Shon Harris advises novice security practitioners on the value of entry-level certifications -- and good, old-fashioned experience -- in preparation for the CISSP®.
Not ready to step up to the plate for the CISSP exam? This is understandable. The exam is daunting for even the most experienced security practitioner. If you're new to information security, there are a couple options available to you – and a word of caution -- while you work towards your larger goal.
The CISSP® exam is difficult for two main reasons. It covers 10 full domains of security knowledge, and the questions that make up the exam are far from straightforward. Many security practitioners are familiar with 1-3 domains of the Common Body of Knowledge (CBK) that the exam covers. Most people are not as familiar with cryptography, physical security, or law and computer crime investigation. The sheer amount of topics and concepts that must be studied and understood to pass the CISSP exam can be overwhelming, but the knowledge gained by doing so is valuable. Security professionals worth their weight should have a broad understanding of security from many different angles.
Security is a hot market and many people are flocking to this field because of the expansive amount of opportunities that are available. Many of these people do not meet the requirements to sit for the CISSP exam. To be eligible, you must have at least four years of working experience in one or more of the domains that make up the CBK, or three years of experience and a college degree.
Pre-CISSP certification options from (ISC)2
For those who are not eligible for the CISSP, (ISC)2 offers two options. The Associate of CISSP allows candidates to take the CISSP exam even if they do not have the necessary years of experience or a college degree. Ideally, these candidates have the book knowledge and are working to accomplish the experience requirements. Individuals who pass the exam and gain the necessary experience requirements then send in the necessary documentation to (ISC)2 and are awarded the CISSP credential. Unfortunately, this waters down the "gold standard" that the CISSP certification is supposed to hold.
The prerequisites to take the CISSP exam were developed to ensure that the CISSP does not become a "paper certification," in other words, people can read a book and pass the exam without any true experience in the field. Although many of the questions in the CISSP exam are tricky and confusing, they are more confusing to people who have no context for the security concepts they learned from a book.
(ISC)2 developed the Systems Security Certified Practitioner (SSCP) with the goal that it would hold the same weight in the security technical world as the CISSP does in the security managerial world. This goal was never achieved because there is a great deal of overlap between the two. The SSCP is basically a subset of the CISSP and is often perceived as CISSP's little brother. Many people take the SSCP exam because they do not meet the requirements for the CISSP. They see it as a stepping stone to prepare them for the CISSP. However, the SSCP has been floundering in the industry since it was developed. It has achieved no real industry recognition because (ISC)2 cannot figure out what this certification should really be when it grows up.
The CompTIA Security+ certification exam was created specifically for those individuals just entering the security field. It is an entry-level exam that does not require as much from the test taker as the CISSP exam. It is recommended that candidates have two years of networking experience with an emphasis on security. The exam's 100 questions cover many of the same topics as the CISSP exam, such as infrastructure, access control and authentication. Although there is a degree of overlap between the CISSP and Security+, the CISSP covers more topics and is more managerial in focus, while the Security+ is more technology focused.
If you're new to the security industry, I recommend the Security+. From there, you should work to gain the experience and knowledge, and then take the highly sought after and highly recognized CISSP.
A word of caution
People want certifications to open the doors of opportunity. Individuals want them for job promotion and to qualify for better career opportunities. Many organizations selling security products or services want their employees to have certifications for bragging rights. If a company can tell a potential customer that 80% of their security staff has their CISSP credentials, this instills a level of confidence and may tell the customer that this company is serious about its security services and knowledge base. This is all perfectly natural and understandable, but keep things in perspective. Microsoft, Novell, Cisco and others make a lot of money offering certifications and training. These vendors' goals are about getting a large market share trained on their products so that they can sell more products. As a result, there are a ton of paper MCSEs in the market. Novell and Cisco also have their share of paper certifications.
CISSP is also big business. (ISC)2 and training companies make money on each and every individual who takes a class and sits for the exam – even if they are not qualified. As more and more people who are not truly qualified achieve this certification, its weight in the industry will decrease. This is inevitable, but not devastating.
Information security is a burgeoning field, and certification holders are qualified for better career opportunities. But don't cheat yourself by cramming and memorizing facts and terms to achieve the CISSP credential. If you are looking for a serious position in the security profession, the knowledge you will obtain by truly studying for the exam will carry you a lot further than any credential. A credential is nice to have, but with no real experience and knowledge, it's just a paper certification and a waste of time.
About the author
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is currently finishing her newest book, Gray Hat Hacking: The Ethical Hacker's Handbook.
CISSP® is a registered certification mark of the International Information Systems Security Certification Consortium Inc., also known as (ISC)2. No endorsement by, affiliation or association with (ISC)2 is implied.
This was first published in May 2005