CISSP is a comprehensive and in-demand cybersecurity certification
Many certification roadmaps include (ISC)2’s CISSP (Certified Information Systems Security Professional) as a crucial cybersecurity certification to consider in a career and education plan. One example is the CompTIA IT Certification Roadmap, which places CISSP in the “Expert” column of the Information Security pathway. The CompTIA roadmap of IT certifications is not alone in recognizing the importance and value of the CISSP.
CISSP is a widely desired indicator of knowledge, experience and excellence on the resume of many IT professionals. CISSP is not just recommended by industry groups; it has earned its respected position as an important IT certification through practical observation. The demand for this notable certification is evidenced by its appearance on a significant number of job postings. Performing a job search in any moderate or larger metropolitan area reveals that an astounding number of IT and cybersecurity positions request that the applicant be CISSP-certified. And it always holds a spot in the annual 15 Top-Paying Certifications list.
A scan of resume posting sites also shows that many IT professionals, whether currently employed or job seeking, include CISSP on their resume and/or profile to attract the attention of top job brokers and HR managers.
(ISC)2 asserts that as of 2021 there are over 142,000 CISSP-certified individuals in over 170 countries, and that number is growing at a steady pace. Those who hold the CISSP certification are employed at Fortune 500 companies, governments, small businesses, start-ups, and many operate as independent contractors.
According to the Global Knowledge 2020 IT Skills and Salary Report, CISSP-certified professionals have the third highest worldwide IT salaries ($119,170 USD) and rank fifth in North America ($138,647 USD). The North America salary for CISSP professionals in 2020 was an increase of over 10% from 2019, and the ranking rose from 10th to 5th in only a year. CISSP is also listed as the second most common certification being pursued by IT professionals seeking to advance their career.
A few other observations from the annual Global Knowledge IT Skills and Salary Report are that job positions that require certifications are increasing in number as well as in their average salary. Thus, you will have more job opportunities and may be able to make more money with the right certifications, experience and skills. Cybersecurity, cloud, IT architecture and design, project and program management, and risk management are among the top-paying job areas, most of which require or benefit from a CISSP certification.
A 2020 survey by Certification Magazine reveals even further insights into the demographics of those holding the CISSP certification.
- Over seven percent of surveyed certification holders are women
- 70% of CISSP holders are aged 35 to 54
- 41.7% have a master’s degree and an additional 36.4% hold a bachelor’s degree
- 96.8% are employed full-time
- CISSP holders are often senior specialists (43.2%), managers (16.7%), directors (14%), senior managers (13%), specialists (6.5%), or executives (3.4%)
- 72.1% have worked in cybersecurity for over a decade
[Note: Visit certmag.com for the full details on the survey and their methodologies. All percentages are derivative of those who responded to the survey and may not fully reflect the entire worldwide status of CISSP certification holders.]
Five reasons why CISSP remains an indicator of cybersecurity expertise
- It is a certification that is not based solely on passing an exam. It also requires that the subject obtain sufficient experience in the field of cybersecurity and IT security management.
- A candidate’s experience is verified by others in the industry who hold CISSP to confirm that new applicants are abiding by the experience requirements.
- Education and experience must continue to be accumulated while holding the CISSP certification. This is accomplished by requiring CISSP-certified professionals to earn continuing professional education credits (called CPEs) every year.
- (ISC)2 is guided by a board of directors who are elected by the CISSP holders from amongst themselves.
- CISSP was one of the original certifications included in the DoD Directive 8570.1m (revised by DoD Directive 8140.01) and remains the dominant certification used/obtained for those in numerous cybersecurity positions, including Information Assurance Technical (IAT) Level III, Information Assurance Management (IAM) Level II & III, Information Assurance System
Architect and Engineer (IASAE) I, II, & III, and Cyber Security Service Provider (CSSP) or Computer Network Defense-Service Provider (CND-SP) Manager.
Certifications, especially CISSP, often result in an IT professional experiencing either an advancement in their job position or a raise of nearly 20% on average. Therefore, pursing CISSP and other certifications is often a worthwhile investment in time and expense due to the increased pay, job promotion, and prolonged benefit to a career.
More cybersecurity professionals are needed
Cybersecurity has become a key area of job growth in the last few years. According to the IT Skills and Salary Report, IT decision-makers stated that cybersecurity is their most challenging area for finding qualified talent. Now more than ever, individuals with computer security skills are needed to fill jobs that are currently sitting vacant. All the while, new job positions come into existence every month with few qualified applicants. There are tens of thousands of job positions sitting empty because there is a dearth of qualified applicants with the education, training, skill, or experience to take on the work. Global Knowledge’s report also found that 55% of hiring managers had two or three open positions they could not fill. As of the end of 2020, over 4 million cybersecurity job positions worldwide remain unfilled.
