CCT 102: CISSP Salary to Testing - Setting Expectations

Jan 01, 2024

Ever wondered if those hefty CISSP certification costs could actually catapult your cybersecurity career to new financial heights? We crack the code on how balancing certification with real-world experience and the right job role can significantly impact your earning potential. Our latest conversation takes a deep dive into the geographical salary differences for security professionals, shedding light on the variance between regions like the Asia Pacific and North America. But don't be fooled—while CISSP may sparkle with promise, it's your dedication to the craft that truly counts. Let's explore how this certification, blended with seasoned expertise, can serve as a robust foundation for a thriving career in cybersecurity.

Prepare to be enlightened by the tales of trials and triumphs in the journey to CISSP certification. I get personal, recounting the struggles with the rigorous exam—a testament to the importance of a strategic study plan. We dissect the prerequisites, the broad spectrum of knowledge it encompasses, and the 'sweat equity' required to master topics from security management to regulatory compliance. It's not just about passing the test; it's about gaining a wide range of skills that enrich both your professional capabilities and perspectives. So buckle up and join us for an episode that promises to arm you with the insights needed to navigate the complex path to CISSP certification and beyond.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started, let's go. Hey all, it's Sean Gerber with CISSP Cyber Training and the Reduce Cyber Risk Podcast. I hope you all are doing well this beautiful day and, as I just said, it's great here in Wichita, Kansas, so I love it, it's awesome. So quick question for you. Today we're at episode five. This is the ongoing series around how basically CISSP Cyber Training got started, and we're just now rolling into this next podcast. We're gonna be talking a little bit about CISSP expectations around salaries and so forth, but before we do, we'll kind of talk back about what we did and discussed in the last episode, and it was around understanding the CISSP certification and preparing for the future. One of the points brought up is that if you are certified, you do run the ability to potentially make at least 22% more than being non-certified. Now I've seen that article out there and I'm quoting that, but at the end of the day, it really comes down to experience. So having the cert is extremely valuable. However, having the experience is as much, if not more, so. So just a couple of things to consider as you're looking at this. We talked about the CISSP and the requirements around it, as well as having the experience needed to become a CISSP. There's all the three areas. The three concentrations would be your architecture, engineering and management, and then we also discussed a little bit around the Associate of CISSP and the additional certifications as it relates to Security+ and Network+. So that was just the last podcast, 004.
And the ultimate point was just to walk through these different areas and to give you an idea of where we're at. So now, as we're dealing with expectations around the CISSP and taking the exam, one of the big things that I see online quite frequently is around the salary, as it comes to being in cybersecurity. Now, there's a lot of things that will break down the salary, and I've got training over at CISSP Cyber Training. I've got an actual training specifically on this, and you might even see it on YouTube because I'll put it out there, around what you can expect based on the role that you're looking to do and a lot of things. When you start off as an individual that's trying to get into security, into the cyberspace, your pay can change quite substantially depending upon the role that you actually take. Now I pulled off of ISC². They have an article there on their website and they're the ones that put forward the CISSP along with a lot of other certifications. But one of the things they bring up is the breakdown in actual income based on where you're at. So in the Asia Pacific region they're basically saying it's around $57,000 US dollars is what you would make. Europe is around 81,000. I think North America, they're saying around 120,000 is what you can anticipate by getting the CISSP. Now I will tell you that that will range. And also the other thing is it really depends on the role. You can get the CISSP and be a security analyst and you'll be making 70 to 80, maybe $90,000 a year, which is amazing, right, I mean that's really, really good income. But you also could be a CISSP being a chief information security officer and make substantially more than that. So it really depends upon the role. Just getting the certification does not automatically mean that you're gonna get paid that amount of money. It's a great cert, but it's not that great of a cert, so keep that in mind.
