Which certifications should you get?

That really depends on what you want to end up working with.
Find your dream job goal and then get the right certifications to complement that dream job.
Having a clear path to follow makes it much more likely that you will succeed. In this video I will help you design your certification and career path, so you can end up working exactly with what you are passionate about and have an amazing career.

Get the full free “CISSP: How to study course” https://thorteaches.com/get

You can get all my courses, free study materials, my free CISSP course and much more on https://thorteaches.com/

Transcript:

In this lecture, we’re going to talk about picking your career path and the certifications that complement the career path.
This is a question I get all the time.
Should I take this certification or I have passed this certification, should I do this one next?
And my answer every time is, I don’t know.
What do you want to end up working with?
What sounds exciting to you?
What is your end dream job?
Well, once we have that, well, then we can design the path backwards.
It’s the same when you do a goal for an organization.
This is where we are.
This is where we want to be.
And then we work backwards.
OK, so I am here now.
This is the job I want.
These are the requirements for that job.
How do I get those?
How do I get from point A to point B?
And to start out with that, let’s look at Cyberseek.org, you may have seen me talk about it before where I show there is 941,000 people working in cybersecurity in the U.S. right now, but there is also 521,000 open jobs, so less than a million employed and more than half a million open, crazy ratio.
I also normally mention over here you can see 90,000 people who are CISSP certified in the U.S. and 117, almost 18 thousand open jobs.
I’m going to assume that most of the 90,000 are already employed.
Crazy, crazy demand for CISSP certified individuals.
The same for CISM, CISA.
Really any of the certifications that list here is in high demand, making this an amazing time to get certified, even something like Security+, an entry level certification.
177,000 people have the certification, 50,000 open jobs.
That is still an amazing ratio.
But for this video, the reason we look at Cyberseek.org is the career path.
Here, regardless of where you are in your career, you can still use this.
Let’s say you’re completely new and you are in networking and you want to get into cybersecurity, then they have a suggestion on, start with networking, these are the skills you need, these are the cybersecurity skills that you should add, these are the certifications they suggest, and these are the job titles.
Then you pick this is the entry position where I enter cybersecurity.
Let’s say you start as a cybersecurity specialist.
All right.
Well, then the mid-level role can be any of these, let’s say, you’re consultant.
Then you go to an administrator, then you go to a manager.
So really, this is a tool to show you if you are here, then go here.
And it does some what I talk about.
You want to be the manager?
Well, then get your CISM, your CISSP, Security +, CISA, any of those certifications are the ones that are requested.
Now, for example, here, let’s say you are a network engineer, you are heavy on security, but only in networking.
And your dream job is becoming a CISO, Chief Information Security Officer.
So how do you get from point A to point B?
Well, first off, I would start with looking at what do they want in a CISO?
What is it that they have in job postings for CISOs, what are their requirements, what are the nice to have?
How can you get to that point?
So let’s look at some job postings I just found randomly on LinkedIn.
First off here, qualifications, that is the must have, bachelor’s degree, health care, security, leadership, some travel.
And then they would like you to have a CISSP, anything preferred is a bonus on the resume, but it is not required.
Let’s look at the next one.
And I’m just going to go through about ten of these.
Just to give you an idea.
Whenever you do this for yourself, you have your own specific dream job, so go look for that.
And if you don’t have the dream job, if you’re not really sure what you want to do, well, then maybe find the midway job.
I’m doing this now. This sounds awesome in the future.
And once I get to that point, well, then I’ll look around again.
So here the degree, 10 years of experience, CISSP, CISM, CIPT, some soft skills, written, verbal, innovative thinking, experience with vendor negotiations and management.
So this video is really focused on the certification path.
So here again, degree and a CISSP or CISM.
Next one, they have some technical requirements.
You need to understand these topics.
You need to get a CISSP if you don’t have it already.
And this is actually a little uncommon for the US job market.
Once you get into C-level executives, CISOs, chief information officers, most often they want a college degree, but apparently not here.
I personally don’t think they’re that important.
I think the experience is the most important thing, then the proof of your knowledge that is to some degree the certifications and then maybe a degree.
But the fact that I took an I.T. degree 20 years ago really means very little today.
But I understand there are people who think degrees are amazing.
Good for you.
It is completely a valid opinion.
And as you can see on most job postings, they are required.
Here again, a degree, experience, certifications, same ones as the last one.
Next one degree, ten years experience with all these different things, CISSP or CISM.
You get the idea by now right?
Here, they’re actually a little specific.
You must have a CISSP in good standing.
So I actually like recruiters who are more specific like this, if they know there’s such a thing as good standing, that means they also actually understand what the CISSP certification is and how it works.
Let’s just look at the last four here real quick, degree, experience, CISSP, CISM, CISA or similar.
So here any of those is a benefit.
I personally think that sometimes more certifications is better up to a certain point.
I have, I don’t know, 20 certifications.
I would never put all those on a resume.
If I was applying for this job, I would put the ones they ask for and the ones that are relevant.
I might not list all the CCNAs I have, maybe not even the CCNP, because this job doesn’t require me to know any of that stuff.
It’s good that a CISO has a very broad knowledge base, but give them what they ask for.
I also have my Security +, since the CISSP is way higher level, the CISM the same, I’m going to leave Security + out unless they ask for it.
CEH, Certified Ethical Hacker, this I might leave in because it is actually a security certification.
So when I did my certifications, the bulk of them I did in one round and I did it because it made my résumé look nice.
I really just wanted my CCNP and I wanted my CISSP.
But on the path there, I took a bunch of different other certifications that were very similar to my end certifications and that made my resume look nice.
So on my path to my CCNP, I got my CCENT and my CCNA.
Once I was done with the CCNP, I started on my CISSP studying.
