Newbie here!
So, I've been in the industry a few decades, started with cracking software copy protection back in the BBS days, spent some years in the military (mostly infosec, sigint etc related), started a few technology companies and am running a couple companies now, including an MSSP, with security consulting on the side.
But... I have no certifications because I simply haven't bothered. However, that leads to embarrassing conversations nowadays, "We'd like you to do a presentation on X and consult on Y, what can we put down for certifications?" 😂
So it appears a good CISO should have CISSP/CRISC/CISM, and I decided to start with the CISSP since that seems to be the one that comes up most often in general conversation.
I feel like I know it all, (hah! that'll be the day!), but of course there's always the "unknown unknowns". I've taken and passed a number of practice tests, but before I blithely jump straight to the exam I thought I'd post here and see if A - anybody else was in my position before and fell flat on their face, and B - if there are any recommendations for Really Good practice tests (which I might not have tried), and/or freebie training materials that might have enough info to let me identify weak areas that need something formal.
Any and all assistance is greatly appreciated! 🤗🤗🤗
Use the following video resources (a few freebies) to find out if there are any gaps.
@jmpffff0000 wrote:
So, I've been in the industry a few decades, started with cracking software copy protection back in the BBS days, spent some years in the military (mostly infosec, sigint etc related), started a few technology companies and am running a couple companies now, including an MSSP, with security consulting on the side.
Back when I became a CISSP (2004) I was in a bit of a similar boat. The hardest part is codifying what you know into the language of the (ISC)2. You will also come across subjective things that people can insist are objective. Heck even the term "cybersecurity" rankles some people. A small example are the definitions of "data," "information," and "intelligence." How the (ISC)2 uses those words vs CompTIA, vs, say, the military can vary. You'll even find cases within their own materials that a certifying body may be very insistent on a word, and then a chapter later, they're using terms interchangeably.
That's where I think the Official Study Guide is helpful. Know the vocabulary. The other thing too is that you do realize that you really don't know it all. For example, you're going to be tested on anything from governance, to software development, to fire suppression systems in data centers. That was really the cool thing about the CISSP and the (ISC)2 - it was a very comprehensive exam, and you really felt your experience was being tested as much as your ability to digest study materials.
On that note, I see endless threads about people fretting over the exam or trying to find tricks to it. They miss the whole point. It is a certification exam. Your ability to pass it should come somewhat naturally because you've been doing this stuff and doing it right for a while. Just as you shouldn't want to game the system to pass a pilot's exam, no one should look to just barely or cleverly become a CISSP - your wellbeing and that of others depends on your ability to perform, not be clever.
You need practice exams to condition your brain for the exercise. However, certainly in my time, and I think it is still this way, if you know the material, you will have ample time to complete the exam. There are some really bad practice tests/questions sets out there -- remember these are not written by the people who write the exam.
I was in the same position ... many years of industry experience and many years since I had taken any multiple-choice exam.
I studied harder than I probably needed to but since I was footing the bill I figured buying a few books was a good bet vs needing to pay for a retake.
In the end, my studies did not really teach me much that I did not intuitively know, but they aligned me to the industry terminology and indoctrinated me into the ISC2 group-think.
For example, in CISSP speak, I faced a risk of doubling my costs if I were to fail the exam. My risk appetite/tolerance did not include paying out-of-pocket a second time. I chose to reduce my risk by purchasing a few books and studying more. This reduced my likelihood of failure. If ISC2 offered free retakes, the impact to my wallet would have been reduced to just my time, which I am also willing to accept. Had my employer paid, I probably would have accepted the risk and just tried taking the exam because "it's not my money". And nowadays, I could purchase "Peace of Mind Protection" to transfer the risk to ISC2. Or, I could avoid the risk altogether by not taking the exam.
Now, I am ready to be tested by ISC2 on "risk treatments" (accept, reduce, transfer, avoid) and also on risk measurement (risk = likelihood * impact).
If you ace the CC (you'll know), then book the CISSP and buy the new All-in-One CISSP. Read that thoroughly.
Did good on the CC stuff, (thanks for the tip!), now trying to parse the above. It sounds like if I book the CISSP test then there's an option to buy additional study materials at the same time...? 🤔
ETA - aha, seems to be a reference to a book titled "CISSP All-in-One Exam Guide", by Shon Harris and Fernando Maymí
Thanks everyone, this is all super helpful! 😁
How do you mean circumventing copy protection?
What is being circumvented?
@2FTerminator wrote: How do you mean circumventing copy protection?
What is being circumvented?
Reread the first sentence of the original post. Michael was making light of the OP's history.