The venerable Certified Information Systems Security Professional certification has been around for a very long time -- and for good reason.

Steven Paul Romero, SANS Instructor and Sr. SCADA Network Engineer, Chevron

November 6, 2018

5 Min Read

I'm often asked why anyone should pursue and obtain a Certified Information Systems Security Professional (CISSP) certification and what advantages having the cert holds for an aspiring security professional. I've been enjoying helping others achieve this goal for almost three years, so I'm always happy to provide an answer. However, to provide a good answer, I need perspective — so I always reply with the qualifier, "It depends."

Depends on what? Allow me to offer some common perspectives.

A significant portion of people looking to land their first cybersecurity job want to know how having a CISSP influences employer decisions during the hiring process. The remainder have been in the information technology or information security field for years and view the CISSP not as a hiring advantage but as a necessary benchmark in their career. In some instances, these experienced professionals seek certification to stay employed during an economic downturn or to switch jobs when there is an employer preference or requirement for the certification.

For those in the former camp, please know that the International Information System Security Certification Consortium — (ISC)2 — requires CISSP candidates to have a minimum of five years of experience within at least two of the eight Common Body of Knowledge (CBK) security domains or four years of experience and a college degree. These requirements are necessary for maintaining the credibility of the certification. Those not meeting these minimum requirements can still sit for the CISSP certification exam and will be granted associate status until they meet them. Since cybersecurity is such a dynamic career field, (ISC)2 additionally requires all certified professionals and associates to continuously learn and upgrade their knowledge and skills.

CISSP's Storied History
Most newcomers are surprised that the CISSP has been around for a very long time. Created in 1994, the CISSP is currently held by over 70,000 professionals throughout the world, according to (ISC)2. A widely recognized standard of achievement, the CISSP holds the distinction of being accredited by major organizations, including ANSI, ISO/IEC, the Department of Defense, and the National Security Agency. For people in DoD and NSA camps who are part of the Information Assurance (IA) workforce as defined by DoD Directive 8570.01, this means the CISSP is required, as it is for US federal civilian employees and government contractors interfacing with these organizations. Similar requirements may apply for non-U.S. candidates pursuing the CISSP for employment in non-U.S. military, intelligence and civilian government agencies.

To further enable employers, educators, employees and job seekers, recent NIST efforts have produced the August 2017 NICE (National Initiative for Cybersecurity Education) Cybersecurity Workforce Framework, which maps knowledge, skills, and abilities to standardized cybersecurity workforce roles and maps recommended certifications, like the CISSP, directly to those roles. Since a standard simplifies candidate selection during the hiring process, I predict that more employers will engage the NICE Framework to make informed candidate decisions in the future. As NICE is a NIST initiative, it's also a given that current and future US federal agency employees will be held to these new standards to a greater degree. In addition, progressive learning institutions are also leveraging the Framework as a tool for curriculum development. These exciting changes within the industry should provide all potential certification seekers an additional rationale on why having the CISSP is still relevant now, more than 20 years since its inception.

"CyberSeek" the CISSP
A practical application of the Framework is illustrated by the NICE CyberSeek project. CyberSeek is a useful website for employers, employees, educators, and students seeking statistics and career planning insight regarding the current US cybersecurity workforce landscape. One of the most interesting features of this site is a cybersecurity supply-demand heat map focusing on the number of jobs filled and available based on each Framework role and cybersecurity certification type, including the CISSP. I recommend that everyone seeking a CISSP certification explore this site, particularly the heat map tool, which provides cyber workforce statistics at the national, state, and municipal levels. Motivated job seekers should note that the CISSP is the highest employer-requested certification of all those listed on CyberSeek.

Finally, some personal insight: I started my cybersecurity career in 2010 after serving in various IT roles for the previous 15 years. When I decided I wanted to focus on cybersecurity, I realized how much variety existed across roles and became increasingly aware of my own confusion regarding concepts and terminology. I did not have a mentor to guide me. Industry hype and product marketing were not helping. I decided to set a goal to study for and obtain my CISSP certification and slowly began to wrap my head around fundamentals.

Since obtaining my certification, I've learned one of the most important aspects of being a CISSP is living out the values embodied by the (ISC)2 Ethics Statement. I choose to actively pursue those values by seeking to advance the profession, mentoring, and teaching others about cybersecurity. Today, the greatest degree of satisfaction I have in being a CISSP is helping others realize their goal of advancing their own career by also becoming a CISSP.

If you wish to learn more about CISSP certification, check out the SANS MGT414: SANS Training Program for CISSP® Certification course or research this topic online.

About the Author(s)

Steven Paul Romero

SANS Instructor and Sr. SCADA Network Engineer, Chevron

A native Houstonian and proud Texan by birth, Steven's cultural and technical roots are naturally and irreversibly intertwined within the oil and gas industry. His range of operations, engineering, and major capital project experience spans multiple sectors within this very diverse energy vertical.

Professionally, Steven's 22-year career inside engineering offices, operations centers, control rooms, refineries, chemical plants, shipyards, ports, as well as onshore and offshore oil and gas production facilities around the world provides him with a unique perspective concerning society's fundamental dependency upon resilient critical infrastructure. This insight gives Steven a deep appreciation and love for the culture that defines oil and gas, and a thorough understanding of the stringent requirements to which organizations must adhere to ensure safe, reliable, and secure operations under very unforgiving and harsh environmental conditions.

Steven blends information security risk management, industrial control systems (ICS) engineering, safety instrumented systems (SIS) engineering, SCADA infrastructure engineering, maritime navigation and communications facilities installation, terrestrial and wireless telephony design, and management of core IT infrastructure services for the largest oil and gas organizations in the world into an interesting package focused on safety, security and resiliency.