CCT 005: CISSP Salary to Testing, Setting Expectations

CISSP Feb 05, 2023

Shon Gerber from provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge in cybersecurity from being a Red Team Squadron Commander; Chief Information Security Officer (CISO); and Adjunct Professor providing superior training from his years of experience in educating people in cybersecurity. 


In this episode, Shon discusses the salaries associated with the CISSP and other cybersecurity roles. He also discusses setting expectations for taking the CISSP exam.


BTW - Get access to all my Training Courses here at:

Want to find Shon Gerber / CISSP Cyber Training elsewhere on the internet?

LinkedIn – -

Facebook -


Gain access to 30 FREE CISSP exam questions each and every month by going to and signing up to join the team for free.


CCT 005_RCR 102 - CISSP Salary to Testing Setting Expectations

[00:00:00] Hey y'all. This is Shon Gerber. Thank you so much for listening today. But before we get started, I have a question for you. Would you like to finally pass the CISSP and get started building a lucrative and rewarding career in cybersecurity? I can help you over at CISSP Cyber with the resources and tools you need to pass the CISSP the first time.

At CISSP Cyber, there's a vast array of resources available that will give you the guidance, direction and training you need to pass the CISSP exam. As soon as you get done with this presentation, head on over to CISSP Cyber so that I can begin helping you today to meet your CISSP goals and grow your career in cybersecurity.

All right, let's get started. Welcome to the Reduced Cyber Risk and CISSP Training podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon [00:01:00] Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam

and grow your cybersecurity knowledge. All right, let's get started. Let's go. Hey all, it's Shon Gerber with, uh, CISSP Cyber Training and the Reduced Cyber Risk podcast. I hope you all are doing well this beautiful day, and, uh, it's great here in Wichita, Kansas. So I love it. It's awesome. So quick question for you.

We are just today, we're just, uh, episode five. This is the ongoing series around, uh, how basically the, uh, CISSP Cyber Training got started. And, uh, we're just now rolling into this next podcast. We're gonna be talking a little bit about CISSP expectations around salaries and so forth. But before we do, we'll kind of talk back about what we did and what we discussed in the last episode, and it was around understanding the CISSP certification and preparing for the [00:02:00] future.

One of the points brought up is that if you are certified, you do run the, the ability to potentially make at least 22% more than being non-certified. Now, I've seen that article out there and I've been quoting that, but at the end of the day, it really comes down to experience. So having the cert is extremely valuable.

However, having the experience is as much, if not more so. So just kind of consider that as you're looking at this. We talked about the CISSP and the requirements around it, as well as having the experience needed to become a CISSP. There's, all the three areas, the three concentrations would be your architecture, engineering, and management.

And then we also discussed a little bit around the associate CISSP, and the additional certifications as it relates to Security+ and Network+. So that was just kinda the last podcast, in 004. And the ultimate point was just to kinda walk through these different areas and to give you an idea of where we're at.

So now as we're dealing with expectations around the CISSP and taking the exam. One of [00:03:00] the big things that I see online quite frequently is around the salary as it comes to being in cybersecurity. Now, there's a lot of things that will break down the salary, and I've got training over at CISSP Cyber Training.

I've got an actual training specifically, and you might even see it on YouTube 'cause I'll put it out there, around what you can expect based on the role that you're looking to do. And a lot of things, when you start off as an individual that's trying to get into security, into the cyberspace, your pay can change quite substantially depending upon the role that you actually take.

Now I pulled this off of ISC². They have an article there on their website and they're the ones that put forward the CISSP along with a lot of other certifications. But one of the things they bring up is kind of the breakdown in actual income based on where you're at. So, in the Asia-Pacific region, they're basically saying it's around 57,000 US dollars is what you would make.

Europe is around 81,000. [00:04:00] I think North America, they're saying around 120,000 is what you can anticipate by getting the CISSP. Now, I will tell you that that will range. And also the other thing is it really depends on the role. You can get the CISSP and be a security analyst and you'll be making 70 to 80, maybe $90,000 a year, which is amazing, right?

I mean, that's really, really good income, but you also could be a CISSP being a chief information security officer and make substantially more than that. So it really depends upon the role. Just getting the certification does not automatically mean that you're gonna get paid that amount of money.

It's a great cert, but it's not that great of a cert. So kind of keep that in mind. Now also keep in mind that the pay will range a lot from location to location. As I'm out interviewing people for different roles, from security engineers to analysts, you name it, you know, you end up with architects, you end up interviewing them.

