Road to CISSP – Certified Information Systems Security Professional


IT Security continues to be a very important topic in the IT ecosystem. Ensuring your Information Security is as good as it can be also makes good business sense: it reduces the risk of loss and shows your customers your organisation’s commitment to quality and capability.

Information Security doesn’t come only from technical controls; physical controls also matter, and, as this article shows, so do administrative controls, specifically the skills and understanding of your personnel and the actions they take.

What is CISSP?

Having staff within your organisation who understand how to manage the security of your organisation’s information assets is key to ensuring that your organisation, its partners, suppliers and customers can be kept safe. The CISSP (Certified Information Systems Security Professional) is a certification that can give you as an organisation confidence that your IT Security staff have a broad understanding of the various facets of managing the security of your Information Technology, not just in terms of hardware or software controls, but beyond that into the management of the supply chain, staff training/awareness and so on.

How can CISSP help you and your Organisation?

The security of your organisation is only as good as its weakest link. Sure, you might have fantastic firewalls, perfectly configured, giving you telemetry of usage and attack attempts; but if your staff don’t have incident management plans, or the processes and procedures that mean they are actively monitoring and proactively dealing with issues, you’re leaving your organisation vulnerable.

When I studied for the CISSP I gained an understanding of the approaches required to manage information security for my organisation, identifying avenues for attack and how to remediate risks quickly and effectively. The CISSP is a broad certification that covers these 8 domains:

  1. Security and Risk Management
  2. Asset Security
  3. Security Architecture and Engineering
  4. Communications and Network Security
  5. Identity and Access Management
  6. Security Assessment and Testing
  7. Security Operations
  8. Software Development Security

Where to Start?

I completed the CISSP certification in October 2022. It was a long, tough, but ultimately rewarding experience; it gave me the skills and knowledge needed to know where to start to protect my employer’s information assets. But this isn’t just about starting to configure a firewall; it’s about starting with an understanding of what you’ve got, where it is, who owns it, where its weaknesses lie, and then what you need to do to remediate the issues now and on an on-going basis.

ISC2 have a number of certifications that specialise in particular facets of your IT infrastructure and systems, but the CISSP is a much more general, high-level certification and body of knowledge into which these more specialised fields of knowledge can slot. In my case I was looking for a more high-level view of IT security and its management rather than very specific knowledge in a particular area.

I started my CISSP by first registering with the ISC2 website and creating an account. From this I found an overview of what is required for the CISSP domains of knowledge, along with pointers to where to find courses and study materials.

I took the self-study route, studying in my own time from video courses and materials. However, there are in-person and on-line tutored virtual courses that I could have used. These are typically 5-day full-time courses that provide everything you need to know in a short period of time. However, what I found was that the broadness of topics covered in the CISSP meant taking a course like this would need to be followed up with some self-study, just to ensure I’d taken in all the topics to a sufficient degree to be successful in the CISSP exam and also to ensure I have what I need to apply what I’ve learnt in practice.

So What was Involved?

I studied for a minimum of about 1 hour a day (2 hours a day at the weekend) for around 9 months with the following materials:

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition (Chapple & Seidl)
Read this cover to cover, made a few notes as I went along, but didn’t do the questions at the end of each chapter on the first pass. It’s dry material (although there are a few jokes here and there) but really is a very comprehensive book; in fact this will stay on my shelf next to my desk for reference from now on.

(ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests, 3rd Edition (Chapple & Seidl)
The book has 4 practice tests and then questions per domain. I read the OSG, then did practice test 1, didn’t do very well, looked at the areas where I was weak, then went back through the OSG reading and making notes on these weak areas. Then did practice test 2, again looked at the weak areas, went back to the OSG reading on these topics and making notes, and repeated.

Once I’d done all 4 practice tests, I went through the domain-specific questions, again finding my weaker areas, reading those sections/chapters from the OSG and making notes.

Mike Chapple LinkedIn CISSP Course
Very much worth it; Mike is really good at explaining things, and his Diffie-Hellman explanation was really good. If I was starting again, I’d say do the LinkedIn course, as it gives you a good overview of everything, then start reading the OSG to get the detail and context.

Sunflower CISSP Revision Notes
I went over these in the last 2 weeks; they are a good summary of things.

LearnZApp CISSP App
For the money (which for me was fairly cheap, because I used my Google Play credit from answering surveys!) I’d say this is a good app to just check on your knowledge and again identify where you are lacking; I used this when I had a few minutes. The Custom Test Builder mode is great to just pick a domain (or domains) and test on these. These are seemingly the same question bank as the OSG Practice Tests book.

Think Like a Manager – Kelly Handerhan
https://www.youtube.com/channel/UCpH4t8k7Nv6yivV0IyK8gYA

What the practice questions give you is a way to identify your weak areas, plus experience in taking an exam and in reading and digesting the questions at speed (this last bit I really struggle with), especially with the ticking clock!

Exam Preparation

TestMike Practice Test: for the price I think it is worth it for a good practice exam and to gauge where you are. I got 85% on this about 3 months ago; it gives you a good view of where you have a good handle on things and where you don’t.

ThorTeaches Hard Practice Exams: I’m conflicted about whether these were good or not. Probably worth it, and they certainly are an eye opener. They are difficult questions, sometimes made difficult by the obtuse phrasing of the questions, but this is actually beneficial to get you into the habit of really reading the questions and understanding what they are trying to ask. The most I got on these was 70%; on the other 3 I only got 60-63%.

Conclusion

Hopefully this has given you an overview of what the CISSP is about and how having certified individuals within your organisation can help your organisation reach its goals, and do it securely!
