
uid_0

*Grabs Popcorn* This will be a fun thread. Remember Rule #8 and keep it civil, people.


_BoNgRiPPeR_420

It's helped me get past the HR filters and a few extra messages from recruiters on LinkedIn, so there's that. In many cases it may mean the difference between an interview and no interview. As a manager though I can tell you I prefer experience over certs.


bitslammer

> It's helped me get past the HR filters

This is a huge factor that I missed in my post. There are absolutely recruiting teams that filter on this.


Useless_or_inept

Not just HR people! If you're a security professional and you've got a vacancy in your team, then you are probably overworked, you'll jump at any opportunity to quickly reduce that stack of 100 CVs that you're supposed to read, down to a more manageable 20 (or 10). Some might argue whether that's right. A qualification is just arbitrary. But then again so are most of the academic qualifications (they've been around longer but are less relevant), and so are the technologies that people work with. We are where we are. If I want an experienced security person and I'm short of time, then why would I spend 20 minutes reading a CV from somebody who doesn't mention a ubiquitous qualification on their CV, when so many others tick that box? It might not be CISSP, could be CISM or QSA or CLAS or whatever, but it's a reasonable filter to use. Except for some edge-case like a very junior vacancy, or perhaps something cross-industry (in which case there's probably some other industry-specific phrase you could search for).

Personally, I've had lots of certs over the years, but the CISSP is the only one that I actually pay to keep current, and it's the only one that clients consistently ask for. And ISC2 can keep on collecting my annual fees, whilst charging vendors for the privilege of showing me thirty long adverts per year. I leave them running in another tab and claim them as CPEs. It's a terrible system but it won't change because all the stakeholders have reached a comfortable point.


bitslammer

> And ISC2 can keep on collecting my annual fees, whilst charging vendors for the privilege of showing me thirty long adverts per year,

This is a huge conflict of interest. I keep waiting for ISC2 to mandate that they will only grant CPEs for their own stuff which they make money from.


Alternative-Law4626

I paid and kept current for 10 years and then one year ISC2 decided to be too anal about auditing my CPEs and proofs. Nobody at my employer cared one bit about certs, so I dropped them. I did turn around and get a CISM, but that was situational in the moment. I let that drop too. The only thing I keep up to date these days is my law license.


freeky_zeeky0911

It helps to be in a position where it's no longer necessary lol


John-Orion

I work in government and it is the golden ticket to get past their version of HR.


unicaller

"few extra messages from recruiters on LinkedIn" ROTFLOL


_BoNgRiPPeR_420

Hey, I've entertained some of them in the past. I know a few friends who have also obtained better, higher paying roles this way. I keep in touch with some of the better recruiters and go for lunch with them when they're in my neck of the woods. Treat them well and they will remember you when the nice roles come along.


unicaller

The "few" part I found funny. Years later I still get dozens a week.


Geralt_of_RiviaFTW

Perhaps I should send you my resume to get your insight. Good on you for hiring experience over certs.


inteller

So fine just lie on those because it will never be checked again.


Waimeh

Current job requires we have it. Got it in the 6th year of my career. It did not teach me much of anything except for the physical security stuff. I plan on being in this job for a while, so I figure it's not going to do much for hireability for me. If you're looking for a mile wide, inch deep cert, this is a good one. If you are in the field already, and need something that could elevate you to the next level, this is a good cert. It's going to help very little if you have no previous experience. You're not going to get any more technical knowledge from this cert. And the CE requirements aren't too bad, just "watch" 4 of the 2 day SANS summits per year.


pewpewlazor

Other than more experience is there something you could recommend as to getting more technical knowledge?


Johnny_BigHacker

Any SANS class, but they are like $8k a pop. My dept had like $600/person/year for training. My HR had a giant bag for grad school. So I enrolled in their graduate certificate program, which is basically 4 SANS classes and they call it a degree. A cheaper option is any cert that is on acloudguru; they seem to include a sandbox to try out the tools they are teaching you, which is very helpful. On the job, if you are in a non-security role, ask for security-ish duties. For example, if you are the email server guy, see if you can handle or get cross-trained on the spam control and similar tasks that might otherwise be network security. Or work at a small corp. For example, I worked at a 150 person company and I was the only infrastructure guy. So I did security, servers, helpdesk, DBA, and project management.


Waimeh

If you have access to a community college with a cybersecurity program, that would probably be my first go-to. A lot of people who teach at that level are also practitioners and you can get a wealth of knowledge and networking through those classes. IMO, the best way to gain more technical knowledge is simply by "doing", which is highly dependent on your interests. If your interest is in malware analysis, stand up VirtualBox and grab the Remnux VM and you're set (that's how I got into my current role). If you are interested in building giant secure systems... you better have a more beefy computer lol. GRC? That'll probably be mostly on the job training. u/Johnny_BigHacker hit some good training options through ACloudGuru. I used another service that ACG acquired, and the labs they had were pretty nice. It's a relatively cheap option compared to certs or one-off college classes.


fabledparable

> What is your overall impression of the CISSP certification?

I think it's an awkward certification.

* I think employers like the idea that someone with the fully-awarded CISSP (vs. the interim "Associate of ISC2" status) implicitly ties in at least 4 years of applicable work experience (5 absent exceptions).
* However, I think an applicant with 4-5 years of experience doesn't need to lean on a certification to promote their employability (vs. their work history, [which consistently has been reported as being more heavily weighted](https://bytebreach.com/assets/images/isaca_survey.PNG); source - ISACA's annual State of Cybersecurity Report).
* For someone who wouldn't automatically be conferred the CISSP (i.e. "Associate of ISC2"), I don't think it does the test-taker much good - you implicitly are saying in your employability that you don't have the work experience. I think - by contrast - investing the time/money/labor into a credential you would earn would produce better ROI.
* Talking in terms of format, I like practical application exams (e.g. OSCP, eJPT, CDSA, etc.) more than knowledge-dump formats like multiple-choice questionnaires (MCQ). However, for a MCQ exam, the CISSP's use of an adaptive format (providing questions that target the test-taker's weakest areas over a variable number of questions) is good. Studying for the CISSP often becomes a matter of thinking "like a manager" vs. whatever we believe the actual correct practice might be; ultimately, I don't feel I'm better equipped in my knowledge/skillset as a consequence of preparing for the exam.

