Thanks to Wala for this valuable CISSP advice!
CISSP preparation resources, how much is enough?
CISSP - you all know - like no other test in the field and requires unique preparation plan, enough resources and of course the right experience.
But how much resources is enough? Is it only the Sybex book or is it the AIO, the CBK maybe? Or sum of these resources altogether? Do I need to attend a $$ boot camp, how many questions to practice?? All of these questions and more are always popping up on the mind of those who are preparing for CISSP. Well, before answering these questions, consider this: if you want to raise your chances to nail the CISSP exam (and of course you do!), then you first need to know, what will be there in the exam! That’s natural, and to know what there will be on the exam, you can do it either:
-By asking someone who did the exam to dump you the contents (and I promise you, you will never find a CISSP who would walk this walk of shame with you!), so forget that!
- By broadly letting a CISSP also - and without breaking the NDA - to enlighten you to the kind of the mindset of the exam writers without going into specifics and revealing details. And in this post I will try to attack this point on which - hopefully - you will find the answer to all these questions.
At first we need to establish a common ground and agree that - the CISSP - unlike many other exams in the Cybersecurity field especially the IT field in general - is the broadest exam you’ll ever see (notice - the broadest and not necessarily the deepest!). The key is that you need to load your brain with literally hundreds of concepts on the security field whether at technical or high managerial level to crack it.
This is not to say that you should fill your library with tens of books and master them all to crack the CISSP, although this would be helpful in a way; however it’s impractical and this is not the case (you can stick to only one resource and still nail this thing). ISC2 are expecting that, you’ve already got your self familiar with these topics in the CBK given that you’ve got the appropriate experience (beside the good preparation of course). So to narrow the CBK topics down and organizing it for easy digest, numerous CISSP publications (Sybex, AIO.. you name it) are there for help, although these resources might be a major contributor to your success but they are not in this alone!
I know there are many debates on the quality of some CISSP resources here and there; some prefer Shon’s writing skills and her funny comments throughout the book, other say that she’s great and everything, but her book is way, way too detailed!
But we know that every CISSP resource is written by subject-matter experts and elites with tens of years in the field. The answer to what should your main resource be is “any one of them!!”
But the real answer of what should be your main arsenal for the CISSP is totally dependent on who you are. What method do you prefer? Are you fan of visual delivery? Or you might be enjoying listening to podcasts while commuting?
So this question’s answer is not as we said “any one” but instead it’s totally dependent on your preference, you might be reading the review of those who passed recommending this resource over that, and you would still ignore it because you simply tried that resource before and just didn’t like it!
Some of you have already been there and failed and planing to re-test, you can agree with me that the CISSP exam questions are very mind blowing; despite the fact that they are all CBK related (you wouldn’t see a question on the specifics of running scripts or configuring this Cisco router or that Palo Alto firewall for example).
However and from within the CBK you have to expect things - at first - seems to be totally new to you; because you haven’t attack this particular subject enough before sitting for the exam (and this is the heart of this post, and the message I want to convey to you all). The message is that - despite the resources you are committing your self to - you need to broaden your knowledge curve and at the same time narrowing your surface of preparation for the CISSP and make it within the scope of the CBK regardless of the resources you have!
It’s about changing the mentality to eat, breathe and sleep CISSP, never shy up to read white papers on different security topics. Register to cyber SEC forums and participate, to discuss various topics in security with your friends and coworkers - by these you are studying for the CISSP (it’s not only about reading the book).
To avoid ‘scope creep’ and stay focused you need to at least have a clear plan on the extent of resources, you need to commit to in your study plan. Add and remove resources as necessary according to the preference theory, diving through OWASP top-10 when you are having issues grasping some of the web app attacks, walk through NIST SP for specifics on SDLC and the like. Watch YouTube to get the idea of how buffer overflow works ; watch the ‘Imitation Game’ to have idea about crypto during that period!
I’m trying to be practical here and not only throwing you general ideas on what to do, so here is prepared list of companion resources you need to walk through during your CISSP journey and treat them like any other resources you deemed important:
NIST documents (almost NIST have SP for every single domain on the CISSP) but here are the ones I think important:
-SP 800-34 Rev. 1
Contingency Planning Guide for Federal Information Systems
Technical Guide to Information Security Testing and Assessment
-SP 800-88 rev1
Guidelines for Media Sanitization
-SP 800-64 Rev. 2
Security Considerations in the System Development Life Cycle
OWASP Top-10 project.
-SANS archived webinar (related to the CISSP) and many more.
Click here for "CISSP-Related NIST Documents"
Regarding the NIST SPs in specific, numerous sources have cited that these are the closest to what you’ll see on the real thing in regards of the language, topic coverage and such.
NIST is major contributor when it comes to the CISSP contents, although ISC2 doesn’t cite this thing directly - you as a prudent CISSP should come to aggregate and infer this thing! Who else in the US feeds the global cyber community with such high level standardization and publications free of charge written by the elites on the field! NIST does!
These publications shouldn’t be ignored at all, practice your due diligence as a potential CISSP and go get them, but at the same time don’t totally abandon your main resources (Sybex, AIO, etc...), these are - by definition - the core resources while the others are supplementary resources.
Good luck in your journey. I’ll be more than happy to reach out with you any time for any support - just ping me and I’ll be there when I have time.
Wala - CISSP (provisionally passed)