Cert Review: CISSP
Still the Gold-Standard?
The Certified Information Systems Security Professional, commonly abbreviated to CISSP (some say C-I-S-S-P, some say ‘sissp,’ and others say ‘sis-p’), has been around for a long time, and for good reason. Many regard it as a premier certification, coveted as the stepping stone between the foundational certs and the ‘big league’ ones. With its still relatively recent 2021 refresh, some question whether it is still worth it today.
Back to Basics
There is a saying, familiar to many in the combat arms, about the high-speed, low-drag individuals who make up Special Operations: the Green Berets weren’t super soldiers trained in ways unknown to the rest of us; rather, they were experts in the basics. Mastering the basics let them build their more technical skills on top, allowing them to be the tip of the spear they so often are. That resonates a lot here, and to me it is why CISSP is a vital stepping stone between being a cybersecurity professional and being an expert.
CISSP represents a reiteration of the core topics that make cybersecurity function the way it does, breaking them down into eight foundational objectives, known as Domains, to reinforce the goals and mindset of security. I have referred to CISSP as Security++, and that isn’t an inaccurate description. Yet it doesn’t fully capture the idea that a certification like CISSP is the same mile wide but an inch deeper, and that extra inch is profound in its content, both from the 30,000 ft view and at ground level.
The Eight Domains of Security
CISSP is broken down into Eight Domains meticulously constructed by The International Information System Security Certification Consortium, or (ISC)². These are:
Security and Risk Management - Topics in this domain center around the core function of cybersecurity: augmenting organizational operations to function securely and safely.
Asset Security - Topics in this domain revolve around adopting safe practices around data and physical assets.
Security Architecture and Engineering - A core function of building our networks and systems, this domain covers how we construct these designs and their philosophies.
Communication and Network Security - We wouldn’t be here as cybersecurity professionals if our systems didn’t communicate, and this domain covers how we design and manage these networks.
Identity and Access Management (IAM) - Increasingly central to secure design approaches (think Zero Trust), this domain covers how we perform authentication, authorization, access, and accountability.
Security Assessment and Testing - This domain speaks to the importance of assessments, audits, and their role in ensuring that our controls and designs function as intended, as well as giving us the ability to improve upon them.
Security Operations - My beloved domain, this covers topics surrounding how we conduct daily operations involving security, along with how we should be responding to security events and incidents.
Software Development Security - Finally, our applications must perform efficiently and effectively without opening gaps and holes in our security. This domain covers how we approach secure coding practices.
Each domain represents a comprehensive and thoughtful convergence of topics, ideas, theory, philosophy, and practical implementation. While you likely won’t be asked on the test to review logs, tool outputs, or ‘find the bad stuff here,’ you will be tested on scenarios that involve the idea of doing such practices. It is important to note that, as I mentioned earlier, you will find yourself in familiar territory from Security+ on this exam. Yet you will notice that a lot of judgment is expected, implied from experience, which many test takers might lack if they don’t have time in the seat in at least two domains, as ISC2 recommends and indeed requires. In other words, the questions may be stripped of the tell-tale information that would be present in a more junior exam, expecting you to leverage experience and knowledge instead to answer them.
It’s All In Your Head
To start, there is no virtual or remote testing allowed. All testing must be conducted in a Pearson Vue testing center near you. For anyone who hasn’t been to one, it’s a little uncomfortable, but not the end of the world. You will share a testing center with a variety of individuals, from IT professionals to medical technicians, taking exams in a quiet room monitored by proctors. Next, to be eligible to take the test as you sit at the testing station, you must agree to both the terms of service and the ISC2 Code of Ethics, and then you must sign a Non-Disclosure Agreement for the exam itself.
Finally, the exam begins. The biggest challenge of the test isn’t the content, given that studying helped me immensely, along with the experience I brought to the table. Instead, I think the biggest challenge is the mental game the test plays with you. As I noted above, the test is very good at leaving out the finer details that help you arrive at an answer, so you may find yourself reading a question, reading the answers, rereading the question, breaking down each option to its fundamental meaning, and then working your way out of the rabbit hole you’ve dug. This happens while the clock continues to tick down; even worse, you don’t know how many questions you have left.
See, the exam uses a ‘Computerized Adaptive Testing’ model (for the English version). This means that the computer will issue you a minimum of 125 questions. As you answer them, it calculates a percentage estimate of how well you’re doing, and once you reach that 125 minimum, it assesses this score for a ‘Pass/Fail.’ It will end the test there if it believes you answered well enough in all eight domains (and if I understand correctly, each domain requires a passing score of ~70%, so an overall score doesn’t exactly matter). Likewise, if it believes there is no way for you to recover from a low score, it will also end. If you are somewhere in the middle, the computer will continue to issue questions until it can reach that conclusion, up to a total of 175 questions (so up to an additional 50 beyond the minimum of 125). Even better, as it narrows in on content that trips you up, it will press you on those topics to ascertain your proficiency in that specific Domain.
In addition, there are no take-backsies. In other words, all answers are final, and you can’t go back or skip around, unlike other exams in the space. You won’t be able to flag any questions to return to later, so you must make each question count in terms of time and effort. This was an especially fun hurdle to overcome, as you will surely second-guess yourself. I know I did.