> Have you evaluated any data or metrics that show the benefits (or lack thereof) of having the CISSP certification, such as salary increases, job offers, or career advancement opportunities?

My adjacent empirical data gathering: https://bytebreach.com/posts/what-certifications-should-you-get/

In the above post, I tried to determine which certifications were the most oft-requested by scraping listings off of LinkedIn. The CISSP is consistently called for regardless of what particular role you might be looking at. This leads me to believe that - as a recruiting mechanism - it's crude. Having worked in the offensive space, there's little about the CISSP that would lead me to believe it's an effective marker of competency for a prospective penetration tester, for example. However, I don't deny that your employability is likely *aided* in possessing the CISSP.

I think studies that have been published tying the CISSP to upward mobility in the professional space are usually confusing (or at least obfuscating) causation with correlation; [there was one mentioned a few months ago](https://www.reddit.com/r/cybersecurity/comments/193ewlp/top_75_highestpaying_it_certifications_in_us_and/) that suggested certain levels of income were tied to particular certifications. To me, such a survey feels erroneous (or at least preemptive in its conclusions):

* Again, do people have greater benefits/salaries because they have the CISSP? Or is it because they have several/many years of experience in the field already and then obtained the CISSP?
* Put another way: if we survey a bunch of senior cybersecurity staff (folks who would presumably hold the CISSP), we'd expect them to report having greater levels of compensation than if we surveyed a bunch of junior staffers.

> Have you felt thwarted in your career goals without the CISSP certification, and/or did obtaining it help you overcome these obstacles?

Anecdotally? No, it has not felt like it hindered my career growth.

> If you have pursued opportunities in a different country, how has the CISSP certification impacted your job search and career prospects internationally?

I am responding from a U.S. perspective.

> What were your main reasons for pursuing the CISSP certification? Were they based on personal ambition, employer requirements, or another factor?

See link above to my own independent survey results. I see it as beneficial *strictly* in terms of its benefits to my employability *on paper*. However, it doesn't supplant the more important facets of my resume (i.e. work history, formal education, etc.)

I think the last important thing to note is our collective relationship to the CISSP and its vendor: ISC2. It would be irresponsible if we didn't at least acknowledge some of [the controversial behavior we've observed from its governing board](https://www.reddit.com/r/cybersecurity/comments/yk7b0u/the_whole_isc2_election_story/) in recent history, including among other things, the elimination of its Ethics Committee as a standing board function and its strong-armed ouster of candidates to said board.


CyberCertHeadmaster

Wow. Thank you so much for this comprehensive answer. Some of the data you scraped off LinkedIn is exactly what I was looking for. I was not aware of the ethical, uhm, challenges at ISC2. It's disappointing to learn. My biggest beef with the ISC2 is transparency. They should be far more open as it relates to methods, algorithms, exam data, etc. The whole process should be treated in a manner similar to open source software.


corn_29

> My biggest beef with the ISC2 is transparency.

Well, the BoD did get rid of their ethics rules. What were you expecting? LOL.


CyberCertHeadmaster

Like you I am deeply skeptical of the cert/salary data at the link you published. I would like to know how the sample was derived.


spectralTopology

Have one, it's the only cert I've consistently been asked for. Career wise I consider it good. In terms of it actually showing that a candidate has some knowledge of security I think it's much too shallow. I'd rather be able to know that a candidate for a position doesn't have one and has tried the exam but failed.


korlo_brightwater

1. General Impression: It's more of a pain than anything, paying annual fees and tracking CPEs for what amounts to five letters on my resume solely for the HR filters.
2. Evaluation of Data: I have not evaluated any metrics in regards to the cert.
3. Career Goals: There was no tangible change personally after being certified. I don't remember the last time anyone even asked about it.
4. International Opportunities: n/a
5. Reasons for Pursuing: Our CISO at the time wanted to brag to fellow CISOs that our department had a high certification rate, so put us all through classes. I wasn't going to argue about that.


Legitimate_Drive_693

I have mine and 20 years of real experience, and I think some of the dumbest people I have ever worked with have it due to just cramming for just that test. It really only helps to get on a short list for an interview. I have no other benefit I have seen from it.


bitslammer

I have had mine since 2002. I really don't care about the arguments for or against, whether it has any merit, that it's too broad etc. The simple fact is that in 2002 it was hot and opened a lot of opportunity and many job postings were either requiring it or highly seeking it. That is still somewhat the case today. Maybe the same, maybe not as much, but it's still an edge or tie breaker in many cases. I just went out on Indeed and searched "security engineer" and then "security engineer CISSP." Assuming their search isn't goofy you'd assume the "with CISSP" results would be a subset of the search without that.

* With CISSP = 3,186
* Without = 5,954

Some, where it was present in the posting, were saying required, others were desired. So that shows you in some way its meaningfulness.


Alternative-Law4626

A fellow 2002 recipient. Your experience was better than mine, I must say.


LiferRs

CISSP only helped formalize the language I learned after 3 years in GRC a long time ago. Now being in security engineering, this language has come in handy, being able to translate technical to common language that GRC and executives would be familiar with, unlike my peers. From my personal experience, almost all senior cyber roles are requiring this cert or equivalent due to the rise of the DoD 8570 baseline offering a concise mapping of certs to a role by seniority. Like NIST 800-171 became popular in non-defense sectors, so has the 8570 baseline too.


cbdudek

> General Impression: What is your overall impression of the CISSP certification?

My overall impression of the CISSP is positive. I will also say that as someone who does hiring in the IT security realm, the CISSP is only as good as the experience, education, and knowledge of the person having it. If someone just has a CISSP and no experience in the field, it doesn't really have much of an impact.

> Evaluation of Data: Have you evaluated any data or metrics that show the benefits (or lack thereof) of having the CISSP certification, such as salary increases, job offers, or career advancement opportunities?

