Earning The CISSP : What It Takes And What It Is Worth

Greg Schaffer

Recently, I became an International Information Systems Security Certification Consortium (ISC2) Certified Information Systems Security Professional (CISSP). The pursuit was difficult, but that was to be expected, as the certification is one of the most sought-after information security credentials. Like many certifications, it can add significant bargaining weight when changing positions or jockeying for a raise.

Certifications don't necessarily make or break one's career, but can contribute to one's overall package. Whether you're satisfied in a position or looking to upgrade, it's in your best interest to stay as knowledgeable and marketable as possible. Understanding that certifications may not be a panacea but certainly have value is the first step in determining which certifications (if any) are worth pursuing based on your career goals.

The value of certifications

There has been much debate over the validity and usefulness of certifications, but one thing is clear: knowledge without the ability to apply it is functionally useless. That's one reason why some certifications require significant real-world experience as part of the certification process. IT recruiters are keenly aware of this.

"You may be a whiz at taking certification exams," says John Estes, vice president at IT staffing agency Robert Half Technology, "but if you don't have the benefit of troubleshooting [experience] in a business environment, you won't last long." Justin Keller, an infrastructure recruiter at TEKsystems Inc., agrees. "Certifications are something that will set apart qualified candidates from the rest of the field but they cannot be expected to replace real life experience," Keller says.

However, there has to be some value to a certification besides a fancy certificate for display on the wall. Overall, it's not unreasonable to expect a relevant certification to command roughly a 10% average increase in salary over those performing the same duties without the credentials, according to Brian Hunter, an executive and technical recruiter at Talent Scouts Inc. He suggests that people interested in pursuing a particular certification do a cost-benefit analysis to determine the certification's return on investment.

Without a doubt, pursuing certifications requires tenacity and a willingness to put in long hours of preparation, not to mention the monetary costs, particularly if a "boot camp"-type preparation course is used. As Keller points out, "the financial and time commitments that are required to get many of these certifications are significant."

Basically, certifications by definition should certify that a professional possesses the qualities necessary to accomplish the duties of a particular position. In information security, that means having a very broad experience, knowledge and skills base.

My pursuit to become a CISSP

Information security is one of the fastest growing areas in IT today. Keller notes that "specialization in this area is going to be a solid differentiator in a market that is already very competitive." Certainly in the information security field, having the paperwork to back up the knowledge can be quite valuable. As my information security duties have increased dramatically over the past several years to the point where the majority of my professional activities are related to information security, I felt it was time to achieve that differentiator.

While there are other information security credentials available such as the Certified Information Security Auditor (CISA) from the Information Systems Audit and Control Association (ISACA), I chose to go after the CISSP certification because of its reputation and vendor-neutrality and because my knowledge and experience matched the CISSP requirements well. In addition, the managerial components of the CISSP credential fit with my aspirations to become a chief information security officer (CISO).

To become a CISSP, a minimum of five years' work experience in two of 10 knowledge areas, referred to as domains, is necessary. We're not talking just technical areas here, as the domains include not only nuts-and-bolts topics such as networking and cryptography but also managerial and planning tools such as business continuity and disaster recovery. This is because information security is at its core a business process or, more exactly, a method to ensure that business continuity is unimpeded.

"It seems like almost every week, you hear about a Fortune 500 company or government department having a breach of sensitive information," explains Louie DiNicola, who expects to complete his undergraduate degree in computer information systems next spring and already has a position lined up working in IT assurance. "I want to be able to help companies avoid that and maximize their potential by helping them identify problems in IT policy and implementation."

DiNicola has an edge outside of the certifications with his college degree. Companies will often ignore a potential candidate, regardless of experience and qualifications, if he hasn't earned a degree. "It does not matter if the person can walk on water," according to Hunter. "If they do not have a degree, they won't be considered" for some positions.

DiNicola knows that a degree and certifications, coupled with experience, make for a powerful mix. "I realize that as an entry-level graduate, the certification might be better suited as a long-term goal," he explains. DiNicola has already begun plans to pursue the CISA credential and the CISSP certification after that.

The CISSP credential goes far beyond measuring one's book knowledge. First, the candidate must be endorsed by an ISC2-certified professional confirming that the candidate meets the experience requirements. Also, the candidate must pledge to adhere to a code of ethics. Finally, to maintain certification, the CISSP must constantly engage in security activities, such as ongoing education and participating in security speaking opportunities.

But it all starts with the exam, and there are many ways to prepare for it. For me, self-study was the best way to go. You have to be disciplined and self-motivated to forgo structured courses, but self-study can provide more flexibility while saving costs. Note that bypassing the class route doesn't mean that you have to go it alone. I found valuable resources online from CISSP forums such as one at CCCure.org and free online workshops such as those offered by the University of Fairfax.

Passing the CISSP and other certification exam tips

The following tips helped me pass the CISSP exam, the most difficult certification exam I have ever taken. As learning methods vary, so should your approach to preparing for any certification exam.

My first action was to register for the exam to allow for two months of preparation. While this may seem obvious, registering for the exam a certain period in advance helps to focus on the goal. Without a deadline, it can be difficult to achieve that goal, since the propensity to procrastinate is great.

My next step was to purchase a review book with practice questions and exams. I opted to purchase ISC2's CISSP review book, which came with a CD of practice exams. Of course, there are other study guides with practice exams available. The point is to have a good resource to prepare with. Multiple books can be especially helpful in locking down difficult concepts by approaching them from different angles.

You should take a practice exam before beginning to study because it can point out subject-matter strengths and weaknesses. Predictably, I was strongest in the two domains for which I met the required experience and quite weak in some others. This helped me prioritize my studying.

Plan to study until one week before the exam and spend the last week reviewing material at a leisurely pace. A light review the night before the exam is fine, but do not cram. If the test is given in a location that requires significant travel, plan on arriving the night before, particularly for an early morning exam. I relaxed the night prior to the exam, because I knew I would need all my faculties the next day.

The CISSP test consists of 250 multiple-choice questions that must be completed in six hours. That equates to less than one and a half minutes per question. There are various strategies for attacking such exams; mine was to be well rested and answer every question in the exam in four hours, then review the rest of the time. If time becomes a factor toward the end of the exam, answers will be rushed, so pacing is important.

After I left the exam, confident that I had a 50-50 chance of passing, I began crafting my retest strategy. Since I had just spent so much time over two months preparing for this exam, I planned to register to retake the exam the moment I found out I failed, because I didn't want to lose the freshness of the knowledge. Fortunately, I didn't have to activate that plan, but I was ready to.

Summary

While these tips are based on my pursuit of becoming a CISSP, they have applicability to other certifications as well.

* Match certifications with your goals and skills.
* Study, study, study. Whether that means books, classes or both, studying can't be overemphasized.
* Cramming rarely works. Rather, relax the night before, and get a good night's sleep.
* Certifications should be part of an overall success strategy, not the singular focus.
* The further up the ladder, the more important degrees become. If CISO is a goal, look into pursuing an advanced degree.
* Realize it's just an exam. Everyone has bad days, and failing is not the end of the world.
* If you do fail, plan to retest sooner rather than later. Don't give up the pursuit.

Finally, don't look at obtaining certifications as the primary goal but as part of an overall strategy for achieving your career aspirations. "No single accreditation will guarantee career success," summarizes Robert Half Technology's Estes. "But a mix of relevant, broad-based certifications can help support an IT professional who has experience in the field as well as a strong set of appropriate skills."

Greg Schaffer is a freelance writer based in Tennessee. He has over 15 years of experience in networking, primarily in higher education. He can be reached at newtnoise@comcast.net.
