Read? Watch Videos? Or Practice CISSP?
"Should I read the books and then watch the videos?"
"Should I watch videos after I read each CISSP domain?"
"When should I take practice questions? After reading the entire book, watching the videos, or after reading each domain?"
These are a combination of some of the common questions I get when a CISSP aspirant is just starting out their studies and wants a solid study plan.
The official answer is that there is no official answer; it all depends on your own style.
But if anyone needs an absolute answer, here are some suggested strategies:
Strategy 1 - Read a Domain, Watch a Video, Practice Questions
When I was studying for the exam, those thick CISSP books were really intimidating and looked like something I could never possibly finish. Just the Shon Harris 7th Edition book was the combined size of all the fiction books I read over the summer. Before seriously trying to read the book, I just skimmed through it, familiarizing myself with the basic flow and terminology.
There were some pictures, at least that made it slightly comforting. But that font was still pretty small, which was not so comforting. This was going to take a while and I found myself continuously exhaling deep sighs thinking I'd never overcome this challenge. I'd flip through a few pages, then flip through larger sections of pages, and then finally entire chunks of pages, but the book still had more than half left to finish!
After being totally done just flirting with the book, I started Domain 1: Security and Risk Management. I started reading about the differences between risk, vulnerabilities, threats and exploits. These were easy to digest; I could understand the basic message, so this was no problem.
But I was totally at a loss when it came to terms like annualized loss expectancy (ALE), annual rate of occurrence (ARO) and return on investment (ROI). Then I realized I was expected to take the formulas for these calculations and actually do some math! I was totally demoralized at this point. I didn't expect to do any math on the CISSP exam.
So I made a note to come back to it, or at least learn more about it later. Right after I finished Domain 1, there were some practice questions at the end of the chapter. I knew I wasn't ready for these; I had just kind of skimmed through the chapter, to be honest. I was reading to read, not reading to understand. I was reading to get the chapter over with so I could feel some kind of false accomplishment. Personally, I knew I was not ready for these practice questions yet.
For the next few hours and days, I watched nothing but videos on how to calculate ALE, SLE, and ARO. Video after video of another person breaking down how to do these calculations and what the variables really mean. Videos created not only by CISSP instructors, but by accountants, CPAs, or those working directly in risk management. The videos made it easier to correlate what was written in the book. They not only expanded on the topic but also provided a new perspective and fresh insight; this is a key element in your CISSP studies.
I used this technique for any other topic I did not understand, not only in Domain 1, but in every other domain. It's really important to build the discipline to self-study and look at external resources for the CISSP exam. Maybe you have over 15 years' experience in direct security jobs and don't need to do this, but for those who may not, external research is essential.
Going back to the practice questions at the end of Domain 1, I didn't do well, but at least I wasn't clueless about what to do if there was a question which asked me to calculate the annualized loss expectancy. Or about information classification levels, the Bell-LaPadula model or IPSec. By reading the sections in the book and watching the associated videos about the same topic, my knowledge doubled.
I read the books to get familiar, watched the videos to understand the concept and to get a different perspective, and then used the practice questions to prove whether I had learned anything at all.
This is the strategy that I used in order to be totally immersed in the CISSP material. It is the same strategy I use today when trying to understand complex firewall operations for my job. I can read about implementing a Check Point site-to-site VPN in the technical manuals, but it really took watching videos to know which buttons to press and make things work.
Strategy 2 - Watch Videos, Read the Book, Practice Questions
This strategy may work best for those who are visual learners. Watching something first to see how it works can make reading the textbooks a bit easier. If you can't picture how the books describe the different components of the OSI Model (and really, who can?), then a video will provide the exact clarification you're looking for. There are a TON of OSI Model videos on YouTube, from those just starting out in networking to those preparing for their CCIE Security certification. I made one too, here:
Quick Breakdown of OSI Model
If you don't understand the difference between a worm, virus, Trojan, or rootkit, then the Internet has thousands of videos on each or all of them. Some show you the actual code used to reverse engineer them, while others show you cutesy animations using well-rendered 3D graphics. It's all out there visually for you to view if the books aren't doing it for you. It's almost like watching the video is the fun part of studying, but then the actual homework is making sure you read the book to learn what the CISSP wants you to know.
Because remember, all those videos may not be CISSP-focused; they may be focused only on network security or malware topics. Understanding a topic by watching videos is great, but making sure to read the CISSP books afterwards is what actually prepares you for what to expect on the exam.
Just wanted to say, make no mistake: watching only CISSP videos is not the best way to prepare for the exam. Reading is extremely important. Reading reveals the deep concepts hidden within the texts of the books and compounds the basic understanding of the topic. I go over the importance of reading here:
Reading helps to nail down the concepts which you need to learn in order to apply them during the actual exam. I work a lot with firewalls, so my daily reading is mostly technical manuals for Check Point, Cisco, or Palo Alto. Each of these firewalls has different ways of implementing policies, NAT, VPNs, etc.
The thing is, with the CISSP especially, if you know the concept of NAT, then you can apply it on any firewall. If you know the concept of a VPN, you can configure it on any firewall. That's the beauty of concepts: they don't change. The other thing I read is about the latest breaches within organizations, like the recent Marriott breach. I learned how the attack happened, what the attack vector was, what control failed or wasn't implemented, and what the company will do to make sure it doesn't happen again. Reading this in turn gives you the necessary clairvoyance into what the CISSP content talks about; it is easily relatable. It is especially helpful when you're studying for the exam, since it gives you real-life experience if you lack it.
No matter what strategy you pick, there is just one other thing to do: repeat it all over again.
After you've read the book and watched the videos, read the book again and then watch the videos again.
After you've watched the videos and read the books, watch the videos and read the books again. If you have the Sybex, read it three times cover to cover. If you have the Shon Harris, reading it once cover to cover is good enough, and you can skim or reference it the rest of the time.
All the books have different information even in the same domain. The best way is to read all those books one after another or concurrently. Yes, it is going to take a lot of time management, dedication, and self-discipline - but that's what the CISSP exam is all about.
Which books do you have now? If you need a list of books, here is one:
As for practice questions, always do them, as many as you can and as often as you can. When you're about 2-3 months away from your exam, 50% of your studies should be reading and 50% should be doing practice questions.
Your reading should be linked to the practice exam questions you get wrong. If you didn't know what the Tranquility Principle is, it's time to read up on the Identity and Access Management domain. If you didn't know some elements of PKI, then it's time to hit up the Security Engineering domain. The same goes if you have any doubts about IPSec, AH, and ESP: hit Domain 4, Network Security. Any topic you find you do not fully know, focus right on that topic with books, videos, and practice questions until you get it.
Hope that helps, good luck, and may the Force be with you.