Guest Post by Santa Clara Law colleague, Kim Wallace
What is the CISSP?
The Certified Information Systems Security Professional credential, CISSP, is a cybersecurity certification developed and administered by the non-profit International Information Systems Security Certification Consortium, a.k.a. (ISC)2. While security certifications proliferate today, CISSP was the first and remains the most well-known.
Two things make the CISSP unique in the cybersecurity certification market: a five year occupational experience requirement, and a focus on comparatively high-level decision making rather than the day-to-day technical details of security engineering or IT practice. An applicant can take the exam before she meets the professional experience requirement and receive an Associate designation that can later be converted to the full certification without retesting once work experience has been accrued.
The CISSP body of knowledge is broken out into 8 domains: security and risk management, asset security, security architecture and engineering, communication and network security, identity and access management, security assessment and testing, security operations, and software development security. The domains include nuts and bolts like cryptography, basic networking, and physical security controls as well as organizational-level processes like auditing and disaster recovery planning. The certification requires occupational experience in two or more domains.
Conveniently, CISSP-relevant activities that lawyers are most likely to participate in — intellectual property work, risk management, breach response, business continuity planning, etc. — are spread across multiple domains, so a lawyer working in a cybersecurity practice or some in-house roles should be able to accrue appropriate professional experience pretty easily.
Why bother with the CISSP?
Generally, I see two reasons a law student might pursue the CISSP.
For students coming to law school from a security-conscious development or IT background, like me, the certification can be a “capstone” that gives us top-of-the-resume shorthand to indicate the expertise we bring forward from our past experience. CPE requirements are also a good motivator and framework for staying in touch with security practice.
For students who are interested in cybersecurity law and don’t have a prior technical background, the process of studying for the certification can provide a broad overview of information security history and practice, as well as a common vocabulary for talking to security professionals.
For people transitioning from a development or IT role into a privacy practice, with or without a law degree, the CISSP replaces one year of experience towards the IAPP’s Fellow of Information Privacy designation. FIP only requires 3 years of privacy experience, so this is really only useful for people who already meet the CISSP occupational requirements.
Preparing for the CISSP exam
How you prepare for the CISSP exam will depend on where you start, how you learn, and, to some degree, how much money you want to spend.
Much of the material in CISSP prep products is designed to give you a baseline understanding of the technical and operational issues you need to know to make high-level risk assessment and management decisions about security, with varying amounts of history and trivia thrown in. It’s a good idea to evaluate a couple of books or videos and see whether you feel that the content is appropriate to the goal for you. Since copying exam questions too closely is a violation of (ISC)2 ethics, practice problems can vary pretty widely between tight focus on the details and more general best-practice type concepts but generally won’t mimic the exam.
If you are an experiential learner or don’t have a security background or both, I strongly recommend videos. Mike Chapple’s videos on Lynda.com/LinkedIn (available via a one-month free trial as I write this) are pretty good and include progress quizzes after each domain. Kelly Handerhan’s videos on Cybrary.it are popular and free. With so much content to cover, watching a video series is a 15-20 hour time commitment; don’t jump into them expecting a last-minute study tool.
Several books are well regarded. I used the All-in-One Exam Guide, but some students find that it goes deeper into technical detail in some areas than necessary, and it’s unclear whether the quality will stay high in future editions now that the principal author, Shon Harris, has passed away. (ISC)2’s official study guide, published by Sybex, and Eric Conrad’s 11th Hour CISSP Study Guide are popular.
Just as you should have done for the LSAT, it’s a good idea to take practice tests. Sybex publishes an (ISC)2 official practice test book that has two multi-domain 250 question tests as well as in-depth practice tests for each domain, and an app that presumably uses the same question pool. Sybex’s questions tend to be very straightforward and geared towards evaluating mastery of domain content, rather than preparing you for the style of questions on the exam. Practice tests on the Boson.com platform are also pretty popular and provide convenient performance metrics.
If you have more money than time, various online and in-person bootcamps exist. Personally I would only pursue this option if an employer foots the bill, but your mileage may vary.
My background is an unusually close match for CISSP content, so I don’t want to hold myself out as an example of how to structure a study program. The main piece of advice I can give is to take practice tests, read the explanations in the answer key, and use your results to help prioritize the domains for further attention. As you learn technical concepts, think about the context in which you might use that information to inform management decisions.
The CISSP exam
In the US, the CISSP exam is administered in a computerized adaptive testing format at Pearson VUE test centers. With a three hour time limit, the test-taker will be presented with between 100 and 150 questions, 25 of which will be experimental. The test-taker needs to demonstrate proficiency in all 8 domains; if you decisively pass or fail within 100 questions the test will stop there.
Most questions are multiple choice, with a few in more funky drag-and-drop type formats. The multiple choice questions should feel pretty similar to a law school exam, albeit with a different kind of fact pattern. The same good exam-taking practices such as carefully reading and answering the call of the question apply.
Physically speaking, the test workstation and UI did not seem to be adjustable for either ergonomic needs or visual limitations. If you have any concerns that you typically address through adjusting your chair, mouse, font size or color, etc., be sure to ask about accommodations in advance.
The Endorsement Process
If you are taking the exam for Associate status, you are finished once you pass the exam. If you are applying for the full CISSP, you will need to fill out an online endorsement request. This entails listing at least 5 years of work experience with dates, supervisor contacts, a list of CISSP domains you worked with in those jobs, and a brief job description. This file then goes to an active CISSP for endorsement. If you have an appropriate friend or colleague you can specify her, but if not (ISC)2 will have somebody in-house review your file. After that, (ISC)2 eventually performs some kind of review and you will receive a final determination. At this time there is an approximately 8 week wait between submitting the endorsement form and receiving the certification.
Continuing Professional Education
Maintaining the CISSP certification requires 120 CPE credits per 3-year cycle. CPE credits are awarded pretty generously and are weighted towards activities that further the profession. For example, writing an article earns 20 credits; attending a course or seminar earns 1 credit per hour of instruction up to 40 credits. Podcasts and webinars can also be counted towards CPE, as well as relevant volunteer work. Some materials may fulfill CPE requirements for both CISSP and CIPP/US or CIPT.
If you have worked in cyber security, or intend to work in cyber security, the CISSP is probably worth your time. It’s not especially hard to achieve with a reasonable amount of work, but be realistic about whether it’s the best choice for your situation. If it’s tangential to your goals, you may or may not want to commit to 40 hours/year of cyber security CPE.