I'm looking at taking the CISSP exam but no one has been very clear with me on whether being an IT Security Project Manager counts as experience that will let me become a CISSP once I pass the exam. Does one need to be an engineer to meet the prerequisites for experience, or does my experience running IT Security projects for many years count?
I asked ISC2 and they just gave me a generic answer that they'd let me know after I passed the exam. I find that to be shady, by the way. "Pay for your class, pay for the exam, do all the work, and then after the fact we'll let you know if you wasted your time and money on all of this." Just be clear about the prerequisites up front. I do not want to be an associate. I want to be given the certificate I earn.
Any insights are very welcome. Thank you!
"Gain the Necessary Work Experience
To qualify for this cybersecurity certification, you must pass the exam and have at least five years of cumulative, paid work experience in two or more of the eight domains of the (ISC)² CISSP Common Body of Knowledge (CBK)."
The job title itself is irrelevant. Take a look at the subdomains within the eight domains and see if your job duties line up with the subdomains. It's really that simple.
I'm looking at taking the CISSP exam but no one has been very clear with me on whether being an IT Security Project Manager counts as experience that will let me become a CISSP
It was two decades ago when I went through the process, but I recall that part of it was having someone attest to your experience (e.g., a manager), and I think that is (likely) a big piece of it for your question. On the surface "IT Security Project Manager" sounds like it would qualify (has to be paid work experience), but I've interviewed people with job titles like "Senior Security Analyst" and it turns their job was really data entry and password resets. I would talk to the people you have worked for and see if they are willing to vouch for your experience as stipulated by the (ISC)2 - bonus points if they are a CISSP. At the same time, if there are CISSPs you know who know what you do, they could be additional support for you.
I understand your issue and frustration. It's just hard to map job titles to experience. At a high-level, we're basically a peer-reviewed organization. A CISSP who knows what you do for work should be able to tell you if it qualifies, and if the (ISC)2 review rejects it, I would think/hope that a CISSP vouching for such experience would prevail.
I'll add one more editorial comment: I think it has gotten increasingly difficult to build up the professional background because we have gotten so specialized and pigeon-holed in our jobs. As an industry, we are fearful of failure, but we have to recognize that's how people learn, create, and develop experience. I do think it is possible to be secure and encourage experimentation, but the knee-jerk reaction is more regimented. At hiring time, I find myself talking to candidates more about what they do/have done outside their work because, by their own admission, they aren't able to do such things within their work environment.
I wish we could review everyone's CV prior to you taking an exam, but unfortunately that level of review is processed after the exam has been taken. We certainly don't mean to be "tricking" you into taking the exam if you don't have the experience, but we can't approve your experience before the exam, unfortunately.
https://www.isc2.org/Certifications/CISSP/experience-requirements This page is your reference tool for if your experience qualifies. As said earlier, it's not the job title but the work you're doing. If you have a degree, or another relevant certification included on the link above), then you only need 4 years of relevant work to get certified after passing the exam. If you've worked in Security Operations and Identity and Access Management (for example) for 4 years, you'll be just fine. A description of your job role can show the work you're doing, if your title is not as clear as you'd like it to be for meeting the requirements. Supporting information from a supervisor is always helpful and you'll be able to provide that in your application after you pass the exam.
I hope this helps! and best of luck on your exam!!
If you have been running projects as an IT Security Project Manager with the emphasis on Project Manager (so keeping the project afloat, but not deeply involved in the Security matter itself), then you may not have enough experience that counts towards the 4-5 years you need. Reason for this statement is that I assume that only a part of the time spent on a project will be counting towards 'actual IT Security', as the majority will be project management.
Then again, I don't know how many projects and/or years of IT Security project management you have, and how much of this time is actual IT Security related.
Do that math per project, get someone to vouch for your calculation and experience, and see how much time adds up to real IT Security experience.
Good luck with your exam!