The Certified Information Systems Security Professional (CISSP) certification is one of the most prestigious credentials in the field of information security. Recognised globally, it is often considered a benchmark for cybersecurity professionals, demonstrating expertise and a thorough understanding of security best practices. However, many aspiring IT security professionals face a common challenge when attempting to pursue this certification: they lack the required professional experience in the field. According to (ISC)², the body that manages the CISSP certification, applicants must have at least five years of cumulative, paid work experience in two or more of the eight CISSP domains.

But what if you are keen to pursue the CISSP without meeting these experience requirements? Is it possible to sit the exam, and what do you actually receive if you pass without the necessary hands-on experience? In this article, we will explore how to navigate the challenges of acquiring a CISSP certification when you do not have the required experience and the pathways you can take to bridge the gap.

Understanding the CISSP Certification

The CISSP certification is designed to validate an individual’s knowledge in a wide range of cybersecurity topics, ensuring they have the skills to design, implement, and manage a security program effectively. The exam covers eight domains, which are:

  1. Security and Risk Management: This domain covers risk analysis, governance, compliance, and legal issues related to cybersecurity.
  2. Asset Security: This focuses on the protection of assets, including information, hardware, and software.
  3. Security Architecture and Engineering: Topics include security models, architecture, and system design principles.
  4. Communication and Network Security: This domain deals with network security protocols, communication channels, and data transmission security.
  5. Identity and Access Management (IAM): This domain is concerned with controlling user access, authentication, and authorisation methods.
  6. Security Assessment and Testing: It covers vulnerability testing, security testing methodologies, and evaluating security controls.
  7. Security Operations: This involves incident response, logging and monitoring, and handling security events.
  8. Software Development Security: It focuses on integrating security into software development processes and lifecycle management.

While these domains are comprehensive, the CISSP exam tests both theoretical knowledge and practical judgement (many questions ask for the "best" course of action for a manager rather than a definition), which is why work experience is a requirement rather than a recommendation. The idea is that real-world experience enables candidates to contextualise security concepts, making the CISSP a certification that distinguishes seasoned professionals from newcomers.

The CISSP Experience Requirement

(ISC)², the governing body of CISSP, requires candidates to have at least five years of cumulative, paid work experience in two or more of the eight CISSP domains; part-time work counts on a pro-rata basis. However, (ISC)² offers a degree of flexibility. If you don't yet have the five years, you can still sit and pass the exam, but you are not awarded the CISSP itself: you become an "Associate of (ISC)²" and receive the full certification only once the experience requirement has been met and endorsed.

What is an Associate of (ISC)²?

When you pass the CISSP exam but lack the requisite experience, you will earn the title of "Associate of (ISC)²". This status allows you to demonstrate your competency in the CISSP domains and can be an important stepping stone towards the full certification. As an Associate, you have six years from passing the exam to accumulate the required five years of professional experience. You then submit that experience for endorsement by a certified (ISC)² member in good standing, after which your status is upgraded to a full CISSP. Note that Associates, like certified members, must maintain their status by paying the annual maintenance fee and earning continuing professional education (CPE) credits.

The advantage of becoming an Associate of (ISC)² is that you gain recognition for your knowledge and can start working towards the experience requirement while still demonstrating your qualifications to employers. The Associate designation may be useful in opening doors to entry-level cybersecurity positions that can eventually lead to the necessary experience to achieve full CISSP certification. One caveat: you may not describe yourself as a CISSP or use the CISSP post-nominal while still an Associate, so be precise on your CV and LinkedIn profile.

Strategies for Getting CISSP Without Experience

Although the experience requirement may seem like a barrier, there are several strategies you can adopt to work towards obtaining the CISSP certification, even if you don't yet have the requisite professional experience. Some of these reduce the requirement itself (by at most one year), while the rest are ways of earning the remaining experience faster. Below are some approaches that can help you navigate this challenge.

1. Leverage Education and Training

One of the most effective ways to narrow the gap is to focus on education and training. (ISC)² allows a single one-year waiver of the experience requirement for either a qualifying academic degree or a credential from its approved list; general professional development activities and training courses do not count towards the five years. You can still supplement your theoretical knowledge of cybersecurity by pursuing courses that align with the CISSP domains. This will strengthen your understanding of key security concepts and prepare you for the exam, even though it does not substitute for the remaining years of experience.

  • Formal Education: A four-year college degree (or regional equivalent), or a relevant degree in information security, computer science, or a related field, demonstrates your theoretical understanding of cybersecurity and qualifies for (ISC)²'s one-year experience waiver. Only one waiver can be applied, so a degree plus an approved credential still reduces the requirement to four years, not three. Check the current waiver rules on the (ISC)² website before relying on them, as the approved list is revised from time to time.
  • Training Programs and Bootcamps: There are numerous CISSP training programs and bootcamps that can help prepare you for the exam. These programs are designed to cover all eight domains of the CISSP certification and often include real-world scenarios that provide a practical understanding of security challenges. Training does not count as professional experience and does not reduce the requirement, but it will prepare you more thoroughly for the exam and provide insight into real-world situations.

