My Experience in the CISSP Mentorship Program

A little while back, I was talking with a friend of mine about the different services that Secure Ideas offered, and one of the topics that came up was training and certifications.  Since I just finished taking the CISSP Mentorship class, and it was the first thing that came to mind, I immediately started explaining what the class was all about and some of my thoughts on it.

First, before I get into the class itself, a little bit about me.  My background is very generalist in nature. I spent several years in the military and worked on all kinds of electrical equipment, mostly revolving around communication or navigation systems.  That’s also where I discovered an interest in computer systems and administration, which subsequently carried over into a DoD contractor position where I spent several more years doing sysadmin work in a healthcare environment.  Also, as the oldest of several kids, it was second nature to pass on the tips and tricks that I’d learned, so naturally I began doing some additional instructor work in the Health-IT field.

System administration was fun for me, and it was a hard decision to move on from this field, but eventually I did.  This landed me in a regulatory compliance position at a utility company for a few years. Interestingly enough, it was here that I was forced to merge concepts from practical cyber security, system administration, business policy, and compliance regulations, all into a single focus.  I fully admit that my personality wasn’t cut out for compliance, but I also can’t deny the benefits gained from having worked there. After this I spent a few years as a solution architect at a software startup company. Finally, I’ve ended up here at Secure Ideas, where I’m able to draw on all of these past experiences in an effort to help strengthen the security posture of other organizations.

So, when I first heard that Secure Ideas was going to be teaching the CISSP Mentorship course, I was cautiously intrigued.  I had obtained a few certifications in the past, such as Sec+, but that was really only because it was a DoD requirement for the projects I was working on.  I had considered the CISSP before, but never really entertained the possibility of pursuing it. Even though I could see that there was some value in getting the CISSP certification, there simply wasn’t a driving need for it.  I love to learn new things, but getting a cert just for the sake of getting a cert doesn’t usually appeal to me. All in all, I’d much rather be knowledgeable about something and skip the hassle of certifications.

I had originally looked into the CISSP requirements a few years back, but it quickly became clear that it would be cost-prohibitive for me to take this without some particular purpose in mind.  When considering the cost involved, both in terms of the dollar amount and necessary study time, I remember thinking, why would I spend that much money and effort on something I don’t need? Isn’t this supposed to be basic security principles?  And then, how much effort would it be to maintain the cert? One of my younger brothers had actually gotten his CISSP a few years earlier, and I vividly remember the groans with which he described the experience. So, with all that in mind, I honestly wasn’t all that eager to jump into it.  Regardless, I was still somewhat curious, so I did some more research and discovered that there seemed to be three primary methods offered by various organizations.

First, there was the bootcamp option, where I could attend a week-long, instructor-led class and attempt to digest the entire CBK (common body of knowledge) required for the test.  According to the articles I read, they generally seemed to have good materials and instructors who could answer questions as you go along. While the idea of basically gut-checking the materials and test had a certain appeal, there was no way I was going to pay $3k-$4k for it.  By the way, that’s $3k-$4k not counting other expenses such as travel, hotel, etc. The cost/benefit analysis just didn’t add up. Aside from the difficulty of retaining that much information for any length of time, this was probably the least feasible method for me. However, IF I had the time and money, then I could see this being a good, albeit expensive, way to reinforce CISSP information just prior to taking the test.

Second, and somewhat surprising to me, was the online guided self-study approach.  In retrospect, this really shouldn’t have been a surprise, but it was an option that I hadn’t thought of before.  For about $2.5k and up, this option would allow me to log in online and access study materials for a certain amount of time.  The last site I looked at provided access for about 4 months, and offered instructor videos, practice tests, flash cards, etc.  This one actually made me stop and think for a moment. It was still too expensive for me, but the idea was good. I would have access to their study materials, I could work my study time around my existing schedule, and due to the time limit on accessing materials, I’d have a deadline to help keep me on track.  This was a far better way of actually studying to retain the information, without having to take time off work or shell out for travel expenses. Overall, I felt that this one would’ve been moderately feasible, but still hard to swallow.

Finally, we come to old faithful, the DIY method, which is by far the most affordable.  For the base cost of the official study guide and practice test books, I could spend just over $50 and go over the information on my own.  In case anyone was wondering, just purchasing these books and following the registration instructions in the back provides free access to their online test banks for up to one year.  This includes chapter tests, assessment tests, and flashcards. The pitfall here is that it’s far more difficult to stay motivated with such a long study window. If no one has mentioned it already, a lot of the CISSP material is pretty dry, and even the more disciplined among us may be challenged to consistently prioritize study time.  Of the 3 options available here, if I was going to take the CISSP, then this is probably the route I’d have chosen. There wasn’t an immediate need, it was the most economical solution, and if I got partway through it and decided that it wasn’t worth the effort, then the loss would’ve been minimal.

Returning to the CISSP Mentorship program: when I first heard of it, I still wasn’t entirely sure that I wanted to take it.  However, I was pleasantly surprised when comparing it to the other methods I’d previously researched. It seemed to balance all of my primary considerations, and did a really good job of bridging the gap between the bootcamp and self-study (DIY) methods.  For example, the total cost of the course was $1k or less, with discount options offered for early registration, veterans, first responders, etc. For a CBK (common body of knowledge), this is a price range that I could justify for myself and budget for, even if I didn’t immediately need a CISSP certification.  Like I mentioned earlier, I could recognize value in obtaining the CISSP, just not at those other rates.

The CISSP Mentorship program is conducted over 9 weeks and isn’t as intense as a bootcamp, nor as relaxed as self-study.  By registering for the class, students then have perpetual access to the online recorded instruction, slides, and any future live sessions.  This was huge for me, since I firmly believe in the need for affordable training opportunities, especially in regards to the cyber security field.  Plus, life issues seem to happen at the most inopportune moments, and now I wouldn’t have to worry about losing any time or access. If a family situation arose, then I could pick up where I left off or come back and sit in during the next class.  One other aspect of the CISSP Mentorship program that I don’t remember seeing anywhere else is the use of an online chat forum. This is a place where the instructors can be asked questions, or where students can just have general discussion over various CISSP topics.  The instructors themselves are eager to share their knowledge and have a LOT of relevant work experience within the CISSP domains, from both the attacking and defending perspectives.

Well, I eventually started the course.  As expected, the material was about as dry as I had feared, and even broken into 9 weeks, the amount of reading was a daunting task.  However, the live weekly sessions did a great job of keeping me on track. They even helped to bolster some of those weeks where I was unable to get through all of the assigned study material due to interruptions or other life issues.  Speaking of the live sessions, one of my favorite aspects of the course has been hearing real-world experiences from the instructors, describing pentest situations which are directly related to the basic security principles in the CISSP.  Not only is it interesting, but it tends to highlight the importance of the practical application of security concepts, which is something that I really appreciate.

For me, this has been a great program to go through, and I’m glad that this is the option I chose, even over my usual self-study method.  The fact that I can freely come back to the weekly sessions (which I intend to do), or access the webcasts and slides online, is absolutely awesome and certainly worth the investment.

*** This is a Security Bloggers Network syndicated blog from Professionally Evil Insights authored by Bill McCauley. Read the original post at: