Expert Advice: Is CISSP Worth It?

CISSP, which stands for Certified Information Systems Security Professional, is the gold standard for security certifications and an internationally acknowledged benchmark for infosecurity professionals. As you might expect, therefore, becoming a CISSP requires a great deal of time and effort, from studying the Common Body of Knowledge and completing other training to gaining sufficient professional expertise to finally passing an exam that some people say is the most difficult test they’ve ever taken.

Are the CISSP value and benefits worth all that work? To find out, we asked three Netwrix clients who hold the certification for their advice. Here are their answers to the question, “To CISSP or not to CISSP?”

 

Phillip Collins 

IT Manager, Delta Plastics (the leading manufacturer and supplier of irrigation polytube for the agriculture industry, based in Little Rock, Arkansas, U.S.)

With CISSP, I finally got a job in IT security

 

I earned my CISSP certification in 2010, when I was working as a senior IT director and already had over 15 years of IT experience. Back then, I wanted to be able to prove to people that I had the required knowledge to do IT security, even though I had done security only as part of my regular IT duties. But the benefits of becoming a CISSP ended up extending much further: Thanks to CISSP, I changed my career path and was able to achieve my long-term goal of getting into a role that was purely security.

Becoming a more hirable candidate. Four years after passing the CISSP, I became the Facility Information Security Official for a large hospital. The funny thing is that I was never called in for a face-to-face interview with the hiring authority; they considered my CISSP certification to be sufficient proof that I had the required knowledge, even though I had never worked full time in security.

I think it is easier to get a cybersecurity job if you have a CISSP cert. When I look at vacancies, I often see that CISSP is required or highly recommended. If I were hiring a person, I would also prefer someone with CISSP. Usually, certifications mean that you knew certain stuff on the particular day when you passed the exam, but it does not guarantee you did any of it in practice. CISSP is different, since you need five years of experience to earn the cert, and you have to continue learning to keep your credentials. I give a lot of credit to people who have passed the exam, and I consider CISSP to be the premier certification in IT security.

Getting a higher salary. Those who have earned their CISSP may also have a higher average salary. They can get raises by being promoted within their company or by getting another job as I did.

Improving IT security skills and enhancing productivity. I spent six months preparing for the exam: I reviewed study guides and training materials for CISSP certification, listened to podcasts, passed CISSP practice exam tests — it was quite intense. Moreover, while studying for the CISSP exam, I started getting more involved with security in general. My studies gave me an understanding of how this or that process operates, and I was able to leverage that knowledge to optimize my work. In some cases, I was then able to perform some functions myself and the company did not have to hire additional employees.

CISSP is a 100% must for anyone in a security role. And it’s valuable for the vast majority of IT pros — especially those who have generic IT roles in smaller companies. Most of those organizations don’t have dedicated security specialists so security falls on the shoulders of IT generalists.

Staying on top of cybersecurity trends. To remain a CISSP, I must earn CPE credits each year. Therefore, I attend training courses and conferences, watch webinars, read specialized media, and so on. That not only helps me maintain my CISSP, but also keeps me up to date on general trends on the market. You cannot keep moving forward if you do not learn something new.

Gaining credibility as a security expert. Thanks to holding the certification and without a master’s degree, I’m able to teach at the local college. My CISSP gives me credibility; people understand that I know what I am talking about.

In my case, the ROI for getting my CISSP was 100%. It was worth every single minute and I would never give the certification up.

 

Avi Solomon  

IT Director, Rumberger Kirk & Caldwell (a firm of about 100 attorneys representing corporate clients throughout the U.S.)

Now I have the expertise to talk about cybersecurity as a marketing opportunity

 

I earned my CISSP just recently, in February 2018. I work for a law firm, so one of my main reasons for getting it was that our clients wanted to know that we are protecting their data at the highest level. It was important for them that we had a certified security person in house. By getting my CISSP certification, I not only satisfied the need of our clients, but also earned respect within the community. So I see a big value in getting CISSP as a security professional.

Being trusted as a cybersecurity expert. Having passed the CISSP assists me in important conversations and presentations, such as ones with leaders of the firm. Now we can leverage marketing opportunities through our security posture. I also have more expertise to talk to our clients’ security teams directly: I am able to explain how information is kept securely, how their data is transmitted, and how policies and procedures are implemented. They give me more credit, thanks to my CISSP certification.

Gaining a wider view of the security industry. By requiring me to develop both a theoretical and a procedural understanding of information security, my CISSP training gave me better visibility into the greater security market. I use this information to eliminate security flaws that do not pose a threat today but might become a problem tomorrow. It helps me make the right business decisions around security challenges. That’s why I think that CISSP should be mandatory for CIOs, as well as senior network administrators.

Moreover, as a member of (ISC)², I attend almost all monthly meetings and plan to take advantage of their conferences, online resources, workshops, blogs and so on. It’s not just about getting the credits required to keep the certification; it’s actually more about staying current on the security landscape, which is constantly changing. Their resources definitely help CISSPs stay on top of security.

Acquiring new skills. I’ve always believed that combining theory with hands-on experience is important. Before getting my CISSP, I spent 20+ years working in IT, and, of course, I learnt a lot in practice. CISSP added more theory to my knowledge and I became familiar with less intuitive security-related issues, structures and policies. It brought to my attention certain problems I never encountered, and now I’m grappling with them and doing it quite successfully. It is very enlightening.

 

Pierre Dehombreux 

IT Director, Whiteriver Unified School District (a school district in Navajo County, Arizona, U.S.)

The biggest CISSP value for me is that it made me a better IT leader

 

 

I acquired my CISSP certification in 2015 after finishing my MBA. I was looking for an IT job in the Middle East and needed a globally accepted certification that would confirm my knowledge, skills and experience to make my resume more appealing. I wanted to have proof for potential employers that I had the required skills. CISSP is not a skeleton key that opens every door — you still have to work hard. However, it helped me improve my skills as a leader.

Becoming a more effective IT leader. I would advise anybody who wants to become an IT leader, such as a CIO or an IT director, to acquire their CISSP certification. The knowledge that you gain while studying for the exam and renewing your CPE credits is not just about security; it is also about IT leadership, so it helps you become a better manager. For me, it is a management-level certification. For instance, it helped me to be much better at developing a security program and policies for the school district that improve our security posture and compliance with local regulations.

Brushing up years of expertise. When I took the CISSP exam, I obviously knew the stuff, but preparing for the exam helped me to put it in a more organized way in my brain. I also like being a part of the CISSP community and renewing my credits. It encourages me to regularly listen to recorded webinars and podcasts, and to read their magazine, which explores recent trends. These practices make the knowledge stick better in your brain.

CISSP benefits in a nutshell

So, is CISSP worth all the work? Phillip, Avi and Pierre all say it was for them. Here are the common benefits that the CISSP credential has brought them:

  • Improved IT security skills
  • Better job opportunities
  • Enhanced productivity
  • A wider view of the security industry
  • Encouragement to stay on top of trends
  • Ability to better manage IT security processes
  • Credibility as a security expert within the company and with clients

However, they all noted that CISSP itself does not guarantee you a higher position and a bigger paycheck. To succeed, you have to work hard and demonstrate your knowledge in practice.

If you’re ready to get started on your journey to CISSP certification, we invite you to visit the Netwrix blog for a variety of free resources we’ve put together to help. Learn how to pass the CISSP exam on your first attempt, discover a list of CISSP exam changes effective April 2018, and much more.