And as you interview these individuals, you also have to [00:05:00] keep in mind where they are at, where they wanna live. If you have somebody that's in New York and they're going to stay in New York, what ends up happening is their pay is probably gonna be substantially higher. However, if they were in Wichita, Kansas, their pay might not be as high as it would be in New York City.

Now you go to Asia, you go to India. Now the pay compared to US standards would be lower. However, in India it would be substantially higher. So again, it really depends on the geographic location and where you're at. It's all relative. It really truly is. So you need to keep that in consideration as you're looking at getting a job in some location.

The other thing that comes into it is if you're looking at working in New York, the odds of having more competition are higher. So therefore, the role that you may wish for, that makes the income that you want, may not be available to you unless you have the experience to back it up. So it isn't just, [00:06:00] again, it's not a meal ticket.

You don't just punch it and you win. That's not, this isn't the lottery. However, if you do accomplish these different goals, you set yourself up for extreme success, both short-term and long-term, because this, again, this isn't a short-term game. This is a long-term future that you want to do for you and your family and your career.

So therefore, it's extremely important that you think that way. Don't just look for the fast money. Another option as it deals with making money is the fact that you can end up commanding a very significant amount of income based on what you're willing to do. Now, I was talking to other CISOs that are in my position and one of the aspects that came up, he said, we were talking about compensation and how do you look at compensation for

other security officers, what would be the norm? And it will, again, it will vary from position to position. However, one thing he did bring up is he said, if you're willing to do some things that other people aren't willing to do, [00:07:00] you obviously could make a lot more money. Now, again, one thing you gotta think about with ISC² and becoming a CISSP, it's gotta be ethical, it's gotta be moral, it's gotta be something that you would do and that you have to be able to hang your name on.

Now you can go out and be a criminal, and you can make a lot of money, but that is not where you want to go. Okay? Short term, the money may sound great, but let's be realistic. There's a lot of downsides with that, besides being ethically wrong. First off is if you get caught. The downside is you break big rocks into little rocks.

That is not a good option. But that being said, if you are an expert in what you do, you can then be an individual that would go to, uh, a company who may have been hacked, for example. And we call it the dumpster fire situation, where they have a total dumpster fire going on. Right. This company just got hacked.

Their security person is out. Maybe they don't have a security person. You now would be parachuted in and you can help them with their situation. [00:08:00] And by doing so, you could command a very significant income from that. Now, that being said, there's a lot of risk with that as well. Where there's risk, there's reward, right?

You gotta decide: if the reward is high, is the risk high? Maybe, maybe not. But that being said, you could come in, you could command a large salary. You could help them, protect them, and then maybe move on and do your own thing. And that's more of a consulting type gig. The other option is that you can go potentially hang your shingle.

You're basically saying, I'm open for business on Upwork or other contracting type websites, and you can say, I'm willing to do X, Y, and Z. A good friend of mine, from when I was an aggressor at the 177th Information Aggressor Squadron, he was my counterpart with the active duty Air Force. I talked to him just the other day and he's got a consulting company and he does that right now out of his own consulting business, and he's done very, very well.

Now, the downsides of that obviously are the fact that [00:09:00] you've gotta have a good plan. You've gotta have money set aside because when jobs come, they don't all come in at a very programmed time. It's either feast or it's famine. So you've gotta have a good plan for that. But there are options, right?

So when I throw out these numbers at you, keep in mind this is based on a workforce. You can make a lot more than this if you're willing to do different things that are both legal and ethical, okay. Just setting that expectation. So as we go into jobs, what are some different ways that you can understand how that works?

Okay, so I'm gonna throw out some titles and I'm gonna put out some sample jobs that are out there, pulling numbers from Glassdoor, Upwork, and other areas. So let's just go with a cloud security engineer. Now, a cloud security engineer can range anywhere from 70,000 to 120,000 US dollars. Now I'm gonna put all this in US dollars.

If you're listening to this in India, obviously look at rupees and figure out how you want to convert that, but, again, that would also be different in India. The [00:10:00] pricing obviously is about 30% less if you're in India. But the overall buying power is about the same. So your cloud security engineer is around 70 to 120,000 US dollars.

