Author Topic: Should I work on a CISSP ?  (Read 2757 times)

stlbrah

Should I work on a CISSP ?
« on: December 25, 2014, 03:44:57 PM »
Calling out infosec people.

My background is basically a 2-year tech school degree, then working my way from the very bottom.

I did some help desk/tier 1 tier 2/PC tech. I was a Windows engineer for low pay for a couple of years, then a hosted support engineer w/ LAMP and Linux/Apache/Tomcat/Java setups for a year. Then a network administrator for 3 years at my first enterprise-sized company, and recently moved into security. I basically run vulnerability scans and investigate the vulnerabilities. I kind of fell ass backwards into this position since I was the only guy in the networking group who knows Linux. I also had a lot of security experience in the past from a techie perspective.

I have read online that the average salary for having a CISSP in the U.S. is 110k. That is a significant salary increase to my current pay (~30k total increase). Midwest pays a little lower than other places, however. I am aiming to increase salary over time (not necessarily overnight), and increase the ease of moving to a new city. I feel that if I moved at this time to a new city, I would just be stuck going horizontally or even go backwards w/ another network admin or systems admin job.

Another thing that interests me is that it is not as much of a hermit-job as I have had throughout my career. I used to be extremely shy, so speaking with others in person helps me overcome this and become more well-rounded.

If I decide to go through with it, I anticipate getting it sometime mid to late next year. I already have someone to endorse me.

My dilemma is whether or not the cert is "worth it." It seems to be somewhat common these days compared to how it was at the beginning of my career. I have a high paying side business in the medical field but the workload isn't very high yet - about 10-15 hours a week depending on how many clients my partner gets. If I could increase my salary at least 20 grand, this would be a better investment of time than taking no action and hoping for more clients on my side business.

I just wanted some opinions. Thanks

SwordGuy

Re: Should I work on a CISSP ?
« Reply #1 on: December 25, 2014, 07:50:14 PM »
I don't know of many employers in the corporate world who give a rat's behind about the CISSP certification.  I'm sure there are some (big banks perhaps) but I've never seen any mention of it in any employment advert.

Uncle Sam, however, likes it, so contractors who supply warm bodies to sit in contracted IT positions like it. It might make the difference between getting the job or not, or getting a better job than otherwise.

A Security+ cert is pretty much required if you are going to work on Department of Defense contracts. A CISSP is considered better than (but more importantly, acceptable for) a Security+ cert. Sec+ is one cert in that market that can completely determine whether you are even considered or not for a job.

jlu27

Re: Should I work on a CISSP ?
« Reply #2 on: January 13, 2015, 10:53:03 PM »
I think it depends on what you want to do in the Info Sec area.

CISSP has the benefit in that it forces you to learn the broad spectrum of security including the non-technical elements (e.g. risk management, business continuity management, physical security, compliance/legislative considerations at a high level). While it is very broad and the topics aren't covered in depth, it gives you a bigger picture of how an organisation should be looking to secure itself, its people and information. Too often I see security professionals take a very myopic view and hard-line on their area of expertise but fail to take into consideration all the other facets of info security (kinda like having reinforced doors with strong locks, but not having any windows....)

If your focus is however on vulnerability management and your interest is on the technical side, perhaps a better way to increase your salary could be to look into whether you would be interested to get more into penetration testing. I have heard good things about Offensive Security course/test. I personally haven't done it, but I've heard it really forces you to really get your hands dirty (in a digital sense) and learn to 'try harder' [apparently almost a motto of theirs].

Spork

Re: Should I work on a CISSP ?
« Reply #3 on: January 15, 2015, 01:53:43 PM »

Security dude here with 25ish years of experience. 

Take with a grain of salt here... this is just "my experience."  Maybe it applies globally; maybe it does not.

I do not have a CISSP. I don't particularly have anything against it... but... in my experience, the guys with CISSPs were just not doing stuff I was interested in. The CISSPs I have known were generally not hands-on and involved in technical issues. For the most part they dealt in compliance and audits and making policy. Everyone I've known that had it also got it late in their career (which could attest for the 110k salary more than the cert itself.)

My limited experience also seems to show...  (Again: grain of salt here.)
* big companies pay better than smaller
* public companies better than private
* larger cities more than smaller cities

If I did the math right, you're making about $80k after about 6-8 years of experience. Depending on geography... that actually sounds pretty good. When I moved from big city to small town, my salary went to a level lower than yours is now -- but, that's the downside of small town life.

I suspect if you stayed in your current track you'd eventually hit the 110k mark... and I suspect that CISSP won't make a huge difference there.