top of page

Stories of a CISSP: New CISSP Exam Updates



To my dear children reading this 30 years from now: this is a story of a life your father had a long time ago in a profession known as an "information security professional". It very well may have been the catalyst that has led you achieve all the great things you are doing right now.


Imagine you are studying for your CISSP exam since December 2020. You went through all the books, thousands of practice questions, spent hours of your day just preparing as perfectly as you can for your exam date on May 3, 2021. Then on March 2021, you hear that the CISSP exam syllabus is going to change and add new topics! Now you have to deal with these questions:

  • Should I hurry up and take the exam before May 2021? I really don't want to study new material all over again! I've put in too much time into this already!!

  • Will my books still be valid after May 2021? Or do I have to get the new books? I already spent so much money...

  • What are the new topics and how much of a change is there going to be?

The answers to all these questions can be found here, but these questions can eat up the life of a future CISSP who wants nothing but to just pass this exam and get it over with! Exam updates add an additional level of uncertainty, on top of living through a pandemic and shaky job market!


On May 1, 2021 the new CISSP exam syllabus and domain update took effect, as it does every three years. It was a tumultuous time for this CISSP instructor because I knew people were depending on me to provide answers to not only all the questions above, but also videos and practice questions on the new content! In this article you will find the following topics:


  • Creating hours of 2021 CISSP exam updated topic content

  • How I accrued over 35 CPEs in 4 months

  • Timing my COVID vaccine

  • Hand cramping and headaches


While everything didn't turn out as dire as I predicted, by putting enormous pressure on myself to create new content around the new topics and all that life threw at me, I learned a lot about myself - a lot about my discipline and focus - two things I first learned to manage while studying for the CISSP exam itself. 7 years of a being a CISSP, I am now more confident than ever that whatever life throws at me, I can handle it. And if other people close to me need help or just anyone else who needs help to pass their CISSP exam, I'll handle their problems too. No external forces will decide my path in life, I am full control of my fate.


The same is true for anyone reading this right now.


January 2021 - Patience

I knew the (ISC)2 would be making an announcement soon about the new CISSP exam topics because they usually do few months prior to the actual change. I thought about just guessing what the new topics could be, what new technologies or security measures have been prevalent the last few years?


Was mobile security still a big concern? Is the security of APIs and IoT still testable? Was IPSec and remote access security more important now than ever during a pandemic? What about the growing threat of ransomware? Was Industrial Control Systems going to be a new topic?


I didn't want to start guessing what new topics would come out, so I just focused on existing content for Study Notes and Theory i.e. basic network security, cryptography, how to think like a manager videos, risk management. I had more than enough work to do already!


For now, I just had to be patient! But I knew I had to prepare myself mentally to begin a 2-3 months hustle and grind. The future CISSPs of the world would be inquiring eagerly if Study Notes and Theory would have content on the newly updated CISSP topics, and I did NOT want to say "no" and let them down! The CISSP changes lives and I wasn't about to be the one to delay that for anyone!


February 2021 - CPE Credits

Due to the pandemic my company was no longer able to send us to 40-hour training seminars which easily netted a quick 40-CPE credits. I had to get 35 CPEs by May 1, 2021 - exactly when the new CISSP exam updates were going into effect. Great timing on my part...shouldn't have been lazy about progressively accumulating my CPEs!


I had to do a thorough risk analysis. Should I pay for a 5-day training session on my own, thousands of dollars? Should I just hunker down and do free courses and attend seminars that offered 1 or 2 CPE credits? What would happen if I let my CPE credits lapse? ::shudder:: I didn't even want to think about that!


The results of the analysis let me know that it is more efficient in the long-term to focus most of my energy on completing my CPEs right now, whatever the cost! Everything I do depends on maintaining my CISSP certification: being a CISSP instructor, a network security engineer, and overall security professional. If I lose my CISSP certification, then all is for naught and I'd have to take that awful exam again!


A Review of (ISC)2 Courses With Their CPE Credits

To gain the necessary CPEs and before spending a ton of money on training, I remembered that the (ISC)2 offered their own immersive training and other avenues to earn CPE credits through their Members Portal. Most of the courses offered 1-2 CPE credits and required listening to a lecture, watching interactive videos, and then taking a test at the end. Simple enough! But I needed a lot of CPEs really fast, so I looked for the courses that offered 4- 7 credits. These were the following ones I took:


GDPR for Security Professionals: A Framework for Success - 8 Credits, Group A

This was a GREAT course by the (ISC)2 on the main points of the GDPR. It took about 3 days to complete because it was a lot of information to absorb and the quizzes at the end were brutal! Some of the issues were related to the interface, but for the most part you really had to have learned a lot in the previous modules! Tough, tough course! Great job to the (ISC)2 on this one, I learned a LOT about the GDPR and picked up 8 easy CPE credits!


