What’s it really like to take the CISSP exam? Here’s the inside track from a Saint Leo professor who recently earned cybersecurity's hottest certification.
So you’re thinking about getting CISSP certified? Good move.
In addition to earning a master’s degree in cybersecurity, it’s one of the smartest things you can do for your career. (Saint Leo’s master’s degree program in cybersecurity is currently available on-ground at University Campus and will be available totally online in Spring 2015.)
According to a report from Burning Glass Technologies, over a two-year period between 2011 and 2013, the number of jobs requiring Certified Information Systems Security Professional (CISSP) certification jumped from 19,000 to 29,000.
In fact, CISSP was the most requested certification – by a long shot.
That comes as little surprise to security experts, who have long considered CISSP the gold standard among information security certifications. The designation signals an individual’s deep knowledge, extensive work experience and high standards.
Administered by the International Information Systems Security Certification Consortium, known as (ISC)², CISSP certification is considered the hardest security title to get, and the most well regarded. The exam covers critical topics in security today, including risk management, cloud computing, mobile security, application development security and more.
A “killer” test
“The test is a killer,” says Michael Moorman, professor of computer science at Saint Leo University, who recently became CISSP certified. “It’s both broad and deep.”
But it’s more than a test, he explains. Candidates must have a minimum of five years of paid, full-time, security-specific work experience in at least two of the 10 security knowledge domains covered by the test (four years if the candidate holds a bachelor’s or master’s degree in information security). In addition, candidates must be endorsed by a CISSP who can attest to the candidate’s experience and qualifications.
“The standards are very high and they are maintained by people who met those standards,” he says.
CISSPs today hold job titles including: security manager, IT director, security auditor, network architect, security analyst, security systems engineer and chief information security officer.
Why seek certification?
Moorman served 21 years in the U.S. Air Force as an instructor pilot before moving into academia, where he has been ever since. For the past 25 years, he has been a full-time faculty member at Saint Leo and a professor of computer science since 2003. He holds a bachelor’s degree in science, master’s degrees in mechanical engineering and business administration, and a doctorate in adult education and computer science.
His decision to become CISSP certified was twofold.
“You have to have some credential beyond academic degrees to have credibility in the field of cybersecurity,” he says. “It’s not just knowing how to do it, but actually doing it. The most meaningful certifications are the ones where you have to pass the test and do the work.”
“And I wanted to set a good example for my students and colleagues,” says the teaching professor known for working with students to broaden their knowledge and prepare them for the real world outside of academia.
How to prepare
Moorman enrolled in an intensive week-long training program, or boot camp, to prepare for the rigorous 250-question, multiple-choice test. The program, he says, covered “excruciating details, information and scenarios” centered around 10 knowledge domains:
- Access Control
- Telecommunications and Network Security
- Information Security Governance and Risk Management
- Software Development Security
- Security Architecture and Design
- Operations Security
- Business Continuity and Disaster Recovery Planning
- Legal, Regulations, Investigations and Compliance
- Physical (Environmental) Security
“The whole field is minutiae; you have to be able to dig through the levels,” he says.
Being able to dig through it all and achieve certification has its benefits.
“It says you know what you are talking about and confirms that you are committed to the field,” he says. “It’s a career differentiator. It’s good for marketability and opens the door for advancement.”
Test day: what to expect
All the hours of studying didn’t prepare Moorman for the level of security he’d find at the test site.
“They take your palm print and your thumb print before you walk in the door. You have to empty your pockets and put all the contents in a locker. When you walk in, they check your palm print again.”
The 6-hour test “is grinding,” he says. “If you’re not up to date and not in the field, you wouldn’t pass the test.”
But that shouldn’t come as a surprise. CISSP certification signals a level of competence that’s head and shoulders above the rest, according to Moorman, who adds that it is required for all IT employees and contractors in the government sector. Holders of the title must get re-certified every three years, and meet continuing education requirements annually.
Advice for test candidates
Having lived through the entire CISSP experience – preparing for and taking the test – Moorman offers a few tips for information security professionals considering certification:
- Sign up for a boot camp.
- Take the test within a week of finishing the course.
- If you don’t get something right during training, look it up.
- Be prepared to show your ID and empty your pockets at the test site; leave your cell phone and anything of value at home.
- Expect the test to be difficult – it is.
While you can take the test before meeting the 5-year work experience requirement (an Associate status confirms you have passed the exam, while offering an additional five years to meet the work experience requirement), Moorman suggests getting at least a few years’ experience before attempting certification.
“Without hands-on experience, most people won’t pass – even with a boot camp,” he says. “You need the experience to understand what you are being asked.”
Even with experience, Moorman concedes the test is exhausting.
“It’s rigorous, but it’s doable.”
If you'd like to learn more about Saint Leo's master's degree program in cybersecurity, contact an enrollment counselor at 800.707.8846.
National Cyber Security Awareness Month
This post is one in a series in recognition of the 2014 National Cyber Security Awareness Month. Since 2004, the Department of Homeland Defense and the National Cyber Security Alliance have designated October as National Cyber Security Awareness Month. For more information, visit StaySafeOnline.org.
Image Credit: Pedro Miguel Sousa on Shutterstock