CCT 004: Understanding the CISSP Certification

cissp Feb 04, 2023

Shon Gerber from provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge in cybersecurity from being a Red Team Squadron Commander; Chief Information Security Officer (CISO); and Adjunct Professor providing superior training from his years of experience in educating people in cybersecurity. 


This is the first episode of CISSP Cyber. In this episode, Shon will talk about his background and how he has been successful in cybersecurity.



CCT 004_RCR 101 - Understanding the CISSP Certification and Preparing for the Future

[00:00:00] Hey y'all. This is Shon Gerber. Thank you so much for listening today. But before we get started, I have a question for you. Would you like to finally pass the CISSP and get started building a lucrative and rewarding career in cybersecurity? I can help you over at CISSP Cyber with the resources and tools you need to pass the CISSP the first time.

At CISSP Cyber, there's a vast array of resources available that will give you the guidance, direction and training you need to pass the CISSP exam. As soon as you get done with this presentation, head on over to CISSP Cyber so that I can begin helping you today to meet your CISSP goals and grow your career in cybersecurity.

All right, let's get started. Welcome to the reduced cyber risk and CISSP training podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon [00:01:00] Gerber and I'm your host for this action packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

Alright, let's get started. Let's go.

Hey all, this is Shon Gerber with CISSP Cyber and Reduce Cyber Risk Podcast. So how are you all today? It's a beautiful day here in Wichita, Kansas and it is an amazing, amazing place to live in a beautiful country that we live in the United States. It's awesome. No.

Hey all, this is Shon Gerber with the CISSP cyber Risk. No.

Hey y'all. This is Shon Gerber with the [00:02:00] CISSP Cyber Training and the Reduced Cyber Risk Podcast. Hope you all are having a wonderful, wonderful day today. So I'm having an awesome day here in Wichita, Kansas. It just, it's amazing. It's very nice. It's actually, the weather is beautiful. It's like 45 degrees, so it is a great day.

Well, I hope you all have had a chance to listen to my other podcasts as it relates to the CISSP Cyber Training. And today, this is episode four. Four, we're gonna understand that the title of this is Understanding the CISSP Certification and Preparing for the Future. Now, the last podcast, we kind of talked a little bit about what, how do you get into cybersecurity, what is the training path and so forth.

And this is kind of a follow onto that to kind of talk about the CISSP and why it's important. Now again, a little bit about myself, Shon Gerber. I've been in cybersecurity for 20 some years and I've got my CISSP and I've been doing this from a level of going from actually having no experience in cyber all the way to up to being a chief information [00:03:00] security officer.

So I understand this path and I've taught hundreds of people how to deal with cybersecurity from both, from learning how to be a hacker up to the point of G, getting their CISSP. So, I'm here to help you in your path. Well, one of the things that comes out of this is understanding how do you do this well, as we talk about how do you get your CISSP?

A couple things have come up from the conundrum around how do I get my training, how do I get into cyber? And we answered that in the last podcast around some of the questions they have. You know, most of my students that I teach in college, and I've taught in the past, they really come back and say they have really no idea what are the next steps.

And so we went over that in the last podcast. What are the next steps and how can, what can you do to get past that spa, that space? The other thing is we had questions from business leaders around how do I find people and find open roles? Well, again, how do we get there with the training that's tied to that and what can you do to [00:04:00] become successful?

And so we talked about that in the last episode, but today we're actually now gonna talk a little bit about how is, what is the CISSP and how does that specifically work? So, as you all know, the CISSP is one of the, the premier certifications that you need to get if you're gonna become a long-term professional in the cybersecurity space.

Now, it's not required, but in reality it's, it's held at such a high bar that most hiring companies really do want you to have the CISSP, and we'll kind of go into reasons why they think that and what's the purpose behind it, but one thing to think about, if you get an IT certification, one of the things that come out of that is you say you've got about a 22% better chance of being, of getting more income than being non-certified.

And the reasons behind that, in many cases is because the HR folks, the individuals that are looking to hire you don't really know what they're looking for. So they use a [00:05:00] certification as a bar, as a litmus test for you to basically get the role. Now, if you have lots of experience and you don't have the certification, well that's fine too in many cases.

