Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Articles

05:00 PM
Curtis Franklin Jr.
Curtis Franklin Jr.
Edge Articles

C-Level & Studying for the CISSP

One CTO tells us about his belated pursuit of a foundational infosecurity certification -- why he wanted it and what it took.

Why does an IT professional seek a certificate in IT security? For many, it's a way for junior and mid-career pros to advance their careers and improve their "personal brand." For others, it's a requirement of their existing job. So when a C-level IT industry executive — one without security in his job title — decided that he needed a cybersecurity certification, Dark Reading asked why.

(image by cirodelia, via Adobe Stock)
(image by cirodelia, via Adobe Stock)

Tim Titus is chief technology officer at PathSolutions. With a job title that seldom requires new certifications, he nevertheless decided to pursue a CISSP. The Certified Information Systems Security Professional (CISSP), a certification granted by the International Information System Security Certification Consortium (ISC)², is one of the major certificates employers use to determine whether someone is qualified in IT security. Along with Certified Ethical Hacker (CEH), Certified Information Security Manager (CISM), CompTIA Security+, and SANS GIAC Security Essentials (GSEC), the CISSPs' combination of experience and examination is intended to provide assurance that someone knows what they're doing when it comes to IT security.

The 'Why'
Titus acknowledges that most people who would volunteer to bury their noses in test prep guides until their vision prescription changes are doing so merely to improve their employment opportunities.

In his case, however, it was to improve his professional knowledge and to benefit his company. Staff (even C-level executives) who hold professional certifications are seen as more credible and authoritative than those who don't.

Why the CISSP instead of another certification program? Titus says that peers and friends in the industry told him the CISSP is respected as a broadly based certificate in the field. It doesn't focus, he says, on any one vendor or area of concern, requiring testing on eight different areas of interest for each candidate.

"The CISSP is about teaching you how to think about security," Titus says, and to think about it within the context of the eight CISSP security domains. Security and risk management, asset security, security architecture and engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security are the eight domains in which CISSP candidates will have to demonstrate knowledge before they pass the exam.

The Process
There are many different ways to prepare for the CISSP exam: self-study books and online courses, for example. Titus, however, went for a full emersion.

"I signed up for a boot camp, a $3,000 training camp, that was referred to me by one of the CISSPs I was friends with," he explains. The Monday to Saturday camp was, he says, a very high-quality experience.

Even before the bootcamp, though, Titus began working on the exam. He says that the bootcamp sent out their study material about six weeks before the actual camp; material that included the official (ISC)² study manual. Titus praises the quality of the material found in the manual and says that,

"I went out to Monterrey, got a hotel and I sat in the hotel for three days, effectively going cover to cover in that book," he says. The ability to spend 100% of his time focused on the material made his time in the course much more valuable, he feels.

The Knowledge
The material in the study manual was, he says, enlightening.

"The CISSP is all about helping you understand the risks, render the proper judgment, and gather the proper financial resources to rally around those risks," Titus says. He makes the analogy that the CISSP isn't about how to program an access control list (ACL) into a router — it's about knowing the risks the network faces and how an ACL might figure into an overall security strategy.

The Exam
Titus was able to get a timeslot for the exam five days after completing the bootcamp. He wanted to take the test soon after the course so the material was still fresh in his mind when he sat down in front of the computer. But before he took the test, he went through one more step.

The practice exam. "The reason for getting that sample test is that it allowed me to sit down and run through each of the domains in a testing environment and see, OK, how do I score," he explains, continuing, "if I find that I'm scoring less than 70% than I need to brush up in those areas."

On the other hand, he says, scoring more than 90% on a domain means that you can probably need to spend any additional study time. A retest is allowed (within a specific time period) so you have the opportunity to catch any issues and fix them before taking it again. Lay that material aside to concentrate on your weaknesses. It's the strategy he used to go in and pass the test on his first attempt.

Being able to put "CISSP" after his name on a business card is good, Titus says, but far from the sole benefit of the process.

"The thing I loved about this whole experience was that I learned it's not just about firewalls, antivirus, and anti-malware. It's not about technology. It's about process and judgment on putting the process together," he says. "And if you don't have a good process, you're throwing money left and right at various risks that you might not even encounter."

Related Content:


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/4/2020 | 11:44:40 AM
C-Level and Cramming a CISSP for the sake of a qualification...
There is a VERY strong argument that a CISSP that has been aquired by cramming information during a "boot camp" is both wasted and ineffective, esepcially if this is a certification that is outide of your professional scope.

CISSP/CISM/CISA qualifications should be used as a validation of your existing expertese within the Security industry.  Its also important to note that if people have not been directly working within one of the security domains for a minimum of 5 years, then it is likely that they are stretching the truth when it comes to attesting their eligability.  

Too many people are jumping on this nowadays trying to get a Cyber paycheck when instead they should focus on doing what they are doing, and doing it well.  This results in poor cyber professionals who learn "by the book" concepts as apposed to the pragmatic application of security concepts.

Its honestly undermines a certification and execs should be VERY wary of this as the industry starts to mature.

Also, for all the people who crammed andallowed their CISSP/CISM to lapse - please take this off of your resume if you arent going to maintain your experience and knowledge...
Flash Poll