By Katy Morgan

How to Become a Certified Information Systems Security Professional (CISSP)


Corporate America and the U.S. government have been sounding the alarm for years: there is a serious shortage of skilled security professionals in this country. Although the numbers vary by source, it is safe to say the U.S. lacks upwards of 350,000 security professionals, and the global shortfall is expected to reach 3.5 million by 2021.


On any given day, around 10,000 postings on U.S. job sites ask for a CISSP. That demand for skilled infosec workers, and for CISSPs in particular, is good news for aspiring candidates.


A CISSP is a seasoned consultant or employee, usually with a title such as Security Analyst, Security Manager or Chief Information Security Officer, to name just a few. This person has been on the job for five or more years and has a thorough understanding of the IT threat landscape, including emerging and advanced persistent threats, as well as the controls and technology that minimize attack surfaces. A CISSP also writes the policies that frame an organization's controls and can perform or oversee risk management and software development security.

Here's what you will need to become a CISSP through (ISC)2:


Obtain Five Years of Security Work Experience

You must be able to show proof of five years of cumulative, paid, full-time work experience in at least two of the eight CISSP CBK domains: Security and Risk Management, Asset Security, Security Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. A one-year waiver against the five years is available for a four-year college degree or for a credential on the (ISC)2 approved list, so a degree plus four years of qualifying experience also meets the requirement. On-the-job experience is crucial for both the exam and the certification process.

Prepare For and Pass the CISSP Exam

Pass the CISSP exam with a minimum score of 700 out of 1,000. The linear form of the exam is 6 hours long and mixes multiple-choice questions with advanced innovative (drag-and-drop and hotspot) items; the English-language exam is now delivered as a computerized adaptive test of up to 3 hours. The exam costs USD599. The (ISC)2 CISSP webpage offers a download of the exam outline as well as a link to a Study App. You can also get the official textbook and test your knowledge with CISSP Flash Cards. If you need more than self-study materials, (ISC)2 and many third parties offer CISSP classroom and online training. Training costs vary widely; the online self-paced course costs USD2,750 through (ISC)2, and classroom training costs appreciably more. Before scheduling your exam with Pearson VUE, go over the background qualifications, since a criminal history or a past certification revocation may exclude you from sitting for the exam.

Get Endorsed to Become a CISSP

Passing the exam does not automatically make you a CISSP. Once you pass, you must subscribe to the (ISC)2 Code of Ethics and submit an endorsement form, signed by another (ISC)2 certified professional in good standing who can attest to your professional work experience. If you do not know anyone who holds an (ISC)2 credential, (ISC)2 itself can act as your endorser. The completed form must be submitted within 9 months of passing the exam to become fully certified.

After you become fully certified, you maintain the credential over a three-year cycle rather than by retaking the exam. CISSPs pay a USD85 annual maintenance fee and must earn and submit 120 continuing professional education (CPE) credits per cycle, with a suggested minimum of 40 CPEs each year.


Other Certifications That Can Help You Reach the CISSP

If you are confident that the CISSP path is right for you but have no related work experience, look into becoming an Associate of (ISC)2: you pass the CISSP exam now and then have six years to accumulate the five years of qualifying experience. The program is ideal for students and career changers and lets you take advantage of the educational opportunities, forums and peer networking offered through (ISC)2. Another approach is to earn the entry-level A+, Network+ and Security+ certifications from CompTIA. With that foundation, you can apply for a security-related position and gain some much-needed hands-on experience.


If you have been working in IT security for a year or two, consider pursuing the (ISC)2 Systems Security Certified Practitioner (SSCP) credential, which requires only one year of experience. Although it is not an official prerequisite, the SSCP is widely regarded as a precursor to the CISSP and covers many of the same topic domains. Holding the SSCP can also help you land the kind of security position needed to fulfill the CISSP work experience requirement.