But there are some situations where the HR or the hiring manager may require the CISSP not necessarily realizing what they're actually requiring. So that's why it's kind of important to get your CISSP. As you're getting your CISSP, there are some things you need to keep in mind. One is you gotta have at least five years of experience learning and understanding security before you can even become a CISSP.

And of that five years, you have to have full-time employment in at least two of these eight domains that are tied to the CISSP exam. First one is I, I go through the domains and you all have probably heard these or dealt with these, especially if you're trying to get your CISSP. But for folks that don't really understand, what are those domains?

What are those learning [00:06:00] areas? Here are the eight. You have security and risk management, asset security, security architecture and engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security. Those are the eight domains that are tied to the CISSP exam.

So what they're saying is, is for you to get your CISSP, you can sit for the test pretty much at any time, but you cannot be a CISSP until you actually have those five years experience. And you have to have, again, full-time employment that deals with at least two of the eight domains. But you gotta understand that doesn't mean you have to be doing security necessarily in those eight domains.

You have to be able to understand what are the domains, let's just say asset security for an example. And let's say you are in IT management and you're dealing with various servers. And you ha are [00:07:00] responsible for those servers. You work at a, at an IT shop of some kind, right? And you are responsible for those servers.

Well, that's the asset. That's an asset security. You could understand how do I best protect those assets. The other part that comes into it is you could also have them tied into, maybe you have a development team that you work very closely with and they use those servers and you have, are able to work with, maybe the leader of that development team to help provide them guidance around software development and what can you do in that area.

That would also be a way that those would be two of the domains. And again, there's a lot of, there's a lot of openness in that and it's not the fact that you pad your resume or you pad your knowledge, which basically means you don't basically say you have more knowledge than you actually do, but you look for opportunities in your current role to help touch in all eight of those domains, in as many of those as you possibly can. And then you just have to be able to describe that and demonstrate that on your resume to the person who's gonna be signing off [00:08:00] as the, the CISSP is gonna be signing off, saying, yes, Shon is qualified to become a CISSP, and that's something that I'd end up doing is if someone comes to me, I look at their resume, I do an interview of the eight domains, and I determine whether or not they actually have the knowledge they say they do.

So those are parts that you're gonna have to go into, but that's okay because there's so many ways you can learn and get knowledge in these eight domains. Now the next step is your, your concentrations. Now they do have a CISSP concentration and it's basically an add-on. Now, you don't necessarily have to do this, you can't just get your CISSP exam, but if you feel confident that you want to have the ability to get an add-on after you get your CISSP, you can go and sit for an architecture, engineering or management add-on to the CISSP, uh, certificate.

What it basically says is that you, the CISSP understands the large you. You have a good grasp [00:09:00] of that, but let's say you are really good at architecture and you enjoy that, and you want to have an additional cert, certification tied to that, you can go sit for the architecture add-on, and then you can become a CISSP slash architecture. Now, there'll be additional costs and additional CPEs, and that's continuing professional education training that you'll have to do. But at the end of it, it, it just, it's a personal preference. Is it needed? Not necessarily, unless the job that you always want is requiring it, but short of that, it's not a necessity that you have that completed.

Now the associate CISSP, you may have seen some information around that. Now the associate was designed to allow people to get into and start understanding the CISSP ahead of time and maybe get the test out of the way while they're building up their experience. Now you have to be a practicing security professional.

How are you, how are you actually working in the security space within and, [00:10:00] and studying for the CISSP you now? And as you do that, they, they talk about having at least five years of full-time paid work experience, which we talked about to actually get the CISSP. But you can get various other additional training that will help you with getting that requirement, that five years.

So as the associate, you can go in, you can take the test, you got that out of the way. And then if you go to college, let's say for example you go to a four year school, that will count for one year of the five years that you have going towards being a CISSP. Now the other part is, you can also take another certification.

