May 06 2024

How to prepare for the CISSP exam: Tips from industry leaders

Category: CISSP | disc7 @ 9:14 am

The Certified Information Systems Security Professional (CISSP) is the most widely recognized certification in the information security industry. CISSP certifies that an information security professional possesses extensive technical and managerial expertise for designing, engineering, and managing an organization’s security stance.

In this article, CISSP-certified cybersecurity leaders provide practical tips and strategies to help candidates navigate the extensive study requirements and effectively manage their CISSP exam prep time. Whether you’re just starting your study journey or in the final stages of preparation, these guidelines will help ensure you are well-equipped to tackle the CISSP certification exam.

Biljana Cerin, CEO, Ostendo Consulting

My preparation for the CISSP exam took exactly 10 sunny afternoons while working on a project in Palo Alto. Every day after work, I took “Shon Harris,” at that time the so-called “CISSP exam prep Bible.” I remember studying by the pool, swimming in between the chapters, so overall, it was a fun way to spend these afternoons without feeling like I was missing the sunny California weather.

I divided the contents of the book in a way that allowed me to read it all in eight days, while I dedicated the last two entire days to practicing exam questions and revisiting domains where my answers were incorrect, studying them a bit deeper. I remember that at that time (2013), there was a very popular site where colleagues from the profession would discuss questions or topics they struggled with, and “talking” to colleagues on that platform was of huge help.

The exam itself, I think, took about an hour and a half, and I passed on the first attempt. Now, this may all sound easy, but the truth is that by the time I decided to pursue the CISSP, I already had 13 years of experience, numerous other industry certifications, and had been deeply involved in the cybersecurity field since the day I graduated; my Master’s thesis was also in cybersecurity.

Looking back at the exam itself, I believe that having a strong knowledge foundation, coupled with real-life experience, and a network of colleagues you can always turn to and discuss certain topics you are less familiar with, is the key to success in passing the CISSP exam.

Shannon Brewster, Executive Director, General Manager, AT&T Cybersecurity

Passing the CISSP exam is an ambitious goal, especially if you hope to pass on your first attempt. I recommend a 90-day preparation plan tailored to reinforce key cybersecurity concepts and identify weaker areas through regular practice.

Being intentional with your time is crucial; consider mapping out each domain as a “sprint” and mapping core concepts to learn each week. Schedule daily dedicated study time and regular practice exams. Testing with approved sample questions helps gauge your readiness and pinpoint specific topics you need to shore up on.

Most security professionals will find themselves very strong in the domains they work in most often, and weak in others. Cryptology is the Achilles’ heel for many.

I incorporated tools like handwritten index cards for constant review to boost memory retention. This method of repetition embeds critical information, making it more readily recalled.

An important element of my preparation was participating in a 6-day bootcamp. The bootcamp was a source of confidence because I had the benefit of a thorough review of all the content that was necessary to understand. It also helped me build a new network of peers who supported each other as accountability partners and encouragement.

Make sure you take the exam within two weeks of a bootcamp to maximize the “cone of learning” on memory retention.

Lastly, don’t forget about the physical dimension, staying focused on your health and wellness throughout your preparation. Deep sleep is required for memory retention and recall, so avoiding alcohol and practicing sleep hygiene will improve your score. I brought a jump rope to my test and stepped out regularly to infuse fresh blood to my brain, vastly improving my focus.

This strategy worked for me to pass on my first attempt; I hope these ideas might work for you.

Ryan Williams Sr., IT Security Analyst, Buddobot

Here’s how I effectively studied for the CISSP certification, relying solely on comprehensive study materials rather than quick-fix dumps or quizlets. This method ensured a deep understanding of the content required to pass the CISSP exam:

1. Bootcamp: I started my preparation with a rigorous week-long bootcamp (40 hours). This intensive course helped establish a solid foundation and highlighted areas where I needed further study. Even though I had over five years of experience in cybersecurity and over ten years in IT, my practical knowledge was only in specific domains (i.e. Security and Risk Management, Asset Security, Communications and Network Security, etc.). A good bootcamp will expose your weak areas and help you to hone in on where you need to obtain more knowledge.

2. Targeted reading: After identifying my weak spots during the bootcamp, I skimmed the Official ISC2 CISSP Common Body of Knowledge (CBK), focusing specifically on those areas.

3. In-depth study guides: I read the ISC2 CISSP Official Study Guide from cover to cover to ensure a comprehensive grasp of all domains. Additionally, I went through the Eleventh Hour CISSP: Study Guide twice, which is excellent for refreshing your memory due to its concise format.

4. Video courses and webinars:

  • I watched Kelly Handerhan’s Cybrary CISSP course twice. Her engaging teaching style and clear explanations helped reinforce the key concepts.
  • Larry Greenblatt’s series, “CISSP Practice Question with Spock & Kirk”, was instrumental in applying theoretical knowledge practically through scenario-based questions.
  • Pearson VUE’s Complete CISSP Video Course was another resource I used, which also included domain challenge questions that tested my understanding as I progressed.

5. Motivational prep: Before the exam, I watched Kelly Handerhan’s motivational video, “Why you WILL pass the CISSP”. This not only boosted my confidence but also put me in the right mindset to tackle the exam.

This structured approach to studying for the CISSP took approximately 6 months and, using a mix of reading, practical exercises, and motivational content, equipped me with the knowledge and confidence to successfully pass the exam.

Stein A. J. Mollerhaug, Senior Cybersecurity Advisor

For most people, passing the CISSP exam is the main obstacle. In addition to passing the exam, you must also document at least five years of experience in two or more of the eight CISSP knowledge domains. But don’t worry, if you miss that experience, you can get an associate status while you work on gaining the needed experience. Once the experience is documented, you will get upgraded without the need for a new exam.

You don’t need to follow any official course to sit for the CISSP exam and get CISSP certified, but the feedback from almost all students is that following an official course with an official instructor helps – a lot.

In my experience, there are three critical success factors for passing the exam:

1. Understand the basics of cybersecurity and information technology.
2. Understand how management systems work for the key processes in information security.
3. Be able to apply that knowledge to real life situations or imagined scenarios.

If you are unable to explain how the encryption in AES actually works, you are still fine with regards to the exam. If you don’t know that AES is a symmetrical algorithm and what it can be used for, you have some learning to do before sitting for the exam. This is just one example. CISSP is not a technical course, but as a cyber- or information security leader, you must know the basic technology you are going to use.

Management systems ensure the quality of the security implementations. Standards like ISO/IEC 27001 contain some of the framework for having measurability and the ability to improve your cybersecurity. There are such standards in almost all areas of cybersecurity. Knowledge of them is key to passing the exam.

The exam itself often asks for “best”, “most” or “not”. The key here is that you are to apply your knowledge and experience to find the right answer. Even if you don’t know a specific answer, you should be able to apply your knowledge to find the right answer through the process of elimination. That means you have to think and not just recall from memory when you sit for the exam.

This is also why many find the exam to be very exhausting. For each question, you need to read the answer alternatives and the question, think – and then answer. The good news is that for almost all questions, there will be two answer alternatives that you can easily eliminate – if you know your cybersecurity – and have read the question properly. Then you spend your time choosing between the two remaining.

And another piece of good news: You don’t need to be 100% right, 70% is the requirement for passing. And to destroy a myth: Time is not a key issue. Exhaustion is. Take breaks, even if the clock is not stopping during the breaks.

Andrea Szeiler-Zengo, President of the Women4Cyber Hungarian Chapter

When I decided to get CISSP certified, I signed up for local training, but honestly, I learned more independently than in class.

The CISSP is unlike other exams where you can memorize the answers. You must understand the security domains. When I took the CISSP exam, the cloud and third-party risk sections were a big focus. However, these topics were not discussed in detail in the study materials.

You absolutely need to plan how you will prepare for it.

I gave myself a deadline, registered for the exam, and spent six months studying. I read all the study materials and did practice questions, but I also kept up with news and new technologies.

I tried to set aside 30 minutes each day to review materials. I read on public transport, at the beach, and pretty much everywhere else. The most significant help arrived via my network. They helped me out with questions and motivated me during these challenging days.

You might be asking yourself – why bother getting the CISSP certification in the first place? It makes you more recognizable to employers who trust people holding the certification. And let’s be honest, they’re more likely to pay you more. So, go for it, good luck!

Edwin Covert, Head of Cyber Risk Engineering, Bowhead Specialty

Earning my CISSP in 1999 was a different experience from today’s process. Back then, comprehensive study guides and boot camps weren’t a thing. We had a two-week course delivered in segments—a week-long session followed by three weeks off, then another week to wrap up. We relied heavily on ISC2’s list of recommended books.

Sitting in that George Mason University classroom in Virginia, I was surrounded by a wealth of information security knowledge, a term not yet replaced by cybersecurity. I wanted to absorb everything. The discussions were phenomenal – a constant back-and-forth exchange of ideas among experienced professionals. I mostly listened, soaking it all in, occasionally contributing my thoughts. This became my learning model throughout my career.

The saying goes, “If you’re the smartest person in the room, you’re in the wrong room.” This held true for me. I actively sought out those more experienced in cybersecurity.

My advice is to start small, find mentors, and become a knowledge sponge. Don’t limit yourself to books—seek practical knowledge as well. Talk to veterans in the field, learn from their experiences, and integrate your ideas as you grow.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: CISSP Certified Information Systems Security Professional Official Study Guide

Nov 25 2023

CISSP Study Guide

Category: CISSP, Information Security | disc7 @ 2:44 pm

CISSP Study Guide | Cyber Press

Tags: CISSP study guide

Jul 04 2023

What are the Common Security Challenges CISOs Face?

Category: CISO, CISSP, vCISO | disc7 @ 11:23 am

Chief Information Security Officers (CISOs) hold a critical and challenging role in today’s rapidly evolving cybersecurity landscape. Here are the common security challenges CISOs face.

As organizations increasingly rely on technology to drive their operations, CISOs face complex security challenges that demand their expertise and strategic decision-making.

These challenges arise from the constant emergence of sophisticated cyber threats, the need to protect sensitive data, and the ever-evolving regulatory landscape.

The role of a CISO requires balancing proactive risk mitigation with the ability to respond swiftly to incidents and breaches.

This article will delve into the top challenges CISOs face, including protecting digital assets, managing security incidents, ensuring compliance, dealing with insider threats, and the relentless pursuit of cyber resilience.

By understanding these challenges, CISOs can develop robust cybersecurity strategies and lead their organizations toward a secure and resilient future.

Who is a CISO?

A Chief Information Security Officer (CISO) is a senior executive responsible for overseeing and administering an organization’s information security plan.

A CISO’s primary responsibility is safeguarding the confidentiality, availability, and integrity of an organization’s information assets and systems.

They are accountable for creating and enforcing strategies, policies, and procedures to defend against cyber threats, protect sensitive data, and mitigate security risks.

CISOs play a crucial role in maintaining an organization’s security posture by establishing and enforcing security standards, conducting risk assessments, and implementing appropriate security controls.

They collaborate with other executives, IT teams, and stakeholders to align security initiatives with business objectives and ensure that security measures are integrated into the organization’s operations.

In addition to their technical expertise, CISOs often engage in risk management, incident response planning, security awareness training, and compliance with regulatory requirements.

They stay updated on the latest cybersecurity trends, threats, and technologies to address emerging risks and implement appropriate security measures effectively.

The role of a CISO has become increasingly important as cyber threats evolve in complexity and frequency.

CISOs are responsible for safeguarding the organization’s sensitive information, maintaining the trust of customers and stakeholders, and ensuring business continuity in the face of cybersecurity challenges.

What are all the Roles and Responsibilities of CISO?

  1. Developing and Implementing Information Security Strategy: The CISO is responsible for developing and implementing an overarching information security strategy aligned with the organization’s business objectives. This includes setting security goals, defining security policies and procedures, and establishing risk management frameworks.
  2. Leading the Security Team: The CISO manages and provides leadership to the security team, including hiring, training, and supervising security personnel. They ensure the team has the necessary skills, resources, and support to carry out their responsibilities effectively.
  3. Overseeing Security Operations: The CISO oversees day-to-day security operations, including incident response, vulnerability management, threat intelligence, and security monitoring. They ensure appropriate controls, technologies, and processes are in place to protect the organization’s assets.
  4. Risk Management: The CISO is responsible for identifying and assessing security risks to the organization’s information systems and assets. They develop and implement risk management strategies to safeguard critical data and systems, including risk mitigation, transfer, and acceptance.
  5. Compliance and Regulatory Requirements: The CISO ensures that the organization complies with relevant security regulations, industry standards, and legal requirements. They stay updated on emerging regulations and ensure appropriate controls and processes are in place to meet compliance obligations.
  6. Security Incident Response: The CISO leads the organization’s response to security incidents, including data breaches, malware attacks, and other security breaches. They establish incident response plans, coordinate efforts, and collaborate with relevant stakeholders, such as legal, PR, and law enforcement agencies.
  7. Security Awareness and Training: The CISO promotes a culture of security awareness throughout the organization. They develop and deliver security awareness programs and training initiatives to educate employees on security best practices and minimize human-related security risks.
  8. Vendor and Third-Party Risk Management: The CISO assesses and manages security risks associated with third-party vendors and partners. They establish vendor security requirements, conduct due diligence, and monitor compliance with security standards and contractual obligations.
  9. Security Governance and Reporting: The CISO provides regular reports and updates on the organization’s security posture to executive management, board members, and other relevant stakeholders. They ensure that security metrics and key performance indicators (KPIs) are established to measure the effectiveness of security programs.
  10. Incident Investigation and Forensics: In the event of security incidents, the CISO oversees the investigation and forensic analysis to identify the root cause, assess the impact, and prevent future occurrences. As required, they collaborate with internal and external resources, such as forensic experts and law enforcement agencies.

Security Challenges CISOs Face

CISOs face various common security challenges as they strive to protect their organizations’ digital assets and information. Some of the key challenges they encounter include:

  • Sophisticated Cyberattacks: CISOs must defend against increasingly sophisticated cyber threats, including advanced persistent threats (APTs), ransomware attacks, social engineering, and zero-day exploits. These attacks can bypass traditional security measures and require constant vigilance and adaptive security strategies.
  • Insider Threats: CISOs need to address the risks posed by insiders, including employees, contractors, or partners who have authorized access to systems and data. Insider threats can involve accidental data breaches, negligence, or malicious intent, requiring a balance between enabling productivity and implementing controls to prevent unauthorized access or data leakage.
  • Compliance and Regulatory Requirements: CISOs must ensure their organizations comply with industry-specific regulations, such as GDPR, HIPAA, PCI-DSS, or SOX, and evolving privacy laws. Navigating complex compliance requirements and maintaining a robust security posture to meet these standards can be a significant challenge.
  • Cloud Security: As organizations increasingly adopt cloud services and infrastructure, CISOs must address the unique security challenges associated with cloud computing. This includes securing data stored in the cloud, managing access controls, and ensuring the security of cloud service providers (CSPs) and their environments.
  • Security Skills Gap: CISOs often face a shortage of skilled cybersecurity professionals. The industry’s rapid growth and evolving threat landscape have resulted in high demand for cybersecurity talent, making recruiting and retaining qualified professionals challenging.
  • Third-Party Risk: Organizations rely on third-party vendors and suppliers, introducing potential security risks. CISOs must assess the security posture of third parties, establish contractual security obligations, and monitor their adherence to security standards to mitigate the risk of breaches through these external connections.
  • Security Awareness and Training: Human error remains a significant factor in cybersecurity incidents. CISOs must promote a strong security culture, provide regular training and awareness programs, and educate employees about cybersecurity best practices to minimize the risk of social engineering, phishing attacks, and other user-related vulnerabilities.
  • Incident Response and Recovery: CISOs must develop and test robust incident response plans to manage and recover from security incidents effectively. This involves identifying and containing breaches, conducting forensic investigations, and implementing remediation measures to minimize the impact and prevent future incidents.
  • Emerging Technologies: Adopting technologies like the Internet of Things (IoT), artificial intelligence (AI), and blockchain introduces new security challenges. CISOs must understand the security implications of these technologies, assess risks, and implement appropriate controls to protect against potential vulnerabilities and attacks.
  • Budget and Resource Constraints: CISOs often face budget limitations and the need to prioritize security initiatives. Balancing the allocation of resources to address immediate security needs while investing in long-term security capabilities can be a significant challenge.

What Security Compliance Frameworks Should a CISO Follow?

As a Chief Information Security Officer (CISO), there are several security compliance frameworks and regulations that you should consider following, depending on the nature of your organization and its operations. Here are some of the key security compliance frameworks and regulations:

  1. General Data Protection Regulation (GDPR): If your organization deals with the personal data of individuals in the European Union (EU), GDPR sets requirements for the protection, processing, and transfer of personal data. It includes principles for data minimization, consent, data breach notification, and the rights of individuals.
  2. Payment Card Industry Data Security Standard (PCI DSS): PCI DSS applies to organizations that handle credit card information. It sets requirements for securing payment card data, including network security, encryption, access controls, and regular vulnerability assessments.
  3. Health Insurance Portability and Accountability Act (HIPAA): HIPAA applies to organizations in the healthcare industry that handle protected health information (PHI). It establishes requirements for the privacy and security of PHI, including access controls, encryption, risk assessments, and breach notification.
  4. Sarbanes-Oxley Act (SOX): SOX applies to publicly traded companies in the United States. It sets requirements for financial reporting and establishes controls and processes to ensure the accuracy and integrity of financial statements. While not solely focused on security, it includes provisions for protecting financial data.
  5. National Institute of Standards and Technology (NIST) Cybersecurity Framework: The NIST Cybersecurity Framework provides guidelines and best practices for managing cybersecurity risks. It covers risk assessment, security controls, incident response, and continuous monitoring.
  6. ISO 27001: ISO 27001 is an international standard that provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It covers various aspects of information security, including risk management, access controls, incident management, and security awareness.
  7. Federal Information Security Management Act (FISMA): FISMA applies to U.S. federal agencies and sets requirements for securing federal information and systems. It mandates risk assessments, security controls, incident response planning, and continuous monitoring.

Security Challenges CISOs Face in Managing a Security Team

Managing a security team as a Chief Information Security Officer (CISO) requires effective leadership, communication, and coordination. Here are some key aspects to consider when managing a security team:

  1. Establish Clear Roles and Responsibilities: Clearly define the roles and responsibilities of each team member to ensure everyone understands their specific duties and areas of expertise. This clarity helps streamline operations and avoid confusion.
  2. Set Goals and Objectives: Define strategic goals and objectives for the security team aligned with the organization’s overall security strategy. Communicate these goals to the team and regularly track progress to ensure everyone is working towards the same objectives.
  3. Provide Guidance and Mentorship: Offer team members guidance, mentorship, and professional development opportunities. Encourage skill development, certifications, and staying up-to-date with the latest security trends and technologies. Support team members in their career growth.
  4. Foster Collaboration and Communication: Promote a collaborative and open communication culture within the team. Encourage knowledge sharing, cross-functional collaboration, and effective communication channels. Regular team meetings, brainstorming sessions, and updates are valuable for aligning efforts.
  5. Support Decision-Making: Empower team members to make decisions within their areas of responsibility. Provide guidance and support when needed, but encourage autonomy and ownership in decision-making. Foster an environment where team members feel comfortable taking calculated risks.
  6. Establish Incident Response Procedures: Develop clear incident response procedures and ensure the team is well-prepared to handle security incidents effectively. Conduct regular drills, tabletop exercises, and simulations to test and improve the team’s incident response capabilities.
  7. Stay Informed and Adapt: Stay up-to-date with the latest security threats, industry trends, and best practices. Encourage continuous learning and professional development for the team. Adapt security strategies and measures as the threat landscape evolves.
  8. Collaborate with Other Departments: Work closely with other departments, such as IT, legal, HR, and executive management, to ensure security initiatives are aligned with business objectives and integrated into overall organizational operations. Build relationships and foster a culture of security awareness throughout the organization.
  9. Regularly Evaluate and Improve: Regularly evaluate the team’s performance, processes, and procedures. Collect feedback from team members and stakeholders to identify areas for improvement. Implement changes and adjustments as necessary to enhance the team’s effectiveness and efficiency.
  10. Lead by Example: Demonstrate strong leadership skills, integrity, and a commitment to security best practices. Lead by example in adhering to security policies and procedures. Encourage a positive and supportive work environment.

Final Thoughts

CISOs face many common security challenges as protectors of their organization’s digital assets and information.

From sophisticated cyberattacks and insider threats to compliance requirements and resource constraints, these challenges highlight the complex and evolving nature of the cybersecurity landscape.

CISOs must navigate these challenges by adopting a proactive and strategic approach to security, leveraging advanced technologies, fostering a strong security culture, and collaborating with stakeholders.

To overcome these challenges, CISOs must stay abreast of emerging threats, continuously evaluate and improve their security measures, and prioritize investments in critical security capabilities.

They must also foster strong partnerships with internal teams, third-party vendors, and industry peers to collectively address security challenges and share best practices.

While the security challenges CISOs face may seem daunting, they also present opportunities for innovation and growth.

By effectively addressing these challenges, CISOs can enhance their organizations’ security posture, safeguard critical assets, and instill confidence in customers and stakeholders.

Ultimately, the role of a CISO requires a comprehensive and adaptable approach to cybersecurity, where staying one step ahead of threats and continuously improving security measures are paramount.

By embracing these challenges, CISOs can help shape a secure and resilient future for their organizations in an increasingly interconnected and threat-filled digital landscape.

Tags: CISO

Jul 01 2023

CISSP Cheat Sheet

Category: Cheat Sheet, CISSP | disc7 @ 10:16 am

CISSP books | Official (ISC)2® Guides

CISSP training

Tags: CISSP books, CISSP Cheat sheet, CISSP training

Nov 11 2022

How can CISOs catch up with the security demands of their ever-growing networks?

Category: CISO, CISSP, vCISO | DISC @ 11:12 am

Vulnerability management has always been as much art as science. However, the rapid changes in both IT networks and the external threat landscape over the last decade have made it exponentially more difficult to identify and remediate the vulnerabilities with the greatest potential impact on the enterprise.

With a record of 18,378 vulnerabilities reported by the National Vulnerability Database in 2021 and an influx of new attack techniques targeting increasingly complex and distributed environments, how can CISOs know where to start?

Why has maintaining network visibility become such a challenge?

Heavy investments into digital transformation and cloud migration have rendered significant, foundational changes to the enterprise IT environment. Gartner predicts end-user spending on public cloud services will reach almost $600 billion in 2023, up from an estimated $494.7 billion this year and $410.9 billion in 2021.

Long gone are the days when security teams could concern themselves only with connections to and from the data center; now they must establish effective visibility and control of a sprawling, complex network that includes multiple public clouds, SaaS services, legacy infrastructure, the home networks of remote users, etc. Corporate assets are no longer limited to servers, workstations, and a few printers; teams must now secure virtual machines on premise and in the cloud, IoT devices, mobile devices, microservices, cloud data stores, and much more – making visibility and monitoring infinitely more complex and challenging.

In many cases, security investments have not kept up with the rapid increase in network scope and complexity. In other cases, agile processes have outpaced security controls. This results in security teams struggling to achieve effective visibility and control of their networks, resulting in misconfigurations, compliance violations, unnecessary risk, and improperly prioritized vulnerabilities that provide threat actors with easy attack paths.

Adversaries are specifically targeting these blind spots and security gaps to breach the network and evade detection.

What are the most common mistakes being made in attempting to keep up with threats?

With the average cost of a data breach climbing to $4.35 million in 2022, CISOs and their teams are under extraordinary pressure to reduce cyber risk as much as possible. But many are hindered by a lack of comprehensive visibility or pressure to deliver agility beyond what can be delivered without compromising security. One of the most common issues we encounter is an inability to accurately prioritize vulnerabilities based on the actual risk they pose to the enterprise. With thousands of vulnerabilities discovered every year, determining which vulnerabilities need to be patched and which can be accepted as incremental risk is a critical process.

The Common Vulnerability Scoring System (CVSS) has become a useful guidepost, providing security teams with generalized information for each vulnerability. Prioritizing the vulnerabilities with the highest CVSS score may seem like a logical and productive approach. However, every CISO should recognize that CVSS scores alone are not an accurate way to measure the risk a vulnerability poses to their individual enterprise.

To accurately measure risk, more contextual information is required. Security teams need to understand how a vulnerability relates to their specific environment. While high-profile threats like Heartbleed may seem like an obvious priority, a less public vulnerability with a lower CVSS score exposed to the Internet in the DMZ may expose the enterprise to greater actual risk.

These challenges are exacerbated by the fact that IT and security teams often lose track of assets and applications as ownership is pushed to new enterprise teams and the cloud makes it easier than ever for anyone in the enterprise to spin up new resources. As a result, many enterprises are riddled with assets that are unmonitored and remain dangerously behind on security updates.

Why context is critical

With resources like the National Vulnerability Database at their fingertips, no CISO lacks for data on vulnerabilities. In fact, most enterprises do not lack for contextual data either. Enterprise security, IT, and GRC stacks provide a continuous stream of data which can be leveraged in vulnerability management processes. However, these raw streams of data must be carefully curated and combined with vulnerability information to be turned into actionable context – and it is in this process that many enterprises falter.

Unfortunately, most enterprises do not have the resources to patch every vulnerability. In some circumstances, there may be a business case for not patching a vulnerability immediately, or at all. Context from information sources across the enterprise enables standardized risk decisions to be made, allowing CISOs to allocate their limited resources where they will have the greatest impact on the security of the enterprise.

Making the most of limited resources with automation

There was a time when a seasoned security professional could instinctively assess the contextual risk of a threat based on their experience and familiarity with the organisation’s infrastructure. However, this approach cannot scale with the rapid expansion of the enterprise network and the growing number of vulnerabilities that must be managed. Even before the ongoing global security skills shortage, no organization had the resources to manually aggregate and correlate thousands of fragments of data to create actionable context.

In today’s constantly evolving threat landscape, automation offers the best chance for keeping up with vulnerabilities and threats. An automated approach can pull relevant data from the security, IT, and GRC stacks and correlate it into contextualized information which can be used as the basis for automated or manual risk decisions.
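The context-based prioritization argued for above, as an added Python example (it is not code from the original post or from any vendor's product). It starts from the published CVSS base score and adjusts it with the kind of context an IT inventory, cloud console and GRC stack would supply: internet exposure, business criticality, whether the asset still has an owner in the patch cycle, compensating controls, and whether the flaw is known to be exploited. The multipliers, the SLA bands, the asset names and the three findings (ids F-001 to F-003, no real CVE numbers) are constructed for illustration and would be tuned to an enterprise's own risk appetite:

```python
"""Context-aware vulnerability prioritisation.

Added example, not from the original post or any product. Weights, asset
attributes and the sample findings below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    """Context the IT/CMDB, cloud inventory and GRC stacks would supply."""
    name: str
    internet_exposed: bool      # reachable from untrusted networks (e.g. DMZ)
    criticality: int            # business criticality, 1 (low) .. 5 (crown jewel)
    monitored: bool             # has an owner and is in the regular patch cycle
    compensating_controls: Tuple[str, ...] = ()   # e.g. WAF rule, network ACL


@dataclass(frozen=True)
class Finding:
    """One scanner finding joined with threat intelligence."""
    finding_id: str             # placeholder ids; real data would carry CVE ids
    cvss: float                 # published base score, 0.0 .. 10.0
    asset: Asset
    exploited_in_wild: bool = False


# Constructed multipliers: they encode the argument that exposure, asset
# value and monitoring status matter more than the raw CVSS number.
EXPOSURE_FACTOR = 1.5
EXPLOITED_FACTOR = 1.3
UNMONITORED_FACTOR = 1.2
CONTROL_FACTOR = 0.8          # applied once per compensating control


def contextual_risk(f: Finding) -> float:
    """Return a relative priority score (not a CVSS-scale value).

    Starts from the CVSS base score and adjusts it with enterprise context.
    """
    score = f.cvss
    if f.asset.internet_exposed:
        score *= EXPOSURE_FACTOR
    # criticality 1 -> x0.8, 3 -> x1.2, 5 -> x1.6
    score *= 0.6 + 0.2 * f.asset.criticality
    if f.exploited_in_wild:
        score *= EXPLOITED_FACTOR
    if not f.asset.monitored:
        score *= UNMONITORED_FACTOR   # orphaned assets drift out of patch cycles
    score *= CONTROL_FACTOR ** len(f.asset.compensating_controls)
    return round(score, 2)


def prioritise(findings: List[Finding]) -> List[Tuple[Finding, float]]:
    """Rank findings by contextual risk, highest first."""
    scored = [(f, contextual_risk(f)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def remediation_sla_days(score: float) -> int:
    """Standardised risk decision: constructed SLA bands for a given score."""
    if score >= 20.0:
        return 7
    if score >= 10.0:
        return 30
    return 90


# Constructed sample data: three findings, no real hosts or CVE ids.
SAMPLE_FINDINGS = [
    # High CVSS, but internal, low-value and shielded by a network control.
    Finding("F-001", 7.5,
            Asset("build-agent-03", internet_exposed=False, criticality=2,
                  monitored=True,
                  compensating_controls=("not reachable from untrusted networks",))),
    # Lower CVSS, but an unowned, internet-facing DMZ host.
    Finding("F-002", 5.3,
            Asset("dmz-web-07", internet_exposed=True, criticality=4,
                  monitored=False)),
    # Critical, exposed, and actively exploited: obvious top priority.
    Finding("F-003", 9.8,
            Asset("vpn-gateway-01", internet_exposed=True, criticality=5,
                  monitored=True),
            exploited_in_wild=True),
]


if __name__ == "__main__":
    for finding, score in prioritise(SAMPLE_FINDINGS):
        print(f"{finding.finding_id}  cvss={finding.cvss:<4}  risk={score:<6} "
              f"patch within {remediation_sla_days(score)} days  ({finding.asset.name})")
```

Run stand-alone, the ranking puts F-002 (CVSS 5.3, exposed and unmonitored) ahead of F-001 (CVSS 7.5, internal and shielded), which is exactly the inversion the Heartbleed comparison describes; the SLA bands then turn the score into a repeatable decision rather than one that depends on an individual analyst's instinct.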


Vulnerability Management Program Guide: Managing the Threat and Vulnerability Landscape

Tags: CISO, Vulnerability Management Program

Nov 10 2022

CISOs, Security Leaders Eyeing Other Job Options

Category: CISO, CISSP, vCISO | DISC @ 3:35 pm

Nearly a third of CISOs or IT security leaders in the United States and the United Kingdom are considering leaving their current role, according to research by BlackFog.

Of those considering leaving their current role, a third of those would do so within the next six months, according to the survey, which polled more than 500 IT security leaders.

The report also found that, among the top issues security pros have with their current role, the lack of work-life balance is the most troublesome—cited by three in 10 survey respondents.

More than a quarter (27%) of respondents said that too much time was spent on firefighting rather than focusing on strategic issues.

Twenty percent said they felt that keeping their teams’ skill levels in line with new frameworks and models such as zero-trust was a “serious challenge”, while 43% of respondents said they found it difficult to keep pace with the newest innovations in the cybersecurity market.

Using Automation to Ease the Pressure

Phil Neray, vice president of cyber defense strategy at CardinalOps, a detection posture management company, said both CISOs and security operations center (SOC) personnel take pride in being cybersecurity defenders for their organizations and both groups feel the pain of information overload and constantly being on call to respond to the latest emergencies.

“What needs to change? The CISO’s peers in the business need to understand that cybersecurity risk is a top business risk, not just an IT issue, and they need to allocate higher budgets to support a higher level of staffing in the SOC,” he said.

In addition, Neray said by investing in more automation for the SOC, CISOs and their teams will be freed from performing mundane tasks.

“This way, they can direct their human creativity and innovation toward proactive activities like threat hunting and remediating gaps in their defensive posture, rather than always being reactive,” he explained. 

Darren Guccione, CEO and co-founder at Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, added that there is “absolutely no denying” that being a CISO is one of the most difficult and demanding roles in any company.

“The board of directors and fellow business leaders must support their CISO’s priorities and needs, particularly when they’re faced with a cyberattack or data breach,” he said. “Without that support, talented CISOs won’t stick around as there are plenty of other job opportunities awaiting them.”

Indeed, the BlackFog report noted recruiting is a challenge globally and with stiff competition to attract the best talent, organizations need to address the well-being and work-life balance issues that have persisted across the industry.

Acknowledging CISO Burnout

Sounil Yu, CISO at JupiterOne, a provider of cybersecurity asset management and governance solutions, noted that CISOs face an uncommonly high risk of burnout due to the nature of security work. 

“Burnout is more common than most realize,” he said. “Acknowledging burnout risks is an important way to be supportive and to let team members know that they are not alone.”

Yu pointed out that CISOs cannot personally shoulder the burden of mitigating burnout.

“Instead, CISOs should educate their company’s board and fellow executive leaders on security burnout risks and collaborate with HR to improve resources such as employee resource programs, flexible working arrangements and systems of reward and recognition,” he said. 

John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company, said CISOs are facing the same burnout risk as cybersecurity professionals with one key difference–the CISO is the designated ‘throat to choke’ when things go awry.

“One of the biggest changes to be made in the C-suite to improve the situation for security leaders would be focusing on freeing the CISO to work on strategic issues,” he said. “Constant firefighting burns out everyone up and down the ladder. You can handle that with line staff with job rotation, but the CISO needs to have the resources to make their life better overall.”

Bambenek added that mandatory PTO that involves someone else tending to the fires while the CISO is gone would help, too.

“PTO where you are still on call isn’t PTO,” he noted. “It’s just working from home.”

He explained that organizations that are well-funded should have emerging technology labs where they can explore both new technology and new security tools to help address the challenges CISOs are facing. 

“A big part of this problem is threats evolve with rapid changes in technology—security is playing catch-up behind both,” Bambenek said. 

Tags: CISO, CISO Burnout, Job Options

Jan 06 2022

CISSP Study Guide

Category: CISSP | DISC @ 10:54 am

Official (ISC)2® Guides

Tags: CISSP study guide

Dec 05 2021

CISSP study guide

Category: CISSP, Information Security | DISC @ 12:59 pm

Official (ISC)2® Study Guides 

Tags: CISSP study guide, Official (ISC)2® Study Guides

Sep 10 2021

How getting a CISSP can change the course of a career

Category: CISSP | DISC @ 11:53 am

Technical certifications are increasingly in demand with 87% of IT employees possessing at least one and 40% pursuing their next, according to Questionmark. Despite cybersecurity pros being more likely to have earned vendor-specific credentials, they think job pursuers should focus more on getting vendor-neutral ones.

In this interview with Help Net Security, May (Maytal) Brooks-Kempler, CEO at Helena, talks about her CISSP journey. Seven years ago she passed the CISSP exam, and today she teaches a CISSP course based on materials she co-authored.

Certified Information Systems Security Professional (CISSP) training course

If you’re building a career in information security the Certified Information Systems Security Professional (CISSP) is the must-have qualification to help you progress. It is a globally recognized standard that demonstrates your competence as an IT professional.

This course will prepare you with the knowledge and skills to complete the CISSP exam, which will get you Certified Information Systems Security Professional status. Covering topics including cloud computing, mobile security, application development security, and risk management, you will gain the knowledge to best manage information security issues back in your organization.

Certified Information Systems Security Professional (CISSP) training course

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide & Practice Tests Bundle 3rd Edition


Jun 12 2021

Certified Information Systems Security Professional (CISSP) training course

Category: CISO, CISSP, Information Security, vCISO | DISC @ 6:22 pm

Certified Information Systems Security Professional (CISSP) training course

If you’re building a career in information security the Certified Information Systems Security Professional (CISSP) is the must-have qualification to help you progress. It is a globally recognized standard that demonstrates your competence as an IT professional.

This course will prepare you with the knowledge and skills to complete the CISSP exam, which will get you Certified Information Systems Security Professional status. Covering topics including cloud computing, mobile security, application development security, and risk management, you will gain the knowledge to best manage information security issues back in your organization.

Duration: 5 days

“I would highly recommend the course to a friend, and in fact I already have! I’d also recommend it to a security team within an organization, even if they’re not specifically targeting a CISSP certification as it teaches a broad range of best practices and will help instill a culture of security and best practice in any organization.”

Who should attend?

This training course is intended for professionals who have at least 5 years of recent full-time professional work experience in 2 or more of the 8 domains of the CISSP common body of knowledge (CBK), such as:

  • Security consultants
  • Security managers
  • IT directors/managers
  • Security auditors
  • Security architects
  • Security analysts
  • Security systems engineers
  • Chief information security officers
  • Security directors
  • Network architects

Please note: A one-year experience waiver is available with a 4-year college degree, or regional equivalent, or an additional credential from the (ISC)² approved list, reducing the requirement to four years of direct full-time professional security work experience in 2 or more of the 8 domains of the CISSP CBK.

Don’t have 5 years of experience? – Become an Associate of (ISC)²

Certified Information Systems Security Professional (CISSP) training course

Official (ISC)2® Guides

7 tips for CISSP Success

Risk Management Training

ISO 27001:2013 Lead Auditor

Tags: CISSP book, CISSP book recommendation

Apr 30 2021

The realities of working in and pursuing a career in cybersecurity

Category: CISSP, cyber security, Information Security | DISC @ 5:50 am

“One of the biggest challenges we have in cybersecurity is an acute lack of market awareness about what cybersecurity jobs entail,” said Clar Rosso, CEO of (ISC)². “There are wide variations in the kinds of tasks entry-level and junior staff can expect. Hiring organizations and their cybersecurity leadership need to adopt more mature strategies for building teams.

“Many organizations still default to job descriptions that rely on cybersecurity ‘all stars’ who can do it all. The reality is that there are not enough of those individuals to go around, and the smart bet is to hire and invest in people with an ability to learn, who fit your culture and who can be a catalyst for robust, resilient teams for years to come.”

cybersecurity career realities

Mar 04 2019

RSAC 2019: 58% of Orgs Have Unfilled Cyber Positions | Threatpost

Category: CISSP, cyber security, InfoSec jobs | DISC @ 10:14 am

The workforce and skills gap in cybersecurity continues to plague organizations.

Source: RSAC 2019: 58% of Orgs Have Unfilled Cyber Positions | Threatpost

Jun 30 2018

(ISC)2 CISSP Certified Information Systems Security Professional

Category: CISSP | DISC @ 1:44 pm

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide 8th Edition


Get expert content and real-world practice with the new CISSP Study Guide, now available for purchase in paperback and Kindle. Order yours today.

CISSP Study Guide – fully updated for the 2018 CISSP Body of Knowledge

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 8th Edition has been completely updated for the latest 2018 CISSP Body of Knowledge. This bestselling Sybex study guide covers 100% of all exam objectives. You’ll prepare for the exam smarter and faster with Sybex thanks to expert content, real-world examples, advice on passing each section of the exam, access to the Sybex online interactive learning environment, and much more. Reinforce what you’ve learned with key topic exam essentials and chapter review questions.

Along with the book, you also get access to Sybex’s superior online interactive learning environment that includes:

  • Six unique 150-question practice exams to help you identify where you need to study more. Get more than 90 percent of the answers correct, and you’re ready to take the certification exam.
  • More than 1,400 electronic flashcards to reinforce your learning and give you last-minute test prep before the exam
  • A searchable glossary in PDF to give you instant access to the key terms you need to know for the exam

Coverage of all of the exam topics in the book means you’ll be ready for:

  • Security and Risk Management
  • Asset Security
  • Security Engineering
  • Communication and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

Tags: CISSP book, CISSP book recommendation

Nov 19 2017

4 reasons you should get a cyber security qualification

Category: CISSP, cyber security, Information Security | DISC @ 7:10 pm

The dramatic rise in cyber attacks over the past few years has caught most businesses off guard. Their cyber security departments are severely understaffed, causing them to look desperately for qualified professionals to help tackle the threat.

There has never been a better time to get into cyber security, so if you’re looking to enter the field, or further your career in it, you could benefit massively from gaining a relevant qualification. Here are four reasons why:

1. Cyber security professionals are well paid

Money isn’t everything when it comes to choosing your career, but it’s obviously a big factor for many people. We mentioned recently that people with a CISM®, PCI or GDPR qualification could earn £60,000 or more a year.

Of these, the CISM (Certified Information Security Manager) qualification is the most versatile. It’s the globally accepted standard of achievement among information security, information systems audit and IT governance professionals.

According to ITJobsWatch, people with a CISM qualification earn £64,000 a year on average. This figure has grown by more than 9% in the past two years.

2. There’s a high level of job security

The shortage of qualified cyber security professionals means that those in the field are less likely to be replaced or made redundant. Their skills are hard to find elsewhere, and the more someone gets to know the company, the more valuable they will become.

Additionally, because almost every organisation currently needs cyber security professionals, those with the relevant qualifications are more likely to find a position in a location or company that suits them.

3. There’s room for career growth

For the same reason that cyber security is a safe career, it’s also one that offers plenty of room for growth. Qualifications plus experience is a powerful combination that can help you move into more senior positions.

As you gain experience, you’ll also get the opportunity to earn more advanced qualifications. For example, you must have at least three years’ experience in IT governance to be eligible for a Certified in Risk and Information Systems Control (CRISC) qualification, and five years’ experience to be eligible for a Certified in the Governance of Enterprise IT (CGEIT®) qualification.

4. The work is rewarding

Cyber security is still a relatively young field, making it an exciting and prosperous place. The threats that organisations face are constantly evolving, so you’ll always have new challenges. Plus, you know that your hard work is for a good cause: to stop cyber criminals and keep your organisation safe.

What qualifications do I need?

The qualifications you need will depend on the career path you choose. If you’re interested in governance, risk management, and compliance, for instance, a CGEIT qualification is essential. If you’re interested in information security, you’ll need a CRISC qualification.

We’re currently running promotions on our CRISC, CGEIT, CISA and CISM training courses. If you book before 22 December, you’ll receive a 10% discount on the courses and a 5% discount on all reading materials.

Find out more about our:

Sep 04 2017

Information Security Certifications and Salaries

Category: CISSP, Information Security, Security Professional | DISC @ 2:54 pm

Is this a good time to be in the field of InfoSec? An (ISC)2 report shows the skills shortage is getting worse.

Over the next five years, the number of unfilled cybersecurity jobs will rise to a whopping 1.8 million, a 20% increase from 2015 estimates, according to a newly released (ISC)2 survey. Cybersecurity Faces 1.8 Million Worker Shortfall By 2022

Start learning InfoSec basics:

When planning to take on this career, at its early stages you should get as much practical experience as possible and achieve industry-standard qualifications such as those offered by Microsoft, Cisco, Check Point, Symantec and HP. The vendor-independent learning path of A+, Network+ and Security+ qualifications is also recommended.

When evaluating prospective InfoSec candidates, employers frequently look to certification as one measure of excellence in continuing education and commitment to learning. Below are the 7 most sought-after InfoSec certifications.

InfoSec Salaries review:

  • Security Analyst Salaries in the United States
  • Information Security Analyst Salary Range
  • IT Security Certifications Salary Guide
  • Top Cyber Security Salaries In U.S. Metros Hit $380,000


Mar 07 2017

CISSP Books

Category: CISSP | DISC @ 6:41 pm

Top Rated CISSP Books

Jan 09 2011

Information Systems Security

Category: CISSP, Information Security | DISC @ 1:20 pm

CISSP: Certified Information Systems Security Professional Study Guide

Totally updated for 2011, here’s the ultimate study guide for the CISSP exam

Considered the most desired certification for IT security professionals, the Certified Information Systems Security Professional designation is also a career-booster. This comprehensive study guide covers every aspect of the 2011 exam and the latest revision of the CISSP body of knowledge. It offers advice on how to pass each section of the exam and features expanded coverage of biometrics, auditing and accountability, software security testing, and other key topics. Included is a CD with two full-length, 250-question sample exams to test your progress.

  • CISSP certification identifies the ultimate IT security professional; this complete study guide is fully updated to cover all the objectives of the 2011 CISSP exam
  • Provides in-depth knowledge of access control, application development security, business continuity and disaster recovery planning, cryptography, Information Security governance and risk management, operations security, physical (environmental) security, security architecture and design, and telecommunications and network security
  • Also covers legal and regulatory investigation and compliance
  • Includes two practice exams and challenging review questions on the CD
  • Professionals seeking the CISSP certification will boost their chances of success with CISSP: Certified Information Systems Security Professional Study Guide, 5th Edition.

From the Back Cover

Comprehensive preparation for the 2011 CISSP certification exam

With pages of in-depth coverage, real-world scenarios, and detailed explanations of all domains from the Common Body of Knowledge (CBK) for the CISSP certification exam, this complete guide not only thoroughly prepares you for the exam, it also helps you develop practical skills for success on the job. Key topics include access control, business continuity, cryptography, biometrics, and more. You’ll also find helpful advice on how to pass each section of the exam. Inside, find:

  • Full coverage of all exam objectives in a systematic approach, so you can be confident you’re getting the instruction you need for the exam
  • Real-world scenarios that put what you’ve learned in the context of actual job roles
  • Challenging review questions in each chapter to prepare you for exam day
  • Exam Essentials, a key feature in each chapter that identifies critical areas you must become proficient in before taking the exam
  • A handy tear card that maps every official exam objective to the corresponding chapter in the book, so you can track your exam prep objective by objective

Look inside for complete coverage of all exam objectives.

Test your knowledge with advanced testing software. Includes all chapter review questions and two full-length, 250-question practice exams.

Reinforce your understanding with electronic flashcards.

Also on CD, you’ll find the entire book in searchable and printable PDF. Study anywhere, any time, and approach the exam with confidence.

Includes Real-World Scenarios, Written Labs, and Leading-Edge Exam Prep Software Featuring:

  • Custom Test Engine
  • Two Full-Length, 250-Question Practice Exams
  • Electronic Flashcards
  • Entire Book in PDF

Tags: CISSP book, CISSP book recommendation, information systems security