CISSP
3 Year Update
I’m quickly approaching the 3 year anniversary since earning my CISSP. I just completed my CPEs and paid the maintenance fee, so it was time to revisit my review. My previous review was based on my experience with the exam and my preparation. When starting out I felt ambivalent toward it, initially pursuing the certification just to have it. I wanted to knock it out because it seemed like a necessity in the field, just to beat the HR filter. I was happy to earn it, but I was certainly over it after the endorsement process. My opinion has certainly shifted since. The positive side is in its name recognition. “I have a CISSP” generally communicates a respectable level of knowledge to folks outside of infosec. In this review I’m going to revisit my exam experience, in addition to all that’s happened since.
Exam Prep
I didn’t get too crazy with exam prep. There’s plenty of material out there that’ll have you covered. I started with the Sybex official guides, and practice tests. That covered most of it. For general practice, I grabbed the CISSP Pocket Prep app. I found that to be a decent solution for additional practice. Of course, I have to thank Kelly Handerhan.
Exam
I didn’t care for this exam, not that anyone enjoys taking them. You hear things like, “A CISSP is a risk advisor, not a problem solver.” It’s true for the exam, maybe not in the real world. Adapting to that mindset is challenging if you’re more hands-on in your work. It is not uncommon for me to be a risk advisor, solution architect, and engineer all at once. Sometimes questions feel a bit silly with semantics too. “Gotcha” questions don’t serve to validate anyone’s knowledge. My advice is to read the question thoroughly. If you’re well prepared and you miss a question, chances are you missed a word that gave it away.
Positives
Coming from a technical background, digging into risk management really helped me out. When I started in security, I was not equipped to discuss things in terms of financial impact. Risk management for IT folks rarely involves the financial impact; rather, we concern ourselves with the technical impact. We’re concerned with keeping systems up, but we’re often not privy to conversations around income and operational expense. Telling an executive we need to spend $100,000 to replace some EOL hardware because we’re going to see vulnerabilities pop up is not effective. Framing it as, “This hardware protects $10M a year in revenue,” makes it much easier to get budget approval.
“Prestige”
Let’s call it prestige for lack of a better word. The cert has name recognition. To paint the picture, I am young, bearded, and long-haired. I pretty much only wear band shirts, jeans, and Vans in public. I’ll be real with you, I get wide eyes when people meet me for the first time. I’m not usually very public-facing within the org outside of emails. I don’t particularly care that I don’t fit the mold, but having some weight in my qualifications helps offset the dirty hesher look.
Go make friends
You don’t need a CISSP to join any professional network, but I never really bothered before. I encourage you to do so, whether that’s your local ISC2 chapter, OWASP, or a random local group you found on Meetup. Once you get certified, you’ll need CPEs, and that’s a plus. I’ve met quite a few mid- and senior-level folks that I can rely on for candid advice. As mentioned before, you’ve got 8 different domains. I’m certainly weak in some of them, and it helps to have friends who aren’t, even if it’s just a sanity check when buying tools or solutions. Paraphrasing a recent conversation:
Me: “Hey man, I’m looking for a solution for X. I’m looking at vendors A, and B. Have you tried either?”
Colleague: “Oh, A sucks dude. Absolute garbage. We ripped them out after three months, had to get legal involved. We put B in right after, we’re happy with it.”
The Negatives
Passing the cert says, “I know a little about a lot of things.” There are 125-175 questions to validate your knowledge of 8 separate domains. You won’t pass without understanding these domains, but it’s hard to be an expert in all of them. While I’m glad I spent time learning, I absolutely have forgotten half of what I studied. If I had to sit the exam tomorrow, I might not pass. That problem isn’t inherent to the CISSP. If you’re not using something every day, you will lose it. It’s supposed to be a capstone cert; by the time you reach it, you should be well-rounded enough to make educated guesses.
Final Thoughts
Overall, I’ve grown to appreciate the cert a lot more. When I initially pursued it, it was mostly to say I had it, and beat HR filters. These days, I use a lot from it. As I’ve become more senior, I find myself leaning into those risk management skills. Learning to speak executive was a huge gain. That being said, it was a SLOG, so I’m intent on not letting this one expire.