What the CISSP Won't Teach You

Tuesday, June 28, 2011

Boris Sverdlik


ISC2 outlines information security within their “10 domains of the (ISC)² CISSP CBK®” 

  • Access Control
  • Application Security
  • Business Continuity and Disaster Recovery Planning
  • Cryptography
  • Information Security and Risk Management
  • Legal, Regulations, Compliance and Investigations
  • Operations Security
  • Physical (Environmental) Security
  • Security Architecture and Design
  • Telecommunications and Network Security

While the following 10 ISC2 domains are interesting in theory, they only cover information security in the pie in the sky context.

I have been receiving numerous questions on how do I break into information security, without the CISSP. ISC2 has had a very successful marketing campaign, which has had over a decade to saturate the industry.

As such, unfortunately you probably will have to take the exam, for now anyway. This series will focus on what I believe you need to know as an information security professional starting with the basics.

imageWe will eventually get to “sexy”, but for now we need to get back to basics. The key to being a successful security professional is the ability to think outside the box.

The most successful law enforcement officials were once the most successful juvenile offenders. Why is that so??? Well, they think like the bad guys… 

Taking an exam, regardless who is offering the accreditation will never teach you how to change your mindset. That is something at least I believe is a combination of nature and nurturing.

With that said, what the hell is this security thing? Why do we do it? What are we trying to accomplish? If you can’t answer that, then all the book knowledge in the world isn’t going to help you.

Every organization will be different, there is no one size fits all solution.  You need to be able to understand every aspect of your business. How do we do that? Information Security will always be an uphill battle.

You are embarking on a career that will have very unique challenges. You need to be able to come to a realization that there is no such thing as 100% secure. This is a myth… So lets talk security.

What do I need to know? How do I break into the field? Well little Johnny, you must have a passion for it first. Yes, the field is lucrative and it will not be going away anytime soon, but if you don’t have a thirst for knowledge you wont be successful.  

Information security unlike other industries does not sleep; I personally spend 3+ hours a day just learning what I can. Technology, regulations and attack methods change every day. If you don’t stay ahead of it, you will end up with pie on your face when you get hit with the latest “New Thing”.

The CBK looks at everything from passwords to my pipe, I mean dry pipe. My exam was 80% BCP & DR, so needless to say if you don’t pass the exam more than likely you are too technical for it. The problem is they want you to learn concepts that are almost defunct in some ways.

If you just want to pass the test and not learn about security than go buy the latest Shon Harris book and call it a day. If you want to learn how to be an effective security professional, keep up with this series. I promise it will not disappoint.  

Step #1 What the are we trying to accomplish? Every organization has assets that are critical to their business. This will be different in every industry from the mom & pop bodega to the fortune 100.

In order to establish your security plan, you need to perform some type of asset valuation. There are tons of formulas available, but unless you understand what your business does you won’t get any practical results.

Assets come in two forms:

  • Tangible – Hardware, software, facilities, etc…  Easy to valuate
  • Intangible – Intellectual property, client data, employee information, strategy plans, books & records and much much more…

How do you value the intangibles??? And that is where the whole qualitative/quantitative blah blah formulas kick in... They are useless for the most part. The business can assign values based on what-if scenarios.

An example where an intangible asset could be valued properly would be if a client record was exposed you would If we lose 1 piece of client day we could be fined X. Ok. So we know we have to spend at least X-(enter profit margin here) to protect this piece of data.

What about our reputation? Can we put a number on that? NO. There are some way out formulas that claim you can use historic analysis. The problem is most companies do not share reputational impact.

It isn’t in their interest to release any of that information. You can damn well bet that they do some type of analysis on bottom line impact, but even that would have to be based on statistical analysis which isn’t possible.

Sounds confusing don’t it? Ok.  We lose 1 client record on June 1st. We are fined $100 dollars. We know last year our stock price was $1, we made .10eps in the 2nd quarter last year. If this year we make .08 or even .11eps, there is no way to link the 2. It just isn’t possible.

So regardless of everything the book says, your main goal is to limit your reputational risk. Keep the pie off your face. How do we accomplish that? This is what I will go through during the rest of this series.

In the mean time, on your way to that security profession, pick up a book on networking. The next episode will focus on what you need to know at Layer 1. We’ll get to Sexy... Stay tuned.    

Cross-posted from Jaded Security

Possibly Related Articles:
Security Training
Information Security
Certification CISSP Training Information Security Skill Set ISC2
Post Rating I Like this!
Michael Fornal Boris,
This is a great article. I myself are looking to enter into the field of security and this has given me some great insight as well as affirm that some of the things that I have been doing will put me on the right track to where I want to be.
Boris Sverdlik Cool.. goodluck.. it has some formatting issues here.
LIgatt security Great article. I will have some of the college student I speak to read this!
Isaac Rivera Awesome article, looking forward for the next ones !
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.