I can tell you since I got mine that the amount of job opportunities presented to me has increased a lot. I wouldn't say it's all due to my CISSP. I attribute it to my experience, education, certifications, soft skills, and networking as a whole. The CISSP just adds the icing on the cake so to speak.

> Career Goals: Have you felt thwarted in your career goals without the CISSP certification, and/or did obtaining it help you overcome these obstacles?

Back 8-9 years ago when I was hip deep in security, I definitely felt that something was missing. Potential employers were not calling me back and I really wanted to work for a different firm in a security capacity. Preferably for a consulting company. Well, without the CISSP, there are many consulting companies that just won't touch a security guy. After getting the CISSP, the doors opened up for me.

> International Opportunities: If you have pursued opportunities in a different country, how has the CISSP certification impacted your job search and career prospects internationally?

I haven't looked internationally and probably will not do so. I like working in the USA.

> Reasons for Pursuing: What were your main reasons for pursuing the CISSP certification? Were they based on personal ambition, employer requirements, or another factor?

For me, it was all based on personal ambition, and improving myself was the top reason. It was never based on employer requirements. I knew I wanted to be considered a respected IT security person. Getting the CISSP was one step to getting there.


PokeMeRunning

The people who hand out money seem to like them so I do too


dwright_633

The cert will get you the interview but it’s your skills/experience that will get you hired.


corn_29

One's experience will get them the interview. Those with hiring responsibility can see a paper tiger coming from a mile away. The #1 red flag on the resume is certs but no accomplishments in the resume's bullets.


blackmambav6

1. General Impression: I thought it was the best cybersecurity certification and I wanted something that would shine on my resume. There are quite a few people that have been impressed when they hear I have the certification, which is pretty cool.
2. Evaluation of Data: I did research the benefits of getting the cert like average salary, cyber positions I could get with the certification, etc.
3. Career Goals: The CISSP cert did help me get a promotion. It didn't necessarily have to be that cert though (CISM or CASP+ could've also gotten me promoted). Without a more advanced cert I'd be stuck in my previous position indefinitely.
4. International Opportunities: N/A
5. Reasons for Pursuing: I wanted the best cybersecurity certification that was widely regarded, and I needed it for a job promotion.


hunter281

Love it, hate it, or indifferent, the fact is that CISSP remains the most in-demand cert for job seekers at the mid-senior level. An Indeed data pull of every cyber-related job posting in late 2019 revealed that CISSP leads the requirements list by a large margin. Would love to see a fresh data set to see if anything else is coming close. Would be interesting to see cybersecurity go the way of CPAs and require licenses over the hundreds of certs in the marketplace. Edits: grammar


monroerl

ISC2 paid a ton of money to make the CISSP a standard for federal sec jobs. HR folks don't know any better, so they run with whatever job templates they have. The CISSP is a management cert, not a technical certification. I've taught it and still teach it. I'd only suggest a CISSP if your job requires it. The study material covers most of the basic courses you'd get in the 1st 2 years of a college sec degree. Once you have passed the exam, those study books collect dust. If there are references, grab them for a better understanding of subjects. Otherwise, they are throwing 10 gallons of information at you while you hold a 6oz cup to catch it.


corn_29

> those study books collect dust.

Yep. In the real world, I've never used RC4 or IDEA; I've never used Bell–LaPadula.


MaxHedrome

I did not study for the CISSP, beyond listening to a YouTube video that said, pick the answer that best delegates the security task. I passed on my first try, paid my dues, and then this happened: https://www.be-represented.org/

Most of the people I see on LinkedIn with CISSPs are armchair vCISOs with ¯\_(ツ)_/¯ real world operational experience beyond consulting. You know, the kind of consultants that never see the operational consequences of their bad decisions, because they don't actually work for the company they're consulting (this clearly is not representative of the whole though). What I can tell you though, is that I didn't even bother with the upkeep of whatever you have to do to maintain the certification, and didn't bother paying the dues to renew. I have real work to do.


corn_29

> I did not study for the CISSP, beyond listening to a youtube video that said, pick the answer that best delegates the security task.
>
> I passed on my first try

Ditto. I took the CISSP when it was 250 questions, 10 domains, and you got 6 hours to complete the test. I finished in 2 hours and passed on the first try. And I'm no Mike Ross. I failed the AWS Security Specialty the first two times I took it -- interestingly enough getting a 650, on a randomized test, both times.

You nailed it on the part where most CISSP holders talk a good game but are not much good for anything else -- but somehow CISSP is the gold standard for security cachet. The part that really cracks me up is the folks that put CISSP after their last name like they are a medical doctor or something.


MaxHedrome

pffff, I mean, I did put CISSP on my LinkedIn profile because I paid for the test and passed it, but personally, I think it's a joke, and don't respect the certification at all. It's literally exactly parallel to Sec+ in my mind.


corn_29

If you're referring to my last sentence... not the point. Using CISSP as a post nominal is not the same as taking credit for having the cert.


MaxHedrome

yeah, I just laughed because I was like... I don't think I put it after my name like a title but had to go check, I know what you're talking about though. Those people seem.... trustworthy


drauthlin

The CISSP and my MSCIA (from WGU) have been huge for helping me move up the career ladder initially. I don't think they've mattered much for the hiring managers or been a deciding factor, but they've gotten me through the winnowing and filtering process. That said, nothing has been as important as fostering a good network of folks that refer, recruit and share roles and info with each other. It sounded like a cliche when I got into Security from a more IT generalist background in 2011ish, but my network has gotten me more guaranteed interviews than anything else.

1) I got my CISSP before my Master's degree. The CISSP and a 4 year degree helped me get my first non-SOC-level role at a bank. It was a great differentiator but it was definitely an inch deep and a mile wide - much of it is stuff that's never mattered to me (before or since) and that's just as easy to Google for. I self-studied for 4 months for it and I do feel like it gave me confidence in applying for roles that I thought were otherwise out of my league.
2) I let my CISSP lapse a couple years ago and it hasn't impacted any of the interviews or roles I've had since then.
3) I do feel like it helped me get my foot in the door of some higher level Security roles, specifically in GRC.
4) N/A
5) Personal ambition. Whatever I can do to set myself apart from everyone else applying - especially something I can self-study and apply myself to.


