Julian Tang is Chief Information Officer (CIO) at Tennenbaum Capital Partners in Santa Monica, California. A seasoned security professional with over 20 years of industry experience and more than a half dozen certifications, Julian enrolled in InfoSec Institute’s Certified Information Systems Security Professional (CISSP) Boot Camp to get ready for his CISSP exam.

Julian offers a wealth of knowledge for security practitioners at all levels of their careers. In the following Q&A, Julian shares why he picked InfoSec Institute as his training partner and several professional development tips for aspiring information security professionals.

Why Did You Decide to Earn Your CISSP Certification?

Julian: I achieved my first CISSP back in 2003, but due to career demands, I was not able to maintain the certification. I enrolled at InfoSec Institute to renew the certification and refresh my knowledge of the domains. Throughout my career at Mail2World and Tennenbaum Capital Partners, I’ve leveraged the knowledge of the CISSP to build and maintain their cybersecurity programs. As the CIO for Tennenbaum Capital Partners, it’s also my responsibility to encourage professional development of my team and increase our asset value. Certifications are just one of the many tools we use to show executive management our value.

When I first got my CISSP, the industry was still developing. Now the industry is at scale and as technology professionals, we need to be at the top of our game. Certifications are not a silver bullet, but experience plus certifications are a killer combination that is good for your career. I can always tell the difference when I’m interacting with someone who has just hands-on experience, certifications, or both. A professional who has both certifications and hands-on experience always operates at a higher level than anyone who does not.

Why Did You Choose InfoSec Institute as Your Training Partner?

Julian: I chose InfoSec Institute as my training partner because of its long history of training technical professionals, especially in cybersecurity. InfoSec Institute trains thousands of students every year, so I knew they’d be able to tell me what to expect on the exam and what topics to focus on most. I also spoke with previous students who gave very positive reviews of the training for the CISSP and other certifications. I also like that students have the option of in-person or online training. I prefer in-person training, but if your circumstances only allow for online, it’s still worth it.

You Already Earned Your CISSP Once. Why Did You Decide to Take Training Before Sitting for the Exam the Second Time?

Julian: There was a handful of different reasons, but it primarily came down to timing and efficiency. I wear 50 different hats in my role and needed a compressed, to-the-point training course that would make sure I was ready for all the exam domains at a technical level. I knew InfoSec Institute could not only help me hone in on domains covered in the exam, but also topics certified professionals are expected to understand on the job. I needed to pass my exam on the first attempt, so I decided to enroll into the boot camp.

How Was Your Client Support Experience?

Julian: My rep, Steven, was great. He focused on getting me the information I needed and was not pushy. Steven shared a lot of good advice about what certifications others in my role are seeking and how certification has helped them in their career paths. I also asked him for references, and he put me in touch with students who went through the program and passed their certifications. This really helped a lot because I was able to talk with others in roles similar to my own. They were very positive about their experiences and open to sharing how have they been able to leverage their own certifications since.

How Did You Prepare for Your CISSP Exam?

Julian: I went through about a third of the videos in the InfoSec Institute Flex Center before starting my CISSP boot camp. I was familiar with all eight CISSP domain concepts, but I didn’t know all the definitions or exact specifications by heart. While in class, I gave it my all. I sat through eight hours of class each day, read four chapters of the Sybex book each night and did all the practice tests recommended by our instructor, Robert. This was about four to five hours of studying per night after class. It was not easy, but I stuck with it. My approach paid off — I passed my exam at 100 questions in about two hours of the three hours allotted.

If you already work in the industry, you do not need a ton of resources or over 12 months of preparation to pass the CISSP. In addition to attending class, I used the Sybex book provided as part of my course and reviewed the video material in the InfoSec Institute Flex Center. Before attending your boot camp, I recommend going through all the videos in the Flex Center and getting familiar with the material. If you have the time, also take a few of the practice tests. Reviewing material in advance means you don’t have to work as hard when you are at the boot camp.

You will put in a lot of effort and time to get your CISSP. It requires you to know a lot of technical information and how it is used with risk, governance, legal and best practices for cyber security. If you get your CISSP, you should consider getting one or more of the CISSP concentrations and the CCSP because there is domain overlap. With all the domain information in your head and a better understanding of how (ISC)2 tests, getting the other concentrations or the CCSP should come easier.

Describe Your Class Experience.

Julian: Class ran really smooth. We had really good engagement between both online and in-person students, which was pretty amazing to see — I didn’t expect to interact much with the online students. At the end of the day, we’d work through sample questions and teach each other why one answer is more right than the other. This showed we were really learning the material because we were able to teach it back to other students.

We stayed after class each night for study sessions. Our instructor, Robert, would go through the same concept sometimes five different times to make sure we understood everything on the test. To see someone who started with zero understanding actually grasp the concept on the fifth explanation was really cool. This extra time really let us take a deep dive into the CISSP domains and the different scenarios you might encounter as an IT or security manager.

Our instructor was also exceptional at maintaining an effective tempo for the class. He could read our energy levels and see if we needed a break or if it was time to mix things up with a relevant story from the field. Since he’s earned so many certifications himself, he was also great at pointing out where there was domain overlap, making it easier for other certified students to learn the material faster.

How is the CISSP Exam Different From Other Certifications?

Julian: The CISSP exam isn’t about all the technical definitions you know. It proves you understand security concepts, theories and how to apply them in business scenarios to achieve a common goal. Think of it as having a technical conversation with your non-technical mom. If you need to achieve something techinical from that conversation, you are going to have to put technical knowledge in layman’s terms to achieve your objective. This is just like  communicating with a non-technical leadership team about the role of technology in business strategy.

As CIO & Hiring Manager, What Value Do You Place on Certifications?

Julian: We look for a combination of experience and certifications, and always prefer candidates with certifications. This is especially true for our systems, networking and security positions. Again, it’s a combination of both. But if all other qualifications are equal, I prefer the candidate with certifications.

Do You Need a Computer Science Degree for a Security Role?

Julian: In the past, it hasn’t necessarily been a need. We weren’t always looking for someone who could code their own exploit fixes or automate testing. In today’s time, however, it’s really changing. Security is a really mature market — having someone with a developer background helps you customize the tools you’ll use to defend your enterprise. I would love to see more developers getting into the security side of things. Being able to code your own remediation is a huge asset.

What Recommendations Do You Have for Aspiring Security Pros?

Julian: I would first get your feet wet with a few basic certifications like the CEH or Security+. You want to make sure you’re really interested in security — getting this early exposure will help you make that decision.

I also recommend you spend some time on LinkedIn. Look at the top 20 companies in the field you want to work for and see what they’re doing. Get an understanding for their culture and the positions available within those companies. Next, find out who works at those companies in your ideal role. Research how they got to where they are — this is your roadmap of how to get to those positions. Then, you can go on the job boards and start searching jobs at your target companies. Find out what skills they require and add those to your career roadmap.

Would You Recommend InfoSec Institute Training to Your Peers?

Julian: Definitely.