Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

02:30 PM
Connect Directly
E-Mail vvv

Why the CISSP Remains Relevant to Cybersecurity After 28 Years

The venerable Certified Information Systems Security Professional certification has been around for a very long time -- and for good reason.

I'm often asked why anyone should pursue and obtain a Certified Information Systems Security Professional (CISSP) certification and what advantages having the cert holds for an aspiring security professional. I've been enjoying helping others achieve this goal for almost three years, so I'm always happy to provide an answer. However, to provide a good answer, I need perspective — so I always reply with the qualifier, "It depends."

Depends on what? Allow me to offer some common perspectives.

A significant portion of people looking to land their first cybersecurity job want to know how having a CISSP influences employer decisions during the hiring process. The remainder have been in the information technology or information security field for years and view the CISSP not as a hiring advantage but as a necessary benchmark in their career. In some instances, these experienced professionals seek certification to stay employed during an economic downturn or to switch jobs when there is an employer preference or requirement for the certification.

For those in the former camp, please know that the International Information System Security Certification Consortium — (ISC)2 — requires CISSP candidates to have a minimum of five years of experience within at least two of the eight Common Body of Knowledge (CBK) security domains or four years of experience and a college degree. These requirements are necessary for maintaining the credibility of the certification. Those not meeting these minimum requirements can still sit for the CISSP certification exam and will be granted associate status until they meet them. Since cybersecurity is such a dynamic career field, (ISC)2 additionally requires all certified professionals and associates to continuously learn and upgrade their knowledge and skills.

CISSP's Storied History
Most newcomers are surprised that the CISSP has been around for a very long time. Created in 1994, (ISC)2 currently identifies over 70,000 CISSPs throughout the world. A widely recognized standard of achievement, the CISSP holds the distinction of being accredited by major organizations, including ANSI, ISO/IEC, the Department of Defense, and the National Security Agency. For people in DoD and NSA camps who are part of the Information Assurance (IA) workforce as defined by DoD Directive 8570.01, this means the CISSP is required, as are US federal civilian employees and government contractors interfacing with these organizations. Similar requirements may apply for non-U.S. candidates pursuing the CISSP for employment in non-U.S. military, intelligence and civilian government agencies.

To further enable employers, educators, employees and job seekers, recent NIST efforts have produced the August 2017 NICE (National Initiative for Cybersecurity Education) Cybersecurity Workforce Framework, which maps knowledge, skills, and abilities to standardized cybersecurity workforce roles and recommended certifications, like the CISSP, directly to those roles. Since a standard simplifies candidate selection during the hiring process, I predict that more employers will engage the NICE Framework to make informed candidate decisions in the future. As NICE is a NIST initiative, it's also a given that current and future US federal agency employees will be held to these new standards to a greater degree. In addition, progressive learning institutions are also leveraging the Framework as a tool for curriculum development. These exciting changes within the industry should provide all potential certification seekers an additional rationale on why having the CISSP is still relevant now more than 20 years since its inception.

"CyberSeek" the CISSP
A practical application of the Framework is illustrated by the NICE CyberSeek project. CyberSeek is a useful website for employers, employees, educators, and students seeking statistics and career planning insight regarding the current US cybersecurity workforce landscape. One of the most interesting features of this site includes a cybersecurity supply-demand heat map focusing on the number of jobs filled and available based on each Framework role and cybersecurity certification type, including the CISSP. I recommend that everyone seeking a CISSP certification explore this site, particularly the heat map tool, which provides cyber workforce statistics at the national, state, and municipal levels. Motivated job seekers should note that the CISSP is the highest employer-requested certification of all those listed on CyberSeek.

Finally, some personal insight: I started my cybersecurity career in 2010 after serving in various IT roles for the previous 15 years. When I decided I wanted to focus on cybersecurity, I realized how much variety existed across roles and became increasingly aware of my own confusion regarding concepts and terminology. I did not have a mentor to guide me. Industry hype and product marketing were not helping. I decided to set a goal to study for and obtain my CISSP certification and slowly began to wrap my head around fundamentals.

Since obtaining my certification, I've learned one of the most important aspects of being a CISSP is living out the values embodied by the (ISC)2 Ethics Statement. I choose to actively pursue those values by seeking to advance the profession, mentoring, and teaching others about cybersecurity. Today, the greatest degree of satisfaction I have in being a CISSP is helping others realize their goal of advancing their own career by also becoming a CISSP.

If you wish to learn more about CISSP certification, check out the SANS MGT414: SANS Training Program for CISSP® Certification course or research this topic online.

Related Content:


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

A native Houstonian and proud Texan by birth, Steven's cultural and technical roots are naturally and irreversibly intertwined within the oil and gas industry. His range of operations, engineering, and major capital project experience spans multiple sectors within this very ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
11/9/2018 | 2:33:27 PM
Re: Security Fundamentals Aren't Changing
True - the fundamentals have not changed and nearly every organization would benefit from a review and re-emphasis of those fundamentals.

But neither can we lose sight of the fact that today's Internet is really just a large experiment that grew wildly out of control and has long since escaped the laboratory.  The early ARPAnet pioneers weren't thinking about security - they were too busy trying to figure out the basic communications between systems.  Many of today's problems are directly traceable to a couple of dozen scientists and engineers who knew each other at least casually and who never envisioned the rapid global expansion of their experiment.  In the days when every single email address in existence fit easily on one side of a standard sheet of paper, nobody was concerned about identity theft or malware.

Yes the fundamentals are still completely necessary.  But they cannot be the entire solution.  When the underlying technologies which built the Internet are inherently insecure, we need more than fixing current software.
User Rank: Apprentice
11/8/2018 | 1:34:12 PM
Security Fundamentals Aren't Changing
The work the CISSP certification is based on was performed in the late 60s and early 70s when it was "discovered" that only trust of the Systems staff wasn't adequate security protection.

Fundamentals are fundamentals. I have a chemistry professor friend who puts it this way in her field, "The Periodic Table of the Elements hasn't changed much lately."

The real area of concern should be, why are we still not caught up with the security processes of those early mainframe days?

One might also ask a similar question about the engineering quality of software in many devices attached to the internet these days. We could be asking ourselves, "If we don't have time to do it right the first time, when will we have time to redo it?"

We could also ask, "How will we undo/extract the damage done from putting that defective software out there in the first place?"
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-01
Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.
PUBLISHED: 2020-10-01
The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets.
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.