So as an example, if you go get your Security+ certification, and there's a whole laundry list of various certifications that you get, if you can get one of those that will also knock off a year from your five year requirement. The other thing about the associate program that is kind of important is that it allows you to get, take six years to complete the five [00:11:00] year requirement.

So it's designed for people that are maybe going to college and you end up, you don't have time to get your, you're spending a lot of time in school and you don't have that time to get your five years. You can then go out and take the test, be part of the associates program, and then it gives you basically an extra year.

Now, one thing you can't do is, is you can't use both the certificate or the certification process, like Security+ and then the college degree. You can't use 'em both to count for one's for one year, one's for another year, you, and that would be two years. You can't do that. The most you can shave off of the required time that you have to have before you can actually become a certified CISSP is four years. Okay. That's the, I actually say most you can shave off is one year, and so it does require you to have four years experience at a minimum if you have an additional certification or if you have gone to a school and therefore bypassed that product now.[00:12:00]

So that's an important thing to think about. Now the associate CISSP I, I'll tell you point blank, I'm not a big supporter of it. I don't think it's really useful other than it allows you to take your test early and, but it adds a lot of complications to, to things. So you just gotta decide. If there's a situation where it may benefit you, then maybe you should do it.

But that's really a personal decision at that point. Now the CISSP endorsement. There's a key thing you need to keep in mind as it relates to once you get your CISSP or once you start studying for this process, is you have to be endorsed by a currently in good standing CISSP person, right?

Like myself or somebody else. They will have to then fill out the paperwork and help you fill out the paperwork, and they will also have to do an interview of you. They'll do an interview, they'll look at your CV, and then they'll say, yes, Bill Smith or Jenna Thompson or whoever is, has done all the requirements to be a CISSP.[00:13:00]

They've taken the exam, they have the credentials, they have the resume, they have the work experience, so on and so forth. Okay. So that's an important fact that you have to do and, and, and so it must be in written form. And the (ISC)² does acknowledge though that conversations are the best method to ensure you're qualified.

So one thing to think about with that, I have that little note to make sure I bring up, they understand that you could do this via email. However, they do recommend that you have a formal conversation with the person. Personally, unless I know the person very closely, I would want a personal conversation with them just to kind of talk about what do they know and where are they at, because getting a, getting the CISSP exam and passing it, that's just one step. And I, and like I've mentioned before in the previous podcast, you, somebody may come in and just take the test, or I've even seen it where people have taken the test for another individual. And that doesn't prove that you actually know anything.

All you know how to do is take a test. And so if I'm gonna [00:14:00] sign for somebody, I wanna make sure that I know that they have the information they need to be successful. And I'm not gonna cheapen the whole experience. You'll need your last name, your member ID, and again, you'll then you'll wait for approval.

But bottom line is there is a process by which you have to get a sign off. Now one thing we talk about is the CISSP, how important it is and it's, it's a very important certification and as you're relating to the overall training path with the CISSP, I consider it to be like a master's level program, and it really is because of the concepts that I teach at the CISSP level in many cases are beyond what is taught at most four year colleges. So it the overall concepts. Now, bits and pieces of the CISSP are taught at the four year schools. However, many of the things that are in the master's programs are tied into the CISSP. So if you do get it, I do firmly believe it is like having a master's program.[00:15:00]

But there are some additional certifications that would be extremely valuable for you prior to getting the CISSP because you don't have to do this, but I feel that it, it will help you not just getting the certification, but also helping you with your long-term career. A+, that's dealing with hardware.

Now. Many people just kind of scoff at that, but it's really important because hardware has changed dramatically from when I did it many, many years ago to where it is today. So having a firm grasp of hardware and how does hardware talk to each other is an important piece. Then it rolls into the CompTIA Network+ kind of training. So you have CompTIA's A+, and then Network+, very good networking capability. It teaches you how to do networking and the basic understanding of networking. It also teaches a little bit around security, but mostly around how do networks communicate, how do they talk? What are the differences between all of them.

It's a really important factor because when you're trying [00:16:00] to secure your network, if you don't understand networking protocols and how they work together, then it makes it, you're a bit of a disadvantage. Then there's the CompTIA Security+ program. I do recommend that as well. That gives you the basics of security layered on with the network's capability.

