
Welcome, everybody. I see some people still coming in; just come on in and take a seat. We have some items up in the front, so if you want to come up to the front, feel free to do so. Can you believe this is the tenth year we're having BSides here in Pittsburgh? That's crazy. Congratulations, BSides. Thank you, everyone, for coming. Let's give a big shout-out to all the volunteers; they've worked hundreds of hours, so thank you to all the volunteers for everything that you've done. [Applause]

Well, they tell us most presentations should start with a joke. I'm not going to do that today. I'm going to start my presentation with a question that you would see in the CISSP. Now, the question is, listen carefully: what is an orange? Now, don't answer this question right now; we're going to wait and answer it during the presentation. But your choices are: it's a color...

I forgot what the choices are.

...it's a stop sign, it's a fruit, or it's a traffic light. So what is an orange, and the choices are color, stop sign, fruit, or traffic light. We're going to come back to that question.

Now let's take a poll here real quick. How many people have any kind of certification from (ISC)² right now? Okay. How many of you have the CISSP certification? Okay, great, nice number. How many people here are interested in getting their CISSP? Oh, look at that, wow. Yeah, great, great to hear.
Okay, well, who are we? My name is Anna Cotter, and earlier this year, this week actually, marked my 38th year of working in IT. Wow, that's lonely, Anna. If you didn't know me and I described myself just through my work, you would think that I wore a hoodie, you know, the hoodie, lived in my parents' basement, ate pizza, and drank Pepsi all day, and that's who I would be. But really, I am the VP of Cloud Security for Oasis, and in my day job I am an identity and access management architect for Highmark Health.

Also, in my spare time, what I like to do is bake cookies. I bake lots and lots of cookies. Do you know the Italian wedding cookie table? Yeah, that's the kind of thing I do in my spare time. In addition, I am the (ISC)² Inclusion and Diversity Chair. In that position, what I'd like to do is bring more minorities, more women, to the table. We don't want to exclude any of the men, but we want to add in, because cybersecurity really needs everyone to be part of the organizations.

Thank you, and I'm going to go ahead and turn it over to Lisa.

Well, hi, I'm Lisa Young, and I've been in the IT business for a number of years. Prior to that, I did mechanical drafting and design on a computer. I don't know how I ended up in security. Well, I do know how: I crashed a security meeting when I worked at Philips Healthcare, and once I crashed that meeting, I really fell in love with security. I ended up working on product security, application security; eventually I did physical security at a company I worked for here in Pittsburgh. I went over to HM Health Solutions, where I met Anna, and we worked together there. I was on the risk team there, and from there I went to another company, Ivalua, where I worked on governance, risk, and compliance, managing SOC audits and HIPAA audits, things like that. And just recently I got a new job at Autodesk, and I'm a third-party risk management lead for Autodesk.

Thank you very much, Lisa. Before we start the presentation, let me give you a little bit of the legalese. Basically, the concepts we're showing here are nothing new; academia has been using them for a number of years. But what we want to say is that any kind of opinion we express does not represent (ISC)², our respective employers, or any other group. These are our own opinions that Lisa and I have helped develop for a number of years now.
Why certify? According to (ISC)², a baseline CISSP will make $131,000, and you can see some peppermints on the table; that's a lot of peppermints. I know this screenshot's a little bit small here, but if you look at this heat map from cyberseek.org, this was taken earlier in the week, you can see this is the Pittsburgh region, and there are 743 openings looking for the CISSP. That's the highest number of any certification; people want to see the CISSP. There are about 12,000 people employed in the Pittsburgh area in cybersecurity and about 8,200 job openings right now, so there's probably one job opening for every three people that are employed. That's a lot of openings. I know a lot of you, during the opening remarks, said your company was hiring, and a lot of people are here just to hire today.

So what we want to do, Lisa and I thought, hey, we can be role models. Lisa's my role model, my mentor, and we want to try to help bring more people into this field to help fill these gaps. So we continued doing the (ISC)² study group to help us and, you know, to stand out among our peers.

Yeah, so I'm going to talk about some of the (ISC)² certifications that are available. For most of them you need to have experience in the field to get certified, but there is a new certification for beginners that you can go for, which should prove to your employer that you're able to learn and get into the cybersecurity field, until eventually you can go for one of these other certifications. And the certifications are in many different areas. You have the CISSP, which is in leadership and operations; the SSCP, which is IT administration; the CCSP, which is cloud security; the CSSLP, these are all tongue twisters, which is software security. They even have healthcare security and privacy, which is the HCISPP, and you have the CAP, which is a Risk Management Framework, GRC-sort-of certification. So all of these certifications can help you in whatever area of security you're interested in, and a lot of these are certifications that, if you get government jobs, they like you to have in those types of jobs.

