This webcast was originally published on September 4, 2024.
In this video, Jason Gillam discusses the comprehensive subject of CISSP certification, offering insights into its importance, study strategies, and the maintenance of certification status. He delves into the various aspects of preparing for the CISSP exam, including understanding the breadth of topics covered, effective study habits, and the utilization of practice tests. Additionally, Jason highlights the ongoing requirements to maintain the certification, emphasizing the continuous learning and ethical standards expected of certified professionals.
- The CISSP certification is recognized as the most comprehensive general certification in the Infosec field.
- Ethical standards and adherence to a code of ethics are crucial components of the CISSP certification.
- The CISSP exam covers a broad range of topics across eight domains, requiring a foundational understanding rather than deep expertise in any one area.
Transcript
Jason Gillam
Today, I’m going to be talking about probably one of the most boring topics in infosec for a lot of people: certifications. I’m going to be talking about the CISSP.
I will try not to bore you too much. Hopefully you’re here today because you’re interested in learning a little bit more about it.
Maybe you’ve been tasked with taking it. That happens a lot. Or you’re just curious, and I will try to answer some of those questions about what’s in it, how you should study for it, what the different options out there are, that sort of thing.
So I’ll give you some initial guidance. Now, at Secure Ideas, we do a ten-week mentorship program for studying for the CISSP, and I think it starts up next week, actually, for the current run.
So part of what I’ll be talking about is what we can do for you there. And that’s done through Antisyphon. So I guess the first thing I need to do is talk about me a little bit.
So my name is Jason Gillam. I am the CIO at Secure Ideas. I still, on rare occasion, get to do pen testing. That’s what we mostly do.
I’m an IANS faculty member. If you’re not familiar with IANS, they do ask-an-expert type services and other things.
I have my CISSP and I maintain it, and currently that’s the only certification that I care to continue to maintain. I’ll get into why that is later.
I am an OWASP project committee member, so if you’re into application security and have any questions about that, feel free to ask.
I’ve been into hacking things since about 2009, and prior to that I was in software development for a very long time.
I had a Commodore VIC-20 in the mid-eighties, and of course the very first thing I did with that was program a Dungeons & Dragons character sheet generator, because that’s what you do when you’re about that age and have a computer.
So yeah, I’ve been doing software development for a pretty long time.
So other things that I like to do, of course, because I like software development so much and I still do it: automation is one of my big things.
Home automation, writing scripts to do things. I am the type of person that will spend hours trying to automate something that will save me a few minutes of work.
So that’s fun. I enjoy it. The real question is, do I still have a D&D character gen?
I don’t think I have one now, but you could probably get an LLM to write one for you these days. So that might be kind of an interesting take on it.
Also, because I now have a greater portion of my time spent managing a company, whereas previously I didn’t, business strategy in general is something that I really enjoy.
I used to think I would hate business, and then over the last few years I’ve kind of gotten more into it, which I know kind of goes along the lines of, okay, here’s another boring topic to stack on top of the CISSP.
And I do have some fun things. I really enjoy gaming. I like board games, I like video games. And I also enjoy homebrewing. I unfortunately haven’t had a chance to do very much lately, but home brewing of most types.
I haven’t made any wine or anything like that, but I’ve done ciders and meads and various different ales.
Boring stuff. Pays well. Yeah, it does, well enough, I guess. So let’s move on. So what is the CISSP?
It is the Certified Information Systems Security Professional. Right. That’s the long form of it. So you can kind of understand why we always shorten it to CISSP, or even more so, “Cisp.”
I’ve also heard some people say “Cis-P.” But I usually just pronounce the whole thing as a single syllable, just “Cisp.” So it comes from ISC2.
You’ll always hear me hesitate when I say that, because they were (ISC)² for the longest time. And I think it was just last year they switched to ISC2. So every time I say it, it’s like, ISC2.
Right. Kind of think about that. So, ISC2, by the way.
So they’re a nonprofit body. They’re focused on training, certification and continuing education in the cybersecurity space in general. So they do have several different certifications today.
I’m talking about the CISSP, which is, I guess, sort of the entry level for leadership types. As I said before, it’s that mile-wide, inch-deep knowledge scope.
And it is recognized; it is the most recognized certification in infosec, just as a general certification.
So, not getting into specifics, I saw somebody mention in the chat OSCP, which for pen testing is a more specific domain, but for something that’s across all domains, it is the most recognized one.
And I can’t remember exactly where the data is to back that up, but I want to say it’s based on LinkedIn searching or something like that.
If you’re going to look to get hired by a company to do any sort of cybersecurity job, it certainly doesn’t help to have this on your resume.
So, yes, nonprofit doesn’t necessarily mean no money. There’s money involved, for sure.
Okay, so let’s talk about prerequisites, right? So if you want to go through the CISSP exam and certification and get this, what do you need to have before you get there?
So, first of all, you have to actually agree to a code of ethics. This is one of the few certifications where parts of it actually are an ethics test.