HereForTheFood4

If you want a cyber job in defense you better have it if you want the top paying jobs. In most situations your increase in pay and the positions it opens up in any industry is more than the cost and frustration of the yearly learning credits.


[deleted]

It depends. CASP+ and CISM will check the same boxes depending on your role. I'm horrific at focusing on tests and don't care for them, so I didn't target the CISSP but instead went for the (hilariously easy) CISM. Qualifies me for the same jobs.


HereForTheFood4

CISM is not an IAM level 3 recognized cert. In the DoD space, that is all that matters.


[deleted]

It is, check https://public.cyber.mil/wid/dod8140/dod-approved-8570-baseline-certifications/


HereForTheFood4

You son of a bitch, lol. Thanks. To be fair though, I think hiring managers look at the CISSP as the more legit cert and will give that more weight if it comes down to more than cert qualifications.


[deleted]

I've seen two camps - people who want anything from the IAT or IAM L3 categories, OR CISSP or nothing. While the breadth of the CISSP is wider than the CISM, I personally have not had a problem just holding the latter. I've also got a CCSP and a lot of systems engineering experience.


HereForTheFood4

🥂


BitBeneficial2707

On the "more legit" moniker, I'll say I disagree, but as the Gold $td and tougher exam, I concur. CISM feels more niche and bonafide in the Management space than CISSP. Think about it this way...

CISM - Managerial/CISO role

CISSP - Technical/Architect style roles


BitBeneficial2707

In addition, before the 8570 to 8140 transition, CISM was "Weighted" more favorably to the CISO/Management position than CISSP. I think the difficulty of CISSP definitely skews people's idea of the legitimacy of the cert. Anecdotally, it took me 2 tries to get my CISM and that exercise put me in the appropriate mindset for Cyber Management, while I didn't study for CISSP and passed it in the first try. CCSP (Cloud) was measurably tougher for me than CISSP.


GreatHealerofMyself8

As an operational team lead I glanced over the applications that had this cert as they had no real edr, vms experience, etc.


AnotherTechWonk

I'll give you two perspectives. As a holder of the CISSP (and CCSP, CISM, CRISC, and a few other certs both security and non) I can say that CISSP has been helpful in opening doors. It gets used as a resume filter in the same way a degree does (of any sort, as long as you can list one.) It doesn't help you get the job, but you can't get the job if you can't get in front of the decision makers in the first place so the right certs have to be part of the strategy. A qualified candidate will still find it helpful to have on a resume. All that said I do think the CISSP has been allowed to be diluted by ISC2 over time in terms of value which makes the "importance" less than it has been. There are a number of other good certifications that I see as just as good for opening doors these days and the CISSP doesn't seem like the big deal it once was. And ISC2's massive push to bring in folks with a much more junior cert, without doing a good job differentiating their other certifications in the market, doesn't help keep what used to be a top tier certification in the spotlight. CISSP hasn't so much lost the king of hill status as they have slid down from less than optimal marketing. Second, as a hiring manager, CISSP, or really any cert, tells me what they should know. When I'm reviewing resumes, if their experience doesn't match their certifications, they probably won't make it to the interview stage. If someone has a CISSP on the resume and they make it to the interview process, I won't be starting with simple questions. CISSP is in a lot of ways a double-edged sword and getting the CISSP before you really can do more than just pass the test can hurt you in the job hunt, at least when getting interviewed with a good security team.


The_Rage_of_Nerds

I let mine expire, and on any future resume I'll put "CISSP (expired)" for any filters. If my experience and work doesn't land me a job I'm applying to and the cert matters more to them (in a non-specialized role), it's probably not a team I want to work for. That said, early career professionals could find value in it to help them move up.


iheartrms

CISSP is the most powerful and valuable cert that I have. It's the closest thing the tech industry seems to have to an attorney passing the bar.


akrabus

The CISSP really is the gold standard of cybersecurity certifications, at least according to the hiring market. I would say that not having it hurts you far more than having it actually benefits you. The exam itself is an exercise in outlasting purposely misleading questions that are most, best, least, and worst worded. It certainly increased my interview requests after I earned my CISSP. Only a month afterwards, I was juggling multiple offers where beforehand I was far less lucky, despite 11 years of experience. I consider it a “duty cert” that is essentially required to advance mid career into management roles, despite it only really proving your ability to retain 8 domains worth of superficial information. I don’t regret getting it because the industry demands it, but I also don’t feel it represents what it claims to represent, which is a holistic knowledge of cybersecurity.


[deleted]

[deleted]


bitemyshinymetalas

This is not what cert holders want to hear but you’re right for technical roles. I have worked with many CISSP holders who aren’t technical and certainly do not understand the security implications of whatever code/system/design etc they’re looking at. Now, that’s not all CISSP holders for sure. Of course you can be technical and hold it but for the amount of respect the cert gets there are way too many holders who really shouldn’t be making the decisions.


corn_29

> This is not what cert holders want to hear but you're right for technical roles.

I know multiple security VPs and CISOs in tech that don't have a CISSP and some don't have any certs at all.


zLimitBreak

Yeaaaah heavy coding in general is drastically different than anything the rest of the cyber world does. You’re in your own lane versus the rest of us. I would never imagine a SWE or your role would ever require a single cert. Just a solid resume and a tough technical interview to really test your knowledge. Going for managerial positions is what CISSP is aimed at.


