PASSED 8/6 - Experience does count.
This is a post for the people who are lurking here like I did who read the posts about books and tests and said, "I can't do this. I don't have time. I have a job, I have a family, I can't do this for 2-4-6 months prior" and who have a chunk of prior experience in the domains. Yes, you can.
So, in order to keep with the format:
Materials I used:
Trainingcamp Bootcamp (you get a big CBK book and a trainingcamp book of slides and a login to their site that has some powerpoint and videos) that went from M-F and then a review and the test on Saturday. 8/10. Your instructor will make or break this - ours was wonderful. Personally, I think that materials he was forced to use (both of the books) could have been better formatted and presented by the people who created the books. He did a great job with what he had, giving us a VERY comprehensive review.
New CISSP Sybex questions. 5/10. I got these on Friday, the last day of the camp and I didn't go through the exams in the book, but I did scan the questions on the domains where I was feeling the most unsure. While I recommend this book for knowing what your overall knowledge of the "how" of the domains is, if I had only used this and the bootcamp materials for the exam and had no prior experience I would have been ill-prepared.
Materials I had but did not use:
- Shon Harris - her last 10 domain book. Back in 2015 when I was kicking around doing this, I read a bit on cryptography from it, liked it and life got in the way. My goal is still to absorb it a bit at a time, sometime when I have free time.
- The official CISSP big green book.
- Any online tests.
So - now my thoughts on all this.
People say the test is for managers, this isn't for managers, this was technical, this wasn't technical. It all depends on personal experience and I feel those are very subjective statements if you don't know where they are coming from.
FOR ME: "Think like a manager" was very useful, but I would add to that: Think like a manager who has managed network engineers, sysadmins, forensic investigators, ethical hackers, programmers, project managers, BCP/DR professionals and auditors, and who can have discussions with them at the break tables. Where they do most of the talking, but you aren't thinking, "What the HECK are they saying, I just want to go back to my office." Think like that and you'll do well.
But, your hash length may vary.
Where does my extremely subjective opinion come from? I've been in IT since the mid 1990s, but I worked on computers since the late 1980s. I've worked in everything from helpdesk to network engineering/administrator to systems engineering/administration to web design to BCP/DR and IRP to "cybersecurity" to IT/IS compliance in a highly regulated field. I've worked on a huge variety of *nix environments, Windows from 95 on up and Mac from OS 6 on up. I've been lucky, it was easier to wrap your arms around this earlier when everything was, well, smaller.
After a chunk of my super-technical jobs came a lot of management. Small supervisory things to a lot higher.
Okay, so after all that, why is that important?
Just saying, "I've managed IT helpdesk, I'll think like a manager" isn't going to get you as far as you hope. You DO need to know the domains in one way or another.
Look through the 8 domains in a book. Now look through some of the headers under them - can you recognize the majority of them? Can you talk about them for more than 5 minutes? Yes? I'd say you are well on your way. No? Start brushing up on them. Now, I'm not talking about memorizing every port number or being able to diagram a hybrid environment with eight VLANs, two DMZs, HIDS/NIDS, three firewalls and federating an overseas network in and then doing a comprehensive list of all the security access problems.
But, could you know the basics of the security problems of what was above and know what and how to prioritize them? If you saw that diagram, could you tell your engineers and administrators, "Nuh uh, we need to look at how that segmentation is going to work" or "That looks good, but tell me about how you've set up those rules on that firewall and why exactly is it placed there?" or after you get some SIEM reports have some justifiable indignation in your voice and say, "What the heck is going on that's causing these logs to be clipped?" and then run and stare sadly at a policy? What about looking at a risk assessment or configuration change request and being able to shake your head sadly, muttering, "No, this isn't comprehensive enough, you've missed these threat vectors..." and then proceed to have a long discussion with a security analyst.
Now, pass that along to each area in each domain.
I hoped that the CISSP was, and still feel that it is, a way to show the best processes for each of the domains. However, to understand the processes and procedures and the why, you have to know a bit about the how, or it is just straight memorization and not understanding. That's why studying can be a huge part if you have a cone (or cones) of specialization and need to get that inch deep in other areas.
- Can you do intensive studying and pass this because you've gotten a bit of the how and then can absorb the why? Yes.
- If you know the how, is it a heck of a lot less to see the why? Oh yes.
- If you've only worked on the why and aren't really sure of the how? Brush up on the how - know enough of the how that you can justify the why beyond "laws, policies, business and zomg I'm the manager, just do it" - enough so you could get a technical person who was not a specialist in that field to agree with you.
- If you've worked on the how and the why I would say you will do well - just make sure you know the how and the why of each domain.
My 2c, again, your hash length may vary, and take it with a pinch of salt.