And you’re agreeing to the code of ethics that they have. And I’ll get into more details on what that looks like later, but that is a big part of it. So if there’s any part of the code of ethics that you disagree with, then you should forget about getting your CISSP, because you’re required to agree to it in order to receive the CISSP certification.
So even after you’ve done the exam, you have to have five years of experience within at least two domains. Now, what you’re going to find, and I’m going to show you the domains on the next slide,
is that there’s enough overlap between domains that most people who have been doing some sort of tech role for at least five years have exposure to more than one of the domains anyway.
Right. So you’re going to see that there’s quite a bit of overlap. So five years, or you can get that shortened down to four if you have a college degree.
I never really understood why that matters, but apparently it does. Or four years of experience with an approved security certification.
And the list on here is an example, right? So there’s CCSP, CISM, Security+. On the ISC2 website there’s a massive list of certifications that are supported there.
So it doesn’t have to be one of those. It can be anything from the actual list that they have. And then if you don’t have any of the above, you can still take the exam and get what they call an Associate of ISC2.
And then you have six years to gain that five years’ worth of experience in total over that time. So that’s helpful. Let’s say you only have three years of experience.
You can go take your exam, be an associate, collect the remaining two years of experience, and then you would get your certification at that point in time.
So those are the prerequisites. And then, yes, there is an endorsement requirement as well. I don’t have that on this slide, but that’s after you’ve passed the exam.
You do need an endorsement as well. It’s a good point. Okay, so I’m just glancing at Discord to see if there are any questions.
I don’t see any.
CJ Cox
Jason, if you want, I’ll keep an eye on that. I’ll bring them up to you if there’s something that doesn’t.
Jason Gillam
Yeah, that’d be great. I’m sort of looking out of the corner of my eye, but it’s scrolling by so fast I’m missing things, I’m sure.
All right, so let’s talk about the domains. I know the text on this is a little bit of an eye chart, so I’ll go over it in a little bit. So what I’ve done here is I’ve actually updated the percentages with the latest, I think it came out in June-ish this year, the 10th edition of the official CISSP study guide, and what the requirements are.
So there were some minor changes, and I’ll go over those later, but they’re in the actual content. But there were some minor changes in the 10th edition with the percentages on here.
It was really like a couple of shifts of 1% here and there. So nothing major. So going through these, these are the domains that you’re going to be expected to, I’ll say, master. You don’t have to know everything about everything in all the domains.
Remember, it’s an inch deep and a mile wide. So you need to have a good foundation in all of these domains in order to be able to get your CISSP cert.
So the first one, starting with number one, Security and Risk Management. This is going to cover things like governance, compliance, legal and regulatory type stuff.
Ethics is in there as well. And just risk management in general is in there. And then the second one is about Asset Security.
Seems self-explanatory. So we’re talking about data classifications, ownership, retention, destruction, policy type stuff, privacy protection.
So a bunch of those types of topics. And then Security Architecture and Engineering; this is the domain that a lot of people dread because it has the security models and frameworks in it.
So Biba, and anyway, all of those. I try not to actually get into actual content here, but yeah, there’s a bunch of security models.
Traditionally we’ve had to do a lot of memorization on those, and so that’s one of the reasons why people don’t like it, because it’s like, hey, there’s this model out here, I understand this model, and I probably never actually refer to this model again.
You’ll use it, but you just won’t refer to it by name, so why do you have to memorize it? But that is part of the exam.
Also in that section are the principles of cryptography, and I believe physical security falls into this one as well, into the third domain.
So rolling back years ago, there used to be ten domains and then they shrunk them down. I think it was ten domains, and they shrunk them down. Physical security was in its own domain by itself and then it got moved into one of the others.
Then we have Communication and Network Security. This is probably what most people think of when they’re thinking of information security, the network security aspects.
You’re talking about the different components, getting into firewalls, network architecture, segmentation, different communication protocols, all of that kind of good stuff.
The next one on here, number five, is Identity and Access Management. So authentication, authorization controls, various different access control models, the identity management lifecycle, all of that kind of stuff falls into domain five.
And then in six we have Security Assessment and Testing. So this is getting into basically what we do at Secure Ideas, which would be penetration testing, vulnerability assessments, various different control testing strategies.
All of that kind of stuff falls into domain six, and domain seven is operations. So we’re talking about incident management, business continuity, logs, monitoring, all of the operational aspects of security.
And then last but not least, domain eight is Software Development Security. That gets into application-specific flaws, secure coding practices.
I know in the pre-show banter we talked a little bit about the software development maturity models and lifecycles and whatnot.
So a lot of that will fall in there as well. And then I think in there also is where you’ll find the third-party security management.
Like some of the supply chain stuff, I want to say that’s also in this domain. There are parts of that in different domains. So like I said, there’s a lot of overlap between these.
It’d be very rare for someone to only have experience in a single domain. So going back to the prerequisites, it’s pretty easy to have domain experience across more than one.