Again, depending upon your experience. That will get you more income. The cert will help, but the experience is what makes you the more money. Security architects, and all variations of this, will range between 90 and 180,000. I know there's people that have talked on YouTube that say they make 200,000 plus

as an architect. You can, I mean, there's bonuses that are included in there. You can definitely make over $200,000 doing it, but again, on the flip side, there's pros and cons for that. Not everybody does that. Let's be real. Not everyone makes $200,000 as a security architect. Now, there's many that make in the 150s, 160s, and,

coming from a guy that was broke, right? I mean, I have seven children and I have no money. One of the aspects that came up, if I was making a hundred thousand dollars a year, [00:11:00] I counted my blessings and I was very happy. And that was, uh, even making a hundred thousand was extremely life changing for me and my family.

So that's huge, right? Security analysts will make anywhere from 60 to a hundred thousand, and then a Chief Information Security Officer can make 110-ish to 250 or more, depending upon, again, bonus structures, other types of activities, and what you're willing to do. I talked about contract work with Upwork, and as one example, I'll just give you an example that I saw on Upwork and they go, I need a CISSP to implement TSA, which is Transportation Secur... or Safety Act

or Security Act, I don't know, requirements. You could also have someone come in and say, I am part of CFATS in the United States, which is the Chemical Facility Anti-Terrorism Standards. I need someone to help me implement that. I have a government contract to help me do that. There's CMMC, which is the, uh, Cybersecurity Maturity Model Certification.

I need people to help me get my business up to the CMMC [00:12:00] standards. There's lots of ways you can use your CISSP to help you moonlight on the side, even if you have a job right now doing something else. Again, doing that is a great way to build your resume. It's also a great way for you to get a new opportunity.

So there's lots of ways to do this. The hardest part is getting started: making a decision and getting started. In most cases, these are set up as hourly, right? You'll get paid a certain percentage or a certain amount for your time that you work. You'll learn during this process, especially if you're doing like an Upwork type event,

you'll figure out what your time is worth and what you are willing to commit. You may be willing to commit, say, 20 hours at a much lower rate to get the job, because you need the experience and you need to put it on your resume, than maybe someone who comes in who has all that experience already and really doesn't need it and wants to take more money because their time is valuable to them.

So there's lots of different things you can think about in that [00:13:00] regard. Now, as it relates to CISSP certification costs, one thing to keep in mind is what it's gonna cost to get certified. Now, I mentioned before, in past episodes, the free option. But like everything, there is nothing free.

What you're gonna have to do is you will have to buy a book. Okay? I guess you can rent it or you can go ahead and look at it from the library. But in reality, I marked my book up. I made copies. I made notes. I stuck sticky tabs. Just break down and buy the book. I mean, realistically, you're talking a hundred dollars that you're gonna have to invest to buy the book.

Now, you're also gonna want to get some practice questions. Now there's practice questions on CISSP Cyber Training. I have some available for you. You can go out and find other practice questions online that are free, but you also can go out and buy some that are better curated and that will give you a much better experience.

And so those are options you need to consider. So your study guide, your study questions are a hundred dollars. Your practice [00:14:00] questions will go from a hundred to 300. So right now you're all in at around four to $500 before, honestly, before you take your test. But this is now where you're gonna spend your equity, we call it sweat equity, in learning to get your CISSP.

And that's what you're gonna need to invest in, is you spend the extra four to 500, which it can be very challenging to find that money. I know. Been there, done that, got the t-shirt. But you may have to do that to be able to then put your sweat equity into your business to be able to make the money you wanna make so that you can have the life that you really truly want.

This is attainable. The only thing that will stop you from making your dreams a reality in cybersecurity is you. You are the person that has to make that decision, and you're the one that has to do the work. Now the free training is out there. Again, I come back to this, it's, you get what you pay for.

Now there's some really, really good free training, there truly is, and I will tell you some of the Network+, Security+ and A+ training I saw [00:15:00] on YouTube is amazing and I recommend it. And actually some of the curated stuff that I've got on my site is to recommend that training for you.

But what really will help you is the fact that having somebody keeping you accountable and helping walk you through this process is a really important factor. Again, we talked about the paid specialized training. You can get that in various locations, either if you wanna drop the money on a bootcamp, you know, five, six, $7,000 or more, or if you want to do it a little bit more cost effectively by going through CISSP Cyber Training or other type websites out there.

Bottom line is you need to consider one of those options. The boot camps, they will run anywhere from five to seven days, and boot camps will cost anyone upwards of five to seven, potentially even $10,000, depending upon if you're gonna be in person or online. If you're gonna be in person, you gotta pay for hotels, food, transportation, so on and so forth.

