionals with five to 15 years of experience with security systems and processes as well as related certifications.”
Case in point is a former coworker of mine. Eight years ago, he was bouncing around from desktop support job to desktop support job. We both landed at an ISP within a few months of each other. We went our separate ways after about six months, after which he went and acquired about a half-dozen certifications, the most important of which are CISSP and CEH (Certified Ethical Hacker). I don’t know why he bothered with the other certs because CEH is the only one that doesn’t cover the same ground as CISSP, but if he really wanted to take all those tests and pay all those annual dues, that’s his business.
All he has is an associate’s degree, but with his wall full of certifications and about 8 years’ experience doing jobs he can easily spin as security-related, he’s carved out a nice career for himself as a security professional. He doesn’t bounce around every six months anymore.
The other benefit mentioned in the article is that security jobs are unlikely to be outsourced. In a time when even bridge and road construction is being outsourced–seriously, cities are hiring Chinese companies to bring in their workers and build infrastructure–that’s an important consideration.
CISSP isn’t an easy test to pass. There are about 75,000 CISSPs out there, and based on my certificate number, at least 425,000 people have taken the test. So that means more than 80% of people who take it don’t pass. But it’s certainly possible, if you study diligently and take the test seriously. Just taking a class usually won’t be enough.
To me, the question isn’t whether to get CISSP. The question is, after getting CISSP, how soon to go for CEH and/or a master’s degree in IT management.