This post answers these questions: Why get the CISSP certification? What has it done for me? What else do I need to know?

Charles, one of my readers, asked me, “Do you have postings related to CISSP?” Not many, but here’s one….

CISSP = Cost-Effective Cert

The CISSP is a one-fee-pays-all cert; very nice. I was shocked to see how ISACA charges you for the CISA: one fee for overall membership, one for local chapter membership (required), and another for the certification (that's the real trifecta that pays off for ISACA). Sad.

The CISSP comes with no local chapter, but who cares? How many of you go to chapter meetings anyway? I rarely go to ISACA or IIA chapter meetings.

The CISSP requires 120 CPEs total over 3 years, with a minimum of 20 CPEs per year, which is fairly standard among certs. And at $85 per year, that's not a bad annual fee. Compare that to other certs that don't carry the same weight.

Personally, I have not found any direct correlation between my CISSP certification and increases in salary. All the increases were due to my accomplishments, not the certification. The certification helped me achieve in some areas, and certainly gave my managers more confidence in me, so indirectly, I’m sure it helped.

Certs are most helpful when you’re new to a field or specific area, or looking for work. But even when you have years of experience, they can help round you out, and push you to learn new areas.

Best Certs for an IT Auditor

If you want to be a great IT auditor, I’d suggest you get the CISA and the CISSP. See my reasons under the same topic heading in CISA vs. CIA Certification.

If you don’t have either certification and want to get both, get the CISA first, as it is an audit certification. The CISSP is a security certification. The CISSP advice in this post assumes you have the CISA already if you’re an auditor. If you’re not interested in audit, then ignore the CISA info.

Getting a security certification is even more valuable when you don't work on the security team, for example as an auditor or IT specialist. Such a cert will give you a sharp edge on others in your immediate field (especially if you already have a cert in your field in addition to the security cert). One Fortune 500 manager told me my CISSP cert was the deciding factor in hiring me. At another large company, I was the only CISSP on the audit team, which had more than 20 auditors.

I have no doubts that my CISSP has paid off. And I expect it to continue to pay off.


I’ve found that it’s more important to have the CISA as an IT auditor than having the CISSP as a security pro. That’s because most IT auditors have the CISA; it’s pretty much required.

I like the CISSP because it gets your feet wet and dirty. But be warned: the CISSP is not like the CISA. It's MUCH more IT- and security-focused and much more technical than the CISA (the CISA is NOT technical). Be prepared. When I took the test, at least 50% of those who took it with me failed. It's doable, but you can't party and study at the same time like some jokers do.

NOTE: I believe the CISSP has changed since I passed it; see CISSP isn’t as technical anymore. But it is still way more technical than the CISA.

The CISSP will help you if you stay anywhere near IT.

The CISA applies most to auditing, but I've never seen anyone in security have only the CISA; a security pro with the CISA is usually a former auditor AND has at least one security cert.

On the other hand, I was an auditor for several years with only the CISSP, and it was respected. IT folks understand and respect the CISSP more than the CISA.

CISSP Losing Ground?

SC Magazine’s CISSP! Who Cares? article says that security certifications are not as valuable as they used to be because they are rather commonplace. Too many people going for the same job have the same qualifications. However, that is not my experience, and I disagree with some of the article’s statements.

I earned my CISSP more than 5 years ago. Let’s take a look at a couple companies I’ve worked for and count the CISSPs… see Security Certs for Commoners? Nope.

CISSP Resources

Studying for the CISSP? Check out the Least Privileged blog for this person’s experience with the exam (he failed the first time) and lots of CISSP resources. Also check out my posts, How to Pass Certification Exams and Teach Yourself Security (see the link to free CISSP training).

My biggest CISSP study tip: know crypto inside and out, and don't skimp on physical security. Most of the people I know who failed that exam did so because they thought they could get by with little understanding of those topics.

Here’s another great resource, The Thrifty CISSP.