A 2016 Federal Cybersecurity Workforce Strategy memorandum stated:
“Both Federal and private sector executives cite the lack of professionals with the requisite knowledge and skills as a significant impediment to improving their cybersecurity. However, there simply is not enough supply of cybersecurity talent to meet the increasing demand of the Federal Government. Recent industry reports project this shortfall will expand rapidly over the coming years unless companies and the Federal Government act to expand the cybersecurity workforce to meet the increasing demand for talent.”
Nearly five years later, the situation has not significantly improved. For those who are willing to obtain the knowledge and expertise, there are jobs and careers waiting to be filled. You can become a qualified applicant for a wide number of cybersecurity jobs that will start you on a long, profitable, and exciting career in IT security. A career as a network security or cybersecurity expert does not limit you to only working for an IT company. Every organization across every industry is in need of security experts to support and improve their IT security infrastructure.
Take your next career step into cybersecurity
Are you already working in an IT position, do you have an interest in computer security, or are you still working on completing your education? If you can answer yes to any of these questions, then you are a prime candidate for switching your career path to become a cybersecurity expert.
For many of you, changing your focus to IT security will simply be a minor course adjustment of your career or education. For a few of you, it may be a complete reassessment of your education or career path. Even if you must undertake a major venture to refocus your efforts on becoming a cybersecurity expert, the long-term rewards, benefits, and job stability are worth the effort you may need to expend. And, you will find that the change is not as significant as you might first expect, no matter what your current career path or education track is aimed toward.
Still not convinced? Then please read my paper “10 Reasons You Should Consider a Career in Cybersecurity” where I highlight 10 key reasons or issues that you should consider when thinking about a career in cybersecurity.
A career in cybersecurity is a promising and rewarding opportunity, no matter what your general area of experience, interest, or expertise. If you live in the modern world, you are already on a solid starting line of a future IT security career. Shifting gears to focus on cybersecurity is not as much of a transition as you might first think. Plus, the cybersecurity field is broad, deep, and always changing. The job you focus on initially may not be the same that you end up with. You will have to constantly refocus your attention and efforts as the realm of IT security changes. This field might not be for everyone, but if you are in any way interested in computers, security, the internet, smartphones, or how businesses operate in the modern world, you are already a prime candidate for a cybersecurity career.
Landing any job in any field can be challenging. But having the right initial qualifications will go a long way to getting you hired. Be qualified. Be available. Be an asset that cannot be passed up.
Finding a great cybersecurity job position with a CISSP certification
The field of cybersecurity is growing quickly. So quickly that there are positions sitting open waiting to be filled by qualified individuals. Are you one of those people ready to make a change in your career towards the future?
Cybersecurity is the arena of technology, methodology, and practice which focuses on protecting electronic information and the systems supporting it against compromise and attack. As a society, we have all become heavily dependent on computers, networks, and data stores. This has exposed us to the risk of loss or compromise of those data systems. The need for personnel knowledgeable and experienced in security implementation and management has never been greater, and the need is growing.
As with anyone seeking out a new job or a change in career, the first step is to discover what opportunities exist in the marketplace. Performing an initial assessment of offerings will provide you with a better understanding of what positions are available and what the minimum requirements are for each type of job.
I usually recommend starting with a job search site, such as indeed.com (a search engine of "all" job sites), and using keywords such as "cybersecurity", "cyber security", or "security". These terms will locate most jobs related to the concept of cybersecurity. Take the time to look through many of the job listings uncovered by this search. After some review, pick a position or title that seems appealing to you, such as cybersecurity manager, database security administrator, security policy chief, security trainer, or security systems quality assurance. Then, search again with your selected title or position. Find at least 20 different organizations requesting applicants for that position and then take note of several items:
- Required certifications
- Required specialty education
- Required experience
- Starting and potential salary and benefits
Certifications get you to the door, but YOU are the key
As an instructor, I'm often asked what certifications are required to get a specific job. Unfortunately, that is a question that does not have a universal answer. Every organization will have their own requirements when selecting a potential new hire. You need to know what the marketplace seems to be requesting to get an overall sense for what is common and reasonable as requirements. Many of my students seem to want the answer that a single certification on their resume will get them the job of their dreams. Unfortunately, that is almost never the case. Most individual certifications are just part of the overall picture of what a company is seeking in a new applicant. Thus, performing a real-world position survey will give your expectations a solid dose of reality.