And so the bar to entry is not that difficult if you’re an actual security practitioner.
CJ Cox
Sorry, Jase. Mouse asked us how far up the ladder should you go before you get the CISSP. So what’s your overall recommendation?
Jason Gillam
I don’t know that you need to go up the ladder to get it. It’s a good question. I think that once you’re at a point where you are, I don’t know, middle management at least, you should definitely be looking to get it.
But I also think that there are benefits to getting it even if you’re an individual contributor on a team. It gives you a better understanding of security as a whole within an organization.
And that is only going to help you in your job and your career progression going forward. And like I said before, it’s also a really great point to have on your resume.
So if you’re in a position where you’re switching jobs, having the CISSP on there will definitely help you get your foot in the door.
CJ Cox
I totally agree with all that. I always thought that it was good to have the big picture, and I thought it was really great when they put out that associate, where you can be working towards the experience.
And obviously it gets a ton of attention on your resume. So, good stuff.
Jason Gillam
Yep. All right. Okay, so I’ll keep moving here. I don’t have tons of slides, but I also have never presented this deck before, so I want to make sure I get through all of it.
So, the code of ethics. So this is what’s on there. There’s a preamble. Okay. So all of this to me makes sense, and I fully agree with and support ISC2’s code of ethics: “The safety and welfare of society and the common good, duty to our principals, and duty to each other require that we adhere, and be seen to adhere, to the highest ethical standards of behavior.”
One thing that I’d just point out is that little bit at the end that I put emphasis on, “and be seen to adhere.” That’s really important in our industry. Right? It’s not just, are you doing the right thing by the letter?
Is that also what it appears that you’re doing? Because if you have the appearance of unethical behavior because of the manner in which you’re doing something, then that tarnishes us as information security professionals.
And I think that, especially in the domain of penetration testing, where we sell ourselves, and Black Hills is in the same boat, right?
We sell ourselves as hackers for hire. That makes it even more important that we do that, and that in everything that we do, we show that, hey, all of this is aboveboard.
We’re not doing anything shady. Yes, we think like attackers. We think like the bad guys, but we do that in a very professional manner and an ethical manner.
And I think that’s really important, that it be seen that way. So, next part. “Therefore, strict adherence to the code is a condition of certification.” So the canons, and the order of the canons, is important.
So they’re actually ordered from the highest priority to the lowest. Not to say that the lowest priority is not a priority. It definitely is. But: protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. And advance and protect the profession.
So that covers the ISC2 code of ethics. Now, if you are doing the exam, I think I talk about this later as well, but
the code of ethics will be the first thing you see in that exam. Once you go into it, there’s a countdown timer, and you have to accept the code of ethics before that time’s out, or you’re done. Your exam is over, and you fail.
I have actually heard of a case where this happened where it wasn’t intentional. You get a whiteboard. It used to be a pad of paper or something that you could jot down some notes on.
So things that you’ve memorized and you want to just get down on paper while you’re nervous, before you actually start answering questions. And so what’ll happen is people would sit down, start writing out all of their notes and everything.
It would take them a little more than five minutes, and then they would turn to the terminal to start the exam, and they will have timed out that first question, which is, do you agree to the code of ethics?
So that’s a really bad scenario, and it happens. So if you take it, just remember that. Do that first, then write down your notes.
CJ Cox
Jason, real quick. It sounds like you actually put some emphasis on that, whereas I think a lot of people treat this as sort of a, yes, you have to sign the user agreement.
Jason Gillam
Well, yeah, I mean, hopefully going in there you will have already read the code of ethics, so you know what it’s going to say. I’ll go over it beforehand, and I don’t see anything in here that you shouldn’t agree with, but if you do have...
Yeah, I don’t know.
CJ Cox
I think it’s non-trivial, though. I mean, in our society we tend to have put things like this... I commented in the chat earlier about oaths and things. We tend to just kind of sweep them aside like it’s a formality you have to do.
Jason Gillam
But it’s not in this case. No, it isn’t. You will actually, if you are in violation of this code of ethics, you’ll lose your certification. Oh, yeah.
CJ Cox
Lawyers tend to put a big thing on this, too. I guess that’s one of the things where it comes from. But this is like the code of chivalry, right? Like if you’re out fighting the good fight for good, and then this is...
It is almost trivial that you accept it, but it’s very serious and foundational.
Jason Gillam
So it is, yeah.
CJ Cox
Off soapbox.
Jason Gillam
Okay, so the exam overview. So it’s offered in several different languages.
There are actually two forms of the exam. And the main one. So they have the CAT, or computerized adaptive testing, and then they have what they call, I think it’s called the linear exam.
And the linear is like the old way they used to do it, and that’s still available. For example, if you are taking it in a language that the CAT form doesn’t support, then that is still an option for people.
But for most people, you’d be taking the CAT version. So it’s a minimum of 100 questions, a maximum of 150, and you have 3 hours to do that in.