So that can add up quite substantially over a period of a week. The exam fees are usually included in them, and many times they do guarantee success. They [00:16:00] have, their instructors have been teaching the test long enough and know well enough what are the exact questions that are gonna be asked of you.

So they will give you a pretty good understanding of what you need to be paying attention to. However, that being said, just because, like I've mentioned before, you get the test, does not mean that you're going to just automatically get everything you need to be successful in cybersecurity.

So I'm just telling you, the boot camps are great. I'm not knocking 'em. I think they're a great tool for the right people. Just, the fact is though, just because you get the cert doesn't mean you're gonna get the job. I think I've beat that horse to death enough. I hope I haven't. I probably have, uh, anyway.

Trade schools, trade schools, universities. Again, another way that you can make the money or get the training you need. But they do cost more money and finding good instructors can be a challenge. Okay, so some questions around the CISSP. There was a question that came up that I looked at online: is the CISSP a hard exam?

[00:17:00] Yes, it's a hard exam. It is not easy. Consider it like taking a master's program in security. Some people may get it faster than others, but it doesn't matter. It's a tough exam. It's computer adaptive testing, which means it learns. If you do poorly on a couple questions, it will ask you more questions like that, that are just as hard, if not harder.

And the purpose is to weed you out early. You get six hours to complete this and it may not take you that long, but you're allowed that specific amount of time. There's 250 questions, and again, the exam is pretty expensive. It's at least two times, uh, the other exams you're gonna see out there, like I talked about.

So it's about 700 to $800 US dollars to take it. I don't know what it costs in other countries, but just assume it's gonna be pretty high there as well. One thing I think is important for you to know as you're listening to this podcast, the pass rate for the CISSP for the first time, the pass rate

the first time is only 20%, so only 20% of the [00:18:00] people who sit down and take that test will pass it the first time, and I'll raise my hand because guess what? I was one of those that did not pass it the first time. So, and that, I'll tell you that, that's brutal. It hurts you mentally, it hurts you financially.

And it's a kick. It really hurts. So again, you wanna set yourself up for success and do the best you possibly can so that you pass it the first time. Now, is the CISSP for beginners? That was the question. No, it's really not. It's not a good test for beginners because of the work requirements, because of the endorsements, because of the fact that you really need to have a good understanding of networking and understanding that aspect of it.

It is probably one of the hardest certifications out there. It's not the hardest, but it's a very challenging cert, so it is not for beginners. You need to focus on getting the skills you need to go, and you can get those at CISSP Cyber. I gotta put the plugs in, just gotta. But that will help you with getting your path to success.

So again, [00:19:00] CISSP is not for beginners. Now, how long does it take to become a CISSP? We talked about that before through the podcast, about five years of experience, full-time employment, in at least two of the domains, which we mentioned. Of those eight domains, that's asset security, identity and access management, and so forth. There's many different domains.

Eight total, but the point is you gotta have full-time employment in those. College courses or certifications will give you an extra year towards that five year work requirement, which basically means if you go to school and/or you do the cert, you'll have four years to get the knowledge you need to be able to get your CISSP.

Now as far as preparing for the test, you need to self-study for about three to six months. I'll just be honest with you all. There's guys out there that'll say, I'll help you get it in 30 days. I'll help you get it in 60 days. Uh, again, you have to listen to it and see if it's worth it to you. You know, I'll tell you from a guy who's got 21 years experience, can you potentially pass this thing in 30 to [00:20:00] 60 days?

Yeah, you can. If you dedicate everything you can in the next 30 to 60 days to study for that test, you probably can do it. I feel confident you can do it. However, it would not be a fun, uh, event. You would not be happy, and I personally feel that all you would do is you would just regurgitate the information,

pass the test and dump it. Not to say that that's a bad thing. I'm just telling you that to really truly understand the CISSP and to understand some of the concepts, it's going to take you three to six months while having a life outside of studying. If you have a family, if you have a job, it will take you a good three to six months.

Everybody I've talked to that has done it, in my world, they will all say the same thing. Okay. Again, CISSP Cyber Training. I got resources that can help you with that. Again, if you're gonna spend the time, let's help you walk through it. Boot camps are available, and again, they do help compress that timeline so you can get this thing done in a week, right?

Uh, but you'll just gotta spend $10,000. They're great for [00:21:00] the short term, but the other thing that comes out of that is, if you don't have a long-term plan to keep that knowledge going, you'll remember it and then you'll forget it. So one of the other questions that came up was, what does a CISSP do?

