chyobo
Newcomer I

Passed CISSP exam on 2018-07-10. Which concentration (ISSAP, ISSEP or ISSMP) should I work on next?

Hi people.

 

I (provisionally) passed CISSP exam today on 2018-07-10 on my first attempt. I read 4 textbooks and did lots of extra reading on cybersecurity-related articles. 

 

Does anyone know which one among ISSAP, ISSEP and ISSMP is most sought after in the industry at the moment please? Thank you.

 

For those preparing for the test, best wishes!

4 Replies
HTCPCP-TEA
Contributor I

Hi,

 

I'm not sure which is most "Sought-after", but I would suggest two things:

 

1. As they are specialist concentrations, I would go for the one you specialise in most... hope that makes sense.

2. If you "specialise" in all 3, what's stopping you achieving all 3? I'm not even sure if that is possible; if it's not, refer back to 1.

 

I think it's important to back yourself. If you specialise in a field, be proud of that and market yourself on what you are. If you then aspire to do more or something different, that's great. What is sought-after today will not be what is sought-after in the future.

 

CraginS
Defender I

Are you considering the CISSP concentrations for any of the following reasons?

 

  1. You want a structured curriculum to aid your learning in a particular focus area of information security.
  2. You want to collect professional certifications like merit badges in scouts, so you can have a long list on your resume and in your e-mail sig file.
  3. You want key recognized certification on your resume to help get past first screening in HR shops to reach the actual hiring managers.

Each of those is a legitimate reason to seek professional certifications, and no one should denigrate you for having any of them in mind. For most folks, the reasons are a mix of those three and a few others.

 

That said, allow me to comment on each.

 

  1. When you want to learn a new topic, there is great benefit in using a formal curriculum from experts in that field to guide you in what to learn. There will always be sub-topics that are "what you don't know you don't know" that those experts in the field should guide you to add to your skill set. Remember, also, that true professional standing in any field must be based not only on book & test knowledge, but also experience and action. Just passing the ISSEP exam without ISSE experience will not make you a valuable ISSE.
  2. Externally awarded certificates and certifications are a good way to keep track of learning goals, with confirmation from outside your own self-judgement. However, be judicious about when and where you advertise any or all of your list. In Academia, the full list definitely belongs on your curriculum vitae (c.v.). Keep the full list on your generic file resume, but never submit that resume for a specific job; cull the list so the list is only the ones directly relevant to the specific job you are seeking. When some of us see a sig file or profile with more than three or four certifications, we wonder how that person has time to actually get real work done, while juggling the exams and continuing education for so many sets of alpha characters to keep up. (Alternately, in a few cases we may wonder if the list is the truth.)
  3. Before diving into any certification for job-search purposes, mine the job ads for which ones appear in hiring announcements. We see CISSP in HR announcements often. While they may exist, I have never seen a job announcement asking for a CISSP-ISSAP or CISSP-ISSMP. If your goal is to get past initial screening in HR, go for the credentials that HR is saying they look for.

Budget your time and attention for the most bang for the buck in your career. If you want to focus on pen testing or forensics or policy writing, seek learning objectives to sharpen that focus; don't try to cover the waterfront. For hands-on skill and knowledge development, I suggest you look at SANS and their competitors for quality training, rather than throwing more time and money at (ISC)2 just because you are a member here.  Check the job ads; maybe a CEH will help you more than another (ISC)2 credential.

 

Good luck and keep learning!

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
sarita_basnet
Newcomer II

Congratulations...!!!

 

CISSP-ISSAP Information Systems Security Architecture Professional: CISSPs who specialize in developing, designing, implementing and analyzing security solutions/programs and providing management with risk-based guidance to meet organizational goals.

 

CISSP-ISSEP Information Systems Security Engineering Professional: CISSPs who specialize in the practical application of systems engineering principles and processes to develop secure systems.

 

CISSP-ISSMP Information Systems Security Management Professional: CISSPs who specialize in establishing, presenting and governing information security programs, in addition to demonstrating deep management and leadership skills.

CyberLead
Newcomer III

Congratulations on passing the CISSP exam. As to your query regarding the most “sought after” certification, I believe it is organization specific. A search of online job postings won’t turn up too many that specify any of these three concentrations, so I’m not sure that they’ve caught on, so to speak, with employers. However, regardless of what the demand is, if you believe that pursuing a concentration is of value to you personally, then Dr. Shelton has laid out a very good response to your query, and I appreciate him taking the time to do so.

 

I am also considering pursuing one of the CISSP concentrations, but haven’t decided yet as to which one is the best for me at this time in my life. In my approach, the certifications are “post experience.” In other words, I only sit for a test after I’ve gained many years of pertinent experience in the subject. This, as you know, is not always a requirement from the certifying authorities.


It is here where I disagree somewhat with Dr. Shelton. Of the three motivations for earning certifications, his second one states: “You want to collect professional certifications like merit badges in scouts, so you can have a long list on your resume and in your e-mail sig file.” My disagreement is not with the words quoted here, for he writes the truth; my disagreement is that I don’t believe this is a “legitimate reason to seek the certification.”