Responding to a Breach - 5 Credits, Group A

This was really good because it went over a lot about the manager's perspective! A breach isn't just a computer with data that can't be used anymore, the security professional has to think about company reputation, incident response, handling the media, and reevaluating current security controls and awareness training.


CISO's Guide to Success - 4 Credits, Group A

The part I liked most about this course was the host! He was knowledgeable, realistic, and provided a holistic process-oriented view of what it takes to be a successful CISO. The most notable part of the course was what the CISO had to do at the very beginning: take inventory of what resources and processes are important to the organization, and then allocate time, money, and resources to those functions and processes appropriately.



Assessing Application Security - 4 Credits, Group A

The idea of threat modeling or even how to prepare for it was always a bit confusing, but this course did a good job to clear it up! It's just an overall and clean way to really understand some core software development security concepts.


Cloud Basics - 4 Credits, Group A

It's not going to help you ace the CCSP exam, but it will go over the basics of cloud computing, the roles and responsibilities involved, and methods to determine what type of cloud model and service is best for your organization. Also has some good information on Cloud Access Security Broker (a new CISSP exam topics) !



A Security Professional's Guide to AI - 2 Credits, Group A

It feels terrible to say, but I barely remember anything about this course! It was a lot about big data, analytics, and things about structure data in relational databases. It was heavy on database constructs - not exactly something really exciting for me! Also, since it was just 2 credits, I probably just wanted to fly through it and get it over with.



Building a High-Performing Cybersecurity Team - 5 Credits, Group A

This course had it all as far as getting heavy insight into the "administrative" security controls category! Employee background checks, resume verification, team-building, collaboration built around the business functions, and most important of all: following a process. This course will just make you feel good and ready to take your teamwork to the next level and show them how a CISSP really gets things done!



Finished Reading "The Imitation Game" - 5 Credits, Group A

You can also read books and write a quick 250-word summary, it counts for 5 CPE credits. For this, I chose Alan Turing: The Enigma !


To write a 250-page summary about the Alan Turing book does not do it justice. I finished half the book and put it down as I got busy, but raced to finish it once again for the CPE credits. While the actual machine to break the German codes was called Enigma, I think the real enigma was Turing himself. The book sets you up from his childhood beginnings where he deals with both bullying and his devotion to mathematics. He was figuring out equations and theorems at an early age and trying to go against top mathematicians at a young age, this is how legends are made! All his work earns him the road to join the ranks of the code breakers at Bletchley Park, and the rest is history! Just to put it into perspective, if you are reading this on a desktop, laptop, or cell phone right now, Alan Turing made it possible!


Now I had chosen all the courses I was going to take, the book I was going to read, and pressed on to make sure all the above got done before May 1st, 2021!



March 2021 - Announcement of Upcoming Changes + COVID-19 Vaccine

Finally around early March the new syllabus was released! And the flood of emails to my inbox, to my Facebook direct messages, Instagram messages, LinkedIn requests, Twitter DMs, and public posts to the Study Notes and Theory Facebook group started coming in by the droves! Literally at least 50 people a day asking me these same questions:

  • What are the new CISSP exam topics?

  • Do we have to wait until we buy the new books or are the old books enough?

  • Will your portal be updated with the new content?

It got to the point that I had to just start copying and pasting responses I gave to others! It felt truly disingenuous at first, but I promise it was for time management!


I had my work cut out for me! I had to make videos, practice questions, and flashcards on the following new topics before May 1, 2021:

  • Investigation Types

  • Kerberos Exploitation

  • Li-fi

  • Just-In-Time Access

  • Breach Attack Simulation

  • User and Entity Behavior Analytics

  • Security Orchestration, Automation, and Response

These weren't all the new topics, but I felt these are the ones that needed the most attention as they truly were new things to know. I had my work cut out for me! My plan was to do a cross-domain correlation video about how the topic of "asset security" would apply to all these new topics. Cross-domain correlation is a CISSP study technique I created in which you take a single topic from one domain, and then see how it relates to topics in the other domains. It really is a great way to see the bigger picture and look at security at a truly high-level concept! You can see an example of it on one of my YouTube videos by clicking here.


I spent most of March extensively researching all of the above topics. The technical aspects, the high-level, the businesses they support, real-life examples, and the security concepts they follow along with whether they uphold confidentiality, integrity, or availability.


