How To Become a Certified Information Systems Security Professional (CISSP)
The demand for capable security pros continues to grow — and it isn't going to slack off any time soon.
Corporate America and the U.S. government have been sounding the alarm bell for a few years: there's a significant shortage of skilled security professionals in this country. Although the numbers vary from source to source, it's safe to say the U.S. is lacking upwards of 200,000 security professionals, and the global shortfall is at least 1 million. The global number is expected to reach 1.5 million in a few years.
In 2015, U.S. employers posted nearly 50,000 jobs requesting a CISSP. The number of CISSP holders was about 65,000 at the time. This clearly points to a need for skilled infosec workers, and CISSPs in particular, which is great news for aspiring CISSP candidates.
A Certified Information Systems Security Professional (CISSP) is a seasoned employee or consultant, usually with a title like Security Manager, Security Analyst or Chief Information Security Officer, to name a few. This person has been on the job for 5 or more years, and has thorough knowledge of the IT threat landscape, including emerging and advanced persistent threats, as well as controls and technology that minimize the attack surface. A CISSP also creates policies that help set the framework for proper controls, and can perform or oversee risk management and software development security.
Here's what you'll need to become a CISSP:
- Obtain 5 Years of Security Work Experience — You must be able to show proof of 5 paid full-time years of work experience in at least 2 of the 8 CISSP CBK domains, such as Identity and Access Management, Security Engineering, Security and Risk Management, Security Operations and more. On-the-job experience is crucial for both the exam and the certification process.
- Prepare for and Pass the CISSP Exam — Complete the CISSP exam with a minimum score of 700 out of 1,000. The exam is 6 hours long and includes a mix of multiple-choice, drag-and-drop and hotspot questions. It currently costs $599. The (ISC)2 website offers a download of the exam outline as well as a link to the Study App (available through the App Store and Google Play for about $10). You can also obtain the official textbook and test your knowledge with CISSP Flash Cards. If you need more than self-study materials, (ISC)2 and a lot of third parties offer CISSP in-class and online training. Training costs vary widely, but the online course costs about $2,500 through (ISC)2. In-class training will cost appreciably more. Before scheduling your exam with Pearson VUE, make sure to go over the background qualifications, which might exclude you from the exam.
- Get Endorsed to Become a CISSP — Once you complete the CISSP exam, you'll have to subscribe to the (ISC)2 Code of Ethics and complete the endorsement form to become a CISSP. The endorsement form must be signed by another (ISC)2 certified professional who is able to verify your professional work experience. You must submit the completed form within nine months of passing your exam to become fully certified, as passing the exam doesn't automatically grant you certification status.
After you become fully certified, you'll have to maintain your credential by recertifying every 3 years. CISSPs are required to pay an $85 annual maintenance fee throughout the 3-year cycle ($255 total). They must also submit 40 continuing professional education (CPE) credits each year, for a total of 120 CPEs per cycle. For more information on the steps to becoming a CISSP and maintaining your certification status, visit isc2.org.
Other Certifications That Can Help You Reach the CISSP
If you are certain that the CISSP path is right for you but you have no relevant work experience, look into becoming an Associate of (ISC)2. The program is ideal for students and career changers, and will allow you to take advantage of the educational opportunities, forums and peer networking offered through (ISC)2. Another approach is to get the entry-level A+, Network+ and Security+ certifications from CompTIA. With that foundation, you can apply for a security-related position and get some much-needed hands-on experience in the IT arena.
If you've been working in IT security for a year or two, consider pursuing the (ISC)2 Systems Security Certified Professional (SSCP) credential. Although it's not an official prerequisite, the SSCP is considered a precursor of sorts to the CISSP, covering many of the same topic domains. In theory, achieving the SSCP can also lead to the kind of security position needed to fulfill the CISSP work experience requirement.
Beyond the CISSP
It seems that go-getters are always looking for a way to move on or up. Once you get your CISSP, you might be interested in specializing in architecture, engineering or management, perhaps for another boost in pay. The (ISC)2 program offers concentrations in those areas for CISSP credential holders, called ISSAP, ISSEP and ISSMP, respectively.
And, because cloud computing and virtualization have become extremely important in the IT space over the last few years, there's one more advanced-level (ISC)2 certification to consider: the Certified Cloud Security Professional, or CCSP. This cert, formed in cooperation between (ISC)2 and the Cloud Security Alliance (CSA), aims at folks who procure, secure and manage cloud infrastructures or who purchase cloud services. The CCSP requires 5 years of relevant on-the-job experience, but you can use the CISSP to substitute for the entire requirement.
To that end, you might want to dig into these cloud and virtualization certification guides to learn more about the available credentials:
Be sure that a CISSP is the route you want to take, and that you can complete the credential, before embarking on this long and expensive journey. However, if you set realistic certification targets, and manage your time wisely, you can't help but succeed.