When I took the CISSP exam, I knew I passed. I wasn’t sure about the CISA. I guess that means I know more than I realize.

Marketing Trap

In my case, my certs are a marketing trap; they sure have helped me trap some good jobs. I know I’m fortunate and this doesn’t happen to everyone.

Finally, I don't claim that certs are for everyone. I know plenty of folks who do okay without certs. More power and dinero to them.

The best 2 technical people I ever hired had no certs. But later on, they got certs because it helped their cause and gained them more respect. Sad, but true. So go get your certs and be done with it.

What else?

If you have a question about my experience with the CISSP, let me know, or leave a comment about your experience. Or just disagree with me because you’re in a bad mood.




55 responses to “Why CISSP?”

  1. Thanks for sharing your experience. I have just begun my CISSP studying and have already found the information both relevant and interesting.


  2. Mike

    Hi, I have MCP and am busy studying for my CISSP. What are my chances of getting a job without experience? Thanks : )


    • Mike,
      It depends, unfortunately. You didn't describe the type of job you're considering or what area your MCP is in. You also didn't describe your general IT background.

      Assuming you meant an IT auditor job and you have a general IT background (you understand the basics of servers, desktop, networking, applications), but no audit background, you might be able to get an entry-level IT auditing job.

      The challenge of IT auditing is that you have to understand 2 things: how to audit and how IT technology and operations work. Usually if you know one of them and you have the CISA, you can get an entry-level job.

      I recently worked with 2 new IT auditors. Neither of them had any audit experience when they were hired. One had a compliance background, but little IT. The other had some IT background, but not much. Six months later, the former was doing much better than the latter.

      Overall, I think audit experience is more important than IT experience. The CISA will give you more audit info than IT info, so it's good in that sense. So if you can get an understanding of audit (study for the CISA), you'll be ok if you have an understanding of IT or have an aptitude for learning it.

      I’d suggest that you also read my reply to Nick (see link below). While he has more experience than you, most of my comments to him still apply to you, particularly regarding how to go about finding an IT auditor job. My reply to Nick is here: http://wp.me/pxLr8-1OL

      Also read all my CISA posts at https://itauditsecurity.wordpress.com/2013/04/02/master-list-cisa-articles/

      Mike, if you give me more info, I can speak more specifically to your situation.

      Either way, don’t lose heart. I run into really bad IT auditors all the time, and they managed to get hired. :)


      • Mike

        Thanks a lot for all the info :) I have an MCP in networking, but have been out of the employment field for 4 years due to taking a break, meeting my wife, helping her with her online business, moving and other personal things, so it might be tricky to get back into the field now with no experience for the past 4 years, but that is why I am adding my CISSP.
        Hoping it will work out well, as we are also expecting a little girl :)


        • Mike,
          The CISSP should help. If you have good reasons for taking the time off and can explain how what you did and learned during that time period will benefit your prospective employer, you have a great chance of getting hired. Have you thought of trying to hook up with a contract firm and ease back into the market that way? You'll gain experience and get a look at some employers, and they'll get a chance to look at you too.

          Best wishes for your family!


  3. Betsy

    Thanks for the enlightening blog, which was an amazing and resourceful find for me. I just finished my postgrad degree in Information Security recently and it covers everything needed for IT auditing. Do I still need to get the certification to get a job as an auditor?


    • Hi Betsy,
      Sorry, but it depends. I always encourage those pursuing IT audit to get the CISA for these reasons: 1) it's “the” IT audit cert, 2) managers look for it, 3) most IT auditors have it, and 4) it will give you an audit foundation to build upon (how to audit).

      Having said that, if you understand how to audit (sampling, risk assessment, population validation, how to develop a test plan and execute it, etc.), you can get hired without the CISA. But the CISA is kind of like a high school diploma–it’s assumed you have it.