So you can kind of do the math to figure out, okay, if you keep a pace of answering 50 questions every hour, then you’ll have enough time to do it,
even if you go to the maximum number of questions. It’s adaptive. So it is possible that you’ll get to question 100 and the exam will have determined at that point that you really know your stuff,
so you pass, or you really don’t know your stuff, and there’s no way that the remaining 50 questions are going to make a difference.
So you can fail at that point, or it can go all the way to the 150. And I’ve heard the same thing from almost everyone who’s taken this exam. I didn’t take the CAT.
I took the older one. But everyone who has taken the CAT, they got to the end, and it doesn’t matter if their end was at 100 questions or 125 or 150, and they walk out of there very insecure in terms of, geez, I really don’t know how I did.
Did I pass or not? And then they find out they passed. So if you’re well prepared, then don’t worry about that aspect.
Don’t let it bother you that, oh, it ended at a certain number of questions. Go through until you’re done and just plan on there being 150. If it ends early, that’s probably a good thing.
So there are 25 unscored questions in there, too. So you won’t know which of the 100 to 150 questions are actual questions that are scored. So what they do is, any new questions that they bring in, they kind of test them,
and so you’re not actually scored against those. That helps them evaluate how effective the question was. So you don’t really find out which items you passed and which ones you didn’t.
It’s just pass or fail. Right. So, okay, let’s talk a little bit about the question types.
Because the other thing, too, and I don’t think I mentioned this on here, is there’s no going back. So you should answer every single question; you can’t pass and come back to it later.
If you don’t answer the question, you’re automatically going to fail that question. So most of the questions are standard multiple choice. That’s four options.
Pick an answer. That maps to a lot of the practice questions that you get, because obviously, if you’re reading practice questions out of a book or online or whatever, then those are not going to be adaptive.
So that’s probably not going to help you there. Although I will say this. I found that an interesting strategy to test yourself against a certain chapter or something in the book is to go to an AI, like ChatGPT or Claude, and have it quiz you and then score how you did.
And if you word the prompt right, you can have it actually ask you open-ended questions. So it’s actually testing how well you know the topic rather than how well you answer multiple choice.
So that’s actually a pretty neat study hack there. So some of the questions will require select two, select three, that sort of thing.
Those can be difficult because you’re trying to figure out, okay, what are the best options? Or what are the least worst options? And then some are a little bit more innovative, like drag-and-drop type things, but most of them are going to be multiple choice.
CJ Cox
Someone commented earlier saying that the answers are subjective. And I’m like, well, I guess that’s somewhat true, but you have to learn their ropes.
You can really pick that up out of the books. And I’m sure in your mentoring, you guys help on that test-taking strategy, right? What is the best answer?
Which is...
Jason Gillam
And that’s exactly it. There are many cases where there’s a list of answers and more than one of those answers is technically correct.
And one thing that we drill into our students during the mentorship is that as soon as your brain starts going down that path of, well, technically..., you need to take a step back, put your manager hat on and think, okay, from a manager perspective, which answer is correct? Because one of those is better than the other answers, or is the least worst answer.
CJ Cox
And the overthinking thing can just kill you. And, yes, the bad thing is when they don’t give you the test results. Right. You don’t know. Well, did I get that right or wrong?
Jason Gillam
You just never know. You will never know. Yeah, you’re absolutely right.
CJ Cox
Awesome.
Jason Gillam
Okay, so let me talk a little bit about... So if you’ve looked previously, like I said, I want to say it was around June, July this year, the 10th edition came out.
And I might be wrong on that, but I know that it was sometime within the last few months, because it was after the last time we did our mentorship program.
But there were actually some adjustments. I went through. I didn’t read the new one cover to cover, but I did go through all of the study points at the end of each chapter and did some comparisons between the 9th and 10th edition.
So if you have the 9th edition and you’re wondering, hey, do I need to buy a new book? I’m not going to tell you yes or no, but I will tell you what’s changed. So, in the 10th edition, there’s the minor change to the domain weights.
I mentioned that before. I think a couple of things moved by just 1%. So really that’s not enough to worry about. There are no major changes to domain content that I saw.
There was nothing like, hey, there’s this whole brand new topic on there that was never covered before, and it’s brand new to this edition.
There may be subsections in places and some adjustments on specifics, but I didn’t see anything that was like, hey, there’s this whole brand new topic in there.
Overall, I think the changes look really good. It seems to be a general shift towards understanding the concepts better and away from memorizing stuff.
Not that you won’t have to memorize stuff. There are still going to be things where you’re going to go, I don’t get this, I’m going to have to memorize it. That’s going to happen. But I think that the emphasis here is less on memorization.
Just as a key point on that, I talked about the security models earlier, because I went back through and flipped through that whole chapter, because it’s like, okay, security models, one of everyone’s favorite topics.
They’ve actually removed several of the specific security models in the 10th edition; they’re just not there anymore. They have some of the main ones in there, Bell-LaPadula and Biba, for example.
