Among all the mystery that cloaks CISSP, my favourite is that no one can tell how difficult it is. Many said this was the hardest exam of their life, while one (@CurtBraz) said he managed to pass it after listening to several hours of podcasts while mowing his lawn!
As my day job requires a CISSP-like qualification, I got a chance to experience the whole CISSP roller-coaster thing. I managed to pass the exam at the 100th question in April 2021 after two weeks’ preparation, and I think it may be a good time to demystify CISSP from an engineer’s point of view.
And CISSP is here. Source: Security Certification Roadmap, Paul Jerimy
CISSP is different from how it’s portrayed
CISSP is not difficult (for engineers)
IMHO, CISSP’s difficulty is somewhat overrated. The exam is based on a seemingly intimidating 1000+ page textbook (the “CISSP Official Study Guide”), and the sheer volume of information has created an illusion that “everything’s tested”. However, much of the text just helps illustrate the concepts and is not intended for word-by-word memorisation.
The fear of having to memorise everything has been further exacerbated by both the exam cost ($699 for every attempt) and the well-known All-in-One unofficial study guide (the “Shon Harris book”). Shon’s book is essentially an offline Wikipedia full of terminology you will see once in a lifetime and technical trivia. It may freak you out when reading through the jargon, but trust me, just put it down. You don’t want to memorise a wiki page, do you?
Most CISSP study materials adopt a one-size-fits-all strategy and are written for non-technical readers with no computer science background. If you happen to be a software/security engineer, you’ll stumble across many chapters trying to explain, in lengthy paragraphs, what TCP/IP, HTTP, firewalls, or agile development are. You can safely skip those.
CISSP in a nutshell is about CS fundamentals, basic security concepts, (US) policy and regulations, and security management know-how. I’m always surprised to see many mid/high-level job postings on LinkedIn that unanimously “prefer candidates with CISSP”, which essentially translates to a couple of undergraduate courses. The certificate may have meant a lot when it first launched in 1994. But in a world 30 years later with much better CS literacy, it is questionable whether the privilege still holds.
(Apparently I’m not the only one who thought about it. Robert Graham has also written a great article on this controversial topic: CISSP is at most equivalent to a 2-year associates degree. The bottom line? Set a reasonable expectation on what you want to get out of this. CISSP can help you gain all-around security concepts, but it won’t make you a true technical professional/expert.)
CISSP = 70% management + 30% technology
CISSP comprises eight domains with a good mixture of managerial and technical topics.
The managerial part (e.g. audit, process, framework, law, ethics) is heavily US-centric. Most of the content is fact-based and purely tests memorisation. For instance, for GDPR you will need to know it has seven data protection principles. You should also be aware that GDPR has a supplementary EU-U.S. Privacy Shield Agreement that allows EU residents’ personal data to be transferred to the US for commercial purposes. It is the connection and differences between concepts (e.g. GDPR and EU-U.S. Privacy Shield), not the definitions, that matter. This is the part that engineers don’t touch in their daily work, and the part they may need to spend most of their time familiarising themselves with.
The technical part is where engineers shine. You must have heard that CISSP is “a mile wide but an inch deep”. Read this as computer science, computer security, and cryptography 101. The engineering/CS background should help you skip a large portion of contents (e.g. what is public/private cloud, SSL/TLS) while grasping the rest in minutes.
Notice that CISSP still contains lots of historical references (e.g. how a US policy has evolved and changed titles many times over 50 years) and lost technology from the 90s (e.g. ISDN, X.25, frame relay). I guess those are kept in the textbook only because some government and banking sectors still rely on them. This is the part of CISSP that I dislike the most. The syllabus focuses too much on 90s and 00s technology while there’s little mention of the modern security topics many security professionals actually deal with these days, e.g. containers, zero trust, cloud security, just to name a few.
CISSP is essentially an English test with jargon
CISSP is essentially an English test, said Larry Greenblatt. The questions are either phrased with ambiguous wording or contain multiple seemingly feasible solutions among the choices. The devil is in the wording.
On the other hand, CISSP’s terminology can be weird, or at least seldom or never used by engineers. Many of these terms originate from (US) federal standards, e.g. NIST, which were only meant to be used in a federal agency or government contractor setting.
For instance, CISSP differentiates file deletion among erasing (simple delete), clearing (zero filling but recoverable), purging (non-recoverable but reusable, like degaussing), sanitisation (removing hard disks before a retired computer is sold), and destruction (rendering the media unusable, like shredding). The concepts are well known, but it’s the exact wording that matters. You’ll have to rethink things that you already know and look at them again through the CISSP lens.
How to prepare
I hadn’t planned to rush into the exam until I learnt that there’d be a syllabus update in May 2021. That was about two weeks away! Considering it would take a long time for study materials/guides/write-ups to catch up, I felt I should take the last available old exam while the study resources were still hot. So I rushed to book the exam on the last day of April and jumped straight into studying.
Here’s what I did for preparation.
Establish a mind map on the topics
I started with the 200-page Eleventh Hour CISSP by Eric Conrad. It was neat, concise, and perfectly suitable for familiarising myself with the syllabus. I slowly went through the book cover to cover, searched for terms that sounded foreign to me and wrote them down in a note.
Why not start from the Official Study Guide or All-in-One? Because those books have a low signal-to-noise ratio that buries the key points among the trivia. Eleventh Hour, on the contrary, helped me establish a mind map of the things that truly matter to the exam.
Take per-chapter exercises and one mock test
Having had a rough understanding of the testable content, I went straight to the Official Practice Tests and did the first eight chapters. Surprisingly, I only scored between 65% and 80% (see below). I felt like I was relearning every chapter, as there were always a ton of questions that caught me off guard: they either contained new jargon, or were phrased in a weird CISSP way, or had something that I misunderstood, or covered knowledge not found in Eleventh Hour (I learnt erasing/clearing/purging the hard way). I marked both the questions that I got wrong and those that made me hesitate, then went through the answer keys to see how the author reasoned.
In retrospect, I felt I’d learnt much more by doing the questions than by reading the Eleventh Hour book. By the time I finished all eight practice sets, I was surprised to see that I’d passed the first mock test with ease.
Skim through the official guide with more mock tests
As I still had a few days left before the test, I decided to quickly go through the Official Study Guide just to check if I had missed anything. I did one mock test after reading the first four domains, and two more mock tests after finishing the book. There were still moments when I found I’d missed something, but they got less and less frequent.
I was also worried that the actual exam would be more difficult than the official practice test book (that turned out to be another rumour!). But since there wasn’t much I could do, I simply went through my personal notes again before the exam.
My Exam Experience
My exam venue was Pearson Singapore’s test centre. The staff were nice and professional, the registration was fast, the test room had desk panel partitions to block the view of the surroundings, and they even provided 3M noise-reduction earmuffs (which worked really well).
How was the exam? I’d say it was exactly like the official practice tests, if not easier. The format and the level of difficulty were about the same. The concepts and terminology were within the official guide’s scope. The exam ended right after my 100th question, after 2 hours. The proctor guided me out of the test room and handed me a letter that said congrats on passing the exam, and the rest is history.
As a security engineer, my view of CISSP may be biased. But I hope my experience shows you that CISSP is not a behemoth. All you need is to know what the exam really wants, learn just enough to get you covered, and do enough practice to train your CISSP mindset.