You might be surprised by what you discover when performing this investigation.
Having one or two certifications under your belt is rarely sufficient to land a new job position. And those job positions that can be obtained with minimal certification are unlikely to pay at the marquee level. Salary surveys over the last year or so often indicate that some cybersecurity jobs pay in excess of $100,000 per year plus benefits. However, if you fail to read the fine print on these eye-catching headlines, you might miss the fact that the top-paying careers could require several years of specialized secondary education, may require dozens of certifications, and often mandate 10+ years of relevant experience.
Be realistic. Top pay is given to those with the knowledge and ability to solve problems and improve an organization's security stance. Standing out from the crowd with excellence and a proven track record is what awards you with higher compensation. Find a position you can land now, then seek out that which is necessary to move up your career ladder toward your dream job. This often includes obtaining more knowledge, acquiring additional certifications, developing new skills, and taking on challenges at work to prove your capabilities to management.
In your survey of available security positions, you may see several certifications commonly requested. Among these you are likely to see prominently is the requirement for (ISC)2's Certified Information Systems Security Professional (CISSP). The CISSP certification has been one of the top-requested certifications for over two decades and remains so in the security industry today.
One of the cybersecurity industries or sectors that is growing the fastest is that of government and military. Many such job positions may require education, certification, and experience to achieve, while others may offer on-the-job training as part of the position. You might find that working for your government or being a part of the military is in line with your career goals. It is also likely that there is ample room for advancement within the public sector far beyond what you might experience in the private sector. Government and military cybersecurity positions often include specialized training and experience that cannot be obtained in the private sector. A government or military job position could be your chosen career path, or a means to develop relevant experience for a future private sector career. Many companies will offer higher compensation packages to those who are ex-military or former federal employees based on the unique and proprietary training and experience they may have received. You are likely to discover that holding a CISSP certification will provide you with opportunities that you would not encounter otherwise.
How to obtain and remain CISSP certified
The CISSP certification is designed for experienced IT professionals. To fully achieve the certification, you need to have five years of cumulative paid relevant work experience in two or more of the CISSP topical domains. There are some options of substituting one year of experience for a recent IT or security-related college degree or another authorized certification from a list of over 50 qualifying options.
Your experience will be confirmed by another person holding CISSP in good standing. This process is called endorsement. You have nine months after passing your exam to complete the endorsement process and achieve the CISSP certification. If you fail to be endorsed by that deadline, you lose your exam passing status and will have to re-take the exam.
If you don’t have five years of relevant experience, you can still take the CISSP exam, and then you’ll have up to six years to obtain or finish obtaining the five years of required experience. This pathway to certification is known as the “Associate of (ISC)2.” It means you will take the same CISSP exam, but the endorsement deadline is extended to six years. During your exam registration, one of the last questions you are asked is about whether or not you are pursuing the “Associate of (ISC)2.” If you are unsure about your experience, go ahead and select the “Associate of (ISC)2” path. There is no requirement to wait six years to complete the endorsement, and you can still perform it the week after you pass the exam if you do have five years of relevant experience.
Do not claim to be CISSP-certified in conversations, in email, or on your resume until you have received the welcome packet from (ISC)2. This welcome packet will be sent to you after you have met all the requirements and your endorsement is accepted. This welcome packet will arrive by postal mail and will include a certificate of achievement suitable for framing along with instructions for how to take advantage of the many benefits of being CISSP certified.
Take the (ISC)2 Code of Ethics seriously. If you are found to be in violation of the Code of Ethics, (ISC)2 can strip you of your certification and bar you from ever taking one of their certifications again. As long as you are an ethical and law-abiding individual, this should not be a concern.
Don’t forget about your need to earn education credits to maintain your certification. Every three years you must earn 120 continuing professional education (CPE) credits to maintain your CISSP certification. Details about CPEs are also available in the (ISC)2 Continuing Professional Education (CPE) Handbook. Additionally, you will have the privilege of paying an Annual Maintenance Fee (AMF) of $125 for your CISSP certification. Your first AMF is due immediately upon achieving certification, then it is due each year on your anniversary date (typically your endorsement completion date). The details regarding AMFs are available in the (ISC)2 Member Policies Portal in the section “(ISC)2 Certification and Membership Maintenance Policy” under heading “4.2 Annual Membership Fee (AMF) Requirement”. Once certified, you will have access to the members-only area of the (ISC)2 web site where you can keep track of your earned CPEs and pay your AMFs. Failing to meet either requirement will result in the suspension of the certification and, if not resolved within two years, termination of the certification.