Those are still there. There are still a couple of others that are distinct, but it seems like they’ve moved more towards the concepts that drive those models and understanding those, instead of focusing on just memorizing the model.
So that seems to be a positive change there. I don’t know how that’s going to affect the questions in the exam. I have no way to know that, but I’m hoping that it drives more towards just understanding those foundational concepts.
There’s also a little bit of restructuring of content to group some concepts together that were previously apart, and a little less emphasis on the minutiae, the formulas.
There are still some in there. There’s still some math that you have to do. Like if you’re looking in the encryption chapters, it’s still going to have the various different bitwise math on there.
So you still have to understand the basics of AND, OR, and XOR and all that. And yeah, I think that covers everything.
CJ Cox
So someone asked one of the questions: for the people who are about to start in your new cohort, is that going to be with the newest book?
Jason Gillam
Yeah, yeah, that should be with the newest book.
CJ Cox
And then there’s a general question out there: what are the best study resources?
Jason Gillam
Well, I have a couple of slides coming up that might cover that. So let me go through that first. And then, yeah, so first, training options. So if you’re looking at all of the options that are out there, the main one that people will use is self-study.
Okay, so use the official study guide, practice tests, and go to a study group and forums, that sort of thing. And you can use a combination of these, of course, but self-study is cheap.
You’re paying for the books and then you’re finding free resources. There are several forums out there; I mean, it’s a pretty common topic.
I haven’t looked. I imagine there is a subreddit for it. I know there’s one for infosec. I don’t know if there’s one specifically for CISSP, but I would be surprised if there wasn’t.
ISC2 has a couple of options directly. One is an online self-paced course, and I think you pay for access to it by number of months. I don’t know what the cost is.
So you can get like a one-month or three-month or six-month subscription to that. And then there’s also online instructor-led that they do as well.
There’s also a variety of boot camps. ISC2 partners with organizations that will run those boot camps under the ISC2 brand, and there are also other third parties that you can go to for boot camps.
I personally did a boot camp. I think they’re okay for a review period, but it’s really a massive cram session. It’s not very pleasant at all. So it’s not my preferred way of doing this.
And then through Antisyphon we do our Professionally Evil CISSP Mentorship Program, and I was talking about it before, so I’ll just do a quick rundown on this.
I think it’s a good option, but I’m biased. We do ten weeks of basically reading assignments and then study groups.
So we do a two-hour review session, and we typically will have two instructors. We rotate people around depending on their strengths and availability, and so we’ll have two people lead that, and then we also have a Slack channel.
The other really cool thing about this one, also, is it is pay-what-you-can through Antisyphon. The other really cool thing is it’s repeatable. So if you decide to join for this one coming up this fall, and then you get partway through it, you get too busy and you decide, hey, I’m not going to be ready for my exam, or maybe you go through the whole thing
and you say, I’m studying, but I’m not quite scoring high enough, I’m not comfortable. Then you can re-enroll at no additional cost into the next one, and come back through again with us.
So one thing that a lot of our students have mentioned about this is that they really liked that it wasn’t just that we were giving them the information and telling them what they needed to learn in CISSP.
We told them some of that, but we were only doing a two-hour review session each week for ten weeks. So really they did a lot of the work themselves, but we kept them on a schedule.
Right. So it’s, you have this, we’re going to do this, right? We have this commitment, we get through it, and that seems to be very helpful for our students.
So some combination of those is pretty much what you have now. Okay, so I have study tips, and then I actually have a slide that goes over some of the other resources available to you, including practice exams.
So first of all, you need some sort of schedule. it really depends on the individual, what works. But just recognize that the official study guide, if you can see this, it is, over 1100 pages long.
There’s a lot of content in there. I am a slow reader, so I’m going to take a bit more time to absorb content.
And I mean, even if you say, hey, I’m going to spend an hour studying on this every day for 30 days, that’s pushing it for some people.
you m probably need longer than that even. so maybe you’re doing an hour of study over 60 days or something like that, but create a, schedule, stick to it.
practice the sample questions regularly. Right. At the end of the day, you’re going to be doing an exam of these questions. And so really, you’re basically not just studying the content, but also studying to be able to take that exam at that pace.
And especially if you’re like me. I mean, I went to college years ago, quite a long time ago. That’s the last time I did any real exams. Right.
Other than the occasional certification. And so it’s not something that I’m accustomed to at all. Not like being back in college; I was in engineering, so I was doing many exams every semester, and I learned very well how to cram for them and be able to answer them.
So unless that’s still familiar to you, you’re going to want to be able to get yourself reaccustomed to answering questions and staying on a cadence and actually staying alert enough to do this for 3 hours straight.
So those are the types of things that you want to get yourself some practice on. There’s lots of resources out there.
There’s the official study guide, which I just held up. You can buy a bundle of that study guide along with, there’s actually, I have that book here too, the official practice tests.
