CISSP prep

Date February 7, 2008

I know I’m going to catch some flack for this from some of my colleagues at Foundstone, but I’ve actually gone out and bought a book prepping for the CISSP exam, and talked myself into biting the bullet and actually following through and taking the exam sometime this year.

I’ve been quite vocal in that I really didn’t want to do this - my main argument being I have letters I can put after my name that are more meaningful (and still don’t use them), and that the CISSP doesn’t give me anything (I believe in my instance at least) that signposts any security competence in the areas that I work in other than what you can already see on my resume. I’m all for continuing education (I’ve considered an MBA or JD at night school, although I can’t dedicate the evenings with all the other work that’s going on at the moment), but this just feels like "prescribed learning" rather than the "learning the how’s and why’s" of traditional education so you can build from (first) principles if needed. Anyway, I thought I’d write a post on my experiences so far.

So, first up, why am I even bothered about getting my CISSP? Mostly, I look towards education as an opportunity to learn, or in some cases for reinforcement. I really don’t think I’m going to learn all that much through this, so it really comes down to showing a minimal competency in the security area. This helps Foundstone in some ways (some clients ask for CISSPs in an RFP) and helps myself (an "extra" qualification that helps if I do go looking for another job at some point). People in management that I’ve talked to, both in Foundstone and our clients, say it’s something they look for, so I guess there’s some benefit there.

Both of these don’t exactly sit well with me though, as using any kind of qualification as a barrier for entry often can reject good people, and vice versa - experience (and applied knowledge) IMHO counts so much more. I really don’t feel that the CISSP (and I’m not just picking on this - MSFT, Cisco, Sun, etc. "qualifications" are the same) is in any way similar to a degree, research, or otherwise, which isn’t only about the knowledge you obtain but transferable skills. Perhaps the industry needs qualifications of this type so that employers can get at least some "feel" of what they are getting at a minimum, but I’ve met plenty of CISSPs that don’t have a clue, and most of the leaders of the security field seem to be non-CISSPs. In any case, if it’s something that isn’t going to take a huge amount of effort, why not (which is what most people have been telling me). Having a CISSP does not equal security knowledge, but with security knowledge it should be pretty easy to get a CISSP.

In order to get a grasp on areas that I need to focus on, I’ve been trying the sample questions in books and online. The StudISCope online practice tests are the "official" ones from (ISC)2, and apparently mimic the exam itself, so I’m using that to practice and find areas that I need to read up on a little more. I’ve currently taken 3 practice exams (100 questions each), and (thankfully) passed each time :) The exam is of the multiple-choice variety, and mostly the answers are common sense. There are quite a few that look for specific knowledge (e.g. security calculations with acronyms like SLE, ARO, ALE, which probably mean nothing to you unless you’ve been studying), but generally "discard the two that obviously aren’t correct and choose the best fit from the others" seems to be a good strategy. Interestingly, one of my lowest scoring categories is application security, which is funny as that’s what my speciality is! I guess I shouldn’t read into the questions too much.

For the actual studying, I’ve got The CISSP Prep Guide by Krutz and Vines. A lot of the books on CISSP seem to be very expensive, and this is no exception at $80. I suppose there are others out there that are more "official", but I feel that after going through the questions, all I really need is to skim and pick out the "intention" of the domains that I’m not as strong at and learn the jargon.

Finally, I’ve been reading into what you must do to continue to keep your CISSP once you have it. During each 3 years you have to earn "120 CPE credits" (whereas it didn’t matter when you did them, now it seems you have to get a minimum of 30-40 per year). Getting credits doesn’t seem that difficult to me - I do a lot of writing and training anyway, so I think I can get most of my CPEs that way. Also, I’m a regular attendant of BlackHat/DefCon, so it gives me leverage to go to them each year :)

So, those are my feelings behind the CISSP, and my approach. Wish me luck in taking the exam sometime in the future and I’ll write back here on how things go and my experiences with that.

4 Responses to “CISSP prep”

  1. Shoaib Yousuf said:

    Hey Mike,

    I read your blog quite regularly. You really have good extensive knowledge in Information Systems Security. You share good knowledge in your blog.

    I am also preparing for CISSP and planning to take exam this year.

    With the amount of knowledge and experience you have got, I don't think you will have any problem.

    Still my wishes and good luck are with you.

    Cheers
    Shoaib

  2. javier said:

    Best prep book:
    CISSP Certification All-in-One Exam Guide, 4th Ed.
    http://www.amazon.com/CISSP-Certification-All-One-Guide/dp/0071497870/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1202441506&sr=8-1
    by Shon Harris
    I know a lot of certified people (I'm preparing for it also), and all of them guarantee you’ll pass the exam with this guide. Forget the official (ISC)2 book, they were even accused of plagiarism. Good luck.

  3. Preparing for the worst. | Mike Andrews said:

    [...] would be large) (please don’t make me think of all the BCP formulae in the CISSP I’m still studying for but haven’t had time to actually take).  However, in several critical infrastructure [...]

  4. Hidar said:

    Hi Mike,

    Thank you for sharing your experience. I am preparing for the CISSP and planning to take the exam.

    Do you offer me to buy the StudISCope online practice tests? I would really appreciate it if you can help me.