      Even if you KNOW auditing, you still probably don’t have the experience of doing it, and studying for the cert will give you another perspective besides your schooling. Even if you know auditing, the cost and effort required is minimal compared to the benefits it brings.

      I’d strongly suggest you find some other IT auditors and see what they think. [I’m always amazed other IT auditors out there don’t chime in with their 2 cents on these questions.]

      Wish you the best, and thanks for the Kudos! Let me know what happens!


  4. Hello,
    I am studying for the CISSP now and find this article helpful in motivating me :). Currently I hold CEHv7 and have more than 5 years of experience as a system administrator and in security for an Internet service provider. Now I am the CTO of our ‘baby’ company, which does IT security pentesting and managed hosting. Do you think I can pass it if I have only 1 month to study? I have already read 2 CBK domains of the CISSP (IT Governance, Access Control) and am now starting Cryptography.

    Thank you


    • Hi Kalpin,
      Sounds like you know the basics of IT & security. If you can master physical security and crypto, you'll have a shot. But it's a hard exam. Make sure you read my How to Pass Certification Exams post carefully. Wish you the best, and let us know how you do.


  5. Jagan


    I am a Microsoft application (MS Office and Windows 7) trainer and train end users in our company. I also take care of our learning management system. I have a total of 5 years' experience, but now I want to move into IT audit. Please suggest whether I should opt for the CISSP or the CISA.

    Many Thanks,


    • Jagan,
      Go for the CISA as it is an audit certification. The CISSP is a security certification that most auditors do NOT have. The CISSP will help you get audit work AFTER you have some audit experience. Get established as an auditor, then get the CISSP if you still desire it.

      Keep in mind that the CISA requires 5 years of audit experience. For more info, please see the comment I made in CISA vs. CIA Certification dated December 26, 2013 at 1:00 pm.


      • Jagan

        Thanks for the info. Just out of curiosity I searched for CISA jobs on Monster, but I don't see any job listings with 0-1 yr experience. Will it be easy to get into audit jobs once I clear the CISA? For your information, I am in India.



        • Jagan,
          Probably not. Most audit departments will be more concerned about your understanding how to audit rather than your understanding of IT (although I maintain you need both).

          What you need to be able to do is describe how your past experience as a trainer and manager of the learning app will make you a better auditor –because of the aspects of risk, human nature, and IT that you already know.

          Departments do hire people without experience, especially from within, as they already know the company culture. Talk to auditors you know (or meet some) and ask their advice on how to do it in your area. I can't speak directly to India's job market.


  6. Dorothy Vega

    I have a BS in accounting and I will start my master's in accounting/auditing shortly. I would like to do something like IT auditing, so I was considering getting my CISSP because I have a strong accounting background. You stated that as an IT auditor a CISA may be a better fit. However, since I already have the necessary auditing background, would it be better for me to sit for the CISSP because I am lacking the information technology skills?


    • Dorothy,
      If you already have an audit background and you study for and take the CISA, it should not be overly difficult for you. It’s cheap and you’ll have the main IT audit cert under your belt that managers look for when hiring IT auditors. I would still go that route.

      Also, even if you study well for the CISSP, that’s a much more difficult exam, even for IT pros with years of experience, as I was, when I took it. Keep in mind both certs require years of experience before they award the cert and schooling can only count for a portion of that. I would not use the CISSP as a way to learn IT and security. Risk in accounting and risk in IT/security are different mindsets and skills. Some people do both well, but not many.

      I’d suggest taking as many IT and security courses as you can in your masters program and do the CISA, and then the CISSP after that.


  7. Moe


    I think your article is great. I have two questions. My first question is, why do auditing and security positions require either a CISA or a CISSP? Are they interchangeable in the eyes of the industry?
    My second question is, when you went through the endorsement phase of the CISSP, did you spell out how your experience relates to the ten domains, or did you submit a standard resume that you would submit to any other employer?