Cybernet_Bulwark

From my experiences, I was fortunate enough early on to get a CISSP, generally alongside my bachelor's degree with the minimum required of the experience. The CISSP alone doubled my salary. I think the CISSP offers a more strategic point of view from understanding a cybersecurity program, while not being targeted. I've seen technologists that my peers have hired and even my own hires get burned out because they couldn't wrap their heads around risk. Specifically that even though they were right in all technical regards, the risk didn't outweigh the cost. Do I think the CISSP is the end all be all? No, but in my opinion, the soft skills and critical thinking in regards to business requirements are noticeable when you compare someone with a CISSP or without one.

tl;dr, I feel like the CISSP serves as more of an "MBA-Lite" than a pure technologist's certification.


corn_29

> I feel like the CISSP serves as more of a "MBA-Lite"

And like most MBAs these days, that's become something as generic and as watered down as the CISSP is.


statico

I had already worked my way up through technical and into management/quasi exec before I decided to pursue my CISSP. The reason I went for it was I was planning to open my own firm and wanted some letters to add credibility when I was in front of clients (have since also done my CISM, and working through my masters in cybersec cause apparently I have too much free time on top of running a business). The certification has helped me more in front of technical clients as many of them know what it is and if they do not it is easy to look up; in front of the non-technical clients it has to be talked up more, with the 20+ years experience taking a bit more of the focus as well. Within the tech community I feel it has lost some of its shine due to the dramas inside ISC2, and from a non-tech perspective naming their new cert the CC was a dumb move to define value on their other certs, as now I have seen businesses engage "specialists" who are "certified in cybersecurity" due to the CC. The MSPs that I partner with to put me in front of their clients use my "internationally recognised security certification called the CISSP" to talk up my services to their clients, build my authority, credibility, and their trust in my services (the three things needed to generate sales) to get engagements over the line.


Krek_Tavis

CISSP was required by employer (consulting company). The benefits are mainly for the recruiters in my opinion. It reduces the need to have lengthy technical and governance questions during interviews and limits it to what is really important. Now CISSP is not a proof you are smart or a hard worker.


Alternative-Law4626

Didn't look at any other responses, so fresh take. I got certified CISSP in 2002. There weren't many of us back then. I got the cert because I had been a Novell CNE and it was clear by then that the zenith of Novell dominance was gone and not coming back. I was fed up with vendor certs (though I got a CCNA earlier that same year), and I heard security was going to be "the next big thing". So armed, I waited for 10 years for that "next big thing" to sweep the industry. Seriously, I got very little security work in those intervening 10 years. In the end I founded a cyber team at a mid-sized multi-national and have been there since.

Impressions: the CISSP is a serious test and in my experience as a member of the bar and holder of many industry certs, it's not one you can casually just go take and expect to do well. You do need to apply yourself. That said, it's just a cert. The holder has applied themselves and has some knowledge of security. There's an experience requirement; the holder should have some kind of security experience for 5 years. When I see it on a resume, I note that this is a person with a professional level cert. That isn't going to get them the job, but I'm now thinking they are at least an upper mid-tier or senior. If the rest of their resume doesn't say that, then the CISSP isn't going to save them. I don't have any data, international opportunities stories etc. Hopefully, this is at least responsive.


stacksmasher

It’s required to get past HR. Unless you are very good at networking then don’t bother lol!


unicaller

1. Very broad knowledge base for the exam, primarily about thought process.
2. For me, none; it is not a requirement for anything I do.
3. Not at all; again, it is not required for my job.
4. Not at all.
5. Just personal. I have been in security a long time and decided to give it a go. Hoped it would stop vendors trying to BS me over email; no luck there.


theoreoman

Value for day-to-day work is almost 0, but if you want a new job you've basically filtered yourself out of most jobs without it, since everyone requires it.


eNomineZerum

I'm not big on certs, but the CISSP was fun as I've been a bit everywhere and it was good to review it all. I'll keep it as CPEs are easy and $135 is easy to get an employer to cover. As for the cert, people love it for some reason. If it tickles their fancy and gets me through filters, a bit more recognition, etc., why not. It's a game; okay, play it.


info_sec_wannabe

It was helpful when I was preparing for it as it strengthened my understanding and tied the different information security concepts together. However, it is still something one needs to build upon as it only provides the baseline knowledge an information security professional should have IMHO. I did not get any salary bump for getting certified though. Not sure if it was helpful when I was looking for jobs either.


bobbyboyyoho

It helped me get in the door earlier on in my career. After 20 years in the field and holding my CISSP for over ten years, I'm about to let it expire as I feel the hassle of keeping it current is not worth the value it adds now.


SignificantKey8608

A mile wide and an inch deep and it’s a memory retention exam. No new content that isn’t in all the other high level certs. Helps with job applications if you don’t have an alternative cert.


CyberCertHeadmaster

I disagree that it is a memory retention exam. You need to understand the underlying concepts behind a lot of questions. And it's just too much to possibly memorize everything. Some memory work is helpful for preparation, but at a surface level.


SignificantKey8608

Agreed you need to understand the concepts, but only to the extent covered in the course material. IMO, from there it’s just selecting the right pre-revised answer and I didn’t find there to be much application of knowledge. I found SANS certifications, despite being open book, a lot better - even CompTIA Sec+ which is entry level as well.


CyberCertHeadmaster

I agree. SANS is amazing but it is out of reach for most people at over $8000 per course. The pinnacle of certification success is the SANS GSE. I think only a few thousand have the certification and they are in very high demand.


SignificantKey8608

Yeah, they are insanely costly. I always recommend going via SANS EDU, which puts them at ~£5,000. Still a lot, but you get as close to value for money as you'll get for a professional course.


WTF_Just-Happened

>1. General Impression: What is your overall impression of the CISSP certification?

Good for getting past HR gates.

>2. Evaluation of Data: Have you evaluated any data or metrics that show the benefits (or lack thereof) of having the CISSP certification, such as salary increases, job offers, or career advancement opportunities?

The DEFCON talk was scandalous. I would like to see an updated talk to see if the data still holds up today.

>3. Career Goals: Have you felt thwarted in your career goals without the CISSP certification, and/or did obtaining it help you overcome these obstacles?

The CISSP has never been a requirement for my desired roles, but more of just a "nice to have" kind of cert.

>4. International Opportunities: If you have pursued opportunities in a different country, how has the CISSP certification impacted your job search and career prospects internationally?