So, Anna, why don't you tell us a little bit more about the exam?

Sure. The CISSP is an adaptive exam. So what does that mean? That means that the questions you get are in order; you get the next question automatically. You can't tag any of your questions, you can't go back and answer any of your questions, so once you answer it and submit it,
it's submitted. There are no minus points for answering wrong, so make sure you answer all your questions when you do take the test. What happens also with the CISSP is, for instance, you get a question on threat models, and say you get a question on the threat model STRIDE. You get it wrong, and it's going to come right back and ask you about the threat model PASTA. Yes, there is a threat model called PASTA. It's not spaghetti. Not spaghetti. [Laughter] So basically you need to make sure you understand the concepts; you can't skip topics on the exam. What we recommend people do is take a look at the outline and make sure you understand every single concept within the outline, and you'll see, when we show some samples of things that we do within our study group, how we make sure we hit every single concept.

You must score well enough in all eight of these domains listed here to be able to pass, and an overall score of 700 out of 1,000 points. Now, there have been a lot of changes to the CISSP program. Some of you may remember the ten domains; that has switched over to eight domains. And on June 1st of this year, what CISSP has done is added 25 additional questions and an extra hour. Those 25 additional questions are unscored, so they're basically untested questions. So sometimes you may look at a question and you're going to be like, what the heck is this? Don't worry, it's probably an unscored question. Just do your best in answering it, and just think about what is an orange.

To become certified, you have to have paid experience in at least two of these domains. Typically you need five years' experience, but you can cut one off if you do have a master's degree. There are a ton of resources for this test; it's been around a long time, right? Yeah.

Okay, so now we're going to give you a little teaser and some secrets to clearing this exam. Some of these secrets I learned when I went to a boot camp,
and I also learned them from other people when I was in study groups. I found a study group on Facebook, a CISSP study group with Luke Ahmed, and it was a great, great group to join. These are some of the things I learned.

Think like a manager. So when you're taking the exam, you want to make sure you think from a management point of view. Another thing: when you see the questions on the test, if you see anything about life safety or people in the question, that's what comes first, so that's most likely going to be what the answer is related to. Then, also on the test, if you see something with risk assessment in the answer, that's often the answer, because if you have to choose, they'll have answers that look good. If it's a technical sort of question, oh yeah, here's the answer; but if you come from a technical background, sometimes it's hard, because you want to solve the problem and you want to pick that technical answer. But most of the time on the test, the answer is do a risk assessment. So again, you want to look at the answers from the management perspective, and people and processes will always trump technology answers on the test. You want to think about your end game: what really needs to be done to avert the risk and maintain a security mindset. The technologies will come and go, but the principles of security won't change. You want to think about a security-by-design approach when you're looking at the questions, and also layered defense when you're looking at the questions too.

And Anna's going to talk to us about some of the low-cost resources that we've found.

Thank you, Lisa. These resources change all the time as to what is the best to find. If you notice at the beginning of our slides, and we're going to have it again, we have QR codes. We also have some QR codes that we can pass out here; if you want one, let us know. We have a paper copy of
that QR code; probably at the end of the presentation we'll go to the back and hand those out. But these are some of the QR codes. Within the CISSP world there are a lot of superheroes. I hate to start naming them, because there are just so many. One that has helped us immensely, on a personal level, is Luke Ahmed. He runs a Facebook group called Study Notes and Theory; he also has a website by that same name, and this orange book is something that he has written, How to Think Like a Manager. It's available for free right now with one of the subscriptions, I think the Kindle subscription. Many of these books you'll find at the local library; you don't have to go buy it. Look at it and see if this is something you want or not.

For a second, yes, Ryan?

Oh, like, if, yeah, in college right now, a lot of this stuff you can look at. It might cost a person, you know, if it's by yourself and you're not a student, 500, a thousand dollars a year; you might get some of that for free. So if anybody's looking at taking the exam...

For those that didn't hear Ryan, maybe in the back, basically what Ryan is saying is that there are a lot of resources out there that are available to a student. Look into them; they could be low-cost. I know Udemy: the Allegheny County Library offers that free with just your library card, so go ahead and talk to your librarian. You don't have to go out and buy a ton of things for this test; that's not going to make it successful. There are probably a million different items out there today, and I had a stack of books this high when I studied, and you know what, I slept on those books. It was exhausting.