    Thank you


    • Hi Moe,
      I have never seen the CISSP required for an auditing position. Usually, in the US, the CISA is required for IT auditors, but not financial or operations auditing.

      No, the CISA and CISSP are not interchangeable, not in the security world or the audit world. CISA is mostly about auditing; the CISSP has very little auditing. While the CISA touches on security, the CISSP is all about security.

      When I was endorsed for the CISSP, I noted which domains I had experience in. You don't have to have experience in all ten domains, just a few years' experience in some of them.

      When I was certified, you didn't need a fellow CISSP to sponsor you like you do currently; I listed my years of experience in certain domains on my application and my CIO signed it. I don't think a resume alone would qualify.

      Hopefully that answers your questions. Let me know if you have any more. Mack


  8. Shaziya

    Hello All,
    I hope you have an excellent time.
    Well, I completed my Masters in Computer Science from IGNOU in 2012, and after that I started working in the education field as a computer instructor.
    Now I want to do the CISSP, but I have little knowledge about it and I have never worked in any IT company. I am ready to work hard, so please suggest how I can start, as I cannot join any training and have to study by myself due to financial issues.
    I took this step because all of my friends are working and they all stopped interacting with me as I am not in any IT field and they feel I am inferior, and also back at home I have to support my family. So please advise me. I am also 29 years old now; is it too late?
    I hope to get a quick response.
    Thank you.


    • Shaziya,
      Free resources for getting started on the CISSP are noted above under “CISSP Resources”. You’ll need to buy at least one of the books I recommend in those links.

      You can’t get certified without the appropriate work experience, so you need to get some work experience as you study. You can pass the exam and get certified later when you have the experience. Just passing the exam will help you even if you can’t get certified due to lack of experience.

      It’s never too late to better yourself. I have changed careers 3 times already and will probably make another change in a couple years.

      You can do it, so go for it.


  9. Taimoor

    Hi all,
    Hope you are doing well. I have two years of experience in the information security field. I have CISSP, CCNA, RHCE, and ISO27001:2013 training. I have worked on an ISO27001 implementation project. I was also part of the internal IT audit team. Now I am doing vulnerability assessment. Some people say to focus on IT audit, others say ISMS, and some say pen testing or network security. I am confused and need your guidance on what I should do to advance my career in the infosec field. Which certification and training will suit me from a future perspective? I want to choose the best career path. Kindly guide.


  10. Taimoor,
    I need more information on your goal in info sec. You want to manage security devices (firewalls, IDS), do forensics, be a security architect, or a security generalist who does a lot of all of that?

    It looks like you have some great certs and experience that give you a solid info sec foundation. Spend more time thinking about what you really want to do and let me know. Also, do you want to have fun, fix things, and/or make a ton of money?


    • Taimoor

      Yes, I want to manage security devices, but unfortunately their management is out of scope in my department. Yesterday my manager asked me what kind of training I would prefer related to my field. I am still thinking about it, but my manager was focusing on penetration testing training. And of course I want to make money. :)

      What would you say about the network security field? Or what is the emerging security field these days, or which will be in demand in the future?


      • Forensics is always in demand, and the number of devices per person continues to rise (there are already 2x as many devices as people, and in 5 years some expect this to rise to 3x or 4x). Government agencies have a huge backlog.

        The problem with forensics is that you don't have a lot of people interaction (some people like that) and you see a lot of nasty stuff as porn continues to permeate life.

        Security architects make really good money and will continue to be in demand. They review projects and technology for risks and determine how to best configure networks, applications, systems, and devices.

        The job I had the most fun in was a combination of security manager, penetration tester, incident responder, security awareness trainer, and security architect. While I’m not a device jockey, I loved reviewing ideas and plans and making recommendations. It was quite a bit of interaction with staff and senior management.

        The only downside was the 24×7 schedule. While I miss the excitement of being in the middle of it all and sneaking around the network, I don’t miss all the midnight calls. And I don’t have to fix anything, just find the problems and make recommendations on how to do things better and faster.