Now, also keep in mind that the pay will range a lot from location to location. As I'm out interviewing people for different roles, from security engineers to analysts to architects, you name it, as you interview these individuals you also have to keep in mind where they are at and where they wanna live. If you have somebody that's in New York and they are going to stay in New York, what ends up happening is their pay is probably gonna be substantially higher. However, if they were in Wichita, Kansas, their pay might not be as high as it would be in New York City. Now you go to Asia, you go to India. Now the pay compared to US standards would be lower; however, in India it would be substantially higher. So, again, it really depends on the geographic location and where you're at. It's all relative. It really truly is. So you need to keep that in consideration as you're looking at getting a job in some location. The other thing that comes into play is, if you're looking at working in New York, the odds of having more competition are higher. So therefore, the role that you may wish for, that makes the income that you want, may not be available to you unless you have the experience to back it up. So again, it's not a meal ticket. You don't just punch it and you win. This isn't the lottery. However, if you do accomplish these different goals, you set yourself up for extreme success, both short-term and long-term, because this isn't a short-term game. This is a long-term future that you wanna do for you and your family and your career. So therefore, it's extremely important that you think that way. Don't just look for the fast money. Another option, as it deals with making money, is the fact that you can end up commanding a very significant amount of income based on what you're willing to do.
Now I was talking to other CISOs that are in my position, and one of the aspects that came up is we were talking about compensation, and how do you look at compensation for other security officers? What would be the norm? And again, it will vary from position to position. However, one thing he did bring up is he said, if you're willing to do some things that other people aren't willing to do, you obviously could make a lot more money. Now, again, one thing you gotta think about is ISC² and becoming a CISSP. It's gotta be ethical, it's gotta be moral, it's gotta be something that you would do and that you have to be able to hang your name on. Now you can go out and be a criminal and you can make a lot of money, but that is not where you wanna go. Okay, short-term, the money may sound great, but let's be realistic. There's a lot of downsides with that, besides being ethically wrong. First off, if you get caught, the downside is you break big rocks into little rocks. That is not a good option. But, that being said, if you are an expert in what you do, you can then be an individual that would go to a company who may have been hacked, for example, and we call it the dumpster fire situation, where they have a total dumpster fire going on, right. This company just got hacked, their security person is out, or maybe they don't have a security person. You now would be parachuted in and you can help them with their situation, and by doing so, you could command a very significant income from that. Now, that being said, there's a lot of risk with that as well. If there's risk, there's reward, right; you gotta decide, is the reward as high? Is the risk high? Maybe, maybe not. But, that being said, you could come in, you could make a large salary, you could help them, protect them and then maybe move on and do your own thing, and that's more of a consulting type gig.
The other option is that you can potentially go hang your shingle. You're basically saying I'm open for business on Upwork or other contracting type websites and you can say I'm willing to do X, Y and Z. A good friend of mine from when I was an aggressor at the 177th Information Aggressor Squadron, he was my counterpart with the Active Duty Air Force. Yeah, I talked to him just the other day and he's got a consulting company, and he does that right now out of his own consulting business and he's done very, very well. Now the downsides of that obviously are the fact that you've gotta have a good plan. You've gotta have money set aside, because when jobs come, they don't all come in at a very programmed time. It's either feast or it's famine. So you've gotta have a good plan for that, but there are options, right? So when I throw out these numbers at you, keep in mind this is based on a workforce. You can make a lot more than this if you're willing to do different things that are both legal and ethical. Okay, just setting that expectation. So, as we go into jobs, what are some different ways that you can understand how that works? Okay, so I'm gonna throw out some titles and I'm gonna put out some sample jobs that are out there, pulling numbers off of Glassdoor, Upwork and other areas. So let's just go with a cloud security engineer. Now, a cloud security engineer can range anywhere from 70,000 to 120,000 US dollars. Now I'm gonna put all this in US. If you're listening to this in India, obviously, look at rupees and figure out how you wanna convert that. But again, that would also be different in India; the pricing obviously is about 30% less if you're in India, but the overall buying power is about the same. So your cloud security engineer is around 70 to 120,000 US dollars. Again, depending upon your experience, that will get you more income. The cert will help, but the experience is what makes you the more money.