Here, I got my CCNA Security, I got my Certified Ethical Hacker and I got my Security +.
Then of course, I ended up with getting my CISSP.
But now my resume has seven certifications, not just two.
There was maybe another five, 10% extra effort involved in getting those extra certifications.
And while just having my CISSP or my CISM for this application, that would be fine.
But if I have both, then I as a hiring manager, would think you looked slightly better.
And that really is what you need to do, not just the certifications, but also your experience and definitely when you make your application tailor it to exactly what they are asking for.
All right.
Done with that.
Right.
Let’s look at the last ones here.
Experience, must have CISSP, oh another one with good standing, CISSP required, CISM preferred, and any other SANS certification is a plus.
Again, this is a recruiter that actually knows their stuff.
Same thing here, degree, now a degree if you have it, amazing.
If you don’t, sometimes you can get away with having a ton of certifications.
I have done that myself.
I have had interviews with really big companies like Google and they don’t care that I don’t have a degree because I have a ton of experience, which is the most important, and then I have a ton of certifications.
That ton of certifications kind of put a Band-Aid on the lack of a degree.
Now, with that said, there are many places where a degree is a hard requirement.
The higher up you get in an organization, the more of a requirement it becomes.
It is just like your certification studying, an investment in yourself and your career.
Last one here, track record, the willingness, the ability and willingness to roll up your sleeve.
When I read that, I read, you must be able and willing to work a hundred hours a week and not complain about it.
So if this was me, I would probably avoid this company.
That said, most of the other requirements would have seen specific information about which kind of experience you need and a CISSP.
And I think for the CISO, CISSP is really the end requirement.
That’s one of the ones that you just have to have.
If you don’t have it, you should be willing to get it.
And again, this is just the example that I picked out of a hat.
Now let’s go back and look at the Cyberseek and finish up this CISO example.
So let’s say I am a network engineer and really this stops before CISO, right?
The cybersecurity manager is probably the federal you have before the CISO, let’s say networking, then technician, then analyst, then manager and go through each of these steps, see here.
OK, what should I learn here?
What should I know for this role?
Because it’s not going to be you’re going to come into networking and then be a CISO, you’re going to have those three, four different job titles before you get to CISO.
So you’re now the specialist, then again here, if you know you’re going for CISO, I would get the CISSP as soon as you can and you really can get it whenever you want.
The only difference here is you will not be fully CISSP certified until you have the required job experience.
If you take the exam before you have that, well then you are an associate of ISC2.
But many job postings that I have seen have both of those listed, CISSP or associate of ISC2.
Now, you’re not going to see it on the CISO job because at that point you really need to have that 10, 15 years of cyber security experience.
But for any of the jobs before that, the specialist, the analyst or consultant, the manager, all of those most jobs will list both.
And even if your dream job is not one of these here or something else in cybersecurity, these are still amazing tools that can give you some sort of input into what should you look at?
And then when you go and find your perfect job, well then, research what they ask for.
If you don’t want to be a CISO, well, then find your amazing dream job.
Figure out what do companies ask someone in that position to have?
What are the hard requirements?
What are the soft requirements and what are the nice to haves?
Once you have all that, well, then you can start working towards being that person.
But also understand, if this is five, 10 years down the line, then this plan is something that needs to be adjusted because the requirements for a CISO now and the requirements for a CISO in 10 years is going to be very, very different.
So every year, every two years, go in, check, find 10, 20 job ads.
Is there anything significantly new in here?
And if there is, move towards that, learn that skill, research that area.
And I’m not saying you can’t change direction all of a sudden, you can’t change your career path.
I have done that multiple times.
It is completely OK that what you want now is different from what you wanted 10 years ago.
I mean, many kids wanted to be firemen or policemen or nurses or whatever when they were growing up, when they got a little older, that changed.
It’s no different when you are an adult. Any plan you have should be an adaptive plan.
As you move along, you change it slightly or very much.
I worked in Web design for many years and at some point I hated it.
I was just not happy doing it.
So I changed path completely.
Before that, I worked in politics and I mentioned the same thing when I talk about my study plans, it is a living document and the goal might change and then you adjust the plan.
But I think it is important to have that document, to have your plan, this is where I am now.
This is where I want to be.
How do I get there?
And not just for your career, your career should be a part of your overarching plan.
This is what I want for my life.
And I think also here it is good if you can be that three year old that asks, then what?
Then what?
I hear a lot of people saying I want to make one hundred thousand dollars a year.
It’s like, OK, then what?
What do you want to do when you do that?
Well, then I can afford things.
Yes, I understand that.
But then what?
I understand that being financially independent is amazing, but also understand that once you reach your goal, then what, what is it you want to do when you have achieved it?
And then some people say, well then I want to spend more time outside.
OK, I think that’s a very valid and good plan.
Why don’t you start that now? Is there any reason you can’t spend time outside and still work towards your goal of making a hundred thousand dollars?
So what I’m trying to say here is have the plan, have the overarching plan, have the career plan, have all that.
But also be clear on why is it you want to go to that destination?
What is it you’re going to get when you get there?
And when you get there, then what?
What’s the next step?
What do we do from here?
So have that plan, both your life and your career, as a living document that as you move along it, it evolves, new goals get added, old goals get taken out.
But you still know what it is you want.
And with that, I think we’re done with this lecture.
Thank you for hanging in there.
I know this is not one of my normal lectures on either the study materials or the actual curriculum of the certifications I teach but I still think it is important that you know where you want to go and how to get there.
And with that, thank you.
And I will see you in the next lecture.