top of page

How To Improve Your Weakest CISSP Domain

The Problem

You have worked in risk, project management, software development, or a security analyst role. You have no idea about networking, subnetting, firewalls, VPNs, or the OSI Model. Network security has just never been part of your role. But now suddenly you're taking the CISSP exam and you have to learn about network security. It's making you nervous....especially since Domain 4 is a huge part of the exam, and also the longest chapter in the CISSP study guides.

It is a rare thing for anyone to have experience in all 8 domains of the CISSP Common Body of Knowledge. Someone who is a technical person may not have had any experience as a software developer. A software developer may not have had any experience in physical security. And someone in physical security may never had any experience in information security risk management at the senior level. But all these individuals are going to take the CISSP exam where they are expected to know about all the other domains in which they have not worked.

What is the best way to effectively study CISSP topics in which we have zero experience?

Self-driven external research.

The Solution

Let's say you don't have any experience with one of the topics you have to know for the CISSP exam: virtual private networks, VPNs.

You start reading your Sybex 8th Edition book and it states:

"A virtual private network (VPN) is a communication tunnel that provides point-to-point transmission of both authentication and data traffic over an intermediary untrusted network."

As a network security engineer who works with firewalls all day, this makes perfect sense to me, it's an accurate high-level explanation of a VPN. But if I knew nothing about VPNs, and was just left even more confused by this definition in the book, it's time to take action. And this is how it starts:

Take a look at the first 10 search results and you should get a better idea of exactly what a VPN is and what it does for us in terms of securing our data in motion. The web links are not associated with your CISSP books, they are not there to help you study for the CISSP exam, and they are going to explain it with terms which are not in your study guides. Regardless, this is exactly the type of exposure and self-driven external research which is required if you want to learn about something for which you have no idea.

Don't restrict yourself to the CISSP study guides. Here is a cold trust about the CISSP exam: it includes questions and choices using terms and vocabulary which are not found in ANY of your CISSP study guide books. The books and practice questions are just meant to help you understand the concepts at a high-level. The exam itself exists to test you on the ability to apply these concepts. This isn't the Security+ or CCNA exam, what you study isn't what you get...the CISSP exam is a different type of exam.

Now suppose you figured out and understood what exactly a VPN does, next you want to find out how it works.

You go back to your Sybex book and it states:

"A VPN link can be established over any other network communication connection. This could be a typical LAN cable connection, a wireless LAN connection, a remote access dial-up connection, a WAN link, or even a client using an Internet connection for access to an office LAN."

Even I'm a little confused by this definition and I work with VPNs everyday. But I have a little bit more insight into how VPNs work through experience, so I know how to narrow my external research.

Since VPNs are commonly created between firewalls, I want to now see how they are setup on different types of firewall vendors. This is going to give me the BEST idea on how they work, how they are setup, and what all goes into creating them:

The search results will yield multiple videos and articles on how VPNs are setup on a Checkpoint firewall. You can even change the firewall vendor from "Checkpoint" to "Palo Alto" or "Cisco" or "Fortigate"- these are all popular firewalls.

I'd go as far as reading the admin guides if necessary.

Some of these videos and articles can get really technical, but that's the point of all this: to give you that real life experience which you do not have. The greatest way to obtain the real life experience you need in an unfamiliar domain is to read about how things are done in that domain beyond the CISSP books.

By now, if you've read about VPNs, then you will have also learned about firewalls in the process. You didn't have any real life or direct security experience with VPNs before, but by consulting external sources, you will now have the knowledge, or at least better insight than before.

The search results used in the above two examples are the same search results I use at my professional job in order to learn about VPNs. So what you're doing is reading the same things a technical person would read in order to better do their job. You may not understand it to the point of a technical person, but at least you have a better idea of the implementation. Instead of having no clue about VPNs and how they work, at least you have more than you did before.

And the only way to do it is through self-driven external research.

Now I will say, in order to understand how VPNs apply CISSP concepts like authentication, confidentiality, integrity, and securing data in motion, then the study guide books are just fine. If you want to go beyond the books, then external research is required.


The above process is tedious, time-consuming, and can be frustrating. But security isn't for those who need constant motivation, you need to wake up in the morning and want to do this thing. All this extra preparation, sleepless nights, and constant studying for the CISSP exam is just getting you prepared to face the reality of what it is like to be in the security profession.

My weakest domain was Domain 8: Software Development Security because I had zero experience in programming. Frankly, I didn't want to learn it either, coding just isn't for me. But in order to pass the exam, these were some of the search terms I plugged into Google when I did my own self-driven external research:

Domain 8 External Research

  • "components of a relational database"

  • "software development model used by microsoft"

  • "real life demonstration of cross-site scripting attack"

  • "do we always need a primary key and foreign key?"

  • "technical breakdown of different types of malware"

And here are some other examples of what to search for in the other domains which go beyond the books:

Domain 1 External Research

  • "how breached companies deal with risk"

  • "what if a company doesn't have a security program"

  • "what is my job as senior management in security"

  • "companies which use zachman framework"

  • "sample acceptable use policy"

  • "NIST business continuity"

Domain 2 External Research

  • "what are corporate classification levels"

  • "how secret is "top secret""

  • "does a ciso report to the ceo"

  • "examples of data owners"

  • "asset protection best practices"

Domain 3 External Research

  • "how does a computer CPU work"

  • "different types of computer memory"

  • "ram rom sdram cache memory differences"

  • "operating system vs security kernel"

  • "cryptography explained in simple terms"

  • "can you use biba and bell-lapadula at the same time"

Domain 4 External Research

  • "elements of basic network security"

  • "how to design a secure network"

  • "devices and protocols in the OSI model layers"

  • "benefits of fiber optic cables"

  • "tcp vs udp vs icmp"

  • "how to troubleshoot network connectivity over the internet"

Domain 5 External Research

  • "technical breakdown of kerberos"

  • "what is a race condition in information security"

  • "stronger iris or retina scan"

  • "types of biometrics and weaknesses"

  • "oauth vs saml vs openid with examples"

  • "what does it mean for tacacs+ to separate authentication and authorization"

Domain 6 External Research

  • "how to perform penetration testing"

  • "tools used by pen testers"

  • "NIST vulnerability"

  • "how security awareness can help a company"

Domain 7 External Research

  • "soc 1 soc 2 soc 3"

  • "physical security NIST"

  • "how mantraps work"

  • "the world's most secure data center"

  • "how to pick a lock"

  • "internet of things compromises"

There has never been a better time to pass your CISSP exam than now. There are a ton of organizations and websites providing their resources including Study Notes and Theory

And it's not just the CISSP, it's everything. There is more information on the planet right now in this point of time than ever before in history.

Our members portal has videos, practice questions, flashcards, PDF notes, and a private Telegram group to help you go beyond the topics in the books. More information along with free previews of the member's content can be found here:


bottom of page