CISSP — Who needs it anyway, what’s the point?

The Certified Information Systems Security Professional

Having just completed and passed perhaps the most intense, compressed educational qualification of my life, I feel compelled to put a few thoughts down. These are my own thoughts and have not been pre-read or assessed by the course owner ((ISC)²) or the course deliverer (Firebrand).

Bottom line up front, I firmly believe this course should be the pre-requisite for any managerial position related to Information Systems or Information Governance / Assurance. I say that having been in this business now for much of the last 10 years and with the next few years already mapped out in the same area. It is not a “cyber” or deeply technical course; it is broad, modern business management. What business does not have Information Systems in it? If you have computers containing or accessing your business data, then you must understand who manages, protects and recovers it, why, and how, in the event of incidents.

This course is that.

But first, in the words of our Firebrand instructor, Gwen, “wow, what just happened?!” Simultaneously the slowest and fastest week on record. The days were very long, but that week just flew by. Firebrand’s USP is being able to teach you 40-50% faster than equivalent courses. Part of this comes from the very high quality of extremely passionate instructors; the other part comes from working late. Typically, the days ran from 0800 to 1900 with an hour for lunch. Sure, there are regular 5-minute stops for coffee, but you are deeply immersed in the subject matter for long periods. After 1900, at least another 3 hours of homework/revision, with dinner somewhere in there. Rinse, repeat for 5 days, and then a 3-hour exam on the Saturday. The first rule of CISSP Club, though, is that you don’t talk about CISSP Club… well, the exam anyway. We sign an NDA at the start of the exam, and for good reason. This is the industry standard in this field, and they expend considerable resource ensuring the credibility of their course and exam content. So I can’t give away exam tips or nod to what type of questions come up.

For those in the know, this is the ISO 27002 course, thoroughly and comprehensively covering the Confidentiality, Integrity, Availability (CIA) triad. Beyond higher-level topics such as Risk Management and Threat Methodology, Business Continuity/Disaster Recovery, Legal and Regulations, Software Development Operations (DevOps) and the Information Life Cycle, the week also takes shallow dives into the requirements for, and technologies of, asymmetric vs symmetric encryption, system and software vulnerabilities, threats and approaches to computer hacking, physical security measures and so much more.

Going through the course, what surprised me the most was a common theme among the participants: more “technical” types were on it than higher management, although that might just have been our week. This field is still regarded by many as something for geeks and techies when, in harsh actuality, it is the professional standard for C-level personnel. I know of a few industries that would significantly benefit from getting their appropriate staff through this.

That said, the course does state certain pre-requisites of appropriate professional time, experience and qualifications in the field already (details readily found on the Firebrand site). While I didn’t have the official quals or experience by their standards, I was able to draw extensively on programme/project management quals (APMP), ethical hacking/penetration testing training (CEH) and even my coaching qualifications (CMI Level 5 Diploma). To go into this week without those would have been a total failure, and I wouldn’t have passed. The acronym soup alone puts even the UK MOD to shame, but it’s more about the speed at which you have to operate during the week to cover the course content. I’d advise a pre-course preparation period for anyone going in fresher than me.

Throughout, the instructor was always on hand to revisit themes and topics, drawing on well over 30 years in the business and 17 years teaching this qualification. She provided a wealth of learning resources to cater for different people and wouldn’t move on until sure that everyone had understood the current topic. It was an impressive performance interspersed with considerable light-hearted humour to offset the sometimes oppressive intensity of the working day.

As I wrote earlier, this should be the basic pre-requisite for C-levels and for anyone in a position of authority in Info Security, Governance and Assurance. To employ people in those roles without this qualification now feels a little negligent.

A top week, a qualification that I am immensely proud of, and skills that I will be bringing to bear in my own role immediately.