I became a Certified ScrumMaster (CSM) after attending a three-day class and passing an exam. I had several years of experience but it wasn’t a requirement for the certification, which cheapens it to some extent, because someone can pass the exam and earn the same certification, yet have no experience in Scrum, or know anything else about Agile. I sought the certification as a way of validating both my knowledge and years of experience; in reality, it only confirms that I passed the exam. With that said, it turned out the certificate is sought by many employers, so there was real monetary value in having earned it.


Conversely, because I never went to college, I had to document 7,500 hours of project management experience before I could sit for the Project Management Professional (PMP) examination. (A person with a college degree only needs to document 4,500 hours.) In my opinion, those experience requirements are important toward emphasizing the credibility of a certification. There was real monetary value in this one too, as with the CSM, it allowed me to increase my bill rate to about $20K USD per annum for each certificate I brought to the table.


I believe that to ensure certificates have credibility (ISC)2 adds experience requirements, and I applaud them for doing so. I would like to see more experience requirements. Dr. Shelton makes a valid point about the importance of this in his example, noting that, “Just passing the ISSEP exam without ISSE experience will not make you a valuable ISSE.”

 

Prior to sitting for the CISSP last year, I had over 20 years of experience in all of the 8 domains. Consequently, I finished the exam in 3 hours and 3 minutes, including the time I took for breaks, which was approximately half of the allotted 6 hours for the previous exam. This fall, I sat for the CCSP and passed it in 2 hours, again half the time. I have over 8 years’ experience in virtualization and cloud technologies, so the test was merely questioning me on the things I work with every day, and there were only a handful of questions where I truly had no idea what was being asked. (Although it’s been nearly 2 months since passing the exam, and my CISSP was automatically picked to satisfy the prerequisites, the endorsement review is still ongoing, so I can’t officially list myself as a CCSP at the moment.)


I’m providing this background to support my belief—and it is just that, my belief, I do not speak with authority on this subject—that any certification exam is “easy” if you know the subject from all angles and work with the material every day. The years of experience that are required to get you there vary from person to person of course, so it’s difficult for a certifying body like (ISC)2 or PMI to come up with a universally valid number of years or hours. One person may master a subject like virtualization in a year, another may take a few years to reach the same level of proficiency. Thus my advice is to gain whatever number of years of experience are necessary for you to have absolute mastery of the subject. Then, and only then, should you sit for the exam, which will be quick work, since most of the questions will be on topics that you work with every day.


However, to begin your journey, and not waste time walking in circles, kindly consider Dr. Shelton’s first point about seeking a structured curriculum. Being largely self-taught (I left home as a teenager, with little formal education) I typically seek the authoritative source, or body of knowledge, as my guide when I embark upon learning something new. In this regard, the CBKs are often one of the first places I turn to. However, in my opinion, nothing replaces the tacit knowledge gained with hands-on experience, so the CBK, or similar artifacts of explicit knowledge, are essentially reference material.


Today we have an ever-growing wealth of information on the web, but care must be taken to ensure that the information is valid. My message here is to take advantage of various sources of knowledge that you can afford the time or money to invest in, but do so carefully and selectively.

For many people, another point from Dr. Shelton is also good advice: “Keep the full list on your generic file resume, but never submit that resume for a specific job; cull the list so the list is only the ones directly relevant to the specific job you are seeking. When some of us see a sig file or profile with more than three or four certifications, we wonder how that person has time to actually get real work done, while juggling the exams and continuing education for so many sets of alpha characters to keep up. (Alternately, in a few cases we may wonder if the list is the truth.)”

 

There may be some exceptions to this guidance, depending upon your work. I’m a U.S. Government contractor, and our email signatures double as a form of advertising. The listing of our individual and corporate certifications is used to send—or reinforce—our knowledge base and achievements. We are encouraged to display our certificates on the walls of our offices and cubicles for the same reason. In theory, it helps win additional or new business, a never-ending necessity if we want to stay employed, since many contracts are renewed annually. It also helps show the broad range of knowledge and experience that we hold.


Another thing to consider is diversity of knowledge and experience. Although I’m the Program Manager for Cybersecurity at a large agency, my certifications are not just in cybersecurity, they cover fields such as the Information Technology Infrastructure Library (ITIL) – a requirement in most U.S. Government IT shops, the Capability Maturity Model Integration (CMMI) framework, and I’m a certified Lean Six Sigma Blackbelt (LSSBB), also valued at certain government agencies. Learning and achieving a certain level of certification in these subjects, sometimes with little or no direct link to IT, indicates a well-rounded background; a person who “isn’t just a geek” but can understand and improve the business from different aspects.


I do agree that for a person with a large number of certifications, it may be overkill to put them all on your resume. I always list the “top” 6 to 8, ranked in the order that I think will appeal to the hiring manager. I also list the certification numbers so it’s easy to validate them with the certifying authority. I note that I hold approximately two dozen technical certifications in various products and tools, or niche specialties, like RFID Security, but I don’t list them on the resume; I tell them the list is available upon request.


As for my future, I have many years of experience in all three concentrations, and I literally work in each area as part of my day-to-day activities, so the choice of which one to pursue first is a difficult one.


Lloyd Diernisse

ISC2 Authorized Instructor and Learning Tree International Certified Instructor
Lean Six Sigma Black Belt | CISSP-ISSMP | CCSP | CGRC | PMP | CSM | CMMI-A | ITIL-Fv3