        Security architects need to be strong in many areas; my weaknesses were device management, network protocols, and scripting, but I learned quickly when I needed to, which makes me a good auditor.

        My advice to you is to avoid getting locked into one area (like pentesting) unless you really like it (I'm not hearing that from you). Focus on areas that will help you no matter where you go, such as networking, protocols, and scripting languages. Then when an opportunity presents itself, you'll have a broader background you can apply to almost anything.

        In the meantime, volunteer for projects at your company that give you opportunities to manage devices or whatever else interests you. If no opportunities exist, try volunteering somewhere that needs some free help.
        I learned a lot about networks the year that I managed my church’s network. And I’m always helping friends out with their issues.

        I hope that helps. Let’s keep talking….


  11. F

    I am a software quality engineer (with a development background) and I moved recently to InfoSec and got my CEH.
    I want to work on a new certificate to increase my chances of getting a job in the security domain.
    I am not sure if I should do the CISA or the CISSP since I don't know what kind of title I am looking for (auditing or security…), so I hope you can help. Should I start with the CISA and move to the CISSP, or should I study for a different certificate?
    I moved to security since I like the challenge of finding a vulnerability or being able to hack a network/system… but I don't want to work behind my computer all day; I also enjoy the interaction with people, reviewing plans and giving recommendations. Thanks!


    • F,
      I would go with the CISSP, as it will help you in security and audit. I had my CISSP before I got my CISA. I was doing audit before I got my CISA, but I learned the hard way. It would have been easier to transition to audit if I had the CISA before I started auditing.

      However, I was working on SOX while I was in security, and was working with auditors and working with controls long before I got into audit. So I had that advantage.

      However, I still think the CISSP would be better, but if you go into audit, you’ll need the CISA also. So why not get both?

      Having worked in security and audit, I almost think that I worked more with people in security than audit. I do the more technical IT audits, so I spend a lot of time on my computer and less with people.

      So I can’t really direct you one way or another. I’d talk to the auditors in your company if you plan to stay there and see what they think; they’ll know better what works in your company culture–and they’ll also know how technical the IT audits in the company are and how much people interaction you could expect.

      The CISSP is more technical and more in depth, so I’d always go technical first. If you liked the CEH, you are probably leaning more technical. You can always go less technical (into audit), but it’s harder to go the other way.

      Best wishes. Mack.


  12. What would you recommend for an IT Support Analyst (5 years level 2-3) who wants to break into IT Security auditing to take first?


    • The CISA, as explained above: “I’ve found that it’s more important to have the CISA as an IT auditor than having the CISSP as a security pro. That’s because most IT auditors have the CISA; it’s pretty much required.”


  13. Frank

    I guess it depends on what you want to do. Having both (and a CPA, CIA, CISM) I can confirm the CISSP test is more technical, and in my opinion more difficult. The CISSP has a lot of situational type questions that require you to think. The CISA seemed to have a lot of procedural, rules and standards questions that are easy to memorize. Many people failed the CISA the first go around when I took it as well, but they were mostly non-technical CPA types. If you can pass the CISSP the second cert I would recommend is the CIA, it is easy and you will learn the audit piece as well as be more valuable to the business side.


    • Frank,
      I have never known anyone personally who failed the CISA, but know several who failed the CISSP. Interesting. I agree with your assessment of the CISA material.

      I think the financial side of the CIA steers non-finance people (like me) away from the CIA. Knowing IT and finance is the best, and I wish I would have finished the CIA.


  14. hello. this is a great blog. kudos to you for posting frequently and helping people who are new to this field. a little background on myself:

    I just recently cleared the CISA exam and I hold the ACCA as well which is more or less like CPA in the states. In a month’s time I intend to give the CSX fundamentals certificate exam offered by ISACA. I have one year of work experience related to finance department–postings of manufacturing related documents on ERP and an overall understanding of how all the documents work within the system. I plan to relocate to UAE within a few months and so I am not working currently and have some spare time. I intend to start off with the infosec field and I’m not much interested in work relating to accountancy and taxation etc. From what I’ve gathered a good entry point for me would be to start off as an associate/junior IT auditor.

