How to get a CISSP Without Experience: Pros and Cons

How to get a CISSP Without Experience

The CISSP is one of the most sought-after cybersecurity certifications in existence: employers want you to have it, and employees want to earn it.

Unfortunately, the CISSP has a steep prior-experience requirement: you need five years of cumulative, paid work experience in two or more of the eight CISSP domains.  This can be reduced to four years by holding a four-year degree in a security-related field or an approved ISC2-recognised credential (a one-year waiver).

However, even without this experience, you can still study for and pass the CISSP.  

It doesn't matter if you've never touched a computer in your life, if the film Hackers is your only exposure to cybersecurity, or if you've just decided that you need to stop playing WoW and start doing something with your life.  You can still sit the CISSP exam.

People from all sorts of walks of life have decided to study for and pass the CISSP without any experience, and they've succeeded.

The problem is that it's going to be very hard without prior industry experience.  It is not something I would recommend, but it can be done.

Another issue is that you're not going to become a CISSP after all your hard work.  Instead, you'll become an Associate of ISC2 (often informally called an Associate of CISSP).  You'll need to gain the relevant work experience before being granted the CISSP designation itself.

The upside is that holding the Associate of ISC2 designation might be just enough to help you secure the jobs that will give you the prerequisite experience.

How to get a CISSP Without Experience

If you want to pass the CISSP without any prior experience, you're going to have to work hard to understand all eight domains thoroughly.

I would normally recommend between 60 and 120 hours of study to pass the CISSP, but that assumes you already have the minimum work experience.  Without it, you'll likely need to at least double those hours to get a decent grasp of the topics.

To begin with, I would suggest starting with something like cybrary.it.  They have a great (and free) CISSP course that will give you a solid foundation to build on.

If you have no prior IT security experience, dig into every topic you're unfamiliar with as you encounter it.  YouTube is a fantastic resource and is bound to cover everything you're likely to need.

From this point I would stick to the study outline I detailed in this article. 

What to do Instead of a CISSP if you have no Experience?

There are plenty of people who have attempted the CISSP with 15 to 20 years of experience behind them and still struggled.  Be under no illusions: it's a hard exam.

I dive into what makes it so difficult in this article, and that's from the perspective of someone attempting it with 10 years of relevant industry experience.

I would discourage anyone from attempting the CISSP without the required work experience.  There are better certifications out there that are more likely to give you the foot in the door you're looking for.

For example, the SSCP requires only one year of paid, professional work experience in one of its domains, which is far more attainable for most people.  The exam is also considerably easier, and it provides a solid foundation you can build on for the CISSP later.

What Happens If You Pass the CISSP Without Experience

Before we dive into what happens if you pass the CISSP without experience, let's look at what happens if you pass it with the required experience.

A couple of days after passing the CISSP exam, you'll receive a message from ISC2 congratulating you on passing and inviting you to complete the endorsement process.

The endorsement process involves submitting evidence that backs up your work-experience claims; you'll also need to nominate an existing ISC2 member in good standing (typically a CISSP) to endorse those claims.

Once all that's done, ISC2 can take up to six weeks to verify everything.  When they do, you'll receive an email and a swanky-looking certificate in the post.  Time to update your CV and LinkedIn profile.

Without a doubt, it’s an in-depth process.

If you don't have the relevant experience, you still sit the exact same exam.  You'll still need to pay the annual membership dues and earn and report CPE credits to keep the designation active, but you don't need to provide evidence of work experience at that point.

At this point, you have six years to gain the five years of work experience in two or more of the eight CISSP domains.

Six years might seem like a long time to gain the relevant experience, but don't delay: apply for those cybersecurity jobs as soon as you can.

ISC2's own position is that holding the Associate of ISC2 designation makes it easier to land the job that will give you the experience you need.

Once you've gained that experience, you can begin the endorsement process as normal and start using those letters in your CV and email signature.

Final Thoughts

The CISSP is not only about studying for and passing an exam; it's also about having demonstrable real-world experience to back up the theoretical knowledge picked up from studying.

While you can study for and pass the CISSP exam without experience, you can't officially call yourself a CISSP until you've gained that real-world, on-the-job experience and completed endorsement.

I'm a big fan of real-world experience; I believe it trumps almost all other forms of learning.  There are aspects of cybersecurity that you can only learn by doing.

Much of what you learn during certifications or degrees is based on best practices and ideal scenarios, whereas in practice business requirements can make those decisions much harder.

Learning how to work with colleagues and other business units, and how to build relationships, is a big part of cybersecurity and needs to be experienced rather than taught.

That's not to say studying for certifications isn't important.  Ideally, you'll strike a balance between the two: real-world experience coupled with learning from courses and books.

This combination produces the most well-rounded security professionals, people with both the theoretical know-how and the business savvy to make smart decisions that meet security requirements and business needs.