My CISSP story
What is CISSP, why you should become one, how to become one, and some thoughts about the process.
Extra content consists of blog-like posts where I allow myself to post thoughts or relevant life stories.
What is CISSP
Alright, let me tell you what it is not:
- Coalition Internationally Supporting Simian Patriarchy (sorry King Kong)
- Chronically Infected Splinter Syndrome Prevention (sorry Teenage Mutant Ninja Turtles)
- Champion In Smelling Super Poopy (sorry my kids)
I could do this all night. Fun with infosec acronyms is my Twitter gimmick.
More seriously, CISSP stands for Certified Information Systems Security Professional. The certificate is issued by the private organization International Information System Security Certification Consortium (ISC2). In the infosec field, I see its reputation as comparable to an MBA or a CPA credential.
CISSP is earned once a professional obtains five years of relevant experience in all of its 8 common bodies of knowledge (CBK), passes a super hard exam, and signs a code of ethics. In June 2022, I successfully passed the exam and became a CISSP a few weeks later.
Since the bodies of knowledge are so vast, the CISSP is often described as "knowing the whole ocean one foot deep". No mention of plankton.
Why did I get the CISSP?
I got into infosec because of the TV show Mr. Robot. Of course, my initial idea was to become a pentester! While ethical hacking was enthralling, I quickly discovered my knack for delivering awesome risk assessment reports thanks to my love of writing. When faced with the choice of either being a good hacker or an excellent Governance, Risk, Compliance (GRC) specialist, the latter was obvious.
All 3 facets of GRC require a thorough understanding of an organization, therefore the mindset and knowledge of CISSP are the most sought-after skills for proficiency. In other words, CISSP is sort of what you do when you get into GRC and that's that.
To be honest, I went into the studies sort of backwards, feeling CISSP was over-rated. Let's face it, any Security Analyst job posting from a company that doesn't know better will add the CISSP as a requirement for good measure, despite the tasks requiring none of its skillsets. CISSP doesn't make you an endpoint security architect, application security specialist, or incident responder. Yet, your old buddy CISSP is always getting squeezed into the listings... Plus, everybody in the infosec world has a story of that CISSP who spent so much time writing security policies and control maturity matrices that he doesn't know what an Active Directory is. The stereotype is so prevalent that I overheard the name "CISS-Papy" ("papy" in French meaning "grandpa").
Turns out "over-rated" is a poor choice of word. "Misunderstood"? Absolutely! Looking back at what I learned in my studies, especially during the last 8 weeks of the marathon, CISSP is exactly what it needs to be. Coming out of it, the training taught me an extremely valuable mindset: think high level or, as it's spelled out in some books: think like a manager. More on the subject below.
How did I get it
Let's get the "exam prep" part out of the way before we discuss the real fun part of CISSP training. I kind of went at it "Rocky Balboa" style, with a full 2 months of prep at 3 hours a day, 7 days a week.
- Read the Shon Harris 1,200+ page book thoroughly. If I had to do it again I'd use the official book instead. The Harris book feels more "scholarly" rather than, well, an exam prep, if I'm making sense.
- Did the Thor Teaches courses on Udemy. With discounts going to -90%, you get excellent courses for about $40 total. Worth your time.
- Used the PocketPrep app. The mobile experience is amazing, but you will go through the 880 questions in a week or two. I use mobile a lot because life is full of these 5-10 minute holes where you wait for your pasta to boil, your turn to come at the cashier, or your poop to finish.
- Used the official CISSP app. 2,200 questions is much better and I felt they were rather close to the exam, all things considered. The user experience is so-so and the "gamification" mechanic is a bit boring, but for $10/month it is a must.
- Used the Boson simulation exams. I was pretty advanced and had a moment of panic when I scored a 69.5% on one of the "sims". When reviewing the incorrect answers, almost all of them came from unofficial sources (Microsoft, Cisco, RFCs, etc.). Be careful with these, as they are both very technical and not relevant for the exam.
