CCSP How-To: A Legit Cheat-Sheet

A recent CCSP test-taker posted a blog entry (and made a related Reddit post) about their own experience in studying for/taking the exam…it is incredibly detailed and thorough, and reads very well. When I teach test-prep classes, I try to convey a list of “foot-stompers”: those elements of the material that are crucial and which candidates should really drill down on for the exam…this blog entry seems like a perfect list of foot-stompers to me. Enjoy!

“Preparation Guide for ISC2 Certified Cloud Security Professional (CCSP) Certification” by Stanislas Quastana

CCSP Feedback From Today

Got this from a former student today:

”I certainly don't want to scare anyone who hasn't taken it yet but I thought it was fairly difficult. Moreso than the CISSP in my opinion. Some of the questions seemed pretty out of left field based on the material we studied. And I think as we all know, the wording and phrasing of the question is super key so you have to pay very close attention to that or you'll get tripped up. Can't emphasize that enough. 180min duration and I wrapped with 7mins left but that was after I went through and reviewed EVERY answer a second time and some three times.”

Good to know.

CISSP Study Tips

A former student recently checked in and shared this. A darned good read.

“For some quick background, when we had our class I had been working in IT for about 15 years as a sort of jack of all trades at almost every level between help desk and IT Director. Every position I've held included some aspect or consideration of security so I had a decent background coming into the class and had already been studying the Pluralsight and Cybrary CISSP courses.

After the class, I was very intimidated by what I felt was my lack of depth of knowledge about some of the domains. I was so busy at work that I wasn't making time to study at first. Instead of dedicated study time, I had been studying ad-hoc on flights, in the evenings, on morning and evening commutes; basically, I tried to make CISSP my background noise. I think in the end this helped a little, but looking back, at the time it added to the anxiety since I wasn't spending dedicated time reviewing the material. My work slowed down a little in January around the time I needed to refresh my goals for our performance review process at work, so I took advantage of the opportunity to set a goal to study for 4 hours each week, take at least two practice tests per week, and sit for the exam by the end of June thinking it was far enough out.

Setting up the goal to have dedicated study time and take practice tests made a huge difference for me. I realized that I knew a lot more of the content than I thought and taking the practice exams (I started with the questions in the books and then later caved and bought the Boson ExamSim so I could get through more questions) helped me gauge more accurately what I needed to work on. Around March, I was still sticking with my study schedule and had even shifted the time around to take a practice exam each morning before work so I could note anything I wasn't familiar with and look it up during those few minutes of down time between tasks during the day. Anything I didn't recognize or any questions I got wrong I would jot down, and I would go through the items I was interested in during the day. A key piece of advice I received: Don't carry a running list for stuff like that beyond one day, if you don't get to everything by the end of the day just scrap it and start again the next day. It helped relieve a lot of the stress I had in trying to cover everything before moving on.

Another concept that played into my approach a lot was absorptive capacity. I think it's applied more commonly to organizations than people, but basically: the more knowledge you have, the more effective you are at integrating new knowledge. Or, the more you already know, the better you are at learning new things. I figured out that I need to be able to contextualize a concept to really understand it, so when I was trying to learn a new concept or term I tried to find resources that related the term back to something I was already comfortable with. For example, when learning more about the different encryption ciphers, I had to get down to the fundamentals first since so much of that content is specific to encryption. But once I was able to contextualize and visualize the basic concepts the rest of it just became different variations and combinations of those base concepts. To help remember those variations, it helped me to look at the situations in which those ciphers and combinations of protocols would be most effective or optimized for a specific situation (encrypting data for transfer vs. storage, encrypting for strength vs. performance, etc.). That was more beneficial for me than rote memorization. Since I work as a consultant, I was able to put some of those concepts into play at work, which helped me further solidify the knowledge.

One of my friends was ribbing me about not having even taken the exam yet since so many of our colleagues had already passed, so on a whim I scheduled an exam for a few days later on May 11. I sat for the exam, was convinced as I was taking the exam that I did not know the content well enough, and was convinced when, immediately after question 100 when the screen told me I was done and I needed to go see the proctor to get my print out, that I had failed so badly that the system wasn't even going to let me try the last 50 questions. I walked to the proctor convinced I had wasted $699 and beating myself up for stressing so much about time that I rushed through the first 100 questions in about 55 minutes. I was resigned to going home, taking a break from studying for the weekend, then starting again with practice tests and Pluralsight videos on Monday. But I passed. The proctor handed me the print out saying I had provisionally passed the exam and that I would receive an email when they confirmed I had passed. Awesome! Cue awkward, involuntary smile.

