I am currently a Marine holding the job of an Information Security Technician. I have only been doing this job for a little under a year, but I know this is a Career Field I would love to continue once I retire in 9 more years. The CISSP is something I keep hearing about, but I'm clueless.
I would love a mentor in this field. I would love a brain to pick.
How much does this cert cost?
best study materials?
do I need the five year experiance to test?
what other certs do you recommend in order to secure an high paying job?
First let me say a big thank you for your service. I am happy to answer your questions and help mentor you as I'm currently CISSP certified. Send me an e-mail at: email@example.com
You might consider first obtaining your SSCP, It is a precursor to CISSP the requires only 1-year experience and is more "technician". After achieving SSCP, you could then use your study time for CISSP to partially fulfill the continuing education requirements for the SSCP.
The CISSP has a 5 year experience requirement and is more "Management" (people, not systems). Although you could sit for the CISSP exam today, you could not apply for the certificate for another 4 years. During that time, you would instead need to go by the title "Associate of (ISC)²", which has very little resume value.
I also thank you for your service. I was a squid in the 70's, but despite our differences, I'm still willing to help a jar-head today 🙂
Since you're on active duty, you have free training resources available to you. In addition to what’s available through the official training resources of the U.S. Navy and Marine Corps, the Veterans Administration and the Department of Homeland Security joined forces a few years ago to develop an online training portal under a program called "Hire Our Heroes." The original idea was to encourage vets to pursue a career in cybersecurity, but the intended audience has grown since then.
Vets can still signup using their personal email address, whereupon they're granted an account upon verification of their service. However, for you it's important to note that it's now open to any US government employee or contractor with a government email account, so your dot mil should get you in. (As a contractor, I use my dot gov email, but as a Vet, I originally signed up with my personal email. A government email account gives you access to a few more classes that, while still unclassified, are a bit more sensitive in subject matter.)
There are dozens of on-demand training courses. The videos are recorded classroom sessions wherein an instructor, such as @Ben_Malisow from (ISC)2, taught the CISSP Boot Camp. The videos captured the instructor's talk, the slides as they were presenting, and the Q&A with the students. You needn't take notes because every spoken word is captured and transcribed into an accompanying PDF file.
Personally, I've completed about two dozen courses over the last few years. Upon completion of many of the courses you can take a test. Passing the test results in a certificate from the U.S. Department of Homeland Security, which will be in your official transcript and you can download any time. I don't know what the official USMC annual training requirements are anymore, but some of these classes may satisfy them; you'll need to check with your command.
Besides the fact that it's free, the on-demand format enables you to learn on your schedule. I typically set aside an hour or so, a couple of evenings a week after chow and household chores. I sit in my living room, open my laptop, login, and learn something. (It keeps me current, and by limiting it to an hour or so, keeps my wife from complaining about being a “training widow”)
Under constant refresh, older versions of material are replaced with newer ones, although sometimes the class you're watching may have been recorded a few years ago. Watching Ben's CISSP training a few years ago gave me the confidence to sit for the exam, which I passed easily in half the allotted 6 hours (it's shorter now), so I can personally attest to the value.
Please note that passing the on-line test for a course like the CISSP will get you a certificate from DHS, but that is not the same as taking a PearsonVue test from (ISC)2. The latter exam is the "official" one, as far as (ISC)2 is concerned, and much more comprehensive. The FedVTE DHS test is more of a knowledge check.
As for your requests and questions, other members have given you valuable answers, to which I'll add my two-cents…
"I would love a mentor in this field. I would love a brain to pick."
Others have offered this; my advice is to follow up with them. You're also welcome to communicate with me, although whether I have a brain is a subject of much humorous debate with the folks who work for me. Since you were willing to take the risks inherent in your current profession, you probably won’t shy away from the risk of talking to me. Send me a direct message and I'll give you my personal email address and phone number. I've spent many years as a consultant with many U.S. Government clients, including the USMC, so I speak Marine. I'm currently the Cybersecurity Program Manager (contractor) for a civilian agency at their DC HQ, so I work some exceptionally long days, often seven days a week. Accordingly, I may not respond immediately, but I will respond.
"How much does this cert cost?"
The "cost” of the certification isn't a straightforward answer. Many people take a 40 to 45 hour "boot camp" - trust me, that term means nothing like what it does to you and me, you won't spend weeks being screamed at, enduring loss of sleep, doing push-ups, running an O-course, or marching in bad weather. These are called boot camps because they are short, intensive training sessions to prepare people for the certification exams. They're not exclusive to the CISSP; many companies offer them for a variety of certs.
