Certifiably Secure: Experience and the CISSP
The Certified Information Systems Security Professional, or CISSP, certification remains a highly-coveted infosec credential, despite the presence of over 50 other vendor-neutral and more than 20 vendor-specific infosec certifications in today’s somewhat crowded marketplace. Above and beyond the broad and comprehensive coverage of the subject matter in the ten domains of the certification’s Common Body of Knowledge (CBK), one of the biggest reasons the CISSP continues to rise to the top of so many IT professionals and employers “must-have” lists for infosec certification has to do with the credential’s experience requirements. That is, infosec professionals want to demonstrate that they have such experience, and employers want to ascertain that such demonstrations are both valuable and meaningful. That’s why we look more closely at the experience requirements for this credential in today’s newsletter.
A bald statement of those requirements only scratches the surface of what’s sought from CISSP candidates. This can be succinctly summarized as four years of professional experience in the information security arena, or three years of professional experience plus a college degree. Also, a Master’s Degree in Information Security from a National Center of Excellence in Information Assurance Education (college programs recognized by the NSA as of significant merit in this field) may be substituted for one year of working experience.
It’s obvious that the organization’s definition of “professional experience” is what’s key to understanding the requirement, so I quote it verbatim as a bulleted list here:
- Work requiring special education or intellectual attainment, usually including a liberal education or college degree.
- Work requiring habitual memory of a body of knowledge shared with others doing similar work.
- Management of projects and/or other employees.
- Supervision of the work of others while working with a minimum of supervision of one’s self.
- Work requiring the exercise of judgement, management decision-making, and discretion.
- Work requiring the exercise of ethical judgement (as opposed to ethical behavior).
- Creative writing and oral communication.
- Teaching, instructing, training and the mentoring of others.
- Research and development.
- The specification and selection of controls and mechanisms (i.e., identification and authentication technology). (It does not include the mere operation of these controls.)
- Applicable titles such as officer, director, manager, leader, supervisor, analyst, designer, cryptologist, cryptographer, cryptanalyst, architect, engineer, instructor, professor, investigator, consultant, salesman, representative, etc. Title may include programmer. It may include administrator except where it applies to one who simply operates controls under the authority and supervision of others. Titles with the words “coder” or “operator” are likely excluded.
With the more detailed understanding that this definition provides, it’s clear the parent organization (known as the ISC2, pronounced “ISC-squared”) behind the CISSP is seeking to identify individuals with significant knowledge of information security who regularly use that knowledge in a serious, meaningful way in the workplace. This helps to explain some of the cachet that the CISSP still clearly commands.