Anyone here a CISSP?

[IAMZOMBIE]

I've been kicking around the idea of getting my CISSP.
I'm just curious if anyone here already has it.
My main first question is how hard is it to get enough CPEs every year.

[lupin]

I considered getting one for a while and decided against. First of all I didn't think Id learn anything useful from it. (I just completed a Masters degree in Information Systems Security in 2008 which covered all the useful stuff).

Second, apart from in jobs advertised by less up to date hiring managers its not a technical certification, and is mainly a benefit for those doing the documentation style IT Security tasks (risk assessments, system security plans, compliance assessments etc). The GIAC certifications seem to be the hot IT Security technical certifications at the moment (GCIH, GCFA, etc).

Third, the CISSP test is 6 hours long, scheduled only at particular times of the year, and needs to be done on paper . The certification would need to be REALLY good for me to put up with that.

[PeppersGhost]

Also, if you dont have InfoSec in you're job title for 4 years they won't even look at you for CISSP.

[lupin]

Also, if you dont have InfoSec in you're job title for 4 years they won't even look at you for CISSP.

They accept some related experience as long as there is some security component to the job, like system administration for example, but yes, its true that they also have a minimum experience requirement.

I think that point is actually in the certifications favour (it means that the cert holder has had some hands on experience and hasnt just passed the exam right out of a certification mill), and I do meet the requirement, but regardless Im still not going to get a CISSP.

[thorin]

Anyone here a CISSP?

CISSP, OPST, OPSA

I've been kicking around the idea of getting my CISSP.
I'm just curious if anyone here already has it.
My main first question is how hard is it to get enough CPEs every year.

This shouldn't be hard. Do a few webinars with vendors etc and you get some hours. Teach/take some courses or write some papers you get some hours. Proctor a few CISSP exams in your area and you get hours. Attend a industry conference or two get some hours (or days). It's pretty easy. But do keep in mind that it's min 20 a year but total 120 over 3 (unless they've changed that and I'm grandfathered).

Also, if you dont have InfoSec in you're job title for 4 years they won't even look at you for CISSP.

That's not true. Unless you like in some extremely harsh union shop almost any System or Network Admin has dealt with enough security stuff to qualify.

[lupin]

OPST, OPSA

I was looking at those last year when trying to determine the a good pen testing certification to go for. I finally went with GPEN (which I got in March this year) after looking at the available training, strength of the certifying body, etc. SANS is fairly well regarded here in Australia, the OPST and OPSA are less well known and only one training provider that I know of offers the training and certification (Pure Hacking in Sydney).

Im looking at doing the GWAPT from SANS later this year, the OSCP (Offensive Security) in a month or so and the OSCE (Offensive Security) early next year.

Did you do the training before taking the exams? What was the exam like, regarding difficulty, content covered, format and testing process, etc? Are employers asking for the cert in your location? What is the recertification process like?

[thorin]

@ lupin

I'm actually a OSSTMM trainer now. When I joined the company I'm currently with I did both the full OPST (with the company I'm currently at) and OPSA (with Pete Herzog himself). I was pretty happy with them. ISECOM's certs are very popular in Europe and Mexico but gaining ground in North America. For the OPST we usually do a full week (5d) course with the exam on the 5th day.

I've also been looking at doing my GWAPT (which replaced GWAS)...I had hoped for this year but in reality it seems like it's gonna wait till next year

[prowl3r]

I'm actually a OSSTMM trainer now.

Looking at your avatar, you seem to be a very demanding one

[thorin]

<evil grin>

[theprez98]

Also, if you dont have InfoSec in you're job title for 4 years they won't even look at you for CISSP.

You can take the CISSP without the requisite experience; you're just considered an associate until you get the experience.