How hard is it to achieve a CISSP certification?
CISSP is often mentioned as one of the more difficult certifications to achieve. It is regularly compared to Certified Information Systems Auditor (CISA) from ISACA in terms of the range or breadth of material covered which directly relates to the difficulty of the exam. However, many IT professionals that hold several certifications report that achieving the CISSP certification does not seem as daunting if they already have several other introductory or intermediary security certifications, such as CompTIA’s Security+, PenTest+, Cybersecurity Analyst (CySA+), and CompTIA Advanced Security Practitioner (CASP+); ISACA’s Certified Information Security Manager (CISM); or even Certified Network Defender (CND) or Certified Ethical Hacker (CEH) from EC-Council.
Preparing for the CISSP exam
In order to prepare for the CISSP exam, there are several resources or paths to consider.
I highly recommend attending a CISSP preparation training class. Global Knowledge offers a CISSP Certification Prep Course that provides in-depth coverage of all eight domains required to pass the CISSP exam.
Instructor-led classroom or virtual classroom courses will immerse you in the concepts and details of CISSP material. A training course will focus your attention on CISSP for the duration of the class and give you the opportunity to interact with other students and the instructor to gain a deeper understanding of topics, as well provide an opportunity to get your questions answered.
Another preparation path is self-study. For some who already possess strong core skills in the area, this may be enough to prepare for the CISSP exam. However, I would recommend assessing your abilities and knowledge base early. In the event you are not able to obtain the knowledge on your own, plan on attending a formal training class. To assess your preparedness, use a 100- to 150-question practice exam that covers the full range of CISSP topics. If you score 80% or better, then you are likely able to self-study for the exam.
Even if you are taking an instructor-led prep course, self-study should complement it. Either way, there are several resources I recommend. A good study guide is always an excellent starting point. The CISSP Study Guide 9th Edition (https://amzn.to/38EomK5) is a great choice. It is the book used by Global Knowledge in their CISSP training classes, and I am one of its three authors. It includes coverage of every topic listed on the official Certification Exam Outline, plus many other subjects that support the main topics, relate to the main topics, or that round out your knowledge and understanding of the main topics. This book includes end-of-chapter questions which are also available online through a testing engine. The online resources include the end-of-chapter questions plus an additional 500 questions grouped as four 125-question practice tests that do not appear in the book, as well as a large glossary and over 1,000 flash cards.
For additional practice questions, I recommend the following:
- The CISSP Official Practice Tests 3rd edition (https://amzn.to/2XF3kEW)
- The quiz engine at skillset.com
- The quiz engine at cccure.education
- The practice questions from Boson
However you elect to study, regularly review the Certification Exam Outline to make sure that you fully understand every listed item. You also want to round out your preparation by taking numerous full-length (100- to 150-question) practice tests and seek to consistently achieve 80% correct. This should indicate that you are well prepared to take and pass the CISSP exam. I’m confident that with some directed study, and armed with the information from this paper, you will be able to successfully pass the 2021 revision of the CISSP exam. The CISSP certification is a solid addition to your resume, it may earn you the respect of your peers, and it may even expand your wallet. I wish you diligent studies and a successful attempt at the CISSP certification exam.
About the Author
James Michael Stewart has been working with computers and technology for over thirty years. His work focuses on security, certification, and various operating systems. Michael has been teaching job skill and certification courses for over 25 years, such as CISSP, ethical hacking/penetration testing, computer forensics, and Security+. He has taught hundreds of classes accumulating over 20,000 hours of instruction. He is the author of and contributor to more than 80 books on security and certifications. His most recent publications include the CISSP Study Guide 9th Edition and Security+ Review Guide 5th Edition (SY0-601). Michael has also contributed to many other security-focused materials including exam preparation guides, practice exams, video instruction, and courseware. He has developed certification courseware and training materials as well as presented these materials in the classroom.
Michael holds a variety of certifications, including: CEH, CHFI, ECSA, ECIH, CND, CEI, CASP+, CySA+, PenTest+, Security+, Network+, A+, CTT+, CISSP, CISM, and CFR. Michael graduated in 1992 from the University of Texas at Austin with a bachelor's degree in Philosophy. Despite his degree, his computer knowledge is self-acquired, based on seat-of-the-pants hands-on "street smarts" experience. Michael is an independent contractor (i.e., a cybersecurity mercenary) who is available to provide training for your personnel or for the crafting of custom content. You can reach Michael by e-mail at firstname.lastname@example.org or by visiting impactonline.com.