The architects, in all variations of this, will range between 90 and 180,000. I know there's people that have talked on YouTube that say they make 200,000 plus as an architect. You can, I mean, there's bonuses that are included in there, you can definitely make over $200,000 doing it. But again, on the flip side, there's pros and cons for that. Not everybody does that. Let's be real. Not everyone makes $200,000 as a security architect. There's many that make in the 150s, 160s, and coming from a guy that was broke, I mean I have seven children and I have no money, one of the aspects that came up is, if I was making $100,000 a year, I counted my blessings and I was very happy, and even making 100,000 was extreme, life changing for me and my family. So that's huge, right. Security analysts will make anywhere from 60 to 100,000, and then a chief information security officer can make 110-ish to 250 or more, depending upon, again, bonus structures, other types of activities and what you're willing to do. I talked about contract work with Upwork and, as one example, I'll just give you an example that I saw on Upwork, and they go, I need a CISSP to implement TSA, which is Transportation Security or Safety Act or Security Act, I don't know, requirements. You could also have someone come in and say I am part of CFATS in the United States, which is the Chemical Facility Anti-Terrorism Standards. I need someone to help me implement that. I have a government contract to help me do that. There's CMMC, which is the Cybersecurity Maturity Model Certification. I need people to help me get my business up to the CMMC standards. There's lots of ways you can use your CISSP to help you moonlight on the side, even if you have a job right now doing something else. Again, doing that is a great way to build your resume. It's also a great way for you to get a new opportunity. So there's lots of ways to do this. The hardest part is getting started: making a decision and getting started.
In most cases, these are set up as hourly. You'll get paid a certain percentage or a certain amount for your time that you work. You'll learn during this process, especially if you're doing an Upwork type event, what your time is worth and what you are willing to commit. You may be willing to commit, say, 20 hours at a much lower rate to get the job because you need the experience and you need to put it on your resume, versus maybe someone who comes in who has all that experience already and really doesn't need it and wants to take more money because their time is valuable to them. So there's lots of different things you can think about in that regard. Now, as it relates to CISSP certification costs, one thing to keep in mind is what it is going to cost to do this, to get certified. Now, I mentioned before in past episodes the free option, but like everything, there is nothing free. What you're going to have to do is you will have to buy a book. Okay, I guess you can rent it or you can go ahead and look at it from the library, but in reality, I marked my book up, I made copies, I made notes, I stuck sticky tabs in. You just break down the book. I mean, realistically, you're talking $100 that you're going to have to invest to buy the book. Now you're also going to want to get some practice questions. Now there's practice questions on CISSP Cyber Training. I have some available for you. You can go out and find other practice questions online that are free, but you also can go out and buy some that are better curated and that will give you a much better experience, and so those are options you need to consider. So your study guide, your study questions, are $100. Your practice questions will go from $100 to $300.
So right now, you're all in at around $400 to $500 before, honestly, before you take your test, but now you're going to spend your equity, we call it sweat equity, in learning to get your CISSP, and that's what you're going to need to invest in. You spend the extra $400 to $500, which can be very challenging to find that money (I know, been there, done that, got the t-shirt), but you may have to do that to be able to then put your sweat equity into your business, to be able to make the money you want to make so that you can have the life that you really, truly want. This is attainable. The only thing that will stop you from making your dreams a reality in cybersecurity is you. You are the person that has to make that decision and you're the one that has to do the work. Now the free training is out there. Again, I come back to this: you get what you pay for. Now there's some really, really good free training, there truly is, and I will tell you some of the Network+, Security+ and A+ training I saw on YouTube is amazing and I would recommend it, and actually some of the curated stuff that I've got on my site is to recommend that training for you. But what really will help you is the fact that having somebody keeping you accountable and helping walk you through this process is a really important factor. Again, we talked about the paid specialized training. You can get that in various locations, either if you want to drop the money on a boot camp, you know, five, six, $7,000 or more, or if you want to do something a little bit more cost effective by going through CISSP Cyber Training or other type websites out there. Bottom line is you need to consider one of those options. The boot camps, they will run anywhere from five to seven days, and boot camps will cost anyone upwards of five to seven, potentially even $10,000, depending upon if you're going to be in person or online.