    As I am free for a few months and don’t intend on working for a while I was thinking of studying for another certification. My main objective whilst choosing this new certification are twofold:
    1- It would help me get the job among the potential employers
    2- It would provide me with a gradual salary boost in the beginning
    In keeping with the two aforementioned points, I shortlisted the CISM and the CISSP. I'm actually confused between these two and need your help as to which would be most suitable to my scenario. Your advice would be highly valuable. (And thank you for taking the time to read this long a rant :)


    • groundzeroes,
      Glad you’ve enjoyed the blog.
      The main difference is that the CISSP is more of a security analyst certification and the CISM is more of a security manager cert.

      If you want to start off in IT audit, the CISSP would be better as it will help you understand the technology side better.

      I would think the ACCA, CISA, CSX, and CISSP is a great combo. You can work on finance and IT audits, so you can cover almost all audits, which makes you more versatile.

      Good luck. Mack


  15. hi again Mack. I just read the experience requirements regarding the CISSP and it states that you need to get that 5 years full-time paid security work experience WITHIN 6 YEARS from the date you clear the exam. I am a little unsure as starting off with the IT auditing would constitute as CISSP experience? Does IT auditing count towards your CISSP experience requirements?


    • groundzeroes,
      That’s an excellent question, and the answer is yes. The CISSP requirements state that “Candidates must have a minimum of 5 years cumulative paid full-time work experience in two or more of the 8 domains of the (ISC)² CISSP CBK®” (see item #1 at https://www.isc2.org/cissp-how-to-certify.aspx). The CBK link in that last sentence takes you to https://www.isc2.org/cissp-domains/default.aspx.

      In that list, most IT auditors would gain work experience in the ‘Security and Risk Management’ domain from doing compliance audits (SOX, MAR, HIPAA, PCI, etc.) and any IT audit (which would involve confidentiality, integrity, and availability).

      The other sure domains an IT auditor is involved in are ‘Identity and Access Management’ and ‘Security Assessment and Testing’. Any auditing or consulting you do in these areas applies. Personally, I’ve audited in all of these domains as an IT auditor.

      So go for it. And don’t forget a college degree counts as 1 year of experience, and a degree is usually a requirement for such a position. Let me know if you have any more questions.


    • Rev

      Dear Mack,
      Firstly thank you for a wonderful blog. I have finally found some answers to my predicament.
      I am a CFSA and a CISA currently and I want to further pursue the CISSP. I have been an auditor (both IT and internal) for 10 years now but have an accounting background as well.

      I am not very technical (IT) and would like to ask your expert opinion on whether I should do Network+ and Security+ before attempting CISSP? Or would the CISA and related experience be sufficient to attempt CISSP?

      Thanking you in advance for your assistance.


      • Rev,
        The amount of technical content in the CISSP is much higher than in the CISA. I also believe it to be a more difficult exam (that’s more of a comment on the CISA).

        Doing the Network+ and Security+ exams certainly won’t hurt you, but at the same time, they will not prepare you entirely for the CISSP. The CISSP is not just technical; it also has areas like physical security which the other exams probably won’t cover. I would not advise you to do those other certs; spend the time instead studying harder for the CISSP, which I explain next.

        I’d suggest you get the latest CISSP manual from ISC and Shon Harris’ CISSP exam book (All in One) and read/study those, along with the question banks that come included with them. As I have mentioned elsewhere on my blog, the ISC book is dry and boring, but I found it to have information the other books don’t have. If you can only study one book, I’d get the Harris book, but getting both is better, especially with your limited tech background. Harris’ book is engaging, informative, and funny.

