The CISSP (Certified Information Systems Security Professional) is the cybersecurity industry’s foundational standard and one of the top IT certifications.

The Bar Raised High

The entry requirements for the certification are fairly high, which explains why many specialists are discouraged from giving it a shot: applicants need at least five years of verified security experience in at least two of the eight areas covered by CISSP (we will walk through these areas below).

The exam itself is pretty tough. I had passed 12 Microsoft certifications before, but they weren’t nearly as complicated and weren’t even close in terms of the competence they required in the domain. CISSP requires comprehensive security knowledge, ranging from physical protection of assets all the way to security management at the enterprise level.

This breadth is what gives the certification its quality and value.

Certifications like CISSP are among the main hiring criteria for technical executives in many countries. The “as-a-service” business model may have shifted the general perception of certification as a path of continuous growth, with new functional features starting to take priority over non-functional system attributes, including security.

What Are the Benefits of This Certification?

Let me share a little of my experience. At least 7 out of 15 years of my IT background were security-related (developing well-protected architectures, web security analysis, penetration testing, creating a custom intrusion detection system, live systems security management and consulting). Every single time a case came down to security, merchants and customers would ask the same question: “How can you prove your skills?” The first thing certification has enabled me to do is prove my expertise in the security domain.

Incidentally, I was surprised to find out that the attitude towards certificates in the Western world, including Great Britain, is somewhat unusual. People firmly believe in the power of CISSP. Developers and managers will start asking specific questions on the matter or dwell on their awareness of certification. Merchants tend to mention that the company has a CISSP-certified specialist, whether it’s appropriate or not. Therefore, the certification itself has become part of a marketing strategy.

Speaking about security as a whole, it’s not enough to know specific technical details these days. The modern IT ecosystem additionally requires expertise in security management. Risk assessment and management, threat modeling, multi-layered protection, security standards and frameworks, business continuity and disaster recovery plans, data categorization levels — all of these spawn multiple guidelines, policies, procedures and the like.

For instance, according to GDPR (General Data Protection Regulation), if you cannot provide official confirmation of meeting a specific requirement, then it doesn’t matter how well your system is built — you aren’t GDPR-compliant, period. I have faced all of these issues before, but CISSP helps organize your knowledge of standards and their requirements.

Another non-obvious benefit is that prepping for the exam helps you refresh the knowledge that you don’t need in your daily work and have started to forget. Who can recall off the top of their head which symmetric encryption mode is appropriate for which scenario: ECB, CFB, CBC, CTR or OFB? What are the differences between HMAC, CMAC and CBC-MAC in the context of ensuring message integrity? That’s the point. What matters is not even remembering it all (although you will have to for the exam) but knowing where to look in order to make the right decision in the future. Recalling what you forgot is useful now and again.

The Areas

As mentioned above, CISSP covers eight security areas.

1. Security and Risk Management

Issues related to security standards and frameworks (ITIL, COBIT, ISO/IEC 27000, NIST, SABSA, etc.), regulations and acts (GDPR, HIPAA, PCI DSS, the Patriot Act, etc.), privacy, and risk management frameworks (COSO, ISO 31000, NIST). Long story short, this one encompasses everything related to the world’s security practices and standards.

2. Asset Security

Data categorization, data lifecycle, responsibility levels in an organization, data storage policies, data protection and destruction strategies.

3. Security Engineering

Cryptography, key management systems, operating system protection mechanisms, data access modeling, physical premises security.

4. Communication and Network Security

Network topology and standards, network protection, channel protection, network threats and attack vectors, communication security management.

5. Identity and Access Management

Physical and logical access control, authentication systems and their management, biometric authentication, attacks against access control systems, intrusion detection and prevention systems.

6. Security Assessment and Testing

Security assessment techniques, penetration testing, vulnerabilities, data backups, reporting, business recovery in case of an IT emergency.

7. Security Operations

Investigating security incidents, physical security management, incident management systems, change management, IT disaster recovery strategies.

