Rumors of the Certified Information Systems Security Professional (CISSP) certification's demise are greatly exaggerated. In January 2015, I published an article on this site titled CISSP: The crown jewel of security certifications, in which I argued that the CISSP credential was the cybersecurity field's premier certification.
At the time, I said that getting CISSP certified is "an almost mandatory rite of passage in the career of information security specialists and a prerequisite for many advanced roles in the profession." Much has changed in the security certification landscape over the intervening two years, but I stand by my assessment today.
Just looking at sheer numbers, the CISSP continues to thrive. Two years ago, there were just over 99,000 CISSP credential holders worldwide. Today, there are more 111,000 CISSP-certified cybersecurity professionals. That's at least 12 percent growth during the period of time that some assert the CISSP was in decline as a certification.
The number of newly minted CISSPs is likely even higher than the 12,000 these numbers indicate, if you're willing to assume that some CISSP holders retired from the active workforce, passed away, or simply decided not to renew their certifications.
If you're a mid-level information security professional, then you should still consider the CISSP a critical step in your career development. While the content on the exam has evolved over the past couple of years, the CISSP remains a critical qualification for many higher-level cybersecurity positions.
What's New with CISSP?
The CISSP underwent a major overhaul in April 2015 that changed the structure of the exam and its content. The 10 domains of information security familiar to generations of cybersecurity professionals were reorganized and replaced with a consolidated list of eight domains:
- Security and Risk Management
- Asset Security
- Security Engineering
- Communication and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
The new domains include much of the material previously found on the CISSP exam, but also incorporate several major new areas of knowledge, including an increased focus on security assessment and expanded coverage of current hot topics in the field, including cloud security and mobile devices. (Want to get a taste of these eight domains? I wrote a series of domain-specific CISSP quizzes that are posted at GoCertify.)
The CISSP is often described as an exam that is "a mile wide and an inch deep," and this characterization remains accurate for the current version of the exam. Candidates need to have a very broad range of knowledge across the eight domains of information security but will find that the test does not go into deep detail on any specific technical topic. That's the realm of other security certification programs.
The test itself remains similar to past exams. Candidates will have six hours to complete a 250-question exam. The vast majority of questions on the exam are multiple-choice questions based upon short scenarios or specific factual knowledge.
Each exam will also include some special format questions that (ISC)2 characterizes as being "innovative" in format: drag-and-drop and hotspot questions. The drag-and-drop questions typically ask the candidate to select all of the items from a list that apply to a given question and drag them to an answer area.
The hotspot questions typically ask candidates to correctly identify a component or location on a diagram. These questions don't require specific knowledge of any technology platform and are not interactive in the sense that candidates are not asked to configure systems or enter command syntax.
CISSPs On the Job Market
Perhaps the most important reason to earn the CISSP credential is the fact that, despite rumors to the contrary, it still reigns supreme on the job market. Job descriptions for information security professionals and leaders call out the CISSP by name, requiring it as a basic qualification for many positions in the field. Human Resources departments often use the CISSP as a screening condition for positions in the field and simply will not pass along resumes that don't meet this initial hurdle.
How extensive is the CISSP requirement in today's job market? I conducted an unscientific study by searching the positions available on a major job board for various security-related keywords. At the time of my search, the board listed 16,105 positions containing the keyword "information security."
Some portion of those likely included the keyword as part of a secondary job responsibility, but that gives us a good indication of the size of the job market today. Next, I searched the board to determine how many postings included the keyword "CISSP" and had a grand total of 11,057 results. If every CISSP job contained the keyword information security, that's 69 percent of the total available market.
Now, sure, it's easy to quibble with these numbers. Yes, there are probably information security positions that don't contain the keyword "information security" in the job posting. It's also likely that many of the postings that included the keyword "CISSP" mentioned it as a preferred qualification rather than a requirement or included it in a list of desirable certifications.
My only aim here is to impart a sense of the relative proportion of positions in today's job market that reference the CISSP certification.
The prominence of the CISSP cemented itself in my mind when I started checking the numbers for other certification programs. The next highest certification on my list was the Certified Information Security Manager (CISM) credential from ISACA with 3,266 postings.
The entry-level Security+ credential from CompTIA was mentioned in only 3,146 postings, while the respected Certified Ethical Hacker (CEH) credential appeared in 2,177. Rounding out my list were the SANS GIAC Security Essentials (GSEC) certification with 1,449 postings and the CompTIA Advanced Security Practitioner (CASP) with 1,004 postings.
The bottom line? There were more listings that mentioned the CISSP certification than the six other certifications I searched combined. The CISSP clearly maintains its position as the market leading cybersecurity certification program.
An important career cornerstone
CISSP certification alone isn't enough to land you a dream job, but neither is a college degree, related work experience, or superior social skills. As with any job qualification, CISSP certification is simply part of a whole-person mosaic that hiring managers evaluate as they whittle down their pool of applicants.
Earning your CISSP demonstrates a broad base of knowledge across the information security field combined with a commitment to the profession backed by real-world experience. The major difference between the CISSP and other job requirements is that it is a clean, easy screening criteria that HR departments can apply when awash in applications for a single position. If you lack those initials after your name, you may find yourself screened out before a hiring manager even looks at your resume.
If you satisfy the CISSP's experience requirement, it's a good idea to crack open the books, study up and take the CISSP exam. (Indeed, (ISC)2 has recently made a coordinated effort to assist potential exam candidates with its new CISSP planning kit.) Adding the CISSP certification to your resume signals to employers that you're serious about cybersecurity.