So you got A+, Network+ and Security+, all three of those will really put you in a great position for a good future. I mean, I did all three of those and that was a while ago. And the point comes back to is even talking to some of my students, they don't understand networking because they don't really know, and this is students that are coming outta high school.

This is also students that are coming out of college. If you're just trying to get into the cybersecurity field, it also is a really good way for you to understand if you really want to do this, because if you enjoy those three things, then odds are high you'll be very successful. If you don't enjoy them, then you will not be happy doing any of this.

So I feel it's really a good point that you need to kind of [00:17:00] look as a prerequisite before even thinking about taking the CISSP or even getting into the cyber space career field. Now, the cool part about all of that is, is most of that stuff is online and it's free, and you can gain access to it.

Just go to YouTube. Now I'm gonna kind of break down a little bit around Network+ and what it can give you. So Network+, there's various domains similar to the CISSP and it breaks into network concepts, infrastructure, network operations, network security and network troubleshooting tools.

Those are the main domains that are tied to Network+. And you're dealing with wired and wireless networks, IPv4, IPv6, network availability, cloud connectivity, which is a big deal even more. And so it is a really important factor. It gives you those foundational aspects to, cuz I deal with all of those topics on a daily basis.

All of them. Every one of them. And so it's important for you to really understand and get the foundations of how they all work, especially if you're coming into this really [00:18:00] new and green to the entire event. The exam will cost you about $350 to $400, and then your passing score is about a 720 is the minimum passing score, and this is from 100 to 900 is the, is the overall range again, so you need to understand is that, do you need to take the test?

You don't necessarily have to take the test, right? There's no requirement to do it. Now they ask for a required experience. There really isn't any requirement. They do recommend that you have between nine and 12 months of networking experience. So if you started off in a small business and you were doing networking for them, much of this would actually help you.

You'd be able to understand it a bit better, but you don't have to have any sort of networking requirements to sit for the test. Again, you decide whether it's a certification you want to do or don't wanna do. Security+, the purpose of it: it's meant for people who are relatively new to the field of security and they want to pursue it.

It talks about attacks, threats, and vulnerabilities; architecture, design, implementation, operations [00:19:00] and incident response; and then governance. We call it GRC, which is your governance, risk and compliance, which is a huge factor, right? So you've got all of those aspects that are in the Security+ area.

Well, guess what? I deal with those on a daily basis. So it is it, they would be very, very helpful. A+, Network+, Security+, extremely good and foundational. And to be blunt, that's what I taught our folks that were working as maintenance people with the B-1, that was the same path that I taught them is A+, Network+ and Security+, because it did, it helped them understand whether or not they really truly wanted to get into the security world.

Now, some topics obviously as your incident response processes, your governance and risk and compliance are key factors. Those are some of the topics you'll deal with. The costs are between $400 and $450 US, 90 multiple choice, and your score is, uh, 750 is what you have to have for passing, and that's 100 to 900 is the range [00:20:00] itself, multiple choice questions. So again, you just need to pass the test if you really want to do it, but there is no specific requirement for the Security+ environment. Now, as you look online, there's some various aspects. People will say, well, what should I get, the CISSP versus Security+, what should I do?

Now as we've just kind of talked about here, Security+ is a good foundational thing to begin with. It gives you the core skills you need for any cybersecurity role, and it is a foundational aspect to understand cybersecurity language. I like to use the analogy, if you have a shark and you have a dolphin, they don't talk the same language.

Well, you need to have a way to be able to get that shark to understand dolphin. Now it's probably a bad analogy. Maybe it's a whale and a dolphin because they're both mammals. But at the end of the day, you need to have a way to communicate. The nice thing with Security+ is it does give you that initial language to understand security conversations.

Again, no requirement for sitting for the test. It's [00:21:00] also a great way to help you determine if you like cyber, right. There's lots of self-study products out there to help you pass the test with very little help. Again, that's so you, you can do this or you really can. The CISSP, on the other hand, it's like getting, like I mentioned before, a master's degree in cybersecurity.

