A CISSP is a professional certification. To attain CISSP, a professional must pass a six-hour, 250-question test and must have five years of professional experience doing work related to computer security. But after attaining the certification, what does a CISSP do?
An easy question on the test would involve what you have to be concerned about when running network cable through an HVAC duct. A medium-difficulty question might ask whether the CDMA or GSM standard for cell phones is more secure, and why. A hard question or series of questions would involve reading several pages of executive summary about a data breach and making recommendations to prevent it from happening again.
What does a CISSP do?
Some of us are security generalists. Some of us specialize. I specialize, to the extent I can, in the field of vulnerability management. That means scanning a network for missing patches. I can also develop a plan for deploying those missing patches effectively and efficiently.
Some CISSPs just look at business relationships and determine whether business partners handle data effectively.
A CISSP is not an expert on all things computer security. Nobody is. I know one CISSP who gets an uneasy feeling when he sees something wrong, then he calls someone for a second opinion. Sometimes that person is me.
What does CISSP stand for?
CISSP stands for Certified Information Systems Security Professional. Broadly speaking, this means computer security, but computer security encompasses a lot of non-obvious things. For example, I had to learn about fire suppression.
I had a former coworker, a systems administrator, tell me he thinks CISSP stands for Can’t Interpret Simple [Stuff] Properly. In that CISSP’s defense, a sysadmin usually isn’t expected to deal with Windows, Unix, and Cisco configuration. It’s not uncommon for a CISSP to have to. I’m not very good at looking at Cisco configurations either, but I can tell you what to do to stay safe if you can’t patch Java. I’m also supposed to be conversant in fire safety, physical security, and insurance, and know enough to say something if I see someone about to make a mistake that could prove expensive, put lives in danger, or both.
What does a CISSP make?
This is all nice, but what does a CISSP make? I recommend you talk to a recruiter familiar with your area to get a good estimate because it can vary based on a number of factors, including experience. I think $75,000 is a reasonable floor in most parts of the United States. In a position of high seniority, the salary can be much higher. In areas with a high cost of living, the salary will be much higher.
Some people say the CISSP has lost something over the years because of the number of people who have it. That may be, but I still don’t think there are enough of us to go around. Back when I started thinking about getting CISSP around 2009, I remember seeing more than 60 job postings in St. Louis requiring it. Today there are at least twice as many. Maybe employers are pickier now than they were in 2009. I know I’m pickier. I can administer web content filtering proxy servers. Would I be happier doing that than what I’m doing now? In 2009 the answer was always yes. Today? Not always.