Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Newcomer II

CISSP Associates, how did you gain your relevant work experience in the 6 years?

As per topic, I am aware that in my region (Singapore) is offering CISSP training and even subsidize 70% of exam fees for its citizens and Permanent Resident while the entire exam fee is entirely subsidized for students and NSF (National Service Full-time, a.k.a Mandatory Conscription).


1up to 70% CITREP+funding for Professionals (Singaporeans and Singapore PRs) and 100% CITREP+ funding for Students / NSF (Singaporeans) is available for the net payable exam fee


The question is assuming someone managed to become an associate by passing CISSP, how is he / she going to find the relevant work experience? What types of the job are the best for fresh Computer Science degree holders to step into for gaining relevant work experience needed by CISSP?

15 Replies
Community Champion

Earned it before I took the test.  Also made it much easier to pass because the test is very much experience based.

Newcomer II

First off congratulations on your achievement. Passing the CISSP exam is a big deal, and you should be very proud.


You have a few options, assuming you don't want to go into software engineering (that could be another thread). One option is to look for network administration or system administration jobs. You may need to supplement you CISSP Associates with a combination of CCNA, LPIC, or MCSE. All of these positions will have a security component as part of the job. You may install or maintain a firewall, perform identity and access management, maintain an asset database, or review security logs.


A second option would be to peruse an OSCP certification (penetration test). This is a very well respected (and extremely difficult) certification in pen test circles (CEH is required for some government positions and will get you through some HR filters; it is not as respected by the community as the OSCP). Achieving this cert will get your foot in the door as a penetration tester.


A third option (if you have no experience) would be to peruse a help desk position. This position also carries to most risk. You may actions/tasks associated with identity and access management. You could also pigeonhole yourself with a skillset that is only valuable to a single company and not an industry. So try to avoid positions where you only support a single client facing product for a single company unless they have a history of other employees transferring to a junior admin (sysadmin or network) position after a two or three years.


You will may receive a lot of feedback about how experience is king, and people may attempt to diminish what you have accomplished. If any specific advise does not apply to your situation just skip over it. Right now at this point in your career, you just have to find a position that will get your foot in the door. If possible and you have the time and resources available, research option two. You will take several months to prepart, but you have the ability to start as a pen tester. Plus you don't loose a few years in a transitional job.


Good luck and congrats again.

Community Champion

Firstly, kudos to the Singaporean government for trying to assist with the shortage of Security folks. 


Touching base with the local  (ISC)2 Chapter ( ) or and start attending their meetings.  This would be a good place to start networking.  There is also an ISACA chapter that you could reach out to.


Contacting the chapter does not give a person experience per se but could put folks in touch with folks who MAY have entry level positions or know of some. No guarantees on this one.


Also, keep in mind if the person has an advanced degree (bachelor, etc.), they already have one of the years experience that they need.


As stated in the chain, working on a Help Desk is a good way to get experience, but also volunteering for  organizations is also a good way.  Network admin  or system admin are also a good ways to get security experience.   I have seen Help Desk admins doing authentication and authorization jobs in larger organizations.


Unfortunately, this is an age old problem.....I have the credentials but I don't have the experience.  It was true when I was starting out as an accountant fresh out of university and it is true today.  This is why I believe the networking portion is key.  Hopefully the candidate will find both a mentor and a sponsor to help them develop their careers.






Contributor I

As stated from the website, if you already have the appropriate degree, it can substitute for 1 year experience then you just need 4 more years experience.


Full time, part time, even internship experience count as well. So if you have relevant internship experience during junior year in college it'd count towards total experience as well.


While helpdesk positions are often a good starting point for someone to get the foot in the door, I'd like to advise you to think about your career path. Does the company/position offer room for growth? Some company/position has distinct separation where helpdesk position only serve as call center to handle phone call and perform level 1 troubleshooting.

Newcomer II

Thanks for the well wishes and the valuable information.

Well, I started this thread because I know people have been saying that the best is to get the relevant experience before the test but there are schemes like the above in my area that probably could qualify a 70% subsidy of exam fees (I am no longer a student, and serving the conscription in Singapore is a must as a male before starting university studies).

Therefore, I would like to hear advice on how did these people managed to gain their experience while not able to state that they are CISSP.

I am just SSCP for now, and I apologize if the wording did created an assumption that I have did the CISSP test (I am planning right now, and evaluating options)
Influencer II

> slee047 (Newcomer I) posted a new topic in Career on 09-24-2018 10:39 AM in the

>    The question is
> assuming someone managed to become an associate by passing CISSP, how is he /
> she going to find the relevant work experience? What types of the job are the
> best for fresh Computer Science degree holders to step into for gaining relevant
> work experience needed by CISSP?

You should be able, particularly with the Associate designation, to find admin level jobs in relevant fields.  For example, network, firewall, or access control admin type jobs.  (You will need to switch in order to get experience in the requisite number of domains.)

Another possibility is volunteer work.  This will take longer (although it can be done in concert with regular work), and you will need to document it with letters of reference, but it will gain you wider experience.  (Do a search on "volunteer" to get other discussions for particulars.)


Other posts:

This message may or may not be governed by the terms of or
Community Champion

Sweet deal -- kudos to the Gov of Singapore, and kudos to you as well. Security experience comes in many shapes, sizes and varieties. Associate of (ISC)2 is a rare and valuable credential; and it shows you are dedicated to excel in the profession. 


I didn't write the exam until I considered that I had enough experience. Even then, my experience is more on the risk analysis, business continuity, recovery management facets. If you don't have plans to recover, plan not to recover. 😉 So I second guessed myself. All the while I was gaining more experience in change management, architecture, cryptology, IAM, etc.


The CIA triad is our concern - sometimes we focus more on integrity or confidentiality; sometimes more on availability and integrity. It's a bit of a Rubik's cube of sorts. Experience is where you can get experience -- and value it!


Anyone can be a great practitioner of security (social scientists, economists, linguists, pure and applied scientists.) It's not merely engineers and techies who are the only ones to offer insight.


In fact, it's often those with insight into the why rather than the how of the attack who can see the best ways to obviate it.


Keep learning, keep practicing, keep doing, keep exploring -- soon you will have the requisite experience. And always you will have colleagues and mentors out there who are thrilled to help you achieve your goals in the industry.


Best regards.

Newcomer II

Thanks for everyone’s input. So usually CISSP assoicates would use the 6 years to do either or the combination of:

1) Get additional network or system related certificates including but not limited to MCSE, LPIC, CCNP etc. in order to increase the likelihood for getting a job in junior level network administrator

2) Be a pentester with relevant certs especially OSCP, and CEH for HR purpose.

3) Volunteer to work in this area if possible

4) Join a local ISC2 Chapter if possible (Singapore has one) for networking, which increases the likelihood to find a suitable mentor / organisation for this purpose.
Community Champion

I don't know if this is applicable in your region (or even if it's applicable or relevant at all!) However, CISSP is  not an entry-level cert given that one needs at least a few years of experience (often in IT, but not necessarily.) 


How I learned a great deal about business and security is through taking on a number of jobs related to or nearly related to what I was seeking to accomplish. All my professional life I was the one asked to write about it, document it,  describe it. Documentation is a great job because 1) no one wants to do it; 2) you become the most knowledgeable one in the room.


What I might suggest is that you continue a career track and be the "security guy" by applying the tools and techniques you have learned to assure the business processes and tasks you are doing meet best security practices.


In this way, you gain real-world experience and leadership skills to apply to your next jobs on the career path.