I am a PMP certified professional working with infrastructure projects for the last 15 years. I would like to make a career shift into security.
Please suggest if CISSP is the right certification?
The CISSP certification requires 5 years of experience in infosec, and is not meant as an entry-level certification. I usually recommend Sec+ and the like from CompTIA.
However, if you have been doing work within at least 2 of the CISSP domains for that period of time, you could get it.
Are you looking to get out of project management, or to move from infrastructure projects to infosec projects? I have seen folks who are infosec project managers, who almost all have both the CISSP & PMP, which is a combo rarely found.
It really depends on several factors: your interest, your career path, and your experiences.
Information security is a growing area, and the trend is still very much on the upswing. Having both certifications certainly would help your career, but you will need experience to be fully qualified as a CISSP.
Having obtained both myself, I find it very beneficial to cross-reference your knowledge from both fields. Exam-wise, CISSP is on par with PMP in terms of difficulty level.
I would recommend that you read up more on information security in general and CISSP specifically, and research your career opportunities.
Best of luck,
The short answer, as noted by the previous posters, is: it depends.
The longer answer is a question back to you: What aspect, or aspects, of cybersecurity are you interested in? Cybersecurity operations? Cybersecurity engineering? Cybersecurity compliance? Cybersecurity policies and procedures? Cybersecurity leadership? Cybersecurity awareness and training?
The PMP certification, which I also hold (so I feel qualified to speak about it), essentially certifies that a person knows “how” to manage projects by following the methodology spelled out by the Project Management Institute (PMI).
This is somewhat similar in concept to the Certified Authorization Professional (CAP) from (ISC)2 which certifies that a person has mastered the Risk Management Framework (RMF) as a step-by-step approach to protecting a given information system.
However, the CISSP is often considered to be “a mile wide and an inch deep” certification that demonstrates a solid understanding of all 8 cybersecurity domains from the standpoint of a leader in the field. It does not necessarily represent mastery of a “how-to” approach. It is more representative of a “why this is the ‘most appropriate’ approach under a given set of circumstances” with some technical knowledge thrown in.
You can sit for the exam at any time, but the certification won’t be granted until you can prove a minimum of 5 years of experience in at least 2 of those domains and a CISSP in good standing endorses you.
You'll see threads elsewhere in the community wherein people are frustrated because they failed the exam after extensive preparation and practice tests. The common theme is often one of book learning versus experience. In my opinion - and this is just my opinion - while there is value in what can be obtained from a book, there is more value in having learned the same information by actually experiencing it.
The exam seeks to determine if a candidate can choose the “best” answer out of several that may be technically correct. While it is possible for some with little cybersecurity experience to absorb just the book knowledge and pass the exam, as I noted above, it is also possible - and I postulate, more desirable - to pass the exam with extensive experience, having acquired the knowledge that way.
The reasoning lies in what the CISSP is meant to represent; it is a cybersecurity leadership certification; many of the students in my test preparation classes are C-suite executives and high-ranking military officers. If you feel that you are ready to step into, or are already in, a role like that, attaining the CISSP may be a good choice at this point in your career. If not, I recommend seeking a more “hands-on” position to gain experience and sit for the exam when you feel you're ready to lead a cybersecurity organization.
With that in mind, and your answer to the question I posed earlier about which facet, or facets, of cybersecurity you are drawn to, review ALL of the certifications offered by (ISC)2 and roadmap accordingly.