My Blueprint to achieving ISC2 CISSP and CCSP certifications
Fernando Gamero
CISSP | CCSP | Cloud Security Solutions Architect at Palo Alto Networks
A lot of colleagues, partners and customers have been asking how I prepared for the CISSP and CCSP certifications. I've been sharing my tips and tricks for both certs for the past 2 years, and I thought I should write an article to share my experience with anyone who might find it useful.
My view on certifications
First, I would like to share my personal view on certs, and for this I need to go back to where it all began. My first job right out of TAFE (a technical undergraduate program taken before a degree) was as a helpdesk analyst, as it is for many IT professionals out there. I was part of a small team that supported a fairly large organization in Australia, and there I met what I consider one of my first mentors in this field (thank you @Ian Rolston). He introduced me to certifications; I remember him explaining how he planned his studies to achieve the MCSE and CCNA. I wasn't very interested in the Microsoft certs, but I was passionate about networking and understood I needed to get the CCNA under my belt. I enrolled at Swinburne University because they offered the CCNA subjects as part of the curriculum (what Cisco called the Net Academy, I think), and I managed to get the certification before I had even completed the university subjects. From this experience I understood that you do not need a lot of workplace experience to pass a certification, but you do need to be passionate and dedicated, and a certification will certainly help open doors.
The journey
At every stage of my career, as soon as I started working on a new piece of technology I was already studying and preparing for its accompanying certification, and it was the certification track that allowed me to learn the technology in depth and get the most out of it at work. Along the way I discovered firewalls: one day my manager put an ASA on my desk and asked me to install it at a customer that same weekend. I remember failing on my first attempt, but I also remember that great feeling of achievement after installing something new. Getting the experience and then getting the certification meant a lot at that time.
Fast forward a few years and I am in the security field, not implementing technology but selling it and trying to find new ways to sell value to customers rather than simply throwing the technology at them. A way to do that has always been to put myself in my customers' shoes. I tend to talk to people at all levels of an organization, from technology operators to the people responsible for its security or infrastructure, people who care more about return on investment, how to reduce risk, or how to frame a security strategy and align the right technical controls. I thought the CISSP was the right certification for gaining knowledge in those areas and the skills to put myself in their shoes. A lot of people would agree that the CISSP is the most challenging certification in the industry, mainly because it is not all technical but focuses on areas that aren't necessarily your day to day, depending on your background or job, e.g. risk management, business continuity, software development, etc. I certainly felt I didn't have the right experience in all domains, and I think most people feel that way; there's a lot of respect for that exam.
CISSP
At some point I felt that even though I did not have experience in all domains, I certainly had enough knowledge and experience to prepare for the CISSP exam. If the requirements have not changed, 5 years of experience are required to take it. My first piece of advice is to make sure this exam is for you: that you are in the security industry, that your role has something to do with consulting, and of course that you have the experience required by ISC2. Read the blueprint and make the decision; it's either go or no go.
The decision
If the decision is to pursue the exam, then it's time to prepare. Unlike most other certifications, this is a big one, in the sense that there are 8 different domains and a certain depth of content in each of them. You might have a lot of experience in some domains and find them easy, but others, as in my case, will require a lot of study.
With work and life commitments, I felt I didn't have the time to study, so I decided to sign up for a full week of instructor-led classes. First mistake: the content is so broad that a week of classes was never going to get me ready for the exam. It did, however, help me understand what the exam was about, what my strong and weak points were, and how much time and effort I needed to invest.
The resources
So I went for the best study resource I could get, the official certification guide, a book bigger than a Bible. My second mistake. I was falling asleep every time I attempted a chapter and was losing my passion and drive to pursue the exam, mostly because the topics I was reading were new to me or I didn't understand the reasons behind what I was reading.
Over all these years I have learned that the best way for me personally to consume content effectively is by watching videos, listening to someone more knowledgeable than me explain how something works. There is no point reading about a solution if you don't understand the problem it's trying to solve, so I went on a quest to find the right video resource and complement those videos with the official cert guide. I found that Kelly Handerhan's (cybrary.it) videos were just awesome; I'm a big fan of hers now. I got really sucked into her videos and got my passion back to prepare for the exam, along with a new book, the "All In One" CISSP book. In my opinion the way it is written is far more user friendly than the official cert guide, for me at least, and I wasn't falling asleep with every attempt. My plan was to watch a video on a certain topic and then read about it. I had finally found the right combination of resources.
Divide and conquer
I was learning effectively, but I never had time to study: in my current role I support 2 countries in presales activities, so it felt like I had no spare time. I knew that if I wanted to reach the goal I was really going to need to put a lot of effort in. It felt like going to the gym: getting into a routine is hard, but once you have the routine it becomes easier. So I started scheduling time on my calendar, either early in the morning or after work, to find the right cadence. I spoke with my wife and she supported me all along the way. I think this is key; managing family time, work and study is not easy, and everybody has different commitments and is at a different stage of life.
I found that I could cover the topics of one domain in one week, and that was only watching the videos and reading the textbook. Certainly there were times I didn't make it, because of work, because we went out on a weekend or something came up, but I tried to stay on track as hard as I could. So in 2 months, give or take, I had covered all the content. It was time to review and start testing myself.
