What is CISSP, how to get it, not to lose and why nobody needs it

So
It is an exaggeration to say that my road to CISSP began when I decided to study Cyber Security at my local University.  People at the age of 17 are generally very bad at planning their lives, especially when it comes to some new professions.

In fact, the decision to obtain CISSP was taken in 2017, when it became obvious that professional certificates of major vendors have finally ceased to fulfill their main function – to confirm the knowledge and experience of specialists. I have no idea whom to blame – online collections of dumps, the general level of questions in the tests, unscrupulous test centers and a lot of other factors.

I have always considered the process of obtaining certificates as an opportunity to tighten knowledge on the desired product or technology. Because there is no better way to fill in the gaps in education than to take guidance from the guru and read a book from cover to cover while doing exercises. And so it was for a while until the official manuals started to slide in the “Click the button in the top right corner to make it all work”, as well as an advertisements. The situation isn’t better in most training centers, but it is whole a different story.

What should I do?

In addition to the certificates from vendors, there are also vendor-independent certification systems, which I recommend to watch for everyone who have not abandoned the idea of self-development and professional growth.

In fact, I already had an experience of passing a similar exam in 2010, when I nailed CompTIA Security+. This is a very good option for a young specialist to assess their level and even expand their horizons on some issues. CompTIA Security+ It is a blitz of 90 questions in 90 minutes. The exam, by the way, is regularly updated since 2006 and to this day contains current trends in the field of cyber security.

So you’ve decided to become CISSP

Certified Information Systems Security Professional is a vendor-independent certification of cyber security from an organization called International Information Systems Security Certifications Consortium (ISC)². It is a non-profit international organization for testing and certification of specialists in the field of cyber security.

This certification was introduced in 1991 and is intended for consultants, architects and analysts.

CISSP, as you might guess, is among the highest certifications here =)

Besides, there are also CISA (Information Systems Auditor) and CISM (Manager in the field of Cyber security).

So, the decision is made, we begin to look for materials for preparation and discover several sources.

First of all there’s the official study guide – CISSP (ISC)² Certified Information Systems Security Professional Official Study Guide by James M. Stewart, Mike Chapple, Darril Gibson:

I used this book. In addition, there is an application for Android/iOS with a practical exam. These are not dumps, but they will help you evaluate and get the logic of the exam questions.

Next, there’s “CISSP All-in-One Exam Guide”, Shon Harris:

This is an informal guide, but a little more voluminous, and, in my opinion, very difficult to read.

An finally, there is a small book “Eleventh Hour CISSP ®: Study Guide”, Eric Conrad, Joshua Feldman, Seth Misenar:

This is just about 200 pages, which are very good to read just before the exam, to refresh memory mostly.

And besides, there are endless mind charts, abstracts, slides from other materials.

Main things that can be learned from these books by an experienced specialist are terms. What is difference between Preventive and Deterrent? What is ALE? How ARO relates to EF? What is the difference between Due Care And Due Diligence? Such questions will be answered in the process.

It’s time to remind you that all books, of course, are in English and in general the exam implies that you have 5 years of paid experience in Cyber Security in two or more domains (they are listed below). If you have such experience you’ll be able master 1000+ pages in English.

These five years, by the way, can be shortened for 1 year if you have a relevant education , or other relevant certificate (Comptia Security+ or MCSE for example. I have both, but only one of them counts).

Now about domains. All questions are divided into eight domains, i.e. areas:

1. Security and Risk Management
   All the theoretical basics is here: information security models, Biba/Clark-Wilson or Bell-LaPadula, “Triad of security”, analysis and risk management, management approaches. Issues of professional ethics and legislation are also addressed here.
2. Asset Security
   In this domain we are talking about assets and data. Main topics: Data management, classification, data owners, roles, access control, data storage and data destruction.
3. Security Engineering
   This seems to be the widest domain in terms of topics, because it’s about pysical security (alarms, barriers, fire extinguishing, etc.), cryptography, specific technical solutions, and even the architectural features of different access models and their implementation.
4. Communication and Network Security 
   Probably the most practical and understandable domain, where you have to recall SSL, TLS, HMAC, S-RPC, EAP and so on, if the data is transmitted over the networks, there is a question in the specified domain.
5. Identity and Access Management
   Here are all questions about the users of the system and their credentials. Remember how authorization differs from authentication and all of them together from identification. Then we’ll understand how the account management cycle looks, and how factor authentication can help us.
6. Security Assessment and Testing
   This domain discusses the practical issues of security testing. Why do I need security scanners? Who is OWASP? What about sanctions of the owner?
7. Security Operations
   This is the most boring of all domains, where the practical aspects with daily routine of the Security Department – investigations, processing of applications, marking the media, separation of duties, change management, etc.
8. Software Development Security
   The domain looks little strange among the others because its topics are all sorts of things like SDCLS, Pert, Agile and other software development models. But in fact CISSP must have competence in wide aspects of security, so there’s nothing wrong with it. Some specific programming skills are not required here, but who knows what one will have to do in the career.
9. I am really interested in my profession, and most of the topics did not cause any additional questions, except perhaps for the last domain. There’s nothing complicated about it, I just didn’t come across in my career.