The cost varies considerably. Here in the Washington, DC area, they typically sell for $3,000 to $5,000 or so, for live instructor-led classroom training (the dead instructors are less, but not responsive to questions). Typically, classes are either taught in a Monday through Friday 8-9 hour per day format, or 5 Saturdays. Depending upon the company, this may include a voucher for the exam. Right now, the exam costs $700.
You’re not required to attend a boot camp in person. Many organizations, including (ISC)2, offer video training too, which can save a few thousand dollars. Nor is there a requirement to take one of these at all, I work with a fellow who passed the exam the first time after just reading a book, but he’s the exception. It’s important to understand that the boot camps don’t teach you cybersecurity, they teach you how to pass the exam, which is a remarkably different thing.
If you’re not comfortable with the underlying principles of cybersecurity or with certain technical aspects, such as hashing and encryption, or legal aspects such as due diligence and due care, you’ll probably have a hard time with the exam, and may fail it. Failing is expensive, because you need to pay the $700 each time you take the test.
So, if you want to take a boot camp, first check with your command. They may have arrangements with training providers for low (or no) cost classes. You may also be able to get the USMC to pickup the cost of the exam; again, check with your command. The DoD classifies the CISSP as meeting the requirements for Information Assurance Manager (IAM) Level III, the highest level of certification required to work on DoD projects and programs, under DoD requirement 8570.1. Check this Navy webpage: US Navy DoD 8570 Info.
An additional on-going fee is known as the Annual Maintenance Fee (AMF). My wife handles the finances, both business and household, so I don’t track these expenses myself, but I believe they’re $85 a year nowadays.
“Best study materials?”
Beyond those costs, many people invest in books and practice tests, and determining what is “best” is very subjective. There is a great deal of debate on these forums and elsewhere, as to the quality, accuracy, and relevance of said training material.
To anyone else reading this post, I don’t want to open a Pandora’s Box of evils by suggesting something here which they may disagree with, thus bringing that debate to your post. My information is my opinion, and I’m not claiming it as an authoritative recommendation.
With that said, I personally recommend officially sanctioned training material from (ISC)2 – it’s their program, so they know exactly what’s important. They publish, among other things, a Common Body of Knowledge (CBK), flashcards, and other material through their on-line store. Personally, I got the most value from reading the “CISSP for Dummies,” which although from a 3rd party, is also available on the (ISC)2 website. The one book I recommend that is not on their website is the “11th Hour CISSP.” Finally, although I didn’t use the “Official (ISC)2 Guide to the CISSP CBK” to prepare for the test, I keep a copy of it around as a reference book.
I found these two books were more than adequate for exam preparation, but neither one is a comprehensive tome on cybersecurity. Personally, I didn’t need to learn the material, I wanted to know what the test was going to throw at me, because I heard from other very experienced professionals who failed the test and were surprised by it.
As for practice tests, I purchased several and found fault with most. I read posts elsewhere that detail the experiences of others, so I recommend you look for them and read them. My issue with many was that they didn’t reflect a few (ISC)2 basics. For example, on the test you won’t see a question or answer about a “VM;” an (ISC)2 test will always spell it out as a virtual machine, the same is true for a database, you won’t see “DB” on the exam.
(ISC)2 is also international in scope, so you won’t see a question or answer about DoD 8570.1, since that is specific to the U.S. Department of Defense, something a citizen of another country may not know, nor need to know. Albeit, you may see a reference to the U.S. National Institute of Standards and Technologies (NIST) even though it is a U.S. Government organization. That’s because the adoption of the free NIST Special Publications and other materials (“best practices” according to many) is international in scope.
(ISC)2 is also vendor-neutral. You won’t see a question about VMware’s ESXi, or Microsoft’s Hyper-V, but you may see questions about hypervisor security. Unfortunately, the practice tests that I tried almost always had a U.S.- centric bias, and/or included questions about vendor-specific products. My feeling is to stick with (ISC)2 approved material, so I’d go with the “CISSP Official (ISC)2 Practice Tests,” and the official (ISC)2 flash cards, as a good way to test your knowledge.
Admittedly, my circumstances going in to the exam may have colored my recommendations; I have several decades of hands-on experience in every topic in the CISSP’s Security Domains and didn’t need to learn anything new to pass the exam.