That might not seem like much. How can an exam be super hard if all it takes is 2 months of answering quiz apps on the john? I have the chance of encountering many of these concepts in my day-to-day, so all I needed was to fill in the gaps (layer 2 protocols, USA federal government methodologies, Bell-LaPadula access control designs, fire extinguisher types, all that fun stuff).
As a matter of fact, the most interesting aspect of studying CISSP for me wasn't acquiring that new knowledge (get lost, Fiber Distributed Data Interface!); it was unlearning some of my reflexes.
If you are getting ready to pass the CISSP, I urge you to watch the video below. It is the most useful piece of content to understand what the CISSP is all about:
All the questions I was failing were because I was fixing problems. You notice a laptop making simultaneous connections to China and the USA, what should you do? Well, their creds got owned, let's quarantine the machine and run a scan! Not so fast, cowboy! First, you have to validate whether the behaviour is truly anomalous, then activate your Incident Response Plan. But I'm wasting time! You are a risk advisor, you do not fix problems. You put on a suit and a tie and you tailor your PowerPoints to the client's brand.
CISSP lives in a world where a perfectly managed top-down organization makes decisions based on risk assessments that every member of higher management maniacally oversees. Your role as risk advisor is to help the organization optimize security investments based on threats against assets by targeting appropriate technical and administrative controls, which will be selected, assessed, and monitored frenetically. This world is called "theory", and theory matters.
Nevertheless, I found acquiring the mindset absolutely fascinating because, despite being theoretical, it does enable you to think at a higher level and adopt the posture of "IT security manager". The CISSP opens you up to assets, classifications, criticality, risk, and cost, in a manner that is truly unique.
What about the "CISS-Papys"? The CISSP mindset is meant as a theoretical jumping-off point and as shared knowledge of what truly works. The grandpas simply never left theory. They failed to personalize the approach.
Pictured: not a CISS-Papy
Criticism of the CISSP
The one criticism that I will make of the CISSP contents is that it assumes an absence of labour scarcity when calculating the costs of security controls. Let me break that down:
- Opportunity costs are underestimated. "Fuzz testing" is the practice of sending random inputs to an application to detect crashes and security holes. Everybody agrees: fuzzing matters. And not just because "fuzzer" sounds like a cool job title. What CISSP will not teach you, in my opinion, is the impact of hiring a fuzzer on your time to market (TTM) which, in for-profit sectors, is the most important metric of all. Want your developers to fix a vulnerability? We need that new Pokemon mini-game yesterday in our app. The fuzzer gets no buzzer. Or Bulbasaur.
- Privacy invasiveness is not factored in. This is the one theme where I was the most irritated. Web proxies that do internet traffic inspection, frequent drug screening, fingerprint analysis, and social media monitoring are, for me, borderline belittling practices that blur the line between security and control. I feel the CISSP study material adopts an approach to labour that seems too "USA-centric". Laws and practices are very different in Canada and Europe from a privacy perspective. This leads to...
- Impacts on employee experience are neglected. I gave up on this one. These are the prep questions where I was answering the "correct" thing while screaming at the phone "BUT NOBODY'S GOING TO WANT TO WORK FOR ME!" I do not know about the LinkedIn ads on your feed, but the ones I get are pretty unanimous at starting with "Tired of C-sharp and ASP.NET?" Blocking users from installing different web browsers or development environments, blocking the use of new programming languages, or forcing repetitive standard operating procedures will absolutely hurt your hiring potential, especially if they are coupled with the aforementioned invasive measures.
To summarize, sure, the study material will warn you against the "inconvenience" of security controls. But I believe the problem goes deeper: skill is the most valuable commodity in the market. To thrive, you must be attractive, especially in relation to software development, which requires creative space. I don't think this component is sufficiently outlined in control costs.
In Conclusion
I highly recommend the CISSP training. Not only do you have the opportunity to memorize 1,200 pages of subject matter, but you learn to think like a manager, opening up a whole new perspective.
Just make sure you remember this is the basic theory, not the gospel.