After the fact, I remembered not being worried about failing going into the exam because I knew I had been putting in the time and effort and my manager and the people in my support system knew I had been putting in the time and effort. I wasn't confident that I would pass, but I was confident that I had prepared and would be able to adapt my approach if I needed to retake the exam. I was taking the adaptive exam, so I expected it to be more difficult and that I would need all 150 questions to pass. In my head this meant that I would likely need to take more time on later questions since I figured I would get questions on domains I had not done well on earlier, so I tried to push through the first 100 questions quickly and if I wasn't confident in a question I made a best guess and moved on without waiting. Since I was expecting to need the additional questions and time, when I hit question 100 just before the hour mark I felt pretty good that I would be able to take my time on the last 50 questions. When the exam told me I was done, it was a huge surprise and such a big turn against my expectations that I was convinced I had failed. Ultimately, going into the exam confident that I had put in good time and effort on an effective study plan and being confident in my strategy helped a lot. I know I have a tendency to over-analyze, so relying on my ability to understand the intent of the questions without allowing myself to over-analyze every aspect was an inadvertent but important effect of my strategy for taking the exam.

Last thing: treat the endorsement process seriously and expect it to take a long time. After waiting for 6+ weeks, they let me know that I had not entered enough information to show 60+ cumulative months in at least two of the domains so my first endorsement application was declined. They're re-reviewing now and I submitted more information going all the way back to 2003, so hopefully there are no issues this time. I'm still getting some of the jokes from my group since I'm technically not a CISSP yet, so not doing the endorsement application correctly the first time led to a facepalm on my part.

Lessons learned for me:
1. Using the study material as background noise can help as long as it doesn't add to the anxiety about the volume of content.
2. A dedicated study plan focused on the process of studying effectively - not focused on passing the exam - worked best for me.
3. Practice exams exposed me to concepts, terms, and perspectives that helped me to build context around content I wasn't fully familiar with.
4. Using a variety of sources (our class, the (ISC)2 books, the Sybex books, the Pluralsight courses, the Cybrary courses, and the various practice exams) gave me different angles for the content, which helped me build context around some topics I struggled with.
5. It's important to have confidence going into the exam as long as that confidence is the result of following through on a good study program and a strategy for the exam that emphasizes your strengths and helps compensate for your weaknesses.
6. Support from the people around me allowed me to integrate studying into my daily routine so that my time studying could be dedicated and effective.”

More CISSP Feedback

A former student offers this insight:

“ I just took the test this afternoon. Ended up with 101 questions, in  just under 95 minutes, and I passed (unless they decide they need to do  "psychometric" (lie detector?) or "forensic" evaluation). At that speed,  even if I had gotten the maximum number of questions I would have been  O.K. -- from what I've seen, many people report finishing with time to spare, so I would recommend not rushing. 

My experience was:  Lots of "BEST" and "MOST" questions. Definitely not a test to take just  based on knowing facts by rote. I did guess on some answers, but only  when I could eliminate some of the responses: and I found that often at  least one response would not make sense. I also tried to follow advice I  saw to "read the question, read the answers, and then read the question  again", since during practice tests I often picked the opposite of the  answer I knew to be right. 

I studied from the Chapple book, and the (ISC)2 flash cards, and by  taking lots of tests. For tests I had the companion book (which seemed  closest to the real test), and CCCure tests (which too often revealed  the answer in the question: but if taken with "Pro" mode and fill-in-the  blank answers was still useful (and gave easier statistics on which areas I needed further study in). It was important each time to go back  and understand my wrong answers -- that's where about 1/3 of my learning  happened. 

A note on CCCure tests & fill in the blank: unless you type the exact phrase in, it will count it as wrong, so review the results before you  decide how well you did. “

Great stuff!