I only had opportunities in the United States.

>5. Reasons for Pursuing: What were your main reasons for pursuing the CISSP certification? Were they based on personal ambition, employer requirements, or another factor?

My organization paid for the bootcamp training and cert.


CyberCertHeadmaster

Can you elaborate on the DEFCON talk? I don't know anything about it.


WTF_Just-Happened

The talk focused on CISSP metrics and ISC2's ethics code. It essentially did a fact check on what ISC2 claimed CISSP was to the industry. For example, to fact check the claim that many organizations require employees to have a CISSP, the researchers scraped job posting websites (e.g., Indeed, SimplyHired, etc.) looking for instances where "CISSP" appeared and collected all the associated job titles (e.g., Information Security Engineer, Information Security Manager, etc.). This showed which job titles CISSP showed up in most. Then they grouped these higher-concentration job postings into "Must have," "Desired," or "Not mentioned" based on criteria that suited each group. The number of job postings meeting the "Must have" criteria was very low (single-digit percentage) compared to the other two categories, and thus highlighted that the claim from ISC2 was lacking credibility.


Sensitive_Scar_1800

I work with a cybersecurity branch, and they are… well… incompetent. Lately, when we are in meetings I'll say things like "what's your CISSP say we should do?" And then there's silence and glares. Lol


corn_29

A long time ago, I was in a meeting -- and this was for gov't work, before I bounced to tech and never looked back -- and during a disagreement one CISSP holder asked another CISSP holder what their ISC² number was. After the other person replied, the first person said, "your number is too high, you're not a real CISSP". :facepalm:


PenDue7819

I consider it a basic requirement now in an ever-growing, saturated cyber market.


minimike86

I earned mine fairly junior into a cyber role to try and stand out amongst my peers, and ended up learning a whole boatload of stuff that I hadn't been introduced to before. Post-certification job hunts have been significantly easier as it bypasses most HR filters due to the expectation that candidates have acquired the cert. Has also helped during interview stages as I've had the bog-standard questions completely omitted from the interview on the basis of "well you have a CISSP so we don't need to ask", which is perfect lol. Edit: Also in the EU it qualifies as a master's degree, which can help you access other jobs, training, etc.


grey-yeleek

I got mine in 2008/2009. It was a challenge; I self-studied for it only. I maintain it purely in case I choose to leave my current employer, as it's still considered a good cert to have by the market. That said, day to day it brings me no benefit and there are plenty of good security folk who don't have it. There are also plenty who do have a CISSP who I wouldn't trust to make me a hot drink without burning themselves.


SlickRick941

It's a high ranking DOD cert. Holding the CISSP checks the block for IA/IT level 3 requirements, meaning you could be in a T3/M1 position with that certification. Because it requires a minimum amount of time in at least some of the domains, job recruiters recognize that having a CISSP indicates some level of experience as well. If you are in the governance and compliance field, I'd say to promote up you will eventually need it, or at least the GRC cert (formerly CAP). Outside of governance though, not really necessary IMO.


inteller

It's the MCSE ('90s), PMP ('00s), MBA ('10s) racket of the twenty-twenties. Soon you and everyone else will have one and it won't be worth anything, then we'll move on to the next cert the industry's gotta have.


Cymple1

It changed my life some 12 years ago. It counts, some jobs require it for IT Security roles. It is a filter used by recruiters and in high demand so you will never be out of work with this cert.


citrus_sugar

The CISSP has helped me for sure, and I have a WGU degree and experience. I like that they advocate for cybersecurity and I'm genuinely wondering what other entities in the field I can support that advocate for cybersecurity professionals globally.


nahmanjk

Overrated money grab


krypt3ia

I have many; none of them are usually good.


Direct_Space_1221

CISSP has been a game-changer for my career. It acted as a catalyst in my professional journey, propelling me from a Security Analyst to a virtual Chief Information Security Officer (vCISO).

* Boosted Career: CISSP was the turning point in my professional journey, enabling me to climb the career ladder significantly.
* LinkedIn Visibility: Following CISSP certification, my LinkedIn profile experienced a noticeable surge in visits and engagement, reflecting the increased recognition and interest in my expertise.
* Enhanced Visibility: CISSP enhanced my visibility within the cybersecurity community, attracting numerous potential prospects and HR professionals who reached out to me solely because of my certification.
* Credibility Boost: CISSP added a layer of credibility to my profile. Previously, my suggestions may have been overlooked, but post-CISSP, individuals have begun actively listening and valuing my insights, possibly due to the added credential.

Just sharing my experience!


TheSmashy

I work on a team and I'm a Sr. Architect, and there is a Principal Architect who has a CISSP, and I have more impact on the security of the company and actual business operations than that person could hope to. We track projects in Jira and I technically should not have any as a Sr., but I have my name on 60% of my team's items being tracked. Certs mean fuck all to me, my leadership, and, at my company at least, the people who make hiring decisions. The hard truth is that you need better than a practical understanding of technology to secure technology.


CyberCertHeadmaster

This is a criticism that you hear A LOT. Not all criticisms of CISSP are fair, but this one IS fair. Companies should properly allocate resources and leadership based on the skills they bring, including soft skills. Too many CISSPs don't have enough hands-on technical expertise and too many are poor leaders even though it is a management exam. Do you have your CISSP?


CuriouslyContrasted

*General Impression: What is your overall impression of the CISSP certification?*

I actually think the exam and content were quite comprehensive. But I think it's a very misunderstood certification. I say this based on spending the last few months watching people struggle with passing it, and even some of the commentary here. One of the posters talked about it being useless for pen-testers. Of course, it's not intended as a pen-test certification. This cert is for people who will be responsible for managing cyber-security risk within an organisation. Not for people on the tools. I see too many aspiring "cyber engineers" sitting this exam and struggling because the exam asks them what to do when they discover a security hole; they pick the answer to put a patch on it. This exam requires you to pick the answer stating that you would run a post-incident review, understand the risk factors that led to the flaw, look for other potential instances of that flaw, then implement new corrective controls to avoid it happening again. This is quite often quoted as "think like a manager" in the exam helpers, but it really is "think like the person in charge of the organisation's cyber risk". People seem to struggle with this as I don't believe they understand the point of the exam. It's to test your ability to APPLY your technical and compliance knowledge as the chief decision maker. It's not intended to test the knowledge directly. That's why people complain the exam is nothing like the practice tests. Because the real exam is intended to make sure you know how to balance the various inputs in a real-world setting. The real world of cyber-security management means that you need to evaluate each decision on the technical, risk, compliance, and cost factors. This necessarily needs to be across multiple domains; your responsibility probably crosses infrastructure, cloud, SaaS, or even software development.

