The Certified Information Systems Security Professional (CISSP) is a very well regarded qualification from (ISC)2 ("ISC squared") that, importantly, seems to hold its value.  I attended a six day intensive training course for the CISSP run by a company called Firebrand, and was privileged to have my costs paid by my employer thanks to some funding made available by the Local Government Association.  This was a residential course and, given the pandemic times we live in, I made a point of checking the venue was "covid secure" before I travelled.

What do you mean "holds its value"?

Qualifications can see their value drop over time, the same way that a car's value depreciates.  In the case of technology qualifications it can be as simple as the information from the qualification is largely no longer used, for example a Windows NT4 MCSE [1].  The CISSP teaches processes and methodologies, rather than literally how to accomplish a specific task, so doesn't devalue in the same way.

I can say that I've seen old CISSP exam style questions that did test you on how to preform a specific task and that did have me concerned.  During a practice test I saw a question about the pop up blocker in Internet Explorer, a browser I've not used in anger since IE6.  Fortunately that seems to be gone now.

OK, but what is the CISSP?

There are eight domains in the CISSP certification that you must show proficiency in, listed below.  It should be noted the CISSP is a management qualification and not a technical one, so while there are technical elements you're not taught how to build a secure system but are shown how to design one.  That sentence probably worked better in my head but hopefully it makes sense.

Importantly, the CISSP teaches you that the security team is there to facilitate the needs of the business, not to hinder the business.  Sadly IT and security teams are often considered blockers to business goals and I've certainly had to adjust from saying "no" to "yes, but I recommend you do it like this".

The domains are:

  1. Security and risk management
  2. Asset security
  3. Security architecture and engineering
  4. Communication and network security
  5. Identity and access management (IAM)
  6. Security assessment and testing
  7. Security operations
  8. Software development security

Pre-study

While not mandated by Firebrand I took it upon myself to do some pre-course study.  As a subscriber to Pluralsight I'd found a good CISSP course path by Kevin Henry so I spent some time watching those videos.  I was a passenger for some long car journeys so was able to use the time studying rather than watching the world go by at 70 miles per hour.

I'd also been studying for Cisco's Certified Cisco Network Associate (CCNA) which helped with domain 4 (communication and network security) and worked as a network & security engineer in my previous role.  Courses as part of my Master's degree also helped with a number of the domains and I have lectured in some of them as well so I was feeling reasonably confident.  Quite by chance I'd proofread a book on DevSecOps at the end of August[2] which helped with domain 8 (software development security).

Timetable & pace

Arriving on the Sunday night I attended the opening lesson where we were handed our books, stationery[3] before cracking straight on with domain 1 (security and risk management).  After that lessons started at 08:00 and finished at 18:30 with one hour for lunch.  Don't be fooled by what looks like a nine-and-a-half hour day though; the expectation is that you study further in the evening.  Revising the previous domain, or two, is certainly recommended.

Progress during the course itself was swift so for those that don't work in security you may want to opt for either a lot of pre-study or avoiding an intensive course.  There wasn't a lot of time to go back over material during lessons but the tutor did make himself available in the classroom each evening to help with that.

Training material

As part of the course we were each given the official (ISC)2 student guide, a behemoth of a tome at over 750 pages.  It's a weighty book, as demonstrated to my daughter by dropping it on the floor when I got home - it made a reassuring thud.

The green and white front cover of the Official (ISC)2 Student Guide.

Also provided were some revision questions, the first set we were actually asked to do before we properly started the course on the Monday.  I was pleased to score in the 60% range.

The exam

From the experience of past colleagues I knew the exam was likely to be tough, but fortunately it's changed since they sat the paper.  The exam used to be six hours long and included time for you to go back and review your answers.  That's no longer the case for people doing the exam in English[4] as the exam is now adaptive.

An adaptive exam is one that changes the questions based on your previous answers.  For example, if you answer a question on domain three incorrectly your next question on that domain will be easier.  Conversely if you answer correctly your next question in that domain will be harder.  As a result you cannot go back.  This caught me out once (that I know of) when I clicked submit and then realised I'd picked the wrong option.

It's widely said that you'll feel like you're failing during the exam and I definitely fitted into that bracket.  You sit a minimum of 100 questions and a maximum of 150 and 25% of the questions you answer won't count (they're beta questions for future exams).  Your exam will finish when you either have enough points to show you're proficient in each domain, run out of questions, run out of time (3 hours) or the software determines that you cannot pass with the questions remaining.  I finished dead on 100 questions and assumed I'd failed, only to be told I'd passed.  Moreover, I'd passed in 75 questions as 25 of them wouldn't have counted.  Happy days :) .

Isn't the CISSP American?

(ISC)2 is an American organisation but the CISSP has very much diversified to cover more than just American law.  European topics such as GDPR are covered in the syllabus, for example.

Working through some practice papers courtesy of the CISSP Official (ISC)2 Practice Tests (available on Amazon) there were a lot of practice questions on US law but this didn't seem to be the case for the actual exam I sat.

Exam tips

Obviously I can't discuss the questions in detail, I'm bound by non-disclousure agreement and the (ISC)2 code of ethics, but some tips I can share:

  • You definitely need experience of working in the field - the book alone is unlikely to pass you
  • It's worth knowing about some laws (e.g. Sorbanes Oxley Act (US) and the GDPR (Europe)) and the difference between trade secrets, patents and copyright
  • Don't argue with the question[5], it may not be what you'd do in practice but you need to follow the (ISC)2 scenario
  • If the question asks what's the first thing you'd do, the answer could be to assess the situation (a tip from our tutor)

Endorsement & annual maintenance

Once you've passed the exam you're not certifed until you've completed the endorsement process.  A requirement is that you have a minimum of five years paid work experience in at least two of the CISSP domains.  As part of the endorsement process you have to pay an annual maintenance fee of $125 (about £96 at the time I paid) and you'll then hear if your certification has been approved, at which point you'd become a member of (ISC)2.

Each year you have to gain 40 points of continued professional education which can include attending events, online training or writing professional blog posts.  I'm hoping some of my posts on this blog will count (technical ones, not ones about my pen collection!).  If you've not amassed the correct number of CPEs over three years (120) you'll need to resit the exam.

Conclusion

I certainly enjoyed getting my teeth into the course although it was definitely hard work.  In theory the CISSP will stand me in good stead for future jobs and the certification tends to command a higher salary in England (no bad thing) but I doubt I'll see a change in my wages at work.  I've certainly had to change some of my thinking away from being in "the team that says no" to "the team that helps them be safe for themselves" - a useful lesson in itself I feel.


Banner image: Part of the official (ISC)2 CISSP student guide.

[1] Microsoft retired the NT4 exams in 2000.

[2] I'll release details on that once it's published, but for now I'm under a non disclosure agreement.

[3] Regular readers will have correctly guessed I took my own fountain pens and paper with me.

[4] For speakers of other languages the exam is still "linear" meaning you have a maximum of six hours.

[5] A tip from my non-CISSP boss, because he knows what I'm like!