I was told by an industry professional that I was in a good place to start with the CISSP. Fresh out of Security+ certification, I have been surprised by how much my approach has needed to change to accommodate the differences in style and material.
The exams each have a stated purpose.
According to CompTIA, “Security+ focuses on practical, hands-on skills to tackle real-world challenges”. The next step for many would be CySA+, which “…validates a tech professional’s expertise in incident response and vulnerability management processes…”.
ISC2 is notably different. They state that CISSP is intended to validate a security professional’s “…abilities to lead an organization’s information security program.”
You could argue the difference is between training to be a soccer player and training to be a soccer coach. So naturally, the drills and skills are different, even when the sport is the same.
Studying for Security+: Listen & Write, Review, Apply.
My very excellent networking teacher at college many years ago introduced me to the work of the equally excellent Professor Messer. I have used his videos to study for the A+, Network+, and Security+, and passed them all, although I am currently only Security+ certified. Videos like his are, to me, the most effective resource for studying material broadly rather than in depth; they provide information, sources for further research, and exceptions in a succinct and memorable way. Part of the formula is that I find taking notes from audio an excellent way to retain information. Since Security+ focuses heavily on functional knowledge, like understanding the security mechanisms that mesh with operational concerns, and validating the need for everyday security, it is well suited to that broad type of review.
Although Prof. Messer does not go beyond Security+, I am using similar coursework as I review and study for Linux+ and CySA+, and I feel those differences keenly. Already a fairly proficient Linux user, I am finding video review and notetaking an excellent resource in preparing for Linux+. However, even reaching the level of CySA+, I am beginning to feel the inadequacy of video review. Many of my notes end up with stars and caveats, more things to look up and projects to bring to the lab to cement knowledge.
Studying for CISSP/ISC2 Associate: Read, Review, Apply, Revise.
In contrast, I am currently using the ISC2 Official Study Guide for CISSP, by Mike Chapple, James Michael Stewart, and Darril Gibson.
It is excellently written, and also beautifully suited for the task it sets out to do. It is powerfully in-depth, and a wonderful companion to the practical experience that is built into the guidelines for CISSP. Well organized, documenting exam objectives, and building upon itself, it grows from information familiar to any Security+ graduate to Diffie-Hellman algorithms, security models, and the weeds of implementations. Flashcards and labs confirm your learning as you build a strong foundation.
However, it’s extremely clear that each step is only a foundation. It’s a wonderfully formatted text, but it absolutely emphasises that the only way out is through. No overview would cut it.
So as I go through, I am adopting the aforementioned procedure:
- Read on a subject.
- Review the subject with provided flashcards or written labs.
- Apply (when possible) in labs or projects.
- Revise again, and make note of places where I lack understanding or nuance.
And move on to the next. I'm not very far, but I am feeling confident with what I have learned.
Testing and what’s next
Wanting to understand rather than simply pass, I am taking my time. In the meantime, I am casually moving through coursework for both Linux+ and CySA+, open to taking either or both as opportunity presents itself. As always, I am looking forward to learning.