By: Cybrary Staff
June 16, 2022
What it takes to become a CISSP
What does it take to become a Certified Information Systems Security Professional?
The Certified Information Systems Security Professional (CISSP) credential is one of the most recognized in the industry. Still, it takes a lot of work to earn.
Cybersecurity has long been considered a purely technical discipline whose roles are largely solitary. However, today's reality is very different. Everyone who works with digital systems is a potential target for threat actors. Thus, these individuals should, at the very least, possess a basic understanding of cybersecurity. This is also why any good cybersecurity strategy starts with strong leadership and a continuous drive to educate, inform, and upskill employees.
The Certified Information Systems Security Professional (CISSP) credential, provided by the non-profit ISC2, validates the broad range of skills and capabilities needed to drive an effective cybersecurity strategy. It goes beyond the technical aspects to encompass managerial skills, regulatory compliance, risk management, and policy development expertise. It also requires five years of experience before candidates can even enroll in the exam.
Advisory and managerial skills of CISSPs
Contrary to popular belief, many cyber threats are not particularly technical. Phishing scams, for example, rely on social engineering and manipulation rather than malware or other technical attack vectors. Phishing scammers simply use platforms like email, social media, or instant messaging to carry out their attacks. Their technical knowledge is often no greater than that of the typical layperson. However, almost all cyberattacks involve a phishing element.
The non-technical nature of such attack vectors means that cybersecurity professionals must also understand basic psychology. They need to understand how attackers like social engineering scammers think in order to identify threats and communicate them to their teams effectively. This is why the development of soft skills is essential to anyone interested in becoming a CISSP. After all, many CISSPs work in advisory roles and are involved in training and raising awareness throughout their organizations.
The CISSP exam covers a vast range of subject matter. Although the sheer amount of content covered in the associated Common Body of Knowledge (CBK) may seem overwhelming, one of the most significant advantages of becoming a CISSP is that it opens up many potential job roles. CISSPs coordinate and collaborate with business leaders and decision-makers across various areas, from risk management to thought leadership to policy development.
Typical job positions for CISSPs include Chief Information Security Officer (CISO), Director of Information Security, IT Director, and Security Manager, to name a few. All these roles are multidisciplinary, hence the broad scope of the CISSP exam content.
Computing and technical skills of CISSPs
Naturally, technical expertise is vital in any cybersecurity leadership or advisory role. Indeed, CISSPs must exhibit a range of soft and hard skills. As a result, the exam is seen by many as highly challenging.
The CISSP covers the full range of cybersecurity domains, spanning both technical and managerial skills. Becoming a CISSP requires solid familiarity with advanced security controls and systems, such as identity and access management, network security, and operational security. A basic knowledge of adversarial testing practices, such as ethical hacking and penetration testing, will also go a long way towards becoming an effective security leader.
As the CISSP credential aligns with managerial and decision-making roles, certificate holders must also understand how technology works in a business context. In the old days, security leaders were widely viewed as people who prevented innovation for fear of adding risk to their organizations. However, today's security leaders face the challenge of constantly balancing business value with risk and innovation. They must understand and appreciate the importance and need for digital transformation. This means they must have extensive knowledge of emerging technologies, such as IoT, machine learning and AI, and the security risks and business opportunities they present.
What are the CISSP exam requirements?
To sit for the CISSP exam in the first place, candidates must have a minimum of five years of cumulative paid work experience in two or more of the eight domains defined by the CBK. A four-year college degree counts for only one year of experience, and internships also count as valid work experience. One year of work experience can also be satisfied by earning one of the credentials on the ISC2 approved list.
There is far more to becoming a CISSP than learning a wide range of technical skills. Success requires adopting a specific mindset, that of a managerial role in which collaboration and communication are essential. For those interested in a more technical or solitary role, earning a qualification in an area like ethical hacking or penetration testing might be more suitable.
It takes a particular type of personality, in addition to technical expertise, to become a CISSP. However, accredited professionals can expect to step into a six-figure salary, and demand grows yearly.
Certified Information Systems Security Professionals (CISSPs) play a vital role in protecting today's organizations against the rising tide of cyberattacks. The credential demonstrates a high level of expertise in modern cybersecurity systems together with moderate capabilities in managerial roles. That, in short, is what it takes to become a CISSP.