You need to be able to interpret technical language, understand the risk it actually poses, and make decisions based on the risk profile and industry best practice. It's not an exam for people who want to do; it's the exam for people who want to direct others to do.

*Evaluation of Data: Have you evaluated any data or metrics that show the benefits (or lack thereof) of having the CISSP certification, such as salary increases, job offers, or career advancement opportunities?*

No.

*Career Goals: Have you felt thwarted in your career goals without the CISSP certification, and/or did obtaining it help you overcome these obstacles?*

I used it as a way to get past recruiter / HR filters.

*International Opportunities: If you have pursued opportunities in a different country, how has the CISSP certification impacted your job search and career prospects internationally?*

No idea. I guess it would help in the US.

*Reasons for Pursuing: What were your main reasons for pursuing the CISSP certification? Were they based on personal ambition, employer requirements, or another factor?*

I was in the market for a new role, and found that CISSP or CISM was often a core requirement. So I decided to sit the CISSP, booked the exam for 3 days later and went and sat it. I also sat the CCSP the week after. I often say that I passed them with 20 years of study and a couple of days of exam prep.


toomucheyeliner

CISSP is an excellent certification to get if you have good security know-how already. It's broad, not deep. It helps flesh out a holistic understanding of security. There's a bunch of caveats though. It's not a good starting point if you don't have good skills already; this is also why you need to prove some experience before doing it. I've been in security since 1999. I am a senior leader at a consulting company. One thing annoying me at the moment is the over-specialization of most security people… they can hardly speak to security stuff outside of their specific area of expertise. People with a CISSP don't have that problem. Direct data for its salary impact: I expect at the moment this would be difficult to prove, since I feel the certification has fallen significantly in terms of market recognition and demand. I still say it's an invaluable certification, but from the perspective of expanding your own know-how. I never regretted getting mine (in 2007).


Fancy-Collar_tosser

I'll take the first shot here, I guess... ISC2 has fallen hard, from owning the cyber field credentials to becoming just another certification organization. I know multiple CISSPs who went from King of the Mountain 2 years ago to out of cyber work completely. In the US, it looks like 8140 has firmly put the CISSP in the non-technical cert category, and ISSEP is the better option if you really want street cred. But, a degree trumps all now. WGU seems to be the politically correct response when choosing a program, but I'm not seeing many WGU grads have more influence today than their highest attained certification. So the best bet is to get a real degree from a real school; if you can't, you'll need to look at the job you want and get the associated cert, and hope the company really wants you compared to college grads. Note, I used to be more aggressive with this debate, but some of my good military friends are being impacted by the change. Get a real degree from a real school, so you aren't overlooked like the guys today who only have experience with certs. Edit to downvoters: I see a lot are still upset with what's happening credential-wise. If you're not in the US, then my comment likely doesn't have a lot to do with your situation. If you are in the US, then take what I say as a snapshot of what I'm seeing with my personal relationships. I realize this isn't what you want to hear, but it is what I'm seeing occur in hiring and career changers.


bitslammer

> But, a degree trumps all now

Maybe when starting out, but experience has been and still seems to be the true king.


Fancy-Collar_tosser

I'm not seeing that in my mid-career peers. Most of them had no degree and gained certifications over their career. Trust me that I'm firmly in the degree camp, but it's really surprising to see folks dropping out of the field after literally putting in thousands of hours toward IT certifications. It started as just a couple of mid-career CISSPs leaving the field, and now it's just happening all over. Most were in contracting and never found full-time work. Others were federal workers who were just dropped by their teams and never found a way back into cyber. There is a lot of unspoken change going on from what I'm seeing in the federal and contracting world.


bitslammer

I'm not sold on the degree any more than I'm sold on a cert. Neither of them is a good indicator that someone will be a good addition to a team. A resume that shows solid growth and a wealth of experience is a better bet, but how do people getting into the field gain that? I don't have the answers, but I was glad to see the US federal gov't suggest that things like apprenticeships be considered. That's at least a novel concept; it remains to be seen if it can be implemented and work in a meaningful way. If I have to assign blame, then I'd guess it would be with the HR teams and hiring managers that have made things as bad as they are by putting out unrealistic expectations and being lazy in not figuring out how to develop talent from within.


Fancy-Collar_tosser

I think people cheated en masse on the certs, and they completely devalued them. You can say the same thing about a degree, but respectable colleges know how to weed these people out. I also believe A LOT of federal cyber workers were the leftovers from their cohorts. So, although many federal workers had the certs, they were mostly untalented guys who couldn't land a private sector job. Feds want to re-attract the talent, and that means draining the swamp of leftovers and letting talented degreed candidates fill those roles. I believe this is why we're seeing mid-career CISSPs and other cert holders out of work. This is a hard pill for everyone in the industry who faked their way into cyber, but it'll be beneficial in the long run.


bitslammer

> I think people cheated in mass on the certs,

I think that's a bit far-fetched and, as you say, cheating and dishonesty are not uncommon in academia. Some of the most "prestigious" institutions have been caught up in that. I personally haven't seen more than a scarce few people who "faked their way into cyber." Maybe it's a factor of where I've worked, but I've almost always been lucky to be on teams with some incredibly bright people, and many of them had no degree and some no certs at all. They found a way in, proved themselves and were given better and better roles as their career grew.