8. Software Development Security

Security practices integrated in development workflow, change and configuration management, repository protection.

Obviously, the certification covers a vast security domain and has a great deal to do with management and calculation as well as security procedures and standards.

How It Goes

Now, a few words about the steps involved in passing the exam.

1. Find a CISSP with a valid certificate who can prove their background and qualification. You need a reference from an actual CISSP before taking the exam — the person is supposed to vouch for your expertise. If you cannot find such a specialist on your own, you can request one from ISC2.

2. Purchase the online exam at Pearson VUE, an IT services management company focusing on computer-based testing.

3. Prep for the exam. My main knowledge base was the CISSP All-in-One Exam Guide, Seventh Edition. However, thinking that you’re guaranteed a pass if you read this book is way too optimistic. Here’s why:

  • It’s 1,300 pages of somewhat abstruse text full of abbreviations
  • I additionally had to search online for quite a bit of information provided there
  • As far as I remember, one of the questions at the exam had merely one short sentence dedicated to it in the book

What’s great about this knowledge base:

  • Clear-cut structure and presentation of the contents
  • Specially crafted for the exam
  • Contains a list of questions at the end of each section covered so that you can check your knowledge
  • Continues to be a must-have book when it comes to security

A few tips in terms of preparing for the exam:

  • Don’t waste your time looking for questions that may be asked at the exam and memorizing them — the question pool is reshuffled all the time, and no one receives the list of questions after taking the exam
  • Be sure to study the Code of Ethics as there will definitely be some questions on it

4. Take the exam. Try to relax and be as prepared as possible before you go in. Everything appears to be strict and serious in the certification center: they take your fingerprints, search your pockets and make videos of what’s going on. You’d better use earplugs, because other people will be taking their exam nearby.

The whole thing takes six hours, and there are 250 questions, which means you have roughly two minutes per question. So, you really shouldn’t leave any questions unanswered — perhaps you won’t have the time to get back to them. Rely on your expertise and follow your intuition. You might want to mark the questions you aren’t sure about.

A peculiarity of the exam is that every answer in a multiple-choice list can be correct, but you need to pick the most appropriate one. Therefore, eliminating obviously incorrect answers may not do the trick. Keep in mind that human life is always the most fundamental asset, so make sure you choose it if it’s among the answers.

It took me five and a half hours to complete. I tried to go over the questions I wasn’t positive about, but hardly changed anything.

You get the verdict whether you’ve passed the exam or not right away. At least 75% of the answers need to be correct. If you have passed it, they won’t even tell you the percentage of correct answers.

5. CISSP certification. Having passed the exam, you are only halfway through. Next, you need to confirm your expertise: at least five years of experience in at least two domains. Moreover, you need to prove it with official documents — that is, provide copies of contracts or a record of service indicating your position.

For example, I have worked as a Chief Technical Officer for the last seven years. I described all of the eight areas in a separate document, sorting them by the degree of my proficiency in each one. I attached this document along with the other scan copies to the application form. In the form itself, I covered my entire background in a nutshell.

The first confirmation of your expertise needs to come from the CISSP from step one above. Then the ISC2 committee will vet the information once again and decide whether or not you merit the CISSP title. This stage takes up to 6 weeks.

I passed the exam on December 12, 2017, and it wasn’t until February 13, 2018, that the committee confirmed my certification.

6. Keep the CISSP certificate valid. Passing the exam is not enough: you have to maintain the certification. You need to earn a certain number of continuing professional education (CPE) credits annually. Furthermore, maintaining the certification will cost you about 85 USD per year.

Conclusion: The Bottom Line

Whether you like it or not, the modern regulations, including GDPR, require technical and organizational measures to protect data, so security management issues are going to be everyone’s concern.

Serious certification requires thorough prepping, so don’t rely on luck.

Never stop refining your security expertise. It should be a continuous process.

And remember: the problem isn’t as big as it seems. If you really want it and make the right effort, you’ll pass the exam.