ISC2 Former Staff

As a cybersecurity pro, would you hire…

Associates of (ISC)² are people currently pursuing an (ISC)² certification. They have passed their certification exam (CISSP, SSCP or another) but are still gathering their required work experience to complete their certification. It’s like an apprentice program. Would you consider hiring an Associate of (ISC)² to work on your team? Why or why not? 

13 Replies
Viewer II

Applied knowledge / experience is more critical than a specific degree or certification. A combination of all these items would provide a more compelling candidate for hiring.

If a CISSP certification is required for a position then the prerequisites for the job and the cert would need to match. So if someone doesn’t satisfy the requirements of one, he/she wouldn’t meet those of the other. You have to consider internal equity issues as well.

Short answer: if the job candidate needs to be a CISSP then they are expected to have met all its standards — if not then they aren’t qualified for the position. Revise and repost the job if the cert isn’t mandatory to expand your applicant pool and maintain hiring integrity.

In my opinion CISSP for InfoSec is like a matriculation exam - obligatory at a certain point of life/career but definitely not sufficient. More significant is hands-on technical knowledge in a few Security Domains, backed up with soft skills (e.g. C-level communication). So - I would reply - it depends what the other requirements are besides having a C(whatever) certificate. If other knowledge fits a candidate profile and "CISSP is a must" then I would hire an Associate as well. Having only CISSP is meaningless from my perspective.

Newcomer I

Yes I would. But, and it’s a big but, the certifications can be what gets you to an interview stage, not an actual hire.

Certifications (and similarly, education) say to me that they have either had good experience or are good test takers. There will be plenty of people who know more who can’t take a test and pass. I’m hiring for practical knowledge, not passing a test.

When I get resumes in, I look for:
Years of experience
Construction of the resume

That they took the time to get and pass the CISSP is a great thing, but if they can’t practically apply that knowledge and think that the cert will magically open a six-figure salary, they will be disappointed. I’ve had those applicants very recently.

For those who have their associates or the full CISSP, it’s a great thing, but there are plenty of “soft skills” that are needed.

To the ISC2 people here, it would be fantastic if you would offer a mentoring program, even online, for associates to be paired with CISSPs that are already further along in their field to help them get a leg up and understand the nuances of being mid-late career.
Newcomer II

I think peer mentoring is a wonderful idea! This also would help to bridge the inherent Catch-22 gap that the root post on this thread alludes to. On one hand, there is a big and growing gap between the demand and available quality talent in the infosec field (great news for the professionals already in the field). On the other hand, while numerous university programs exist to provide a solid foundation knowledge, certain skills can only be acquired in practice.


The younger professionals entering the information security workforce often have to confront the disconnect between what the "nice to have" job descriptions demand of them (e.g. 1-3 years PLUS CISSP certification) and what they can actually demonstrate based on where they are in their professional development. This is, I think, one of the key reasons for some of the young pros to pursue certifications, before they get to know the business. After all, rigorous study is something that they are very good at--coming out of school. Having one or more peer mentors and a career champion is key. One or more of the former will help the younger professionals to learn what they need to know. The latter will help to "get in the door" with whatever credentials and skills that the younger professionals can practically acquire.

Newcomer II

As many have mentioned, it depends on the position. Obviously, if somebody does not have the experience for a full CISSP, then you wouldn’t consider an Associate for a position where you want experience (senior positions, managers, SMEs, etc.). However, an Associate would be a great distinguisher for an entry level position, like a junior analyst, where I wouldn’t expect experience. I would tend to prefer somebody who is an Associate vs. somebody with only an IT background (given similar education and experience). If you are in IT and looking to transition, an Associate shows that you know cybersecurity and not just IT, then you can leverage your experience in IT and show how it relates to a new job in cybersecurity.
Viewer II

I'll take a person's experience in lieu of certification. 

Contributor II

I wouldn't not hire someone with it -- that's not really the same thing, though.


If the requirement is for a CISSP, then what it really is is a requirement for someone with 5+ years of experience plus some paper. Having 2-3 years of experience plus some paper isn't the same thing. However, it shows that a junior person is looking ahead in terms of career progression and reflects a good attitude towards learning. Those things are desirable.

-- wdf//CISSP, CSSLP
Newcomer II

It depends - how old is the person? My organization only hires recent college graduates up to three years experience for entry level positions. If you've been in IT for five to seven years, we are going to want to see some certifications obtained. If you're "in progress" for the CISSP, you probably won't be in information security, but another IT group - working for a large international financial organization ("we are everywhere you want to be" says Morgan Freeman our spokesperson); we have no trouble attracting super qualified people with advanced degrees and gold-standard certifications for about any job we post.

Viewer II

It will depend on the job requirement, and if you are a company providing security services some customers might want someone with CISSP cert, then we hire accordingly.


However, if there is no need for such requirement, hire as per your job requirements.