        The question banks are to show you which areas you are weak in and where you need to study more. See my other tips under the Certification category re: CISSP and exams. Let me know how it goes.

        Glad you like the blog. Thanks for taking the time to let me know what you think; I also appreciated your question. Hope this helps. Mack


  16. You’re awesome Mack. Thanks a lot! :)


  17. Swathik


    First of all thank you for the well written blog and for your time and commitment in answering the queries of the readers.

    I have 10 years of experience in the field of industrial automation and I have a very good understanding of IT. For the past 3 years, I have been working with a Fortune 100 global oil company as an Information Risk Analyst, performing IT compliance audits based on the company’s established standards and controls. I recently passed my CISA exam and am currently going through the certification process.

    What are the skill sets I need to gain if i were to audit an IT environment independently? Can you suggest some open source IT Auditing tools that collect and analyse data?


    • Swathik,
      Glad you find the blog helpful.

      By independently, you mean in your own business, not working for a company? I’ll assume that.

      You’ve asked a really wide question. First, I think a firm understanding of auditing and IT in general is more critical than tools, because you can have all the tools and the data, but not be able to analyze and interpret it.

      So many tools exist. First, I’d suggest searching my blog for the word “tools” to see a couple of posts I’ve written about them. Also check out my post Easy Windows Scanner.

      The problem is that so many different tools are needed for so many different kinds of data and audit types.

      For querying databases, you need a SQL query tool like Toad or one of the many free Microsoft SQL tools.

      It sounds like you want to do more security-type audits rather than SOX or Model Audit Rule (MAR) audits or operational audits. Even within those categories, the tools vary greatly.

      My suggestion would be to work as an IT auditor in a medium-sized company where you’ll have the chance to do many different types of audits and use many different tools. Then strike out on your own.

      Check out also the risk3sixty blog in my blogroll for how to audit IT.

      Sorry I can’t be more help than that.

      ANYONE ELSE have any suggestions?


  18. Swathik

    Thanks Mack that was helpful. My intent is to perform IT security audits, so would it be necessary to have some Microsoft certifications (Servers/SQL) under the belt?


    • Hi,
      It depends on your clients. Certs always give clients and employers more confidence, but having certs doesn’t mean you know your stuff.

      You’d be better off getting some, but I don’t think it’s necessary unless you don’t have a good foundational understanding of networks, applications, databases, and operating systems.

      Most IT auditors don’t have MCSE or database certs. But they have the audit and security certs, as well as a good understanding of IT.

      If I were you, I’d get them.


  19. TT

    Hi Mack,
    Do you think CISSP cert could reduce chances for finding an entry level IT auditor job?


    • TT,
      No, I don’t. You mean it would make you overqualified?
      I can’t imagine that. You’d be overqualified if you were a seasoned IT auditor, but not because you had your CISSP.

      Why do you ask? Did I miss what you meant?


      • TT

        Let us define an entry level IT auditing job as a job requiring 0 to 1 year of full time IT auditing experience. The salary for this kind of job, I guess, is no more than $55,000, correct me if I am wrong please.

        Being a CISSP requires at least 4 years of full time info security experience. The average salary for a CISSP falls between $73,000 to $119,184. http://resources.infosecinstitute.com/average-cissp-salary-2013/

        The hiring manager would ask a question: why does this person want to take a $20,000 less paid job?


        • TT,
          I think the avg salary cited for a CISSP is probably $10K too high. It depends on what the CISSP is doing—managing user access or doing security analyst work. It really depends.

          Keep in mind that CISSP isn’t required to do IT auditing, and having that cert makes it more likely you’ll get the job, not that you’ll get paid a lot more.

          There’s all kinds of reasons someone with a CISSP would take an IT auditing job vs. security job. It depends on your reasons and how you can convince a hiring manager that you’re the best person for the job and that you’ll stay long enough to make it worth their while to hire you.

          Did a hiring manager ask you that question?

