CO-016-0407

Almost 2 years ago I took the CISSP. I have to admit I have no test-taking abilities, and the proctor staring at me for 6 hours killed me. I failed with a 685. This was a very tragic moment in my life; knowing that the pass rate is 70%, I felt like the stupidest person in the world. After a couple of weeks in "fuck it" mode I decided to do something about it. That is when I started my Master's in Information Assurance. I work for the Federal Government, and for some reason you can have all the experience in the world, but if you do not have a cert or credentials to back it up you do not get the job.

So here I am again, a couple of years later, at it again. The reason I did not retake it quickly was the 500 dollars lost; I wanted to make sure I would not fail again. Now I want to review, and help other people review, for the exam.

This blog for now is about the CISSP, but first I want to talk about other credentials in the market and their standing from my very personal point of view.

Legend:

Difficulty – How hard the test itself is, i.e. study time needed, difficulty of the material, etc.
Who – Who should be considering the certification.
Respectability – Respect rating within the technical infosec-geek community.
Renown – How well-known the certification is throughout the industry.
Requirements – What’s needed to get the cert, e.g. prerequisites, exams, practicals, labs, etc.
Cost – What it’ll cost you (or your company) to get the credential.
Pros – Positive comments about the certification.
Cons – Downsides to the certification.

** Note: Numbers are on a scale from 1 to 10, with 10 being the highest.

Security+ (CompTIA Security+)
Sponsor: CompTIA
Difficulty: 2
Respectability: 2
Renown: 4
Requirements: Single Exam, roughly 100 Questions
Cost: $225 USD (discounts available online)

Who: This certification is for people just getting into the field. If you don’t have any other certifications, and your experience/skills are still developing, this is the certification for you.

Pros: It’s a fairly easy cert to get, and I understand it’s getting a decent amount of recognition within federal organizations. It’s also a fair, solid test that asks decent questions rather than a bunch of vendor-specific trivia.

Cons: It’s entry-level and thus not strong as a standalone bargaining chip.


SSCP (Systems Security Certified Practitioner)
Sponsor: ISC2
Difficulty: 4
Respectability: 3
Renown: 2
Requirements: Single Exam, 125 Questions, 3 hours; 1 Year Experience
Cost: $350 USD

Who: The SSCP is for serious, dedicated information security professionals who are not quite ready to take the CISSP exam. Only one (1) year of experience is required for this exam vs. 3-4 (depending on whether you have your bachelor’s) for the CISSP.

Pros: The SSCP is administered in a very professional fashion, just like the CISSP, and it thus carries some of the respect that goes along with that credential. It’s also from ISC2, just like the CISSP, which helps it as well. It shows that you’re serious about your career.

Cons: Unfortunately, the certification that hurts the SSCP the most is its older sibling, the CISSP. If you check the job boards, precious few jobs ask for the SSCP. The reasoning is that the experience requirement for the CISSP is much of what makes it so respectable; taking that away and asking half the number of questions diminishes the value of the SSCP significantly.


CISSP (Certified Information Systems Security Professional)
Sponsor: ISC2
Difficulty: 5
Respectability: 4
Renown: 10
Requirements: Single Exam, 250 Questions, 6 hours; 4 Years Experience
Cost: $500 USD

Who: The CISSP is for serious, dedicated information security professionals who intend to stay in the field and grow. It says to employers that you are serious about your career and are familiar with the core basics of 10 separate areas within the field. In today’s market, managers and career professionals are expected to have this credential.

Pros: The CISSP is the undisputed king of infosec certifications. It was the first infosec cert to receive ISO recognition, a great achievement not only for the certification itself but also for the field as a whole. It commands a great deal of respect in many IT circles (and HR circles), and this can be clearly seen in job search results. It can greatly improve your chances of getting high-paying jobs and is an excellent addition to any resume. If you are only going to get one infosec certification, it should be the CISSP.

Cons: While the CISSP is the king of information security certifications, it suffers from being thought of as something it isn’t. Many still mistakenly view it as proof that someone is an expert in the field, and that couldn’t be farther from the truth. ISC2 has explicitly stated in the past that the test is designed to test a broad base of general knowledge, not to certify someone as a master of their field. Also, despite the rumors of impossibility, the exam has over a 70% first-time pass rate.