Thus, I found that the test questions were like the types of questions my clients ask me all the time. The CISSP exam is “a mile wide, and an inch deep.” In other words, it doesn’t go too far into the weeds on any one domain, but it does expect some knowledge of all of them.
“Do I need the five years of experience to test?”
No. You can sit for the exam whenever you’d like. To quote the (ISC)2 website: “A candidate who doesn’t have the required experience to become a CISSP may become an Associate of (ISC)² by successfully passing the CISSP examination. The Associate of (ISC)² will then have six years to earn the five years required experience.”
However, while those are the minimum requirements, let’s consider your next question.
“What other certs do you recommend in order to secure a high paying job?”
My advice to anyone considering pursuit of this—or any other—certification is to stop for a moment and think.
These are some of the many areas of cybersecurity, and your answers will guide you toward the most applicable training and certifications to pursue.
@denbesten invited you to look at the Systems Security Certified Practitioner (SSCP), and I agree with him. According to (ISC)2 this pertains to the realm of “Security administration.” In comparison the CISSP is a “leadership and operations” certification. I’ve seen Generals, Admirals and civilian CEOs and COOs take the boot camp to get the CISSP, alongside technicians, engineers, system admins, and some weird people who wander in from the street, lured by the smell of coffee and croissants while looking for a public restroom. All may benefit from having such a highly regarded certification, but it may not be the best application of a person’s time and money.
I don’t want to discourage you from pursuing the CISSP, but if you do, kindly consider a piece of advice I share with the folks working for me. “Wear the CEO hat” when studying or taking the exam. Ben Malisow exhorts his students not to “buy a $10 lock for a $5 bike.” A security guy might want the $10 lock because it is the most secure, but the business guy, the CEO, may not consider it a sound investment to protect the bike, which is a $5 asset. Many of the exam questions will ask, “What is the best…?” or “what is the most …?” correct answer, meaning that more than one answer may be technically correct, but it may not be the best choice for the situation described.
The CISSP is the sexy one, the one that folks talk about. The other certs don’t carry quite the cachet but may be more appropriate for the job you’re doing or want to do. It also doesn’t hurt to have other certs to backup or round out the CISSP. Do you prefer working with risk management, such as the Risk Management Framework (RMF), as part of a good cybersecurity compliance program? If so, attaining the credential of a Certified Authorization Professional (CAP) might be a better choice.
Would you like to focus on cloud security? Consider becoming a Certified Cloud Security Professional (CCSP). I passed the exam for this in October 2018 and have been undergoing the endorsement process for the last 10 weeks, I should be getting the confirmation email any day now.
I don’t know what your definition of a “high paying” job is. Many people in the DC area define six-figure salaries as middle class, but it’s all relative. This is an awfully expensive area. The median household income where I live (in a suburb of DC) is $130K and some change. That’s a good income but it’s the median, so it sits right in the middle of the bell curve, neither high nor low. I encourage people to come into this profession for the reason you stated, “…I know this is a Career Field I would love to continue once I retire…” While there can be substantial financial remuneration, if money is your primary motive, there are other professions that pay better.
Regardless, I hope you’ll find a useful nugget or two in here, please feel free to write to me directly with further questions.
Wow. If there is an award for Best Post On This Community, this one should win it, hands down (and not just because it mentions me favorably). This is well thought-out, informative, and comprehensive....Lloyd, you've outdone yourself here, sir. Anyone looking for info about certs, studying, and materials would be well-advised to read and heed.
Happy new year, all. Yes, even those of you from inferior military branches like the Navy and Marines.
Thank you very much, @Ben_Malisow. I appreciate the compliments and am humbled by them, even if they do come from an Air Force slacker 🙂
I just sent you a private message.
@CyberLeadThis response should be used as a template for others and I personally thank you for putting a great deal of effort into making the time to put together a very well considered response. You should be congratulated for this response. It certainly should prove very useful to the requester and many others.
Remember also that there is a global cyber security practitioner shortage, which will only increase over the next few years. My organisation also takes on Veterans in the USA, and we find often due to the calibre of the training and discipline associated with their service - that often they are the ones who can take charge calmly in a tense situation, whereas many others will run around like headless chickens. Many of those veterans have becomes leaders in their fields, so don't think that when age comes around, that you have to stop - step into the Private World, your skills will be put to good use for a long time yet.