It’s one of the most sought-after certifications in the world of cybersecurity.
Tim Derrickson, Sr. Virtual Chief Information Security Officer (vCISO) and Director of IT and Security Services at One Step Secure IT, earned the certification earlier this year after dedicating nearly two years to studying for the exam, earning numerous other certifications, and preparing through the various IT roles he held professionally throughout his career.
“I found over the years that my mind is made for IT,” Derrickson said.
The CISSP (Certified Information Systems Security Professional) is an independent information security certification granted by the International Information System Security Certification Consortium, (ISC)².
Just over 152,000 people in the world hold the CISSP certification.
Established in the early 1990s, the CISSP is recognized by the U.S. Department of Defense and is treated as the equivalent of a master’s degree in Information Security in many European countries. The exam, which has up to 150 questions, is broken into eight domains covering topics important to information security professionals all over the world.
“You have to have so many years of experience in each domain to understand what they’re even asking for. It’s a broad body of knowledge that you have to understand to even take the exam and figure it out,” he said.
Passing the exam is only a piece of the process. Those who set their sights on becoming a CISSP must have at least 5 years of industry experience, undergo and pass an audit, and be endorsed by another (ISC)² certification holder in good standing. In addition, CISSPs must follow a code of ethics and uphold their standards.
The CISSP exam approaches the technical aspects of cybersecurity from a managerial standpoint.
“If you think like a technical person, you’ll fail the test. But if you think like a manager and can see how these technical things affect the broad scope of the business – you’ll pass the test,” Derrickson said.
The exam places an emphasis on risk assessment and risk management within a network.
“I had to learn how to assess an environment. What are the risks that come along with that and how do I mitigate those risks?” he said. “It was a lot of looking at the overall infrastructure — business continuity planning. Every business I work with is unique so each time I learn something a little bit different about how things function.”
Derrickson must be careful about the cybersecurity direction he gives to others, knowing that any advice that works against securing a company’s environment could cost him his certification.
Derrickson served as a journalist in the Navy. After an honorable discharge, he soon found his niche in the IT industry, working for 22 years as a PC Technician, a Systems Engineer, and then Director of IT/Operations.
“Before taking this exam, I’d done these same sorts of things, but without as in-depth an understanding,” he said.
The farther he moved up within a company, the less technical the role became, Derrickson said, and he got to do less and less of the work that challenged him.
“I never wanted to lose my technical edge,” he said.
After joining the One Step Secure IT team in December 2021, Derrickson rediscovered the joy of discussing the more technical aspects of his work with the IT team and felt he could expand his knowledge more than he had been able to in the years past.
Derrickson said that the certification has “absolutely” aided him in providing better IT services to One Step Secure IT’s clients.
“I am much more confident in security overall,” he said. “Security is not convenient, and that’s something that I learned taking the test. Security may not be convenient, but it is necessary. The exam taught me that I know what it takes to make sure that someone is secure, and I’m confident in that.”
“I am confident that, at One Step Secure IT, we know what we are doing to secure an environment. We can make your environment secure,” he said.
To maintain the CISSP certification, Derrickson must complete at least 40 hours of learning each year to keep up to date with the changes within the cybersecurity industry.
Working in the IT and technology industry since the 1980s, Derrickson has experienced technology’s evolution and massive advancements throughout the years. From floppy disks to data storage in the cloud, Derrickson views tech as comparable to matter in the universe: it doesn’t go away, it only changes form.
When he’s not solving client problems, Derrickson recharges by spending his free time far away from computers. He enjoys biking, kayaking, hiking around the United States, and traveling around the world. Volunteer work in Peru, hiking the Andes Mountains, and spending five years in Japan have been some of his favorite adventures.
“I find that working with my mind all day is tiring. Working with my hands is easy so I’ve always enjoyed doing something with my hands to get out of my head,” he said.
In addition to working toward obtaining an Offensive Security Certified Professional (OSCP) certification, Derrickson will head to East Africa this summer to honor his brother's birthday wish to drink a beer in Zanzibar.