It's more complex and challenging. The test is very challenging. There's specific requirements for passing the test and maintaining the certification. These are CPEs, you're, I just lost it, but. Basically you're continuing professional education, right? So you, those things are there that you're gonna have to continue the, the certification is required by many hiring managers, whereas the Security+ certification really isn't a requirement by anybody.

Traditional self-study can be long and problematic, especially for the CISSP because it is realistically a four month process to pass the CISSP if you do not have a security background and you do not have a lot of the experience and you're just trying to take the test. I'm just gonna be [00:22:00] blunt.

Taking the CISSP without having much experience at all is a bit of a challenge. You could do it, but it would be very challenging, and having a Security+ background and having a little bit of experience would go a long way in helping you pass that test. Okay, so at CISSP Cyber Training, I have three options to help you with your CISSP.

You have your self-paced training, that's, that's basically all the domains that are there, one through eight. For the CISSP, it's going to give you all the questions. It's gonna help you with questions. I've got multiple questions there. I've got curated content and so forth in a step-by-step study guide.

It's there over 20 some hours of video content. It's all available for you through the self-paced training. The tailored training piece of this is the membership and it's a monthly membership, but it's designed to give you all the content that you would have with the self-paced aspect, but you do get additional content as it relates to the CISSP supplemental exam questions, as well as the podcast that I have curated and available to you.

You also have the ability to ask me [00:23:00] questions and have them answered each week. Then the last one is the personal coaching and membership or mentorship. I have that in place. It's a full membership. It's available for you for a year. It gives you 12 scheduled meetings to meet with me for at a period of time, and we will actually talk back and forth.

It's a really good way to get your endorsement and also to help you with resume and interview prep. Now, I will tell you it's a great deal what it is, because the fact is, is that right now if I meet with an outside company to talk about cybersecurity, like to do an evaluation of a product for them, I charge anywhere from $350 on the low end to up to $500 an hour to visit with them.

So this is a really good deal if you want, if you're that place in your life where you want to actually be able to talk to them. So to talk to somebody and help with mentorship. So again, that's, that's, those are the three options that I can help you with at the CISSP Cyber Training. Now, bottom line is you have to decide what is best for you and how you want to do it.

But when it comes to the [00:24:00] CISSP, the certification and preparing for your future is not hard, and I would recommend that, but it takes time and it takes effort. I shouldn't say it's not hard, it is challenging, but it's not insurmountable. What you want to do is decide, do I want to do this? If you want to do it, then I'd highly recommend at a minimum, if you don't wanna do A+ and Network+, just to really understand if you like cyber, then maybe just look at Security+ and go through and sit through a course that's on YouTube and try to understand it. If that really interests you and you like that, then I would recommend looking through the A+, Network+ and Security+ videos that you might see on YouTube, Udemy, wherever else, and try to get up to speed on that at the minimum.

Then at that point, if you really, truly want to go to study, take for your CISSP, reach out to me at CISSP Cyber Training, or even before then if I can help you with some questions that you may have around studying for the A+, uh, Network+ or Security+, just come out to my [00:25:00] [email protected] and, and log in and just basically send me an email and I'm happy to help you with giving you some guidance and direction around that.

Again, at the end of the day, I want you to be successful. I've helped a lot of people become successful. I've been doing this for a few years, and I know what it takes to be successful in cyber, so let me help you do that. All right. That is all I have for today. We're gonna be next, uh, podcast. Actually, I shouldn't, before I leave, I want a next podcast.

We're gonna be talking about the CISSP salary and as it relates to the, the expectations for what you should be dealing with on a role and what does that look like. So again, that's, we'll get into salary. The overall cost or the, the experience you can receive from, from income. All the way down to bonuses and so forth.

That'll all be available to you in our next podcast, and that will be number five. So short of that, that is all I have for today. I hope you have a wonderful day wherever you are at in the globe, and we will catch you on the [00:26:00] flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback.

Also, check out my videos that are on YouTube. Just head to my channel CISSP Cyber Training and you will find a plethora of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber and look for the free stuff that is only available to our email subscribers.

Thanks again for listening.
