The Security Guy

Let's keep the cloud from leaking!

CISSP from a Cloud Security Engineer’s point of view

Recently, I took the exam, and now that I can officially call myself a CISSP (the waiting time between the endorsement of work experience and the approval from ISC2 felt like an eternity), I would like to share some points I learned about this certification and my opinion on it.

For those who have never heard of the CISSP (Certified Information Systems Security Professional), this certification is considered the “Gold Standard” of InfoSec certifications and is very broad and high-level.
In fact, it is so broad that you have to learn about things like what kinds of guards you can use to protect a building, or how high a fence needs to be to count as a preventive measure rather than just a decoration! There’s a lot of other stuff too, like fire classes, and so forth…

Now, what does all of this have to do with InfoSec? Well, all of this contributes to the overall security of the information your company hosts. Since our job is to protect information from all kinds of negative influences, we have to keep all of this in mind.
But of course, the CISSP also includes a lot of technical knowledge—from network protocols and databases to software engineering and DevOps. And what about cloud computing?
Of course, you will also find cloud topics in the so-called “Common Body of Knowledge (CBK)” that ISC2 maintains. However, the CISSP is by no means a cloud certification. It’s not even that modern. Because it is so broad, you also have to learn about some legacy technologies. Think of network technologies that I haven’t even seen in action my entire career!
There is a separate certification from ISC2 called the “CCSP” (Certified Cloud Security Professional), which is specifically aimed at cloud security.

Defense in depth model

Why didn’t I take the CCSP certification instead?
I think that as a Security Engineer or a Security Professional in general, you should have a high-level overview of the whole industry.
This is exactly what the CISSP offers. The CCSP is very focused on cloud security, but in a vendor-neutral way. That isn’t a bad thing, but I think that a combination of vendor-specific certifications like the “Microsoft Cybersecurity Architect” and a vendor-neutral, general certification like the CISSP is worth way more than just a CCSP. Besides this, the CCSP is a lot less well-known, and this is a big deal because a lot of the value comes from the popularity of a certain certification.

Was it hard to pass the exam?
To be honest, I can’t really tell how well I did on the exam. And this is true for many people taking this exam. There are two reasons for this:

1. The exam often asks you for “the best” or the “most effective” solution to a certain scenario. This means that while there is often one answer you can eliminate because it’s certainly not correct, there are still three more answers that all could be correct, but only one of them is the ultimate answer.

2. The phrasing of the questions is insanely difficult. Even some native English speakers have issues understanding the questions correctly. Some people even say that the CISSP is more of an English exam than anything else. For me, this often meant not being sure whether I had understood the question correctly, and therefore not knowing whether my answer could even be correct.

At the end of the exam (at least if you passed it), you get absolutely no information about how well you did. Not a single word! The only indication of how well you did is how many questions you had to answer to pass the exam. The fewer questions (could be anything between 100 and 150), the better you most likely did. But this is a very loose indicator since the algorithm of this “Computer Adaptive Testing (CAT)” is a complete black box.

However, I would say that someone who has worked in a technical IT Security role for a few years should be able to pass this exam with a reasonable amount of studying. Don’t take it too lightly, but also don’t overdo it. If you feel like you have good insights into all of the eight domains of the CBK, do not hesitate to give it a try. If you don’t feel confident on your first attempt, consider buying the “peace of mind” protection option, which will offer you a “free” second attempt.

How was the study process?
I had the luxury of attending a week-long training to kick off my study process, which my company paid for (thanks for that, by the way!).
This training covered all eight domains, but it was very fast-paced to fit everything into one week. Since I had already been working in InfoSec for several years, the amount of new information was quite manageable for me. However, there are some topics that most people studying for this certification probably struggle with. These include, for example:

  • Block sizes and key lengths of various encryption algorithms
  • Various U.S. federal laws and regulations
  • A lot of theoretical confidentiality and integrity models
  • And a lot more things to memorize

While reading about some topics to understand basic concepts and fill my knowledge gaps, I tried to learn and memorize as many of the things mentioned above as I could. In addition, I took advantage of every opportunity to answer exam preparation questions in the Pocket Prep App. I highly recommend this app to anyone preparing for this exam.

If you want to use it as well, use this link for your registration and get 20% off. ← This is not an advertisement, as unfortunately, I get nothing from it 😉

Conclusion

The big question remains: Should you pursue this certification?
If you have been working in the InfoSec industry for some time and you want to get a certification that shows your knowledge is well-rounded and broad, the CISSP is an excellent certification to pursue. If you’re interested in strictly technical topics and want nothing to do with management, this might turn out to be very boring for you. As for me, I am very happy and proud that I was able to pass this exam, and I am sure that it will be beneficial for my career.

2 responses to “CISSP from a Cloud Security Engineer’s point of view”

  1. Manu

    Great post Marco!

    1. Marco Schmidt

      Thank you Manu!