So those are both from ISC2. And that’s what we use in our mentorship because we want to make sure that we’re studying off of the official materials.
But there are lots of other books. Somebody had mentioned Eric Conrad’s 11th Hour book. That one’s also very good. I think that it doesn’t go into quite as much depth.
At least the last time I looked at it, it didn’t. But it explains things in simpler terms. In many cases, it’s a little bit easier to digest.
And it’s a really good, maybe that week before you’re taking the exam, use that as your review-all-of-the-material, make-sure-you-understand-it-all type of book instead of trying to reread 1100 pages of the ISC2 official guide.
Right. So you want to focus on understanding concepts, not trying to memorize all of the things.
If you’re having trouble understanding concepts, have a conversation with other people. There’s so many people who get their CISSP, they want to help other people get it as well.
So, don’t be afraid of this. Hey, I’m not getting this concept, I feel stupid. Just ask, ask for some help.
People will help you. I recommend that for those things that you’re having trouble understanding because there’s always going to be something. I mean, you have eight domains, there’s tons of information in there.
There’s going to be some things where you’re like, I just don’t really see a concept here that I can grasp, but I could memorize it. I would start writing those out in your own cheat sheet.
Just the act of writing it out is going to help you memorize and help you just grasp it better. That’s what I do. But you want to do what works for you.
I mentioned study groups, study partners. And the last point, of course, really important: take care of your physical and mental health. Like some people run themselves into the ground while they’re trying to study for the CISSP, and that really doesn’t help you.
So, if you’re unable to actually stay awake when you go to take the exam because you’ve been studying that hard. Okay, so I see a question about endorsement.
How do you find someone to endorse you? Now that’s a bit of a trick, isn’t it? Most people who are in infosec know somebody else with the CISSP who would be willing to endorse them, right?
So it’s basically just saying, hey, I know this person, I know they work in information security or cybersecurity, and you’re done, right?
That’s basically all that is. But if you don’t know anybody, at all, you’re brand new to the field or what have you, then it gets a little bit harder.
What I would suggest at that point is, involve yourself in the community. There are information security, either through work is one thing, but in the community we have conferences like every weekend.
It feels like there’s an infosec conference somewhere, and so the likelihood that there’s one in your area is pretty much 100%, that there’s something nearby.
So, and I happen to know that Black Hills has some kind of conference coming up too. So you, you could go to that one.
Okay, on to the next. So practice exams, there’s, like I said, you gotta, you wanna go through and get yourself accustomed to those.
So the way that this is, I would recommend that if you don’t have other resources readily available, that you get the official practice test book I showed earlier because it has four complete tests in it, and then it has a bunch of extra questions in it, and then it also has a bunch of domain-specific tests so you can study the chapters for a particular domain and then test yourself on just that domain.
So it has lots and lots, and it’s also from ISC2, the same company that’s actually issuing the exam. So it really makes sense to get a copy of that book.
And then also in the study guide itself there’s lots of questions at the end of each chapter. So that’s a really good set of resources there.
I know that there are question banks online as well, there’s flashcards, and I think you get access to the ISC2 set of flashcards through their materials. Normally that’s how that works.
And then I just haven’t checked with the 10th edition if anything’s changed there. Yeah, and so I mean you can search around, I’m not going to point out specifics on here because it’s a common enough certification that there’s plenty of resources already out there.
And then there’s also the ChatGPT or Claude AI type trick I mentioned earlier. If you write out some of the basics of the requirements for a particular chapter or something like that into a prompt, then you can have it quiz you on that knowledge.
So that’s one way to do it as well. One thing I would recommend is when you’re doing the practice exams, maybe not necessarily the smaller ones, but when you decide, hey, I’m going to sit down and do a full one, actually time yourself. Don’t stop at 3 hours.
If it takes you longer, I would still go through and finish it, but that will help you gain a feel for what sort of cadence you need to be answering the questions at.
Sometimes you’ll look at a question, it’s like, yeah, I know the answer to that, and you get it and it takes you 15 or 20 seconds total, but then you’ll have others that might take you a couple of minutes to think through.
So but the overall cadence, that’s what you’re aiming for there, is to have a good understanding of that. You don’t want to get to the end of your time before you’re done with your questions.
Okay, so my scoring guidelines. What I’d like to say is that when you are about midway through studying for your CISSP, you’re on track if you’re scoring somewhere between 40% to 60%, like it’s that low.
Now I say 40 to 60 because part of it’s going to depend on whether or not you’re covering domains that you’re already familiar with or domains that you’re completely unfamiliar with, and that’s probably going to affect your overall score.
Like if, for example, we know that the software security one is the last domain and that was a strength for me. So I was naturally scoring a little bit higher halfway through because I hadn’t covered that domain yet in the book, but I still intuitively knew a lot of the answers.
And then, what I say is, these are my own guidelines, this is what I tell people and what I recommend. Don’t plan to take your exam if you are not able to consistently score at about or just above 80% on the practice tests.
