Security Basics mailing list archives

RE: CISSP without experience


From: "NetEng" <NetEng () EliteMail Org>
Date: Tue, 15 Feb 2005 16:33:08 -0800

The only issue with taking the certification without experience is that
questions asked on the exam rely on your experience as a Security
Administrator, with depth (four years).  Look at the CCNA and other
certifications that are now fairly devalued quite a bit (thankfully they
have been revamped), but overall the CISSP stands out for integrity and
above all experience in several domains of Information Security.  There is a
reason why the CISSP is one of the most highly respected certifications in the
InfoSec arena.

How can you call yourself an ISO Information Security Officer and not have
the valuable experience required to handle such a position?  By doing so,
you could easily place your entire organization at risk because of your lack
of practical knowledge.

The best way to pass this exam is to STUDY.  To gain experience in InfoSec
means to work in a role such as a Network Engineer, or Systems Administrator
with Security as a "second" focus to give you the experience you need until
you can get promoted to InfoSec full time.  You will find that a majority of
the best ISOs have network, systems or even desktop services backgrounds on
their resume.  It is important as an ISO to understand all functions of
Information Technology (business flow) because of the recommendations for
security you will recommend and enforce!

InfoSec is a long journey and isn't meant for people who don't know or
understand even basic concepts of how to handle risk assessments, securing
of infrastructures, or incident handling, etc.

When it comes down to it, knowledge and experience are going to be fully
required when there is a security incident - which you won't be prepared
to handle.  During an interview with a real ISO, your weaknesses will be
discovered and your certification won't be worth the paper it is printed on,
just as a paper MCSE wasn't back in the dot-com era.  During a technical
interview (which more and more companies are using to weed out less
qualified candidates), you will be tested and grilled on not just concepts -
but overall knowledge which could only have come from experience.
Therefore, memorization of the ten domains and questions/answers won't help
you at all.

Do the InfoSec industry a favor and please re-think your career choice.
There are many ways to get into InfoSec, but no real shortcuts.