Register for the exam
The exam is taken in Pearson VUE test center, just like Cisco or Microsoft exams. However, the thing is that not every test center is available. In St. Petersburg, for example, there’s only one test center for this exam. The thing is, that the test centers taking the CISSP exam have more stringent requirements than usual. For example, at registration in the test center it is necessary to pass palm vein pattern authentication so the test center must have the appropriate equipment. You can’t take anything with you to the exam, except for the necessary medications and perhaps something to eat. And don’t forget identity!

On the exam
On the appointed day you come to the test center, pass the formalities and sit down at the computer. The test consists of 250 questions for all domains. You have 6 hours, no breaks. And, practically there are no questions on knowledge of any concepts, facts or definitions. The questions are mainly aimed at testing the knowledge of the best practices, methodologies and standards. i.e. the question may have all the answers logically correct, but only one of them meets the standard. For example, if there is anything in the answers about “ensuring people’s physical safety,” then this answer is always correct.

It took me somewhere about 3.5 hours to pass, and it is quite good, because after two hours of hard work the attention slowly dissipates, and the logic fails. You have to relay on common sense and experience to discard notoriously false answers and choose the most accurate one.

So, we get to the last question, press “Finish”and finally…  nothing happens. You need to approach the administrator of the test center, who will issue a printout with results. If you fail then it’s all over again – you will have to pay a 699$ for another attempt. The printout will also indicate how many points you have and what went wrong.

If you pass the exam, then it’s just “Congratulations” with no details.

I’ve passed the exam at the first attempt, while all the training took about three months. I’ve read many stories about people tried to pass this exam 3-4 times and still failed, so I was ready for this scenario. However, everything turned out to be much easier.

My disappointment with the “complexity” of this exam was shared by several foreign colleagues. And, each for its own reason: someone was upset with the simplicity of the exam (so much time spent on acquaintance with international legislation, GDPR and amendments to the U.S. Constitution, and there were only 3 questions on this subject), and someone’s detachment from real life (not a single lab!).

But it’s not the essence of the exam! It is intended to be “a mile wide, but an inch in depth.” The candidate has to understand what business processes are behind the ticks in the Active Directory settings and which policies are implemented with routing tables. CISSP is an cyber security pro who thinks like a manager,  in the best sense of the term.

What’s next
So, the exam is over, and you’ve become a CISSP (haha, actually, you’re not). Your experience should now be confirmed by another CISSP. It can be a colleague, a friend or even a complete stranger – your relations aren’t specified nowhere in the rules.

Next, you need to accept the Code of Ethics (ISC)² (https://Www.Isc2.Org/Ethics), wait for another letter with confirmation and finally get a cherished status. Just for a year. The fact is that the CISSP status must be confirmed every year. You do not need to take the exam again, but you have to submit CPE (Continuing Professional Education). In order to maintain CISSP status , it is necessary to participate in the cyber security community:  write articles, participate in events, or even listen to podcasts. For each type of activity points are awarded. It is necessary to get 40 every year, only then the status be will be extended.

So what’s wrong?
It turns out that the existence of CISSP is known to you and a couple of colleagues. These cryptic letters do not appear in job titles unless it is of course a foreign company where CISSP is often a prerequisite for an interview invitation. This is not good nor bad, it is the reality of the Russian job market. We do not have such certifications here, and the only relevant document is still the Diploma of Higher Education.

However, the prestige of the profession is gradually declining, and entrants prefer more promoted and socially attractive specialties, and graduates of higher education institutions, coming to the interview cannot formulate what exactly they were doing for the last 5 years in their Alma Mater.

The paradox here is that the number of certified CISSP, CISA And CISM In Russia gradually grows, and therefore not all is lost I guess.