If you’re still scoring in, like, the low seventies, you’re probably not ready, you’re going to really struggle on it.
Okay. And then practice across all the domains regularly. So don’t just focus on domains 1, 2, 3, 4, 5, 6, 7, 8, week after week, and then go take the exam without going back and revisiting the other ones.
I mean, to me that seems, pretty obvious, but needs to be said.
Okay, last one. And then, I guess I’ll open, I’ll see if there’s any more questions. So once you get your CISSP, it’s a certification that you have to maintain.
From a monetary perspective, it’s annual, there’s an annual maintenance fee or an AMF, currently $135. And then you also have to maintain CPEs.
And the CPEs, it works out to, what they want you to do is 120 credits over three years. Understanding that some years you might be able to get more than others, but it has to work out to 120 credits over the three years.
Most of those credits have to come from actual domain expertise. You can get some, and I don’t have the breakdown, but there are a few other credits you can get through, like, non-domain expertise, like if you just took a management or a leadership class or something like that.
That’s not specific to infosec, that can give you a little bit, but most of it is going to be through domain expertise. So, everything from webinars, reading things, writing things, so writing blogs, reading blogs or books, attending training events.
You don’t get credit for teaching. So if you’re an instructor, you don’t get any credit for teaching. But you do get some credit for preparing your materials for teaching.
But it’s limited. So it doesn’t equate to, like, if you’re teaching a day-long class, you’re not going to get a day’s worth of CPEs for that.
You’re going to get probably an hour or something. I can’t remember what it is. They have a chart. So volunteering at events, infosec events, can get you, actually no, it’s not events.
It’s, they have a, ISC2 has a specific program. There’s probably other things that can qualify as well. Their program is.
I can’t remember the name of it off the top of my head, but it’s designed for, like, reaching out to the local community and helping people better understand how to protect themselves.
So think, like, elderly, kids, maybe neighbors, that sort of thing. So there’s a program that you can get involved in there for the volunteering.
And then there’s, yeah, there’s multiple other options on there too. Okay. So yeah, a credit is, it’s typically equated to an hour.
So that’s all I have for today.
CJ Cox
So it’s a lot, right? I’m having flashbacks. I took it 22 years ago and I studied for twelve months, and I was the master of overkill.
I got three different textbooks. I went to the Eric Cole class. I went for SANS back in the day. I took like three different practice test things.
I made flashcards, I did everything. Cause I’m a sweat grenade. I think it was $250 then, but that was a lot of money back in the Neanderthal age.
And I just. It’s your risk aversion. I was like, be over-prepared. Try everything. Everyone’s different. What works, you’ve got to know you, but to me, you better be prepared.
Jason Gillam
Yeah.
Deb Wigley
It covers so much.
Jason Blanchard
Thank you so much for doing this. Thank you for sharing your knowledge. I know some people signed up for your class while this is going on. It’s a pay-what-you-can class. And so if anyone’s interested in doing that, there’s the Antisyphon website.
You can sign up for Jason’s class on CISSP. And it’s a pay-what-you-can. I think the minimum is. Do you recall the minimum for that?
Jason Gillam
I want to say it’s 100. It’s 100.
Jason Blanchard
Yeah.
CJ Cox
Look at the options out there and pay fair market if you can, if you’re a starving student. Okay.
Josh Mason
Okay.
Jason Blanchard
But I did want to talk about, so we are using a service called Accredible. So Accredible, like “a credible.” That is where we send our certs to you for attending these webcasts.
And so if you have not received a cert from us, you get one every time you attend an Anticast or webcast. Maybe check your spam filter, looking for Accredible.
And we keep track of every single one that you attend. So it’s tied to your email address. So if you go and check your account, you’ll see all the things that you’ve attended as far as Anticasts go, and then you see all the things that you’ve attended.
Black Hills goes, and Active Countermeasures. So we’re trying to do the best we can to assemble that into one place so that way you can go and grab your CPEs that you need from your certs in the future.
So just something that we’re doing, and it’s newish.
Jason Gillam
Go ahead.
Josh Mason
Well, someone said, I’ve got Accredible and then, like, 30 Gutenberg. So it used to be Gutenberg, and we just switched to Accredible. And we’re working on loading in all of the past Gutenberg certs into Accredible.
So they’ll all be together.
Jason Gillam
Yeah.
Josh Mason
But as you can imagine, it’s a lot.
Deb Wigley
Yeah.
Jason Blanchard
Imagine there’s an intern who’s like, okay, so you’re going to sit here today and you’re going to do this long time. And they’re like, and I get paid for this? Yes, you do.
Jason Gillam
Good job.
Josh Mason
Why do I want to get into cyber? It doesn’t feel like I’m doing cyber stuff.
Deb Wigley
Yeah, that’ll happen a lot.
Josh Mason
Yeah, exactly.
Jason Blanchard
CJ, did you see any other questions that you wanted to ask?