Finally, much like other certification exams, you will be given unannounced unscored questions on your exam. These are sample or trial questions inserted into your exam. They do not tell you which ones count; they are used to evaluate future content for the exam. This means there is a chance you will hit a question you have zero clue how to answer because you didn’t cover it in your test prep content, adding to all the pressure already there.
What all of this means for test takers is that it is probably best to assume you will have 175 questions in your four-hour window for the exam. That math breaks down to an average of ~82 seconds per question (240 minutes across 175 questions). However, the count isn’t certain, and this adds a psychological layer to your exam, as you won’t know whether you passed or failed until it stops giving you questions. When you finish the exam, you must wait for your print-out from the Pearson Vue test proctor to find out if you passed, adding an extra layer of ‘did I pass?’ suspense to your day.
Post-Exam Endorsement and Membership
The fun isn’t over just yet, either. After you complete your exam, you have two options for obtaining credentialing. This is another unique thing about CISSP that sets it apart from other certifications, and the path you choose depends on your experience in the field. ISC2 requires those who wish to be CISSP certified to have four years of full-time, paid experience plus either a degree or a certification on their approved list, or a total of five years of experience instead. In addition, that experience must match at least two of the eight domains of the exam.
If you meet the professional and academic experience requirements, you move on to the Endorsement phase, where either a peer who already holds CISSP verifies you and endorses your experience, or ISC2 does it directly if you do not know anyone with CISSP. This is a formality that establishes a chain of trust so that you can become a member of ISC2 and obtain CISSP certification. You’ll be required to submit a resume-like form for your Endorser to verify you. If you have ISC2 do it, you may have to submit additional proof and verification documents with your application. Once you submit your Endorsement, it can take up to six weeks for ISC2 to review your submission, verify you, and credential you.
If you don’t have the required experience, you can still apply for membership with ISC2 and become what is known as an ‘Associate of ISC2’; however, you do not obtain CISSP credentialing. Instead, ISC2 gives you a six-year timer, starting once you receive your passing verification, to gain the required experience and complete the process above. It’s also important to note that the Associate designation is NOT a certification but rather a membership. You cannot claim you are a CISSP, CISSP Associate, Associate of CISSP, or any other variation involving the CISSP designation. Claiming CISSP without completing the credentialing process can actually get you barred from ISC2, and you lose your status. You can read more about this distinction here.
What I Used to Study
My exam prep consisted of three things for the version I took, v2021:
Mike Chapple’s CISSP (2021) Exam Prep course on LinkedIn Learning
Mike Chapple’s CISSP Last Minute Study Guide & 1 Practice Exam Bundle
ISC2 Official Exam Prep App
I spent approximately three weeks working on this material. I chose it because Mike Chapple is one of the authors of the Official ISC2 Study Guide, so I used his video series, which covers the same topics, since I prefer video material to book material. In addition, I wanted the best practice possible at taking the exam, so I used practice tests to get familiar with question design and content. I think this was more important than the studying itself; however, don’t let that convince you to skip the video course or the book. There was plenty of material I either had to learn from scratch or brush up on in order to be proficient during my exam.
Also, I don’t recommend cramming all of this into just three weeks unless you know what you’re doing. I dug my own grave on timing, but if I could do it again, I would always recommend at least a month of prep for any certification.
Who Is This For?
CISSP, in my opinion, is the perfect example of a mid-career certification and still earns its name as a gold-standard cert. It is an affirmation that you have mastered much of the craft of basic cybersecurity knowledge and are moving from a ‘Professional’ level to an ‘Expert’ level. What this means for most is that you’ve had a good journey thus far and are ready either to move into more specific cybersecurity focuses and become specialized, or to move into a leadership role in which you will be directing your specialists.
Either way, CISSP is worthwhile for those looking to set themselves apart. Much like how Security+ is for entry-level, I believe that CISSP is just as meaningful for those in mid-career, and ISC2 reinforces that idea with the educational and professional experience requirements since you can’t even get the credential unless you meet those requirements.
For those considering this credential at the entry level, I would caution you. There are certifications and training programs oriented toward newcomers that are both cheaper and more effective for someone just starting their career. Likewise, there is a risk in taking a Professional-level certification like this at the start of your career. Because of its broad nature and its expectation that you have some experience, it may unintentionally leave you with knowledge gaps or misconceptions that you must go back and repair later. However, if you’re already a few certs in and are looking to up the ante, this isn’t the wrong place to go next, but be warned that you can’t claim CISSP until you meet the experience requirements. That’s why I generally won’t recommend it for folks just starting out.
This leads me to my final note: there is a worry that CISSP is overstressed in many cybersecurity job postings, which leaves some of the more junior members of our industry with a skewed and misaligned view of proper career growth. If you see a recruitment post for a junior or even a just-above-entry-level cybersecurity position and they want to see CISSP, I would look elsewhere. Either the recruiting staff is not appropriately aligned with mission needs and industry standards, or the hiring manager is grossly overestimating the talent pool and is about to underemploy some poor soul. Either way, these organizations need to self-correct, and fast, because researching job posts is an expected resource for many newcomers, and spotting a common theme of certification requirements is how many plot their career growth. This comes full circle and becomes dangerous when we ironically expect our junior and less-experienced folks to have five years of experience, CISSP, a master’s degree, and a letter of recommendation from Kevin Mitnick. This sets unrealistic expectations and builds a barrier to entry into the field that just shouldn’t be there.