Okay, so this is a question that you'll see online: what does a CISSP do? Well, the certification will help expose you to various concepts that you may or may not have in your current role, and that's the ultimate goal, so that you look at something with a different perspective. As an example, I was talking to my intern and we were talking about how security is set up, and some of the concepts that I gave to him around information rights management and protecting data through encryption were a total game changer for him, and he looked at it now from a different perspective.

That's the ultimate goal of it, is to provide you that knowledge. Another one is around secure development lifecycle. I was talking to my developers a few years back, and mentioned secure development life cycle. They had absolutely no idea what I was talking about, but as I brought it [00:22:00] up to 'em and explained it to 'em, they said, oh, that makes sense.

The other part is around security and risk management. One aspect of this is the TSA, CFATS, China cyber regulations; that falls under governance and regulatory requirements if you are in security at all. If you feel that you won't ever deal with regulations, I'm sorry to tell you, but you're wrong. Now, you may not deal with them right away when you first get started as much as you will as you get more time in with the security space.

But you're gonna deal with them. So you're gonna have to understand them. And I don't like 'em. I really don't. But it's one of those things that if you don't like it, you better do more of it, so that you end up liking it. And I will tell you that I've gotten really good at it, not because I'm a genius by any stretch of the imagination.

I'm a small guy from Iowa. I mean, I was a pig farmer. I mean, that's where I came from. That doesn't mean anything about intellect. It just means that's what I was exposed to. And I'm pretty good at regulations. And it's because of the fact that I have focused very [00:23:00] strongly on it, because I know that all this cyber stuff is great, but the government, whatever government it is, can come down and totally crush you if you don't have these things in place and if you're not paying attention to it. So better pay attention to it.

Now, that's really all I have today for this part of this podcast. Now, this podcast again was over CISSP salaries, testing, and also setting expectations around the CISSP. I'll say going forward, you're gonna have more podcasts out there. We're gonna be focused primarily on the CISSP, the different domains.

I'll pull out a domain, just to give you an example, the one coming up next is dealing with compliance requirements and how you have to worry about that for the CISSP, and those compliance requirements we'll be going over: what are some things you need to be concerned about and what are the things that you have to be worried about from a security professional's perspective?

I'm gonna deal with data remnants, identity and access management, logging and monitoring, cybercrime. All of these aspects I'll be taking out of each domain. [00:24:00] And I'll be talking about specific pieces of this, both from my training that's at CISSP Cyber Training as well as my knowledge and what I know.

So all of that stuff you're gonna be seeing from now on. You'll also be getting, it'll be coming out in these podcasts, exercises, right? So your exam questions. So I'll grab an exam question and I'll read through that exam question and then we'll dissect it and we'll talk about it. Now the ultimate goal is I'm doing this through a podcast.

I do put this out on YouTube and you'll see some videos. They may not all have video in them. They may just be audio. But at the end of the day, my goal is to provide as much information as I can so that you can become successful in your cyber career or, on the other side, you realize I don't want anything to do with this, and this is not for me.

I'd rather have you figure that out now before you spend a bunch of money and time getting into the cybersecurity space. It's not for everyone, just because the money may or may not be there, or because it sounds sexy or NCIS or [00:25:00] whatever is out there. It's not for everybody. So it's better to find it out now before you invest a bunch of time, energy, and money into it.

Okay, that's all I've got for today. Thank you so much for joining me on this podcast. Again, CISSP Cyber, go check it out. There's a lot of really great stuff there. You'll totally enjoy it. It's building. So as you get there, you'll see, hey, there's lots of information here, but there's maybe a little bit more coming every single week.

There'll be more information coming to you, so definitely check it out, get on my email list, because then I can send you information such as: I met with a gentleman just yesterday talking about his resume. I'll be tapping some tips and tricks about that as well. And so go check it out. Also, go onto iTunes and these other places and give me a thumbs up or like me, or whatever that is, or leave a comment as well.

I really want to help you all, and I know you'll be successful. Just let me help you, either through the podcast or through my website, to give you what you need. All right? Have a wonderful, wonderful day, and we'll catch you on the flip [00:26:00] side. See ya.

Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube. Just head to my channel CISSP Cyber Training and you will find a plethora of content to help you pass the CISSP exam the first time.

Lastly, head to CISSP Cyber and look for the free stuff that is only available to our email subscribers. Thanks again for listening.


CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!