I first talked to a cybersecurity professional about CISSP certification in 2017 when I was writing an article about the Veterans Base Camp Training Center in Chaplin, CT for Neighbors Paper. That discussion ultimately led me to explore a new chapter for me in pursuing an information technology career. CISSP, also known as a Certified Information Systems Security Professional, is a cybersecurity certification program offered by (ISC)2, which stands for the International Information System Security Consortium, Inc.

Darrell Chaloult, CEO of the Veterans Base Camp Training Center, introduced me to his daughter, Christina Mazzone, from Boston, who has a CISSP. At the time, Mazzone was working as an Information Security Officer, at Partners HealthCare. She showed me the book, “CISSP: Official Study Guide”, and explained how cybersecurity uses the same skills as a journalist, such as researching, educating, and written communications. Before working at Partners HealthCare, Mazzone worked at Verizon in a telecommunications job. She transitioned into cybersecurity while working at Bright Horizons as a telecommunications manager. They wanted her to become CISSP certified so that she could be their senior manager of information security. After we first met, Mazzone went on to earn a master’s degree in Project Management in 2010, specializing in information security, from Northeastern University in Boston. She currently works as a cybersecurity risk officer for PTC (Parametric Technology Corporation) in Boston.

After our discussion, I earned several certificates of course completion for the industry certification track of CISSP made possible through a partnership between the Eastern Connecticut Workforce Investment Board, Metrix Learning and Skillsoft. However, I never took the CISSP exam or became fully certified. The certificates I earned included:

• CISSP: Security Assessment and Training
• CISSP: Risk Management
• CISSP: Communication & Network Security Design
• CISSP: Security Engineering Parts 1 and 2
• CISSP: Identity and Access Management

During that process, I discovered that while getting fully CISSP certified was a great path for Mazzone’s success in cybersecurity, it is not an entry-level certification. While someone can become an Associate of (ISC)2 simply by passing the CISSP exam, it is not the same as being fully CISSP certified. To achieve that goal, within six years of passing the exam, someone must have a minimum of five years of experience in two or more of the eight security domains, which include:

• Security and Risk Management
• Asset Security
• Security Architecture and Engineering
• Communication and Network Security
• Identity and Access Management (IAM)
• Security Assessment and Testing
• Security Operations
• Software Development Security

Earning a four-year college degree or regional equivalent or additional credential from an (ISC)2 approved list will satisfy one year of the five-year requirement. The CISSP is designed for security professionals who have spent a few years in the industry, are currently in an information security position, and want to study cybersecurity leadership and operations.

According to the U.S. News and World Report, the CISSP certification is intended for “experienced cybersecurity administrators, managers, and executives”. The six-hour exam with 250 questions costs $699. To pass it, one would need to score 700 out of 1,000 points.

Those who are looking at obtaining an entry-level cybersecurity certification should consider one or more alternatives as suggested by the Computing Technology Industry Association (CompTIA):

• CompTIA Security+, prerequisite: CompTIA Network+ recommended, price: $370, length: 90 minutes, 90 questions, pass score: 750 out of 900 points
• (ISC)2 Systems Security Certified Practitioner (SSCP), prerequisite: one year of cumulative paid, full-time work experience in one of the seven security domains:
  • Access Controls
  • Security Operations and Administration
  • Risk Identification, Monitoring and Analysis
  • Incident Response and Recovery
  • Cryptography
  • Network and Communications Security
  • Systems and Application Security

or earn a degree from an accredited college or university or regionally equivalent education program, price: $249, length: 3 hours, 100-150 questions, pass score: 700 out of 1,000 points 

• International Council of E-Commerce Consultants (EC-Council) Certified Ethical Hacker (CEH) prerequisite: two years of work experience in the Info Sec domain or attend an official EC-Council training, price: $1,199, length: 4 hours, 125 questions, pass score: 70%
• Global Information Assurance Certification (GIAC) Security Essentials (GSEC), prerequisite: no specific training required for any GIAC certification, price: $2,499, length: 5 hours, 180 questions, pass: 73%.

My recommendation for those new to information technology is to follow the path recommended by CompTIA, none of which requires work experience or college degrees as a perquisite. These certificates include:

• Information Technology Fundamentals (ITF+), introduction to IT
• A+, technical support and IT operations
• Network+, troubleshooting, configuring, and managing networks
• Security+, performing core security functions and pursuing an IT security career

Those with experience in cybersecurity looking to further their careers are advised to take:

• CySA+, Cybersecurity Analyst
• CASP+, Advanced Security Practitioner
• PenTest+, Penetration Testing

This is a guest post contribution by Corey Sipe. His interest in information security stems from a desire to help protect people from being victims. He has taken over 50 IT classes and webinars to date, on topics ranging from machine learning to blockchain.