19

I am a recent graduate and would like to move into the IT Security field. My degree was just straight CS with no particular security focus.

I have recently acquired a copy of a CISSP study guide and have started to work through it. Having discovered that candidates with less than 5 years experience can only sit the exam as an associate, I'm wondering: is it worth it at this stage in my career? Are there other certifications that would be more suitable for recent graduates?

sjp

7 Answers

17

The CISSP certification is intended to demonstrate two things:

  1. Knowledge of the material in the ISC2 CBK, and
  2. Significant real-world experience in the field

To an employer, a CISSP on a resume is supposed to mean that the applicant knows what s/he is doing and has demonstrated it with years of experience.

Note that an employer looking for a CISSP for an entry-level position does not know what they are doing. It's like requiring 10 years experience with Ruby on Rails, which has only been around for 7. Also, requiring a senior-level cert for an entry-level job probably means the compensation won't match the job's responsibilities.

While you could take the exam now and become an Associate of ISC2, that doesn't buy you much. An alternative could be to take the less rigorous SSCP exam, which only requires one year professional experience, or the Security+ exam which is a good starting point with essentially no prerequisites.

Andrei Botalov
Justin Morgan
  • Thanks, this is helpful; however, the CompTIA site recommends two years' experience for Security+ - in your experience, is this really needed? – sjp Feb 13 '11 at 11:53
  • As I understand it, the 2-year recommendation is just that: a recommendation. It is not a requirement. If you have seriously studied IT security and cryptography in your undergrad courses, you probably know enough to sit for the exam right now. That said, it's worth flipping through one of the books first, and maybe taking a practice exam to see where you are. – Justin Morgan Feb 13 '11 at 12:36
  • @sjp - The CompTIA exams are *very* entry-level, and Security+ is no exception. None of their certifications actually *require* any amount of professional experience, like CISSP does. For CompTIA, you just pass the test and that's it. If you're confident you can do that, then go for it. For the CISSP you must: provide proof of 5 years' professional experience (as I understand it, you essentially have to submit a resume with references), pass the test, *and* be endorsed by someone else holding an ISC2 certification who can attest to your professional experience. – Iszi Feb 13 '11 at 17:34
8

From the perspective of an employer I would say yes - in terms of giving instructions to recruitment agencies, having a CISSP tick box can help to narrow down the number of applicants significantly. Later on in your career it may not count for so much, but as an indicator that someone has a reasonable grasp of the basics, in some IT and some procedural areas, it is pretty good.

As others have commented on for other questions, it does depend on what you want to do. If you are very technically proficient, you may wish to aim specifically for the SANS route, but CISSP is a simple common starting point for both security management and technical security streams.

Rory Alsop
  • I'm not so sure how much an entry-level position is expected to have the CISSP checkbox... Also, I find the CISSP exam to be much easier after a few years experience... – AviD Feb 10 '11 at 19:51
  • @AviD - admittedly my answer was from the perspective of having to narrow down the hundreds of applicants for roles at one of the big 4 consultancy firms. For most companies I think you're right. – Rory Alsop Feb 10 '11 at 21:55
  • I'm not a CISSP but have many years of experience in security, and my lack of security certifications is a recurring theme in interviews. I recommend you just get the certification (whichever ones you can) as it's one less thing that can be held against you. – Alex Holst Feb 11 '11 at 10:03
  • +1 to Alex. While certifications are no substitute for real-world experience, the CISSP is almost always only going to help in an interview. – Justin Morgan Feb 13 '11 at 12:38
  • CISSP is secret code for HR bypass. SANS is better (and offsec is better still!), but CISSP has more clout, especially with government-focused customers. They just don't know any better... – devnul3 Dec 07 '11 at 14:37
2

The CISSP does not really provide any practical knowledge, so if you are looking for something that is about half an inch deep, then the CISSP is the right choice. From a recruiting perspective they may ignore you because of the lack of experience on your resume and just assume that you cheated (talking purely from a recruiting standpoint; I am not declaring that you did cheat). Typically, postings that ask for a CISSP also ask you to have ~5 years of experience in security as well. So overall the CISSP is not that useful; you would be better off getting a master's and some work experience.

Woot4Moo
2

On one side, as a recent graduate, you've been passing a lot of tests. CISSP is just another test, so some might think you're just after scoring all the certs you can, and the certs are not representative of your actual knowledge. On the other hand, a lot of organizations require you to have a CISSP to hold any security-relevant position.

So while this doesn't guarantee you instant employment, it could potentially be a proverbial 'foot in a door.'

Marcin
1

I'm a Security Executive for a company. I'm part of the recruitment team as well.

Personally, I'd prefer to see a CEH certification on the CV than a CISSP. Don't get me wrong, CISSP is a super course. I'm certified in both, but if I had to choose, I'd go for Ethical Hacking, no doubt.

Cornelly
  • CEH != CISSP != ? The OP was asking about CISSP, where does the comment about CEH come from? The appropriate cert to obtain is the one that is aligned with goals. OP said nothing about pen testing or the defensive side. I know CISSPs who deal nothing with networking... there are other aspects to CISSP and security. – user1801810 Mar 21 '14 at 14:32
0

Obtaining a CISSP is supposed to require work experience. Your sponsor is supposed to vouch for your work experience. Obtaining a CISSP without experience will hurt you and your sponsor when you walk into an interview with a CISSP who has experience and don't do well in the interview. If reported you and your sponsor could be subject to scrutiny and penalties.

OhBrian
  • Sure, I had no intention of trying to gain it without first having some experience. What kind of penalties? A quick search on http://www.isc2.org brings up no matches. – sjp Feb 15 '11 at 18:24
  • The penalty to you is simply that you don't have real world experience yet. The penalty to the sponsor is the risk of losing their CISSP if ISC2 finds the candidate doesn't meet the requirement. Not speaking for any CISSPs other than myself but I am not willing to risk it for somebody else. – user1801810 Mar 21 '14 at 14:27
0

I am not really confident that going for the CISSP at this stage of your career will be of any benefit to you. The eligibility criteria for the CISSP exam are:

Minimum five years of direct full-time security professional work experience in two or more of the ten domains of the information systems, OR

Four years of direct full-time professional security work experience in two or more of the ten domains of the CISSP CBK with a college degree, OR

If you don’t have experience, then become an Associate of (ISC)² by successfully passing the CISSP exam and earn six years of experience to become a CISSP.

Though if you want to make a career in IT Security, there are other options like CEH. I would suggest you read various articles or blogs available on IT Security to learn more about the field and how it will help you in your career. Good luck!

Manki