Being my first cybersecurity management certificate (the CISSP), taking this differs from most of my earlier cybersecurity certifications, which focused around various skills in offensive security (penetration testing, exploit development e.t.c.)
To some extent, I had to take this with a different approach — one with a stronger foundation in conceptual knowledge, and to a large extent, being precise with language.
One of the most underrated aspects of a cybersecurity professional’s development is in communication skills — both verbal and written. At the junior level, where most of their work comes from individual execution, often as a direct instruction from the boss, the junior cybersecurity professional tends to deflect communication matters to a more senior member of the team.
But one must eventually interact with more stakeholders than simply their direct superior. These include:
- Internal stakeholders: your direct reporting manager, your juniors and ancillary business functions within your organisation (unless you founded your own firm)
- External stakeholders: customers (all of us must get paid), regulators, and possibly those that look at your LinkedIn profile and ask how they can follow in your footsteps someday.
In all of these cases, precise communication, as well as interpreting others accurately and precisely are important skills. This is the fundamental premise of the CISSP.
Enough of the Preface. How Do I Study for This?
Having a copy of the latest edition of the Sybex text is useful. But do not be confined with simply textbooks. You’ll want to have:
- A good teacher (I relied significantly on Thor Pederson‘s course on Udemy, which is extremely cost-efficient for an instructor)
- Thousands (I mean it) of questions.
- The discipline to go through at least 175 questions per day as you lead up to D-Day.
First, I went through Thor’s course and took copious amounts of notes. It is OK to go slow here. Do the thematic tests, and go through the incorrect answers in detail. Pay attention, especially to the phrasing of the question, but do not memorise the answers; the scenarios on the exam, and the wording can both differ.
At some point, once you have completed your domains, go through the question bank. My own strategy:
- Use some blocks of 175 questions (some question banks pre-split these questions) as mock tests. Keep them aside.
- Drill topically, until you are able to answer questions at an average cadence of 1 minute per question and reliably score 80% on easy and mid questions.
- Drill with the hard questions. Your score will drop, and your average cadence will slow down. Continue to train to 1 minute per question and 80% accuracy.
- Then, use the mock tests to assess your readiness.
I cannot remember the exact number of questions I went through, but I easily went through 3,000 questions. The quantity is not as important as the ability to read for both depth and breadth, and make a decision in a minute. But you may ask, does the CISSP not have easy and mid questions? Why be so strict?
Adaptive Testing
If you take the CISSP exam in English (as of time of writing), you will be subject to Computerised Adaptive Testing (CAT). CAT can be simplified as follows:
- The more correct answers you have, the harder the questions become, and vice-versa.
- Hard questions are worth more points than easier questions.
- You can pass the CISSP in as few as 125 questions, but as many as 175 questions.
It is beneficial to obtain hard questions on the exam. With higher point-scoring questions, you can possibly pass the exam quickly. But that means the need to deal with many scenario-based questions, as is the case for hard questions.
WARNING: You cannot go back to check answers you have submitted in a CAT exam. This is why the cadence is extremely important. You want to keep up with a slightly faster cadence than what is required for 175 questions in case you freak out since skipping questions is a bad idea.
Know Your Strengths
The CISSP is not an entry-level certification. Usually, the CISSP is taken by those who have some experience in a security domain. For me, my own background as a penetration tester allowed me to breeze through Application Security, and my prior experiences teaching the basics of cybersecurity (as basic as CIA) and performing threat & risk analysis allowed me to take a few other domains with ease. But not all eight domains to me were smooth-sailing; I had to work very hard to overcome the innate disadvantage I had having not been in a SecOps role, or a network engineer role.
Strategic, Tactical, Operational Views
In an ideal world, all three views are consistent, and people who work at different levels of cybersecurity all understand one another. But this is almost always not the case in the real world. Let us illustrate this with an extreme example.
A security analyst observes an excessive amount of traffic on TCP 10443 on a public-facing PHP storefront your business controls. The documentation for said application has not been updated in 5 years. There also appears to be at least 200 GB worth of outbound traffic to unknown IP addresses using TCP port 8443 on the same host to IPv4 domain in a country which your business does not typically operate in. The outbound traffic is encrypted. What will you do first?
Sample question. Not to be taken as representative of the exam.
- Consult best practice guidelines on NIST on how the servers should be secured.
- Review the hardening configuration of the host to verify if TCP 10443 and TCP 443 are allowed ports for communication.
- Take the server offline.
- Use the documentation to troubleshoot the host.
This extreme scenario clearly has “active cyberattack” written all over it. From an offensive angle, it would appear that an attacker is likely using the PHP application on TCP 10443 to issue commands to exfiltrate data on a different port (in this case, TCP port 8443). Encrypted outbound traffic of this type usually does not belong to the organisation, but could be the attacker establishing their own HTTPS tunnel to disguise their traffic as legitimate web application traffic (unless you perform an inspection on the certificates used). This is likely as TCP port 8443 is indeed a commonly used port.
It would then sound rather ridiculous to perform a strategic or tactical action. This is quite likely operational, requiring immediate action through a triage process, and escalation to the necessary teams to perform the appropriate remediations (e.g. taking servers offline, writing emergency firewall rules).
But, the CISSP also has questions which require a different view, such as assessing the readiness of a business to adopt a series of policies to upgrade the overall cyber-defence posture of the business. Here is an easy question to provide an idea on what I mean.
A managed security services provider (MSSP) has recently required help from your consultancy. They would like to assure their customers that customer data can be safely on-boarded. Which is the most important assessment/audit to assure their customers?
- ISO/IEC 27001
- SOC 2 Type 2
- SOC 2 Type 1
- All three assessments/audits are equally important
In your country, there may already be regulations that define a minimum standard MSSPs need to adopt to. For example, in Singapore, MSSPs will likely have to apply for a Security Operations Centre (SOC) licence. But the exam does not assume Singapore compliance. One has to think about what the tactical objective is: assuring customers of a MSSP that operational security controls are in place. This leans towards a SOC 2 Type 2 assessment. SOC 2 Type 1 focuses on security design at a snapshot in time, and ISO/IEC 27001 is not necessarily the most precise assurance specific to MSSPs, even if your home country might use ISO standards as a baseline.
Zooming In and Out: An Essential Skill
Part of a manager’s task is to oversee a collection of different projects. They are likely at different stages in the project lifecycle, and likely have different types of problems requiring different levels of attention. The ability to quickly switch to a different activity, and apply the right focus is a different ability from undivided attention on an engineering/ethical hacking assignment. This can partially explain why many who enjoy great success in a previous cybersecurity job/domain struggle in a more management/risk-based certification. But the more important point is to encourage the CISSP student who is currently struggling with not understanding the notes or the exam. It is an exam that assesses your ability to pick the right type of lens and focus to answer cybersecurity issues and scenarios.
Concluding Remarks
One final comment I would like to add is the following: cybersecurity is a field that is both extremely broad and deep. There are so many aspects to look at, and many different skill sets are required. Do not be discouraged should you find a broad-based exam like CISSP intimidating. I myself was intimidated at the sheer breadth of the material. But the right mindset will set you on the path to CISSP glory. This mindset may differ from the mindset I used when embarking on the OSCE3.