The month of March 2021 was just for research. I would use all of April to make sure the videos are recorded, edited, and ready to go! Did I mention I also had to create over a hundred practice questions and flashcards? Once again, I had to call on my old friend, the one that helped me get work done, the one that gave me a lot more time in the day, and that friend is known as: 5 a.m.


It was also during the middle of March that I received an email from the CDC stating that I was eligible to get the vaccine. I've taken vaccines all my life due to all the international travel and it was nothing new, no reason to worry or be hesitant. I don't worry about the efficacy or risk to the vaccine because people 100x smarter than me with many more meaningful letters after their name have already done their due diligence. What I did worry about, was that if the side effects were severe, it would delay the editing of the new CISSP videos!


Should I risk foregoing the vaccine and finish up the videos? Or take the vaccine and risk feeling tired and fatigued and causing a delay to the videos? I once again did a full risk analysis.


I remember that there is one thing we have to value above all else when it comes to CISSP concepts: that human life is the #1 priority. I used this measure of the CISSP to go get my 1st shot of the vaccine. Things went fine! No reaction, no side effects!


But I just never thought that I'd be so dedicated to such a thing like the CISSP that I would even think twice about not getting a vaccine for a virus that caused a global pandemic! This was a vaccine that millions around the world did not have access to and desperately sought to get it, and here I was debating whether to get it or not! I'm not quite sure when, but this was also around the time that massive numbers of the population of India were dying from COVID-19! Just some of the most saddening news to see every day. I decided never to even make that decision again, and always put human safety first. Also, JAI HIND!


With all this going on, I was still plugging away at the CPE courses and creating more content on new CISSP topics, managing multiple social media accounts, and be a family man to two kids. But it was okay! I woke up at 5 a.m. every day and got it done. Waking up at 5 a.m. is like a cheat code that you can enter to give yourself more time in the day.


At this point I had written about 50 pages of script for the CISSP videos, with long hours of my day going into researching the new topics.


April 2021 - Health Issues

While I was in denial at first, I slowly came to the realization that my hand was cramping at this point like I was a professional piano player who kept playing even after everybody had left. This was in part due to:


  • Replying to 50 emails a day

  • Writing scripts for new content videos

  • Updating social media

  • Troubleshooting multiple firewalls concurrently and doing packet captures at my professional job

At the same time, I was getting a lot of headaches, and needing to take afternoon naps. I thought some Tylenol would help it out but it continued for over a month! I went to the doctor and was ready for the worst: an MRI or cat scan. But the doctor, an elderly South Asian man, looked at me asked "Do you work with computers?"


I laughed and said "Yes, quite a bit."


"People like us, a lot of South Asians, due to our skin color we need Vitamin D. Your blood test is going to confirm, but I believe you are low in Vitamin D. I will write you a prescription for it."


He was exactly right! Not even one day after taking the Vitamin D prescription did my headaches start to subside. I guess with being inside the house and in front of the computer, I was lacking in an essential vitamin! This was a year ago, I have since taken up tennis and am now constantly getting good ol' sunshine!


May 2021 - Anniversary

I finished all my CISSP videos and editing around April 26th, earlier than expected. I finished submitting all my CPEs. I finished some various small things that needed to done. I finished everything I said I was going to do.


Was there a rush of people subscribing go the Members Portal because I had content on all the updates? No.


Did I really have to put myself through so much work day and night to get all the content out? No.


Was it worth it? Always. Every bit of CISSP content created helps, whether it is for beginners or those with advanced knowledge.


It was around this time and I also glanced up at my wall at my framed CISSP certification and noticed the "Certified Since" date: May 1, 20xx.


Maybe my conscience was missing the rush of the CISSP exam and wanted to once again go through what it feels like to have an important impending date that may decide my destiny, and see how it feels to put in all the work to have a successful outcome.


From 2016-2019 I have put in 80-hour work weeks, dealing first with my professional job as a network security engineer, and then coming home to continue the CISSP work. If you stuck with me through this blog post and this platform, thank you. I will always make sure to provide new CISSP content no matter how tired, frustrated, or busy I am - you deserve that.


Thank you for reading an example of how I spend my time in my own CISSP-built mental asylum! But let's not go around telling everyone Luke Ahmed is a crazy person though, that's just between you and me.


CISSP Take-Away Concepts


Domain 1: Security and Risk Management

  • CISSP Code of Ethics: Advance and Protect the Profession

Comments


119159849_10158061653118813_5314694876572739015_n.jpg
bottom of page