Here we attempt to answer the common questions we are asked about earning the Certified Information System Security Professional certification.
Disclaimer: This transcript was automatically generated using speech to text software. It’s imperfect, and we recommend listening to the actual video over reading this for the most accurate presentation.
Hi everybody. This is Sid and Chris again from Everblue to answer more questions about passing the CISSP exam. So one of the questions that we’re frequently asked is, “Am I qualified to earn a CISSP?” So Chris, can you talk us through some of those experience requirements?
The CISSP exam covers eight domains and you have to demonstrate at least five years of experience in at least two of those.
So that could be that you’ve been in the working world for 10 years and you did the first five years solely in one domain and the next five years solely in another domain, but in reality the domains overlap substantially.
And you could have what is more likely if you’ve been in the world you’ve been working more for five years and in those years you’re crossing two, three or four of those domains so you can demonstrate that experience in five years.
My experience is that on the one hand a lot of people sort of underestimate their qualifications and say “You know, I’m not gonna bother to take the exam because I don’t have the five years.”
And I think the reason why that’s short sighted maybe, I don’t know what the right word is, use is but in practice the acceptance of what ISC2 will accept is broader than what a lot of people anecdotally that I’ve encountered estimate.
I’ve met people who have several years experience in the military who come out and work for a cybersecurity firm for another several years and say, “I don’t have the experience.” Are you crazy? Of course you have the experience. You’re the definition of the experience when you’re that person.
Another thing that I sell for a lot of people is that if you’ve gone to college, you can count your degree regardless of what the degree is towards one of those years of experience which really cuts it down to four years of experience.
And the final thing is let’s say you go and take your exam, and because you don’t demonstrate your experience until after you pass the exam.
You sort of don’t get an answer to that question until then and so that’ll scare a lot of people off.
In a worst case scenario, let’s say you go you take the exam pass you submit all of your experience documentation. Again, I think the acceptance is broader than what people popularly believe.
But let’s say that they say, “Sorry, you only got three and a half of the five years of experience.” Well then you get the Associate of ISC2 credential, you still have a credential, and then you wait another year and a half and you with that and submit it again showing your additional experience.
Presumably if you’re going to earn this credential you’re staying in the same employment universe and you’re going to continue to earn years of experience. So, in a worst worst case scenario you’ve got six years to earn that five years of experience.
And so what so you’re short then just wait another year and you have a credential in the meantime. You have the Associate of ISC2 credential. Then you just resubmit documentation.
And that six years from when you take the exam, right?
Six years from the exam, correct. Thank you for clarifying that.
Again if you’re fresh out of college or there is a case where it’s clear cut you’re not qualified, that’s fine. Even for those folks you can still go and challenge the exam because you’ve got the opportunity to earn the Associate of ISC2 credential.
I see people who would otherwise earn their CISSP credential and kind of talk themselves out of it for fear of the experience requirement.
I think that the way that the standard set up is very reasonable. Again it’s very broadly defined.
It’s a pretty accepting standard even in the cases where it is and you have you know have all this time afterwards to continue to document and demonstrate compliance.
And some of those experience requirements I think the misconception many people have is that it’s very technical and very focused on cybersecurity whereas there’s opportunities across the domains for management of experiences that is a lot more general.
Yeah, so sometimes you run into people who say, “Well I don’t have five years of IT experience.” Don’t get me wrong, there’s certainly a technical aspect to this exam. But there’s also a lot of a lot of the content is covered on the exam.
By the standard is its focus on administrative standards which have very little to do with anything technical or physical security standards such as a security guards controlling access or fences around the property and stuff like that. It’s not in any way technical in nature and so folks can you know have a lot of that relevant experience from their time in the military or other roles they’ve played in their career that is in some way relevant to the CISSP exam.
Now there is a technical component to it, so I don’t want to understate that, but the overall purpose of the exam is a managerial credential to assess basically are you an experienced decision maker across several different domains.
A lot of that is technical but not all of it is technical and that’s another area where people will devalue their experience. If you actually go and look and read the definitions of the eight domains and you start to pick through your career you say, “I had no idea that time of mine in the military or this other thing that would definitely count toward that” and then you submit the application.
So bottom line is don’t discount yourself ahead and figure out a way to make it work submit it and let them tell you no.
Exactly. I generally tell people to be aggressive.
Worst case you know you have six years to five years of experience so you should take the more expansive approach.
And if you apply up front at least you’ll know what’s your response back what you’re working with. So you may have two years knocked out and have three to get versus spending the next five years doing a job so that’s and then find out you could have had that full certification several years earlier.
I think the hard part honestly is passing the exam.
It’s a challenge exam and not to be underestimated, but to not even attempt to challenge the exam because you think you don’t have the experience requirement is kind of missing the point.
You’re taking yourself out of the race.
Exactly. You miss 100% of the shots you don’t take and I think that’s the case here.
Right thanks Chris.