Domain reviews
With the official cert guide came a second book, the "official practice tests" book, and I could go onto the Sybex portal and access all the practice questions that came with it. The platform records your progress and explains the right answer if you get a question wrong. I broke all the questions down into the exam domains and started reviewing domain by domain. In the domains I had experience with and found easier I was achieving around 70%, and in the ones that were new to me or where I didn't have much experience I was getting a miserable 50%. I took notes on all the content I was failing and then circled back to the videos and the book; in this round I would also review the official cert guide. I think it took me more than a month to review all the chapters. The key here was consistency: I had to do this every day. I was feeling pretty good once I was hitting 80% or so on every domain, and if I got a question wrong at least I understood why. I knew I was getting close, but I didn't feel ready for the exam; this was a pricey exam and I didn't want to fail.
Final review
As I was researching others' experience with the exam I went back to googling. I knew that I was going to face a different type of exam: behind the scenes I was up against an ML algorithm that was going to throw more questions at me if I didn't know my stuff, or was going to free me early if it was convinced I had passed. I certainly wanted to be ready. So I stumbled across a couple of resources on the internet that really helped complete my preparation:
- Cybervista: they had videos on YouTube using lightboards to explain particular topics (e.g. SDLC, BCP, BIA, IRP), and
- IT DOJO: another set of videos on YouTube, with a really cool guy throwing out questions and then explaining the right answer.
Something that definitely helped me was listening to other people explain the things I found hard. I tested myself with mixed questions several times and was hitting around 90%. The best advice I found was from Kelly Handerhan: when you face a question where you don't know the answer, or there seem to be multiple right answers, think like an advisor, not like an engineer. I knew I was ready, and there was no way I was going to fail that exam.
The exam
I really hate proctored exams. I've sat different proctored exams before, and it's always a draining experience. You feel anxious no matter how well prepared you are, sometimes even if it's an exam for work that you have taken before and you know you will pass.
I can get very competitive sometimes. At work I've learned that I can win or lose a project or deal, but as long as I gave everything I've got and I know I couldn't have done anything else, I can sleep well at night. With the exam I knew I had prepped well and really couldn't have done anything more. This was the longest exam I had ever taken; I think I got to question 105. I was always confident I was doing well, and when the exam finished I didn't get a result on the screen but had to wait for my printout. I had to hold in my excitement since I was still in the proctored area. Then it was time to celebrate the big milestone, sharing it with my wife, colleagues and friends.
Intro to the Cloud
I remember when the company I work for purchased Twistlock, a security company focused on container security. I had no idea what a container was. My day to day was selling firewalls and endpoint security, and most of our customers' investments in the cloud were SaaS; some were starting to build infrastructure in the cloud but were barely migrating on-prem applications or building VM-based apps. I felt that containers, cloud native technologies and DevSecOps weren't for me.
The company then hired an account team to start driving the cloud security business in the region, and I started making sense of the opportunity the cloud brought: we had the chance to eliminate vulnerabilities and adhere to best practices and compliance early in the application development life cycle. The technology was awesome, but I wasn't yet clear on how cloud technology works, let alone how to secure it.
Big shout out to @Alexandre Cezar, a Brazilian colleague who pointed me in the right direction when I needed it. First understand cloud; once you do, you can understand the risks and how to secure them. So I went on the journey of understanding cloud infrastructure, playing with cloud and getting AWS certified. I would recommend that before even looking at any other cloud, as history tells us AWS changed everything with the IaaS model.
CCSK
Once I understood the vast use of SDN in the cloud, the separation of control and data planes, the shared security responsibility model and how it varies between cloud offerings, and the value of microservices and their immutability, I was ready to learn how to secure the cloud. The Cloud Security Alliance does a great job at this, so I wanted to go for the CCSK cert. I had had a good experience with the "All In One" book when preparing for the CISSP, and Graham Thompson had written a CCSK "All In One". I read it chapter by chapter, using my divide and conquer strategy, and everything just clicked. I think this is probably the best resource I have ever used, very well written in easy-to-understand language. I passed the exam in no time, and it was open book.
CCSP
There are certainly big time gaps between these certs; I don't spend all my time studying, but I really felt getting these certs would help me in my day to day work, and they certainly have. I can provide a lot more value to my customers now. With the CISSP and the CCSK under my belt I felt it was the right time to prepare for the CCSP. This one wasn't easy because my daughter had just been born, but we were in the middle of a pandemic and weren't going anywhere, so it made sense to prepare for it. I went back to Kelly Handerhan, who had just released a CCSP video track, and I got myself the "All In One" book. I didn't buy the official cert book this time, only the practice tests to review. I would say that half of the content of this exam is like a review of the CISSP and the other half a review of the CCSK; honestly, with those 2 certs under your belt, the CCSP should be a piece of cake. I divided and I conquered.
Network and Cybersecurity Professional
2 years ago: Excellent contribution, thank you very much for sharing your experience, you should write more articles
Presales | Cybersecurity | Backup | Cloud
2 years ago: Go hard.. Much appreciated.. Fernando Gamero..
Cyberark - I help organizations with identity security gaps
2 years ago: Excellent shared experience, Fernando! Thank you!
Network and Security Engineer | Cybersecurity
2 years ago: Thank you for sharing your experiences. Very human, sincere, and with great advice.
Solutions Engineer
2 years ago: thanks for sharing, master!