I'm often asked why anyone should pursue and obtain a Certified Information Systems Security Professional (CISSP) certification and what advantages having the cert holds for an aspiring security professional. I've been enjoying helping others achieve this goal for almost three years, so I'm always happy to provide an answer. However, to provide a good answer, I need perspective — so I always reply with the qualifier, "It depends."
Depends on what? Allow me to offer some common perspectives.
A significant portion of people looking to land their first cybersecurity job want to know how having a CISSP influences employer decisions during the hiring process. The remainder have been in the information technology or information security field for years and view the CISSP not as a hiring advantage but as a necessary benchmark in their career. In some instances, these experienced professionals seek certification to stay employed during an economic downturn or to switch jobs when there is an employer preference or requirement for the certification.
For those in the former camp, please know that the International Information System Security Certification Consortium — (ISC)2 — requires CISSP candidates to have a minimum of five years of experience within at least two of the eight Common Body of Knowledge (CBK) security domains or four years of experience and a college degree. These requirements are necessary for maintaining the credibility of the certification. Those not meeting these minimum requirements can still sit for the CISSP certification exam and will be granted associate status until they meet them. Since cybersecurity is such a dynamic career field, (ISC)2 additionally requires all certified professionals and associates to continuously learn and upgrade their knowledge and skills.
CISSP's Storied History
Most newcomers are surprised that the CISSP has been around for a very long time. Created in 1994, the certification is currently held by over 70,000 CISSPs throughout the world, according to (ISC)2. A widely recognized standard of achievement, the CISSP holds the distinction of being accredited by major organizations, including ANSI, ISO/IEC, the Department of Defense, and the National Security Agency. For people in the DoD and NSA who are part of the Information Assurance (IA) workforce as defined by DoD Directive 8570.01, this means the CISSP is required, as it is for US federal civilian employees and government contractors interfacing with these organizations. Similar requirements may apply for non-U.S. candidates pursuing the CISSP for employment in non-U.S. military, intelligence and civilian government agencies.
To further enable employers, educators, employees and job seekers, recent NIST efforts have produced the August 2017 NICE (National Initiative for Cybersecurity Education) Cybersecurity Workforce Framework, which maps knowledge, skills, and abilities to standardized cybersecurity workforce roles and maps recommended certifications, like the CISSP, directly to those roles. Since a standard simplifies candidate selection during the hiring process, I predict that more employers will engage the NICE Framework to make informed candidate decisions in the future. As NICE is a NIST initiative, it's also a given that current and future US federal agency employees will be held to these new standards to a greater degree. In addition, progressive learning institutions are leveraging the Framework as a tool for curriculum development. These exciting changes within the industry should give all potential certification seekers an additional rationale for why the CISSP is still relevant now, more than 20 years since its inception.
"CyberSeek" the CISSP
A practical application of the Framework is illustrated by the NICE CyberSeek project. CyberSeek is a useful website for employers, employees, educators, and students seeking statistics and career planning insight regarding the current US cybersecurity workforce landscape. One of the most interesting features of this site is a cybersecurity supply-demand heat map focusing on the number of jobs filled and available based on each Framework role and cybersecurity certification type, including the CISSP. I recommend that everyone seeking a CISSP certification explore this site, particularly the heat map tool, which provides cyber workforce statistics at the national, state, and municipal levels. Motivated job seekers should note that the CISSP is the most employer-requested certification of all those listed on CyberSeek.
Finally, some personal insight: I started my cybersecurity career in 2010 after serving in various IT roles for the previous 15 years. When I decided I wanted to focus on cybersecurity, I realized how much variety existed across roles and became increasingly aware of my own confusion regarding concepts and terminology. I did not have a mentor to guide me. Industry hype and product marketing were not helping. I decided to set a goal to study for and obtain my CISSP certification and slowly began to wrap my head around fundamentals.
Since obtaining my certification, I've learned one of the most important aspects of being a CISSP is living out the values embodied by the (ISC)2 Ethics Statement. I choose to actively pursue those values by seeking to advance the profession, mentoring, and teaching others about cybersecurity. Today, the greatest degree of satisfaction I have in being a CISSP is helping others realize their goal of advancing their own career by also becoming a CISSP.
If you wish to learn more about CISSP certification, check out the SANS MGT414: SANS Training Program for CISSP® Certification course or research this topic online.