If you're going to be in person, you've got to pay for hotels, food, transportation, so on and so forth, so that can add up quite substantially over a period of a week. The exam fees are usually included in them, and many times they do guarantee success. Their instructors have been teaching the test long enough and know well enough what the exact questions are that are going to be asked of you, so they will give you a pretty good understanding of what you need to be paying attention to. However, that being said, just because, like I mentioned before, you pass the test does not mean that you're going to just automatically get everything you need to be successful in cybersecurity. So I'm just telling you. The boot camps are great. I'm not knocking them. I think they're a great tool for the right people. The fact is, though, just because you get the cert doesn't mean you're going to get the job. I think I've beat that horse to death enough. I hope I haven't. Probably have. Anyway, trade schools, universities, again another way that you can make the money or get the training you need, but they do cost more money, and finding good instructors can be a challenge. Okay, so some questions around the CISSP. There was a question that came up that I looked at online. Is the CISSP a hard exam? Yes, it's a hard exam. It is not easy. You have to consider it like taking a master's program in security. Some people may get it faster than others, but it doesn't matter. It's a tough exam. It's computer aided testing, which means it learns. If you do poorly on a couple of questions, it will ask you more questions like that that are just as hard, if not harder, and the purpose is to weed you out early. You get six hours to complete this and it may not take you that long, but you're allowed that specific amount of time. There's 250 questions and again, the exam is pretty expensive.
It's at least two times the other exams you're going to see out there, like I talked about. So it's about $700 to $800 US dollars to take it. I don't know what it costs in other countries, but just assume it's going to be pretty high there as well. One thing I think is important for you to know as you listen to this podcast: the pass rate for the CISSP the first time is only 20%. So only 20% of the people who sit down and take that test will pass it the first time, and I'll raise my hand because, guess what, I was one of those that did not pass it the first time. And I'll tell you that that's brutal. It hurts you mentally, it hurts you financially and it's a kick. It really hurts. So, again, you want to set yourself up for success and do the best you possibly can so that you pass it the first time. Now, is the CISSP for beginners? That was a question. No, it's really not. It's not a good test for beginners because of the work requirements, because of the endorsements, because of the fact that you really need to have a good understanding of networking and understanding that aspect of it. It is probably one of the most difficult certifications out there. It's not the hardest, but it's a very challenging cert. So it is not for beginners. You need to focus on getting the skills you need, and you can get those at CISSPcybertraining.com. I've got to put the plugs in. I just got to, but that will help you with getting on your path to success. So, again, CISSP is not for beginners. Now, how long does it take to become a CISSP? We talked about that before through the podcast: about five years of experience, full-time employment, in at least two of the eight domains which we mentioned, like asset security, identity and access management and so forth. There's many different domains, eight total, but the point is you've got to have full-time employment in those.
Such courses or certifications will give you an extra year towards that five-year work requirement, which basically means if you go to school full-time and/or you do the cert, you'll have four years to get the knowledge you need to be able to get your CISSP. Now, as far as preparing for the test, self-study is about three to six months. I'll just be honest with you all. There's guys out there that'll say I'll help you get it in 30 days, I'll help you get it in 60 days. Again, you have to listen to it and see if it's worth it to you. I'll tell you, from a guy who's got 21 years' experience, can you potentially pass this thing in 30 to 60 days? Yeah, you can. If you dedicate everything you can in the next 30 to 60 days to study for that test, you probably can do it. I feel confident you can do it. However, it would not be a fun event. You would not be happy, and I personally feel that all you would do is regurgitate the information, pass the test and dump it. Not to say that that's a bad thing, I'm just telling you that to really truly understand the CISSP and to understand some of the concepts, it's going to take you three to six months. With having a life outside of studying, if you have a family, if you have a job, it will take you a good three to six months. Everybody I've talked to that has done it in my world, they will all say the same thing. Again, CISSP Cyber Training, I've got resources that can help you with that. Again, if you're going to spend the time, let's help you walk through it. Boot camps are available and, again, they do help compress that timeline. So you can get this thing done in a week, right, but you've just got to spend $10,000. They're great for the short term, but the other thing that comes out of that is, if you don't have a long-term plan to keep that knowledge going, you'll remember it and then you'll forget it.