CJ Cox
There was a whole bunch of people asking, and I think a lot of the community answered things. What websites do you like? It’s like, I haven’t found any of them that I thought were terrible or awful.
Look at reviews on books and things, those matter. I always did multiple. I did at least two of the 1100-page books. And the ISC2 material isn’t as good.
Jason pointed out that Eric Cole kind of says it in a way that’s, that’s helpful. Right. The ISC2 stuff is pretty much just the facts, ma’am.
So, again, you’ve got it. You gotta find what works for you.
Jason Gillam
Yeah.
Jason Blanchard
I also wanted to share. Not everyone knows this exists. Right? Like, we do a lot of things and not everyone knows. If you go to poweredbybhis.com, you’ll find the recordings for all of these videos.
You can also find them on YouTube. But if you go to poweredbybhis.com, you’ll see the recordings of the past webcasts and Anticasts and all the upcoming webcasts and Anticasts and six-hour trainings that Active Countermeasures does.
So Powered by BHIS. And we’ll put that in Discord also, here inside. I think if you go to the resources tab inside Zoom, you click on Resources, you go to Links. You should be able to find that link there.
Deb Wigley
Yeah.
Jason Gillam
Oh, good.
Deb Wigley
Someone asked, why do you keep this as your only cert? Did that get answered? Did I miss that? I’ve got an answer. For me.
Jason Gillam
Yeah, that is a good question. Well, for one, some of my previous certs are SANS, and I just didn’t want to keep giving SANS and GIAC more money.
So I let those lapse. And other than that, I’ve just never really been big on certs.
I think that overall, experience counts for more. And so once you have that under your belt, the certification, I mean, it’s okay to go out and get one, but getting one and then maintaining it indefinitely just to have more letters in your signature, to me, some people like to do that.
I don’t see any value in doing that. The CISSP, again, it’s like we said, this is the leadership, broad, mile-wide, inch-deep type of, I know a little bit about everything in infosec. I think it’s worth keeping that one. Yeah.
Jason Blanchard
And I think you brought up a good point earlier where, like, if this is, like, the bar for the law industry or, like, it’s good to have a baseline.
So this feels like the baseline.
Jason Gillam
So.
CJ Cox
Yeah. Oh, go ahead, Josh.
Deb Wigley
Yeah, that’s my take. That’s one of the big reasons I keep it. I teach it. And so I feel like if I wasn’t current and on my CISSP, that’d be.
Jason Gillam
I don’t know, that might actually be a violation of the code of ethics. Right?
Deb Wigley
I do believe it is. So, like, that’s one thing. The other is, I do think it’s the closest we have to trying to get there with, like, a professional organization, and whether we need a.
You can’t practice or you can’t do this thing. The same way that accountants are, the bar, like, if you try to represent yourself as a lawyer in court and you’re not on the bar, like, then you can be prosecuted for that.
I don’t think we need that. There’s arguments that people could have, but I just don’t. But I do believe, as a voluntary thing, there’s power in that and that there’s value in that.
I get to be part of ISC2 and participate in my local group. And I don’t know, I want to be representative of what we’re doing with the community in ISC2.
So that’s why I keep mine also. If I needed it, like, needed, needed. Like, someone’s like, oh, are you up to date? I don’t want to go back and have to try to fix that by taking the exam again.
It’s a really hard exam.
Jason Blanchard
All right, CJ, we’re running out of time, so I’m going to. CJ. If you could wrap up everything you heard and everything you want to say in one sentence, what would it be?
CJ Cox
CISSP is hard, but it’s good. And you need help. Get help.
Jason Blanchard
Okay, Jason, if you could wrap up everything that you talked about today, and one final thought, what would it be?
Jason Gillam
Come and do the CISSP mentorship program with Secure Ideas and Antisyphon.
Jason Blanchard
I agree with that. Hello, everybody. Oh, man. well, everyone, thank you so much for joining us today on this.
I wasn’t sure I was going to be here today.
Josh Mason
Yeah, we were planning on it.
Jason Blanchard
You plan to be here today? So plan to be here next week. There’s going to be an Anticast next week, and the week after, and the week after that, week after that. Cathy’s planning them out throughout 2025, and so we would love for you to return.
We do not send you emails that are spammy or about advertising. We send you emails about upcoming Anticasts. So please join us for future Anticasts. Jason, thank you for sharing your knowledge, and hopefully people sign up for your mentorship class.
That sounds great. CJ, thanks for being here helping with Q and A, and for everyone that joined us for pre-show banter, thank you so much for doing that. We’ll see you next pre-show banter. Next thing to catch a Ryan kill with fire.
Josh Mason
We’ll see people tomorrow, too.
Jason Blanchard
Oh, yeah, the BHIS webcast.
Josh Mason
Oh, yeah.
Jason Blanchard
Kill it.
Josh Mason
Just kill it.
Jason Gillam
Fire.
Jason Blanchard
Fire. All right, Ryan kill it.