CISSP Journey

February 22, 2019

Welcome to Security

In the Spring of 2016, I started my new journey as a full-time security professional after being a Desktop | Infrastructure | Enterprise Engineer for all of my previous tenure in IT.

I was super excited, as I had been eyeing a move into Security from a position of someone in charge of creating images, hardening, creating group policy, building software packages, administering SCCM, and everything typically associated with the Windows Infrastructure side, to now being a dedicated Risk and Threat Manager!

Of course, when moving over I did not understand exactly what being a security professional would entail. There are a myriad of skills, tasks, functions, domains, paths, scopes, and all the other wonderful terms used to group or categorize a set of activities into a neat little bucket of fun. Not only is there getting caught up on the terminology and lexicon of a security professional, but there is also the roller coaster ride of finding your balance when it comes to understanding what an “emergency” is versus a “non-emergency.” What is an event and what is an incident?

Time to go for it

After being baptized by fire and moving through the ranks, I soon was in a position where I had enough experience across all my tenures to be eligible (experience-wise) to take the CISSP exam. I had put it off early in my Security career, as there is a 5-year experience requirement to qualify as a CISSP if you were to take and pass the ISC2 exam. While I had experience in various domains in all my previous roles, it was unclear to me whether you needed to be in a full-time “Security Title” designated role, or whether it was possible to have gotten that experience in other roles that had security functions. (It turns out the requirement is 5 years across any 2 of the 8 domains, less an education waiver of one (1) year for an eligible certificate or degree. As a matter of fact, just take the official link: https://www.isc2.org/Certifications/CISSP/experience-requirements)

Back then, the issue of whether contract work (that was 40 hours or more a week) also qualified as full-time work experience was a question, as the wording in some of the requirements is a little ambiguous and can make someone such as myself question the meaning of a statement if it can be interpreted multiple ways. Needless to say, I decided to concentrate on learning as much as I could in actual day-to-day work versus breaking down the intricacies of the ISC2 requirements. I figured that what I was able to learn and do as a professional was more valuable and deserved more of my meandering attention (versus stressing about whether I hit the qualifications for a certification that, at the very least, was asking for 5 years of experience in Security when I wasn’t even at my official 2nd year in my Security role).

What worked out for me is that, although I was not looking to take the test early in my role, I did read through material to prepare for the exam. Over the course of a year I had completed the Official Study Guide ISC2 CISSP, seventh edition. I would take a domain every couple of months when I had the time, and when I officially started preparing for the exam in November 2018, I had a pretty good grasp of all the topics between my day-to-day work over the last 3 years and covering the entire study guide.

In November, I set out to take and pass the exam by the middle of January 2019. The materials I covered between that declaration and my exam are listed below:

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th edition
CISSP Study Guide: Third Edition – Eric Conrad, Seth Misenar and Joshua Feldman
Eleventh Hour CISSP: Study Guide – Eric Conrad

Practice Questions by:
CISSP Official (ISC)2 Practice Test, Mike Chapple and David Seidl
Boson CISSP Exam SIM


Realizations

There is truth to the idea that, a lot of the time, you will look to answer the way a manager would answer. My experience as a Security Manager for almost a year played a key role in allowing me to deductively look at answers to certain situations or questions. Going from an analyst in IT Security to a Manager colors the lens through which you see questions when answering them. While I leaned (and still do lean) to a more technical side, understanding the implications of Strategy, Tactics, Operations, ROI, Cost Benefit, Risk Management & Assessments, Compliance & Regulatory obligations, and the ways that other programs such as Change Management and Architectural Review boards integrate into what a Security Program is trying to accomplish allowed me to understand when questions or scenarios were looking for technical answers or answers about the management of a Security Program.

I will say that I do not believe all the materials I used covered 100% of what was expected on the exam (that’s probably why there is a 5-year experience requirement!). There were a lot of questions that I felt I knew the answer to just based on gut exposure to scenarios, principles, and situations that I had come across as a professional. The material does allow you to gain a deeper understanding of some of the topics and gain a contextual basis for knowing why you may go one way versus the other. However, I will say that I think the more experience you have as a professional, the better foundation you will have for this exam. That isn’t a leap to say, and it is quite obvious if you research others’ experiences and what ISC2 says itself about the requirements and who the exam is aimed at. So, in that regard, it is true to its word.


In Summation

All in all, I would say I learned more in taking the actual exam than I did preparing for it. The exam was in no way easy, and I was really nervous and did not feel confident at all that I had passed the exam when I finalized my test.

In my opinion, a lot of that could have been due to the fact that all of your preparation is in your control, but once you actually take the exam, you have no control over the questions, how they are worded, or the scenarios. Naturally you will feel apprehensive about your confidence if you understand the insecurities of human beings and the imperfection of memory.

The domains I covered have helped me get a leg up on other exams I plan on taking in the near future (CCSP, CRISC, CISM). Having the experience of taking the CISSP has been great for understanding how the specific subjects of those exams tie into the overall Security Program. I am 4 weeks into the 8-week endorsement process and eagerly awaiting confirmation on whether I am fortunate enough to be a full-fledged member of ISC2 and a certified CISSP.

Coming Soon

My CCSP exam is in two weeks, and I am hunkering down on trying to prepare myself as well as I did for my CISSP. If the last test is any indication, no matter how many books I read, the test will be a test, and I need to bring my A game.

Tech Jacks
Derrick Jackson is an IT Security Professional with over 10 years of experience in Cybersecurity, Risk, & Compliance and over 15 years of experience in Enterprise Information Technology.