CISSP Feedback

Got a detailed message from a former student I’d like to share…good insight for those studying the CISSP:

“I took your class last year (7/16-7/20), sat for the exam in late September, but did not passL. In that instance I know I incorrectly answered a drag and drop on controls and was surprised by the number of Cloud questions. That said, I spent the rest of the year and this spring internalizing all the material using the following resources:


·         CISSP All-in-One Exam Guide, 7th Edition

·         Official (ISC)2 Guide to the CISSP CBK ((ISC)2 Press)

·         (ISC)2 CISSP Information Systems Security Professional Official Study Guide

·         CISSP Official (ISC)2 Practice Tests

·         How To Pass Your INFOSEC Certification Test: A Guide To Passing The CISSP, CISA, CISM, Network+, Security+, and CCSP

·         CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide


I read the (ISC)2 CISSP Information Systems Security Professional Official Study Guide, Reviewed and read CISSP All-in-One Exam Guide, 7th Edition, and took all the end of chapter tests as well as the CISSP Official (ISC)2 Practice Tests and also read your book, How To Pass Your INFOSEC Certification Test: A Guide To Passing The CISSP, CISA, CISM, Network+, Security+, and CCSP. In addition to all of that, I spent some time studying the Cloud Security basics contained in - CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide and test questions.


I then sat and passed the exam on 4/30/2019. I was fed a completely different exam questions and again had quite a few Cloud based questions which I felt prepared for after studying the CCSP material. It’s been a long road, the test always looks deceptively easy, and I am pleased to have provisionally passed. I must say the practice exam application that came with the SHON Harris book most closely represented the actual exam experience. “

Hope that helps— seems like useful stuff!


Got an email from a recent former student...the kind of email I really enjoy:

"Hi Ben,I wanted to let you know that I took my test yesterday and passed at 100 questions :D


- After our class, I studied using mostly the Boson practice exams (reading the explanation for EVERY question, failed or passed).

- After that I bounced back and forth between Boson random exams, the updated Sunflower guide, and the 11th Hour book (which was great for last-minute cramming, the last 2 days leading up to the exam).  I also watched Kelly Handerhan's CISSP prep videos at Cybrary prior to our class, and various other YouTube videos (Larry Gleenblatt's CISSP exam tips were helpful) here and there.

- I studied for about 2-3 hours a day, every day, for 4 weeks total (taking 1.5 weeks off for vacation).

- I was 100% certain that I was going to fail while taking the exam.  I was so sure of it that I considered just picking the same letter answer over and over to end the test and GTFO at around 80 questions.  Glad I didn't.

- I took my time reading and re-reading each question and answer so many times that I thought I was going to shoot myself in the foot with the time of the exam.   I had about 30min left at 100 questions.


Thank you for all of your wisdom and guidance during our class.  I feel that it helped a lot and set a good expectation for the exam and framework of where to study. It helped me realize my weak areas so I knew where to focus.  Although, the test has a funny way of making you feel that you're completely unprepared while you're actually taking it. :)"

Ditching the ALE

At this point in my career, I deliver a lot of certification prep content, through teaching and writing. And I see certain things that were included at the outset of the industry as guidelines and suggestions that just aren't applicable anymore (or at least, not applicable in the same way as when they were proposed). My primary customer is ISC2, for the CISSP and CCSP certs, but I've taught ISACA and CompTIA certification prep courses in the past, and many of them suffer from the same problems. While I can't say for certainty exactly why all the major INFOSEC certifications suffer from the same blind spots, I can guess: most of the test writers have the same training in the same fundamental concepts, get the same certifications (from multiple vendors), and have received that content from their predecessors, and will pass it to the next generation in kind.

This leads to the possibility of stagnancy in content and approach. Which isn't terrible, for certain fundamental security concepts (say, defense-in-depth/layered approach/multiple redundant controls, or the use of two-person integrity), but there are other notions/ideas that are simply treated as sacrosanct in perpetuity, instead of being re-examined for validity, assessed as nonsense, and thrown onto the trash pile of history.

Today, I want to talk about one of the latter: the ALE formula.

If you don't what it is, consider yourself lucky. Then consider yourself unlucky, because if you're going to go get an INFOSEC cert, I can tell you for damn sure that it's going to be one of the things you're going to have to learn and memorize whether you like it or not.

Simply put, it's an approach to estimating the cost of a given type of negative impact as the result of security risk being realized. We teach INFOSEC practitioners that this value determination can be used to weigh the possible costs of controls to address a particular risk, and figure out whether or not to spend the money protecting against it.