Here's an offer that we just found on LinkedIn this week: Larry Greenblatt. Lisa chats with Larry on LinkedIn from time to time. He's going to offer free classes during the day. A lot of times individuals, especially from India or Asia, will say all these classes are in the middle of the night for us. But here we go: Larry's going to be offering some boot camps free of charge in the middle of the day next week. If you're available, it's a great opportunity to listen to some materials. He's going to have these recorded, and you will have to pay a nominal fee for the recordings. I don't know what the price of this one is; normally Larry's recordings are less than a hundred dollars. So yeah, take advantage of the free resources, and don't hesitate to reach out to someone like Larry on LinkedIn and say, hey, I saw your materials, I like you, I have this question about your materials. It's these types of things that really help you.
Okay. Part of passing this test is going to come from the academia world, right? You need to know what kind of learner you are. What we found is, by running these study groups, by taking a presentation, creating your own presentation, trying to teach it to someone else, talking through these topics, asking questions, and having a discussion with others, it really helps you reinforce your learning. Because even though some of these things are academic, you're not actually just an active learner; you're usually an active learner, maybe with a visual learner, with sensory learning. So you're usually parts of all these types of learning, and that's why we feel that going through it with a study group is a good way to pass the exam, especially when people participate. When people participate, it helps.

Yeah, and people that have presented and really participated in a group so far... I'm not counting our last study group that just finished; we have one person that passed from that group so far. But 100% of the people that actively participate and present pass so far, so it's a 100% pass rate. Now, you know, participating and just doing it halfway doesn't get you there; it only gets you halfway. But if you're fully engaged, you do pass.
So next we just wanted to show some of the example slides that we had from our study group. I presented on the risk domain, and actually I have a whole deck of CISSP slides, because, like Anna was talking about previously, I'm more of a visual learner, so these pictures help me, and when I'm on the exam they help me to picture answers for certain things. So that was helpful for me. Here I put this slide together, and you'll see at the top here, 1.6, develop, document, and implement security policy, standards, procedures, and guidelines. That's one of the topics in the domain, so on all the slides I put the domain topic at the top to make sure that we covered the topic. So when the presenters are doing their slides, they take the outline of the chapter and kind of go through those. This one was about the policies and standards hierarchy. A lot of people don't understand what's a policy, what's a standard, what are procedures, but this kind of puts it together and shows you the strategic versus what's tactical.

Another example slide I have here is of risk management concepts. You know, there are all these initials, MTBF, MTTF, MTTR; what does all that mean? So I found a picture and put the picture up there to try to tell me the story of what that means on the slide. So for me, that helped me with learning. As we did the study groups, I presented this a while ago, and as we progressed through the study groups we offered, for the people who wanted to present, to use some existing slides and then add in the new things that were updated in the presentation. So they would add it, and then we would either present together or they would present the slides. Some people just created their own slides, which is very helpful, I think.

So, Anna, let's talk about how we reinforce learning here.

Sure. In the cybersecurity world, you're not alone. Don't try to do this test alone. I've
talked to and mentored some young women, and they're like, I don't want anybody to know that I'm studying for this test. Like, why not? Well, what if I don't pass? Well, you will pass. So you might as well go and get help from other people. So basically, LEARN. Here we're using this, what's this word, not an acronym... mnemonic, yeah. LEARN: you first have to be exposed to the new information, then you have to encode it, you have to apply it, you have to recall it, and don't give up. Failure only happens if you give up. If you don't pass the exam, yes, it's an expensive exam, but don't give up; just try it again. Many employers will pay for that exam. If you don't have an employer that's paying for the exam, there are a lot of job openings; go find an employer that's going to pay for the exam. Ask them that when you're looking for a job out there today: do you pay for the CISSP exam? You know, it's like, well, I'm not even sure how much it is. Does anyone know? Eight hundred dollars now? Is it eight hundred? I think so, like $799 or something like that. Okay.

So now I'm going to go into some exam day tips. One of the things you want to do is arrive at the test center at
least 30 minutes before you even start your exam. To check in, you'll make sure you have two acceptable forms of ID, provide your signature, submit a palm vein scan, I mean, you're signing your life away here, and have your photo taken. But don't wear hats or scarves or sunglasses or anything like that, because they want to see your face, and you can't take any of those things into the room. In the room, you'll have to leave your belongings outside. There'll be a test administrator in the room, and they'll give you an orientation; they'll escort you to a computer terminal, and if you need anything during the exam, you raise your hand and alert them. If you have any problems, you need a new note board, or you need to take a break for any reason, you have to raise your hand and they'll come help you. The other thing: you might want to bring earplugs. I brought earplugs because there could be distractions around you, so that was helpful for me.

And you'll see on the tables here we have peppermints. Peppermints are one of the keys that you need to pass this exam. When you're studying, you want to eat peppermints; it helps you to focus and it helps people to concentrate better, and it might even reduce your anxiety. That's why we brought the peppermints, so anyone who's going to take the exam, please grab a peppermint off the table.

