This post answers these questions: Why get the CISSP certification? What has it done for me? What else do I need to know?
Charles, one of my readers, asked me, “Do you have postings related to CISSP?” Not many, but here’s one….
CISSP = Cost-Effective Cert
The CISSP is a one-fee-pays-all cert; very nice. I was shocked to see how the CISA charges you one fee for overall membership, one for local chapter membership (required), and another for the certification (that’s the real trifecta that pays off for ISACA). Sad.
The CISSP comes with no local chapter, but who cares? How many of you go to chapter meetings anyway? I rarely go to ISACA or IIA chapter meetings.
The CISSP requires 120 CPEs total over 3 years, with a minimum of 20 CPEs per year, which is fairly standard among certs. And at $85 per year, that’s not a bad yearly fee. Compare that fee to other certs which don’t carry the same weight.
Personally, I have not found any direct correlation between my CISSP certification and increases in salary. All the increases were due to my accomplishments, not the certification. The certification helped me achieve in some areas, and certainly gave my managers more confidence in me, so indirectly, I’m sure it helped.
Certs are most helpful when you’re new to a field or specific area, or looking for work. But even when you have years of experience, they can help round you out, and push you to learn new areas.
Best Certs for an IT Auditor
If you want to be a great IT auditor, I’d suggest you get the CISA and the CISSP. See my reasons under the same topic heading in CISA vs. CIA Certification.
If you don’t have either certification and want to get both, get the CISA first, as it is an audit certification. The CISSP is a security certification. The CISSP advice in this post assumes you have the CISA already if you’re an auditor. If you’re not interested in audit, then ignore the CISA info.
Getting a security certification is even more valuable when you don’t work on the security team, like an auditor or IT specialist. Such a cert will give you a sharp edge on others in your immediate field (especially if you already have a cert in your field in addition to the security cert). One Fortune 500 manager told me my CISSP cert was the deciding factor in hiring me. At another large company, I was the only CISSP on the audit team, which had more than 20 auditors.
I have no doubts that my CISSP has paid off. And I expect it to continue to pay off.
CISA vs. CISSP
I’ve found that it’s more important to have the CISA as an IT auditor than to have the CISSP as a security pro. That’s because most IT auditors have the CISA; it’s pretty much required.
I like the CISSP because it gets your feet wet and dirty. However, be warned that the CISSP is not like the CISA; it’s M U C H more IT and security focused and much more technical than the CISA (the CISA is NOT technical). Be prepared. When I took the test, at least 50% of those who took it with me failed it. It’s doable, but you can’t party and study at the same time like some jokers do.
NOTE: I believe the CISSP has changed since I passed it; see CISSP isn’t as technical anymore. But it is still way more technical than the CISA.
The CISSP will help you if you stay anywhere near IT.
The CISA applies most to auditing, but I’ve never seen anyone in security have only the CISA; a security pro with the CISA is usually a former auditor AND has at least one security cert.
On the other hand, I was an auditor for several years with only the CISSP, and it was respected. IT folks understand and respect the CISSP more than the CISA.
CISSP Losing Ground?
SC Magazine’s CISSP! Who Cares? article says that security certifications are not as valuable as they used to be because they are rather commonplace. Too many people going for the same job have the same qualifications. However, that is not my experience, and I disagree with some of the article’s statements.
I earned my CISSP more than 5 years ago. Let’s take a look at a couple companies I’ve worked for and count the CISSPs… see Security Certs for Commoners? Nope.
Studying for the CISSP? Check out the Least Privileged blog for this person’s experience with the exam (he failed the first time) and lots of CISSP resources. Also check out my posts, How to Pass Certification Exams and Teach Yourself Security (see the link to free CISSP training).
My biggest CISSP study tip: know crypto inside and out, and don’t skimp on physical security. I know more people who failed that exam because they thought they could get by with little understanding of those topics.
Here’s another great resource, The Thrifty CISSP.
When I took the CISSP exam, I knew I passed. I wasn’t sure about the CISA. I guess that means I know more than I realize.
In my case, my certs are a marketing trap; they sure have helped me trap some good jobs. I know I’m fortunate and this doesn’t happen to everyone.
Finally, I don’t claim that certs are for everyone. I know plenty of folks who do okay without certs. More power and dinero to them.
The best 2 technical people I ever hired had no certs. But later on, they got certs because it helped their cause and gained them more respect. Sad, but true. So go get your certs and be done with it.
If you have a question about my experience with the CISSP, let me know, or leave a comment about your experience. Or just disagree with me because you’re in a bad mood.