CISA (Certified Information Systems Auditor)
Sponsor: ISACA
Difficulty: 6
Respectability: 5
Renown: 8
Requirements: Single 200 Question Exam, 4 Hours; 5 Years Experience
Cost: $475 USD

Who: The CISA credential is ideal for anyone already doing, or looking to get into, information security auditing. If you’re not familiar with auditing, think of accounting: it’s basically ensuring that proper processes are in place and that people (and technologies) are doing what they’re supposed to be doing.

Pros: The credential is highly recognized and sports even more hits than the CISSP on Monster.com and other job searches. It’s highly sought after due to the myriad regulations hitting the infosec industry. Considered a “professional” certification, it seems to borrow some respect from the CPA/accountant arena.

Cons: Again, many jobs that request the CISA will also take a CISSP. Certain jobs ask for the CISA specifically, but most are just looking for this “class” of cert and will accept a CISSP in its place.

CISM (Certified Information Security Manager)
Sponsor: ISACA
Difficulty: 6
Respectability: 5
Renown: 7
Requirements: Single 200 Question Exam, 4 Hours; 5 Years Experience; 3 Years Security Management Experience.
Cost: $475 USD

Who: The CISM credential is for information security managers. It’s for those who wish to show that they can manage an enterprise information security program.

Pros: The credential comes from ISACA, which is a respected organization, and the position of information security manager is so important to companies that any credential that speaks to one’s competence will be helpful.

Cons: Once again the CISSP is still the leader in this area, and while the certification can definitely help, anyone hiring for an ISM position is going to be looking at a lot more than certifications.

Comments: Anyone wanting to get into an ISM position needs to be looking at this credential, but it doesn’t have the power of the CISSP in my view. I think that of the two big ISACA certs, the CISA offers more of a punch, albeit not necessarily for managers.


GSEC (GIAC Security Essentials Certification)
Sponsor: GIAC (SANS)
Difficulty: 7
Respectability: 7
Renown: 7
Requirements: Two 100-Question, Open-book, Open-Google Online Exams
Cost: $800 USD (cost of exam without training)

Who: The GSEC is for highly technical, serious information security professionals who actively work with the technical side of infosec on a daily basis. Those looking to show considerable technical knowledge across a large number of infosec subjects would be well served by attaining this credential.

Pros: The SANS organization is universally recognized as a top-notch infosec training and certification organization. Any certification from them commands a decent degree of respect, both with engineers and increasingly with human resources as well.

Cons: The CISSP still owns the majority of the spotlight in this arena. Relatively few employers are aware of the GSEC, and even among those who do recognize it, most view the CISSP as just as (or more) valuable.


GCFW, GCFA, GCIA, GCUX, GCIH
Sponsor: GIAC (SANS)
Difficulty: 8-9
Respectability: 8-9
Renown: 5
Requirements: Two 100-Question, Open-book, Open-Google, Online Exams
Cost: $800 USD (without training)

Who: These various certifications represent the “hardcore” SANS offerings. They are more in-depth and difficult than the GSEC, and each focuses on one area specifically: GCFW is for firewalls and VPNs, GCIA for IDS/IPS, GCUX for Unix security, GCFA for forensics, and GCIH for incident handling. These are just a few of those offered, and they are geared towards veteran infosec professionals who have already specialized in an area. If this sounds like you, these certs are the way to go.

Pros: The GIAC (SANS) organization is universally recognized as a top-notch training and certification organization. Any certification from them commands a decent degree of respect, and these specialized certs say to an employer or client that you are truly skilled at what you do.


GSE (GIAC Security Expert)
Sponsor: GIAC (SANS)
Difficulty: 10
Respectability: 10
Renown: 4

Requirements: Must have three (3) GIAC certifications (GSEC, GCIA and GCIH) with GIAC Gold in at least two; must pass a proctored GSEC exam with average scores of 80 on both tests; a 23-hour onsite testing process consisting of a mix of open-book written exams, research, hands-on exams, group work and an oral presentation.

Who: The GSE is for those who have mastered a number of areas within information security, have superior talent, have a love of difficult-to-attain credentials, and have a lot of time on their hands.

Pros: If you encounter anyone who knows everything the exam involves, you’ll be instantly acknowledged as a world-class information security expert.

Cons: You aren’t likely to find any of those people. Plus, anyone with these skills doesn’t need the certification anyway.

It is very important to understand that there are a lot of certifications out there; some are more technical than others. My perspective is management-wise. Most of the time managers get the better positions within the company and better salaries in the industry. My purpose for the CISSP is that it is required for most Chief Information Security Officer positions in the federal government and military. So the purpose of this blog is to accomplish that. I am hoping to get help, to help others, and to make this experience a good one.