Which is a good idea: spending too much on addressing a particular threat is just as bad as not spending enough...and, arguably, sometimes worse, because spending too much leaves you with a false sense of security and a lack of money, where not spending enough just means you have some of that risk left.

But the ALE formula is not really the best tool to accomplish this in our realm of INFOSEC, for many, many reasons. And we should stop requiring its use, and teaching it to newbies.

Why? Well, for starters, let's talk about the potential cost of a single type of incident, known in the formula as the SLE.

It's worth noting that the ALE formula works great in the physical security universe, where tangible assets can be mapped to specific losses. If I'm trying to secure a retail space selling goods that are of a particular size, shape, weight, and cost, I know some discrete, objective information about those assets. I know how many can be stolen at one time, by a single person picking them up and walking off with them. I know the amount (number and dollar value) of my inventory, based on another limiting factor: the footprint of my retail space and storage area. I know the various access points to get at my inventory: the doors/windows/loading areas. All these things can be defined and somewhat limited.

With electronic data as assets, all this numeric determination goes out the window (I mean, not the literal window, like tangible assets, but a metaphorical window, because the determination is impossible). I can't really know how many "data"s a person can steal at any given moment, because the size of files or objects or characters don't really have any meaning in the physical universe-- a flashstick that weighs less than an ounce can carry one file or a thousand files, and any given file can contain one character, or a million characters, and all of this fits inside one person's pocket, anyway (and that person doesn't need any exceptional muscles to carry even the heaviest flashstick).

So trying to determine the monetary impact of a single security event involving data is impossible, unlike the impact of a single security event involving physical assets. If someone steals one spoon in a retail environment, we know the cost of that spoon (and we actually know several costs: the wholesale cost we paid to get the spoon, the retail cost of what we would have realized in revenue if we sold that spoon, and the logistical cost of getting that spoon to the retail location)...but if someone steals a file, the value of the information in that file can vary wildly. A file might contain a photo of the user’s pet kitten (which is of value only to the user, and then only arguably at that, if the user has a copy of the photo), or it can contain the privacy data of the target organization’s entire customer base, and the relevant monetary impact can stretch into the range of millions of dollars, as the result of statutory damages assessed against the organization, or the loss of market share, or direct fraud on the part of the perpetrator using that information, and so on.

Sure, insurance companies in recent years have created various approaches to assigning value to data, but these are all just gibberish. Take, for instance, the idea of “average file cost”-- even if we were to determine the midpoint of value between the kitten photo and the customer list, that medium value would be meaningless when we suffered an actual loss: if we lost the kitten photo, and the insurance claim paid the amount of “average cost,” we’d be receiving far more in cash payout than the thing was worth, and if we lost the customer list the “average cost” claim payout would be far less than the damage we’d suffered. And what’s the size/value of an “average” file, anyway? How many files are there in a given business environment? The concept is absolutely pointless.

When the SLE is just a fictional construct, the entire ALE formula is ridiculous. We could use just this argument to eliminate the wretched thing from our industry. But there are even more reasons why ALE is stupid in the INFOSEC world-- and I’ll get to those in subsequent articles.



New Year, New CISSP Exam

Just in time for 2018, the CISSP exam from ISC2 has converted from standard multiple-choice format to a Computerized Adaptive Testing model for exams delivered in English (foreign-language versions of the test currently remain in the traditional format). This means that instead of the grueling 6-hour, 250-question test, CISSP candidates now face only 100 to 150 questions, in a maximum of three hours.

Depending on your success with multiple-choice tests, and your personal technique, the new experience could be either a massive boon or a ridiculous hurdle to get the certification.

I got my CISSP back when the test was in the traditional format...and done with pencil and paper. I have no clue how I'd do on the current version.

I have, however, received feedback from the first of my students to take the new version of the test: they passed! Their exam was also only 100 questions long (meaning the student demonstrated sufficient command of the material so that the testing engine didn't have to throw more questions at the student), and it took the student an hour to complete. Perhaps most interesting, this particular student is not an IT practitioner, but is familiar with the industry in other roles. Main impression? The student repeated what I always try to stress to anyone taking one of the certification tests: READ. THE. FULL. QUESTION. Make sure you read it completely, and understand what's being asked, and that you read all of the possible responses.

The exam is still being administered by PearsonVUE, and you can download the outline from ISC2's website.

Have you taken the exam in the new format? Please add some feedback about your experience in the Comments!