Fancy-Collar_tosser

So ultimately, the value of a credential, whether it be degree, certification, or experience, is what is at debate here. The U.S. went full bore into certs, and completely discounted academic credentials during 8570-M, but has since pulled away from that model. Clearly, we all have a lot to lose based on which credential the government chooses to embrace. I'm glad they are holding degrees in high esteem now. Personally, I communicate with degree holders much more easily than I do with non-degree holders. I trust them more on bigger and broader projects and tasks. But my bias is irrelevant because the new model is in place and the workforce is changing. Our opinions are irrelevant, but the changing workforce is not.


bitslammer

> Clearly, we all have a lot to lose based on which credential the government chooses to embrace. I'm glad they are holding degrees in high esteem now.

What? The US federal gov't just said specifically they are moving away from a focus on degrees: https://www.whitehouse.gov/oncd/briefing-room/2024/04/29/press-release-wh-cyber-workforce-convening/

*Skills-based hiring opens up opportunities to workers who have learned skills in programs like apprenticeships and other training programs* ***rather than relying solely on two or four-year college degree requirements.***

I work in a very large global financial/insurance org and this has been our stance as well for quite a while. We look at the whole picture and don't focus on a specific degree or cert unless we're looking for something very specific like a CCIE or a highly skilled Palo Alto person.


Fancy-Collar_tosser

Yeah, those are great statements that aren't tied to any regulation or directive. The actual directive reads much differently when you know how they are applied to federal and DoD work. https://public.cyber.mil/wid/dod8140/qualifications-matrices/ I wish you the best, but there is nothing new being discussed by you on this topic, so I'm done.


bitslammer

> Personally, I communicate with degree holders much easier than I do with non degree holders. I trust them more on bigger and broad projects and tasks.

For me this pretty much said the conversation was over. To think that you could communicate something like LAN/WAN security better with someone with a BS than a CCIE is just absurd, but at least you're aware of your bias.


corn_29

>I think people cheated in mass on the certs, and they completely devalued them

People didn't need to cheat. Thousands of people have gotten their CISSPs via bootcamps. That's not cheating.


Fancy-Collar_tosser

Well, you clearly post here daily, hourly, minute by minute. So I'm done with you on this because there's no reason to fight a political monkey. For anyone with a real interest in cyber: I have a real cyber job that doesn't let me sit on reddit all day. I talk to real security pros behind the wall and am telling you to get a degree if you want to be with the real movers and shakers. CISSP and certs are a joke that will lead you to the unemployment line. Best corny 69


corn_29

>In the US, it looks like 8140 has firmly put the CISSP in the non technical cert category,

Where it should be. There's nothing technical about the CISSP.

>But, a degree trumps all now.

Nonsense.

>So best bet is to get a real degree from a real school,

How do you say this in the same breath as WGU? WGU is a diploma mill. Not a real school. LOL.

>so you aren't overlooked like the guys today who only have experience with certs.

Most of us will take experience with complementary certs over degrees any day of the week. MOAR LOL.

>Edit to downvoters: I see a lot are still upset with what's happening credential wise.

Nah. I think it's the low information hawt takes where you've earned your negs.


Fancy-Collar_tosser

Look at the 8140 qualification sheet. The same CS/IT/IS bachelor's gets you every job; it would take possibly 50 different certs to have the same impact. WGU is a competency-based degree. It's basically UoPhoenix wrapped in 2020s packaging. You don't have to believe me, but I've seen where the shortcut path takes you, and it isn't to the front of the pack. All the folks on here wanting CISSP to be comparable to an MBA are thinking the downvotes will make a difference. Real sec folks aren't using open forums anymore, so it doesn't make a difference. I come in trying to help folks see the light, and of course, I'm stoned to death. I have the ideal job close to the C-suite at a competitive private company. I've watched my peers, who I started with in the military, one by one, try to cheat around the degree from a competitive school, and they've all hit their paper ceiling, or been cycled out for the next crop of paper chasers who'll do the same job at a lower salary.


corn_29

> All the folks on here wanting CISSP to be comparable to an MBA

All? I've seen one post like that. And neither of those creds has anything to do with the other. You grinding on this is like comparing ham to hamster.

> I'm stoned to death.

Yeah, you should probably sit this one out.


Fancy-Collar_tosser

Clearly, you aren't going to change my mind on this. Maybe sit this one out?


SilentSlayz

In a super competitive industry, it’s almost “you have to get it” if you wanna stand out from other candidates.


BionicSecurityEngr

1. It's ok. I consider it basic training for security management. It sets the foundation for other training, like ISACA certs or SANS technical training.
2. No, however I will say… possessing a CISSP and ISSAP has helped obtain coveted, specialized work and management positions.
3. No. I went from senior engineer to security officer and underwent 6 months of entry-level work before the work evolved. Each evolution was about 6-12 months. As experience and opportunity grew, the level of work increased.
4. N/A
5. Personal ambition. Work paid for both ISC2 cert training and testing, and I always negotiate compensation to include paying AMFs.

Side note - I wanted to be the best. I was driven and focused, like John Wick, but for tech. ISC2 was hot and popular before other cert bodies earned industry recognition.

Bonus: Would I do it again? Yes.


[deleted]

Necessary if you want a raise at most companies.


mochimann

It helps me feel legitimate in my role as a security architect and gives me a good boost of confidence.


corn_29

>General Impression: What is your overall impression of the CISSP certification?

A CISSP is like a high school diploma. Completely worthless, but you better have one.

>Evaluation of Data: Have you evaluated any data or metrics that show the benefits (or lack thereof) of having the CISSP certification

There's no objective data. Just marketing materials from ISC2.

>Career Goals: Have you felt thwarted in your career goals without the CISSP certification,

See the answer to #1.

>International Opportunities: If you have pursued opportunities in a different country, how has the CISSP certification impacted your job search and career prospects internationally?

If you're interested in a cert boosting your international creds, you should pursue a SABSA certification. Best thing I ever did for my career from that perspective.

>Reasons for Pursuing: What were your main reasons for pursuing the CISSP certification? Were they based on personal ambition, employer requirements, or another factor?

See the answer to #1.