I want to obtain the CISSP certification, however I am not actively employed as a security analyst. I work as a web application developer. I am training and obtaining certs to become a security expert on my team of developers. My goal is to obtain this credential (among others) in order to validate my knowledge in this space. I have already obtained Google Cybersecurity Cert and Security+. I interviewed a DevSecOps with his CISSP and he recommended I do CISSP.
Can I still qualify and take the exam, even if I am not in an active security role?
Thanks!
@0xDEADBEEEF wrote: Can I still qualify and take the exam, even if I am not in an active security role?
I think you would be looking at being an associate. That said, I would assume some of what you are doing qualifies as experience in Domain 8 (Software Development).
The CISSP is more a capstone credential than a stepping stone. It is intended to validate knowledge and experience gained over several years, across a range of domains, mostly directed at management-level professionals. If you're looking at an analyst role, I suppose there is no harm in taking the exam and being an associate, but I'd focus on broadening your experience. It will not only help accumulate years toward being a CISSP, but the exam content will make a lot more sense if you have real-world familiarity with the content.
It might also be worth looking at the CSSLP certification as that's specifically about software development. From what I recall it covers the material, but is structured in a more traditional way.
@0xDEADBEEEF To add to what others said.
CISSP is NOT an entry level infosec certification, hence the requirement of 5 years of experience.
In addition to the CSSLP cert, take a look at the CC as well as the Sec+ from CompTIA first.
Great topic and one that I can learn from as well. On my end, I do welcome some feedback. I am an older person transitioning into Cyber Security. My background has been in Sales, although I am fighting hard to stay OUT of sales. I have been going through a slew of certifications over the past 18 months and as a result, my school placed me into the CISSP program. My background is NON-technical and I am non-degreed. However, I have picked up my LSSGB, Agile Scrum, ITIL, COBIT2019, PMP and a few MS and Cisco certs. My first attempt at the CISSP exam is June 26th. If needed, a second attempt will be in August. The challenge for me is finding a solid employer who is willing to take on an older (56) entry level security professional. I need to get the day to day experience on the technical end, while having years of management experience. I believe having the cert will be helpful, even if it's only (Associate). Any tips from the community on how to get buy-in from employers to take on an older entry level professional? I do believe that my advantage is in being able to communicate with all levels of management and employees. I believe that some of the challenges are being older; some are either intimidated, thinking I am after their job, while others just think I am too old to get the trends. It's an interesting dynamic, but I am up for the challenge. As for the CISSP, I enjoy the vast spread through the 8 domains and the impact on management; while I truly want to get into the weeds, I will wait until after I complete the cert to gain very detailed knowledge. Thank you in advance, I am looking for your own tips and advice on how an old guy can break into the Cyber Security field after obtaining certs.
@JamesPrince If you are not already, I highly encourage you to be networking with infosec people in your area. Look for local chapters of ISSA, ISC2, ISACA, or local infosec groups. These connections may help you get technical experience and maybe lead to a job, maybe getting around the HR gatekeepers. Also look for Security BSides conferences in your general area, as they often will have a career track that can help as well.
@JamesPrince wrote: Any tips from the community on how to get buy-in from employers to take on an older entry level professional? I do believe that my advantage is in being able to communicate with all levels of management and employees.
You may want to talk to auditors or consultants who do IT/security audits. Your product experience might be helpful and you may work well for customer/client-facing work. While your sales experience may not be technical, I assume you do know certain products well. If you know people who use those resources, that can be a good hook. At hiring, I always had in mind the question "Can this person do the job?" That might seem obvious, but a lot of hiring managers get blinded by the upside potential/presentation of a candidate and look past the obvious: can they come in and use our tools and do the job? Truthfully, especially at the entry level, a lot of the security you are teaching as a manager. Part of that reflects the specifics of your environment. Honestly, the credentials can be hit or miss. Sometimes when you see someone with a bunch of certs, it means they're really good at ripping through content and checking boxes. Good security work is often the opposite: being able to slow down, measure twice, consider all the possibilities, ask for help, etc. Certs are helpful, but being coachable, having good communication skills (especially when things go wrong), being reliable, those things go a long way.
Networking is important to securing a position. I recently advertised a mid level position and received c. 200 applications. Having contacts may help you navigate the HR screeners better than a flashy resume or having further qualifications. It may also play better to say you've achieved a certification and are still studying for a more advanced certification, so I'd look at the Sec+, CCSK etc. as well as what ISC2 have to offer.