So one of the other questions that came up was what does a CISSP do? So this is a question that you'll see online: what does a CISSP do? Well, the certification will help expose you to various concepts that you may or may not have in your current role, and that's the ultimate goal, so that you look at something with a different perspective. As an example, I was talking to my intern and we were talking about how security is set up, and some of the concepts that I gave to him around information rights management and protecting data through encryption was a total game changer to him, and he looked at it now from a different perspective. That's the ultimate goal of it, to provide you that knowledge. Another one is around the secure development lifecycle. I was talking to my security, my developers, a few years back and mentioned the secure development lifecycle. They had absolutely no idea what I was talking about, but as I brought it up to them and explained it to them, it made sense to them. The other part is around security and risk management. One aspect of this is the TSA, CFATS, China cyber regulations. That falls under governance and regulatory requirements. If you are in security at all, if you feel that you won't ever deal with regulations, I'm sorry to tell you but you're wrong. Now you may not deal with them right away when you first get started as much as you will as you get more time in with the security space, but you're going to deal with them, so you're going to have to understand them. And I don't like them. I really don't. But it's one of those things that, if you don't like it, you better do more of, so that you end up liking it. And I will tell you that I've gotten really good at it. Not because I'm a genius by any stretch of the imagination. I'm a small guy from Iowa. I mean, I was a pig farmer, I mean that's where I came from.
That doesn't mean anything about intellect, it just means that's what I was exposed to, and I'm pretty good at regulations. And it's because of the fact that I have focused very strongly on it, because I know that all this cyber stuff is great, but the government, whatever government it is, can come down and totally crush you if you don't have these things in place and if you're not paying attention to it. So better pay attention to it. Now, that's really all I have today for this part of this podcast. Now, this podcast again was over CISSP salaries, testing and also setting expectations around the CISSP. I'll say going forward, you're going to have more podcasts out there. We're going to be focused primarily on the CISSP, the different domains. I'll pull out a domain, just giving an example. The one coming up next is dealing with compliance requirements and how you have to worry about that for the CISSP, and those compliance requirements will be going over what are some things you need to be concerned about and what are the things that you have to be worried about from a security professional's perspective. I'm going to deal with data remnants, identity and access management, logging and monitoring, cybercrime. All of these aspects I'll be taking out of each domain and I'll be talking about specific pieces of this, both from my training that's at CISSP Cyber Training as well as my knowledge in what I know. So all of that stuff you're gonna be seeing from now on. You'll also be getting exercises coming out in these podcasts, right? So your exam questions. So I'll grab an exam question and I'll read through that exam question and then we'll dissect it and we'll talk about it. Now the ultimate goal is I'm doing this through a podcast. I do put this out on YouTube and you'll see some videos.
They may not all have video in them, they may just be audio, but at the end of the day, my goal is to provide as much information as I can so that you can become successful in your cyber career. Or on the other side, you realize I want nothing to do with this and this is not for me. I'd rather have you figure that out now before you spend a bunch of money and time getting into the cybersecurity space. It's not for everyone. Just because the money may or may not be there, or because it sounds sexy or NCIS or whatever is out there, it's not for everybody. So it's better to find it out now before you invest a bunch of time, energy and money into it. Okay, that's all I've got for today. Thank you so much for joining me on this podcast. Again, CISSPcybertraining.com. Go check it out. There's a lot of really great stuff there. You'll totally enjoy it. It's building. So as you get there you'll see, hey, there's lots of information here, but maybe there's a little bit more coming. Every single week there'll be more information coming to you. So definitely check it out. Get on my email list, because then I can send you information, such as: I met with a gentleman just yesterday talking about his resume. I'll be having some tips and tricks about that as well, and so go check it out. Also, go on to iTunes and these other places, and give me a thumbs up or like me, or whatever that is, or leave a comment as well. I really wanna help you all and I know you'll be successful. Just let me help you, either through the podcast or through my website, give you what you need. All right, have a wonderful, wonderful day, and we'll catch you on the flip side, see ya.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