2. Pursue Cybersecurity Internships or Volunteer Work

If you're looking to gain hands-on experience, an internship can be an excellent way to get started. (ISC)² accepts both paid and unpaid internships towards the experience requirement, provided the organisation confirms your role, dates and duties in writing on its letterhead, so ask for that documentation at the outset rather than years later. Purely informal volunteer work is harder to evidence, so treat it as a way to build skills and contacts rather than as guaranteed creditable experience.

Cybersecurity internships can expose you to a variety of environments, including network security, incident response, vulnerability assessments, and more. These real-world experiences will allow you to better understand the application of security concepts and give you a clearer context for the theoretical knowledge you gain while studying for the CISSP.

  • Non-Profit Organisations: Many non-profit organisations offer volunteer or internship opportunities in cybersecurity, including assisting with security audits or managing network security. Even small businesses or startups may be open to providing experience to someone willing to contribute their time and effort. Wherever you work, keep a record of which CISSP domains each task falls under, since that mapping is what you will need when you submit your experience.
  • Freelancing: If you're unable to find an internship, consider offering your services as a freelance cybersecurity consultant. Self-employed work can be submitted as experience, but you must be able to document it (contracts, invoices, client references), so keep those records. While freelance opportunities may not provide comprehensive work experience, they can help you gain hands-on experience with specific security tools and practices.

3. Certifications to Complement Your CISSP Journey

One way to strengthen your position while you earn experience is to obtain other cybersecurity certifications that build your credibility and demonstrate your knowledge. Many of these certifications focus on specific aspects of cybersecurity and can give you a deeper understanding of the field while boosting your resume. A credential from (ISC)²'s approved list can also be used for the one-year experience waiver if you have not already used a degree for it.

Some of the most respected entry-level and intermediate certifications that can complement your pursuit of CISSP include:

  • CompTIA Security+: This is an entry-level certification that covers foundational security knowledge, including network security, compliance, and risk management.
  • Certified Ethical Hacker (CEH): The CEH certification focuses on offensive security techniques, such as penetration testing, which are crucial for understanding how vulnerabilities are found and exploited, and therefore for assessing risk realistically.
  • Certified Information Security Manager (CISM): This certification focuses on managing and overseeing enterprise-level security programs and is a good fit for those interested in governance and risk management.
  • Certified Information Systems Auditor (CISA): CISA is a well-regarded certification for professionals focusing on auditing, control, and security of information systems.

While these certifications are not substitutes for the CISSP and do not by themselves generate work experience, they can help you build the knowledge base the exam expects. Additionally, they can make you more attractive to potential employers and help you get into entry-level positions that will provide the experience you need for CISSP.

4. Start in Entry-Level Cybersecurity Roles

Getting an entry-level position in cybersecurity is one of the most straightforward ways to build the hands-on experience required for CISSP. Entry-level roles such as security analyst, network administrator, or IT support can provide you with the foundational experience needed to understand how security measures are implemented in the real world. Bear in mind that only work that maps to one of the eight domains counts: a helpdesk or general administration role earns credit for the security tasks you actually perform (access provisioning, patching, log review, incident handling), not for the job title, so seek out and document those responsibilities.

In these roles, you will gain exposure to various aspects of cybersecurity, including network security, incident response, vulnerability management, and risk assessment. Even though you may not immediately qualify for a CISSP-level role, these positions will help you accumulate the required experience and demonstrate your competence in the field.

5. Join Cybersecurity Communities and Networking Groups

Being involved in cybersecurity communities can help you stay updated on industry trends and learn from professionals who have already achieved CISSP certification. Networking with individuals who are already certified or working in the field can offer valuable insights into how they navigated their careers, and their advice may help you identify pathways to gaining the necessary experience.

Online communities, such as forums, LinkedIn groups, and Twitter, are great ways to build connections and stay motivated. Many experienced professionals in these communities are willing to offer guidance, share resources, and even recommend job opportunities to those looking to get started in cybersecurity.

6. Demonstrate Your Expertise Through Personal Projects

Another way to gain skills is by working on personal cybersecurity projects. Setting up your own home lab, conducting penetration tests on your own network, or creating security tools can provide you with hands-on experience that demonstrates your commitment to the field. Personal projects do not count towards the (ISC)² experience requirement, but they are often what gets you the interview for the role that will. These projects offer practical experience in areas such as:

  • Setting up firewalls and intrusion detection systems
  • Conducting vulnerability assessments
  • Configuring secure networks
  • Developing secure coding practices

Documenting your work on platforms like GitHub or a personal blog can further showcase your skills to potential employers, helping you stand out in the job market.

Conclusion

While obtaining the CISSP certification without direct experience in the field may seem daunting, it is far from impossible. By leveraging education, training programs, internships, certifications, and personal projects, you can prepare for the exam now and gradually accumulate the professional experience the certification requires. Passing the exam early and holding the title of Associate of (ISC)² is a viable pathway in its own right, providing recognition for your knowledge and giving you up to six years to gain the necessary professional experience.

Cybersecurity is a field that values knowledge, skill, and a willingness to learn. By following the strategies outlined in this article, you can work towards obtaining your CISSP certification and ultimately gain the experience required to become a recognised information security professional. Keep persevering, and you’ll soon find yourself well on your way to a successful career in cybersecurity.