And make sure when you're taking the exam you read the questions thoroughly. Read the answers. I took the approach where I read the answers, then I read the question, and then I read the answers again, and you can usually eliminate two of the answers, and then you have a 50/50 chance of getting that answer right.

So our lovely volunteer just brought me a peppermint. Lisa? Oh, nice. Where's my peppermint?

Anna, do you want to talk about some of the test-taking tips here?

Yes, definitely. Budget your time. The one thing that has caught some people off guard is at the beginning of the test there's an NDA; basically you
can't talk about what questions are on the test, et cetera. You only have five minutes to accept that. When you go to the testing center, you basically get just a blank piece of paper with, like, a Sharpie or something to write on, and a lot of people are like, I want to write the OSI model down and I want to write this down while it's still fresh in my mind, even before I start my test; I want to write all this stuff down. And they don't realize that they need to accept that NDA agreement. The first thing you do when you go take your test is go in and accept that NDA agreement. I've heard of several people that have missed that five-minute opportunity, so don't let that be you.

Read the question carefully to determine what it's actually looking for. Determine the correct answer: try to think about it in your head before you look at the answers. Once you've read through them, you kind of know what the answers already are, and when you're reading the question, which one do you think it is before re-looking at that answer? Read those carefully and select the best answer.

So back to the question: what is an orange? What is an orange? Does anybody know what an orange is? Are you going to give them the choices again? Go ahead. I'm going to go ahead and... It's a fruit. Right answer: it's a fruit, because I'm saying what is an orange. If that question was asked a different way, it may be a color. And this is basically how a lot of the questions on the exam are: two of them are just off, they're not close, but two of them are really close and both can be correct, but you have to pick the most correct answer. So what's the correct answer, Tori? Do a risk assessment. Yes, yes, we have to do a risk assessment and figure out if it's an orange. [Laughter] All right, I like that. [Laughter]

Okay, here's the QR code that we promised. If you take a picture of this QR code... again, we'll have some handouts at the back of the room at the end of the presentation here. But can everybody get the picture? Is it working for you? We'll keep this updated going forward. QR codes, they trust us. Yeah, QR codes can be... Did you do a risk assessment before you did that on your phone?
So, anyone have any questions here? Questions? If we don't have questions... We did have some quotes from people in our study group. Eric, are you here? Where did you leave us? So we told Eric we would make him come on stage. He was on stage earlier for opening remarks; I think we scared him away, but he's on the other side right now. Yeah, so we have some quotes from people who did take the exam that we put up here. Austin, I don't want to read them all; they're so long. [Laughter] But we do have some shorter quotes. We have quotes from people who actually took the class to study, and then quotes from some of our mentors in the class, which are probably a little shorter here. Yeah, this is our mentor slide. Pete's been one of our mentors before. So we do have a CISSP group that will help you along on this journey. Always feel free to reach out to myself or Lisa, but also feel free to reach out to your partner CISSPs for mentoring. Most of the members that come to the study group that we hold come because they're recommended by another CISSP. I know, Ryan, you've recommended some people to come up to our group as well, so feel free to do that.

If you'd like to join, how many people think they would like to join the CISSP study group? I see some hands. Good, okay, I'll be shocked. We'll give you the card and how to do it after the session. And also, being the membership chair for (ISC)² Pittsburgh, I invite anybody who is not already a member to join our chapter and come see us and talk about that too. Yeah. Ryan, do you have anything to add? Ryan's the president of our local (ISC)² chapter. Just so you know, the study group is all volunteer, it's student-run, and it's free. Do you want to come up, Ryan? Come on up, come on up front.

Yeah, I just want to mention that it seemed like a lot of people here were interested in taking the exam, so if you're even on the fence, come to study group and then see if it's for you. What do you typically do, Monday or Tuesday nights? Yeah, it's usually a good time for people to make. So if you're like, I've been thinking about it, this is a really good way to do it. And then if it's one of those things where you do it and you're like, you know what, I just don't want to, well, then that's fine too. But I say, if you're like, I've been thinking about doing this, come to one of the meetings, give it a try, and then see if it's for you. I strongly encourage that.

Yeah, it's also a good way of networking, and you do meet people in different areas of security. So I know I've learned a lot from the people in the group and, you know, just the different areas of security they work in, the domains. But anyway, that's all we have, so thanks, everybody, for listening. Yeah, we're heading towards the back there. If anybody has any questions, feel free to catch one of us; both Lisa and I will be here all day, so at any point in time you have questions, feel free to come up and say, hey, I have this question. Thank you very much, everyone, for coming. Thank you, Cat, and the rest of the organizers. [Applause]