Tuesday, March 26, 2024

My own path to CISSP: Embracing a Management Mindset

    During the last 10 months, I’ve been working on getting CISSP certified. It started as a natural first step after passing the CCIE and the Microsoft Cybersecurity Architect exams. I wanted to go after a management certification, which was not tied to a specific vendor. Initially, I considered the Certified Ethical Hacker (CEH) certification, but given my current management role, CISSP sounded like a better choice.

Fig.1 The CISSP confirmation mail

How did I get here?

    CISSP is considered to be one of the most respected security certifications in the industry. The first time I heard about it was while working on a project at Societe Generale in Albania about 12 years ago, where the CISO had these thick books on his table, similar to the ones I was used to from the Cisco world. Back then I was 100% Cisco-minded, so that wasn’t tempting for me. As mentioned, it was 10 months ago that I really got on track.

Fig.2 My first LinkedIn Post about CISSP

    Right after making up my mind that this was the right way to go, I purchased the official certification guide along with several Udemy courses taught by Thor Pedersen. This was a no-brainer, as everyone suggested starting with those resources.

    In addition, I’ve spent a lot of time developing our own compliance services, focusing on NIS-2, to assist critical infrastructure customers in Denmark in protecting themselves from cyber threats.

    Whenever I’ve found something interesting in the book, I’ve shared posts on my own blog or LinkedIn. You can find some of them at the end of this post.

    Since CCIE took a lot of my free time, which I would otherwise have dedicated to my family, I decided to follow a different approach this time. I used any “spare” time when I wasn’t doing anything with them. This was mainly watching Udemy videos while preparing dinner, and reading the certification guide before bed instead of browsing 9gag. There have also been a lot of deviations from the standard, like using the time at the hospital, while we were expecting our second child, to read about 300 pages of the official certification guide, or reading several pages while sitting in the VIP lounge at home. 😉

Which resources did I use?

The primary resources for my preparation were:

  • Udemy CISSP videos from Thor Pedersen. He is the go-to trainer when we talk about CISSP. He has the largest pool of students and the highest rating.
  • (ISC)2 Certified Information Systems Security Professional (CISSP) Official Study Guide, 9th Edition
  • There are many different standards you can read, but I focused mainly on CIS v8, NIST, IEC 62443 and the upcoming NIS-2.

    Besides these resources, I have a lot of background knowledge from the previous Microsoft Cybersecurity Architect exam as well as all kinds of different Cisco certifications I’ve been through over the years, which proved to be very beneficial on the exam.

How was the exam?

    If I had to say it in one word, I would say confusing. Nothing compared to CCIE in terms of difficulty, but it still required a lot of focus when reading the questions. Many of them had several correct answers, requiring the selection of the most appropriate one. What worked for me was to “Think like a Manager”. This is one of the main reasons why I wanted to do CISSP in the first place: to shift my mindset from technical solutions to strategy, design and governance. In other words, moving towards a helicopter view and focusing on what would benefit the business, instead of picking the right technical solution.

    There was a ridiculous number of questions, which I went through in 3 hours, with very few of them where I was 100% certain I had provided the correct answer. I was kind of surprised when I saw the mentor smiling, after those mixed feelings while going through the exam. Then I looked at the paper, and it said “Congratulations”…

Why should you take the CISSP exam?

Here are some of the most important benefits according to me:

  • Changing your mindset from a technician to a manager
  • Absorbing a large number of security topics in a short amount of time
  • Linking the technical solutions to the risk they address
  • Learning about physical security

Conclusions

    CISSP has been a great training that has helped me change my mindset from technician to manager, as well as build our own compliance services. Going through such a large pool of subjects makes you understand how broad the security field is. CISSP may not be suitable as a first cybersecurity certification due to its high-level content and the requirement for at least five years of documented experience. You can find more relevant training courses from Cisco and Microsoft in the references below.

References:

My own posts related to CISSP:

Shared Responsibility Model: #cissp and pizza ~ Ibrahim Ramku - Blog

The evolution of switches ~ Ibrahim Ramku - Blog

Cryptography Post

CISSP Training materials:

Thor Pedersen - Udemy

CISSP Official Study Guide - 9th edition

Start your career in cybersecurity with these training courses:

Cisco - Intro to CyberSecurity

MS - Cybersecurity Fundamentals

Different standards:

CIS v8

NIST

NIS-2

ISA/IEC 62443