          I’d work into the conversation that because of your CISSP, you understand IT AND security better than other entry-level auditors. Not only would that make you a better auditor, you can help the other auditors on staff better understand security.


        • TT

          Nice points. I can use them for my cover letter or interview.
          Thank you.


  20. TT,
    Let me know how it goes.

    I always encourage people to sell themselves in an interview, as many interviewers are poor. This is the one place where you need not be shy about what you can do.

    And you have to believe in yourself before others will believe in you.

    Have a couple mini-stories to work in that showcase your skills. I faced problem X, did Y about it, and the result was Z. Work them into the conversation as appropriate.

    You can’t wait to get discovered. You have to demonstrate to the manager you’re worth their while and will solve some of the problems they face today. If you have mentoring skills, mention those too, and describe how you mentored others and what the result was. That way, you can not only solve some problems, you can help others solve some too by coaching.

    It’s all in how you present yourself (assuming you have the goods to deliver).

    TT, I’m not directing all this at you specifically; I don’t see anything in our conversation that you’re not doing these things…. I just got on my bandwagon and passionately preached. :)

    Good luck, bud.


  21. TT, for other reasons for security vs audit, see Top 10 Reasons to be an IT Auditor at https://itauditsecurity.wordpress.com/2012/10/02/top-10-it-auditor/


  22. Ann

    I just passed my CISA exam… but thinking of getting CISSP as well… I’m not very technical. My work is more on process and IT compliance… but do you think I can pass the exam?


    • Ann,
      Congrats on passing the CISA!

      Since you said you’re not technical, I’m going to assume you don’t have an IT background other than what you’re learning via working in IT compliance.

      Yes, I think you can pass the exam if you study really hard and have a technical person that can help you with items you don’t understand.

      If you haven’t already, I’d suggest you read all my CISSP-related posts, especially https://itauditsecurity.wordpress.com/2010/03/24/teach-yourself-security/ and take the free CISSP tests. That will give you an idea of how much you know and where you are weak. Even if you do poorly on those exams, studying can fill in the gaps.

      Taking these exams will help you determine whether you are really interested in these subjects, and give you an idea of how hard you’ll need to work.

      While I’ve written a post about how the CISSP isn’t as technical as it used to be, it is still a technical exam. If you struggled with the CISA, you will struggle even more with the CISSP. You really need to be prepared for the CISSP exam.

      I would suggest you commit yourself to 6 months of hard study. Read my How to Pass Certification Exams and even better, find a buddy to take the journey with you. That will help you stay motivated.

      While many people will tell you that 6 months is too much to study for this exam, I’d ask yourself whether you’re trying to just pass the exam or learn the material. Learning the material helps you long after the exam. Many people (in my experience, at least half of the people who took the test with me) failed the exam because they tried to study only enough to pass, not learn the material, and failed on both accounts.

      Having said that, if you put forth the effort required to understand the material, you will pass. I wish you the best. Let me know if you have any other questions.


  23. Mansi


    I have completed my Master’s in Computer Engineering (majors in Networking and Information Security) and I have work experience of nearly 4 years in a networking and security background, plus certifications like CCNA, JNCIA, and JNCIS-Security. I would like to pursue my career in security, but on the managerial side and less on the technical side. I am wanting to apply to the Big 4 (Deloitte, EY, PwC, KPMG) and other security companies. Can you kindly guide me on which certification is the best for me to pursue (CISA, CISSP or any other) in order to move forward in my career on the security side, with job roles offering more managerial work plus technical?


    • Mansi,
      The CISM is the managerial equivalent of the CISSP. It would not hurt you to have both. Since you’ll probably need to work as a security analyst first before becoming a manager, I’d get the CISSP first, and then the CISM. As soon as you get the CISSP, start working on the CISM, as the CISSP knowledge will help with the CISM.

      What do others in the security field think? I’m always open to additional input and anyone who wants to challenge my opinion.

