Episode Transcript
1:10
Hey , hey . CyberWork Hacks is back to keep you up
1:12
to date with the CISSP exam . Today
1:14
, Infosec Bootcamp instructor Steve Spearman
1:16
joins me to talk about the new changes to
1:19
the CISSP's common body of knowledge
1:21
, how these changes to the CBK should
1:23
or shouldn't affect your study and preparation for
1:25
the exam . Keep learning and keep it here
1:27
for another CyberWork hack . Welcome
1:34
to a new episode of CyberWork Hacks
1:36
. The purpose of this spinoff of our CyberWork
1:38
podcast is to take a single fundamental question
1:41
and give you quick , clear and actionable
1:43
solutions , or give you a new insight into
1:45
how to utilize InfoSec products and training to achieve
1:48
your work and career goals . So , for example
1:50
, today Steve Spearman is an InfoSec
1:52
instructor and , among his many areas of
1:54
InfoSec expertise , he
1:56
is our Bootcamp instructor for one of the most
1:58
desired , demanded and elite certifications
2:01
, ISC2's Certified Information
2:03
Systems Security Professional , or the CISSP
2:05
certification . So for today's CyberWork
2:08
hack , Steve and I are going to break down some of the forthcoming
2:10
changes to the CISSP's common
2:12
body of knowledge , or CBK , in 2024
2:14
. Thanks for joining me today , Steve . It's
2:17
my pleasure , Chris , all right
2:19
? So , Steve , as we know , the
2:21
CISSP has made some pretty noteworthy
2:23
changes in what it calls its common body of
2:26
knowledge this year , so or it will be soon . This
2:28
involves shifting priorities of certain
2:30
topics or assigning different weights or importance
2:32
as different security concepts in order to keep up
2:34
with current cybersecurity practice . So can you talk
2:36
about what the CBK changes will look like
2:38
and when they're exactly going to take
2:40
effect ?
2:41
Yeah , yeah , we'd love to . And if it's okay , why
2:43
don't I step back just a bit and
2:45
talk a little bit about what is the CBK
2:47
? I mean ? Yeah , so this
2:50
stands for common body of knowledge
2:52
and it really is the official
2:55
truth about the CISSP . If
2:59
there's a question on the exam , it should
3:02
originate from the CBK
3:04
. In fact , one of the questions
3:06
I get asked quite a lot is like should I get
3:08
the CBK ? Because you
3:10
can buy it ? It's expensive , but you can
3:12
buy the common body of knowledge . My
3:15
general recommendation to students is eh
3:17
, you don't need to . The official study
3:19
guide is much
3:21
more readable . It contains
3:23
probably 90% of
3:26
the CBK . There's been some interesting
3:28
. There's been
3:30
in the last year . There's been some interesting talk
3:33
about the fact that somebody
3:35
did a little bit of an analysis and they
3:37
were able to find questions
3:40
in different resources
3:42
available from the ISC2 , looking
3:44
at exam questions , and they couldn't really find
3:46
topics in either the
3:48
official study guide or in the CBK . But
3:52
that doesn't really help as much . I just think it's an interesting
3:55
fact . The
3:57
CBK is where questions come from , so
4:02
the ISC2 makes
4:04
changes really almost pretty
4:06
strictly about every three years . Triennially
4:09
, triennially
4:11
, triennially . Triennially
4:14
, triennially . Anyway
4:17
, I'm not going to talk too much about it
4:19
Close enough , your
4:21
viewers will understand . The
4:25
last one was so it was . The last one
4:27
was 2021 . Before
4:30
that was 2018 . With
4:33
that transition , they added a point
4:35
to the software
4:37
. They took a point away
4:40
from the telecom
4:42
. So
4:44
the main change that they've made
4:46
is they've actually that
4:48
will take place and it's going to happen April
4:51
15th this year , 2024
4:53
, is
4:56
they are adding a point
4:58
to the domain one
5:01
, which is the management , the governance
5:03
management . It is , in many ways , sort
5:06
of the anchor for the whole exam . This is a
5:08
management exam and
5:10
it's going from 15% to
5:12
16% and they're actually taking
5:14
a point away from software , but we're taking
5:17
a percentage away from
5:19
software . I think it's worth understanding
5:22
. You'll hear the term weighting . Yes
5:25
, exam weights . Weighting
5:27
is not actually a really good way
5:29
to describe what's happening . Weighting
5:35
would imply that the questions
5:37
in domain one are more important
5:40
than the ones in the
5:42
. That's really . It just means the
5:44
amount of topics that
5:47
are in the thing . So they're adding some
5:50
content to domain one in there . I
5:53
don't know if removing it from the software
5:55
domain or just adjusting . Yeah
5:59
, exactly . So the only thing that really
6:01
happens in the exam that's more like a
6:03
true weighting is the . We
6:05
don't know the algorithm , we don't know the scoring
6:07
algorithm , the exam itself , but
6:09
we but there is . The
6:13
exam does measure difficult
6:15
questions in
6:17
a manner that's different than
6:19
then . Quote easy
6:21
questions , and every question on the exam
6:23
is literally ranked as easy , medium
6:27
or hard , and
6:29
ultimately , your ability to pass the exam
6:32
is is tied to your ability to
6:34
get hard questions Correct
6:36
. Yeah , yeah , so
6:41
, anyway . So the big changes are they ? They change
6:43
, they're changing the weighting for those two domains
6:45
and then , interestingly
6:49
, they're going back to change
6:51
both the number of questions and
6:54
the length of the exam . So , in
6:56
order to kind of get to what's going on with this
6:58
, I want to go back to a little bit of history . And
7:02
in June June 1st
7:04
2022 , the
7:07
CISSP decided
7:09
to increase the number of questions
7:12
on the exam
7:15
and increase the time . So
7:18
on that date , they
7:20
increased the number the minimum number
7:22
of exam questions on the on
7:24
the on the computer adaptive test from from
7:26
a hundred to 125
7:29
. And the maximum number of questions
7:31
went from 150 to 175
7:34
. And
7:36
and then they increased the exam time
7:38
by one hour , so it went from three hours
7:40
to four hours . Okay , interestingly
7:43
, when they did
7:45
that , they didn't change the number
7:47
of scored questions at all , not
7:51
like that . In other words , they just
7:53
did it to have more
7:56
sample questions , and sample questions
7:58
are questions that are being
8:00
statistically validated for
8:02
use in a future exam Interesting
8:05
. So in other words , they don't benefit test
8:07
takers at all . I've been kind of complaining
8:09
about this for a couple of years .
8:12
You're basically doing unpaid labor there
8:14
for them .
8:14
It's kind of unpaid labor , exactly . It's
8:17
like you know they're adding an hour
8:19
to every you know , to every test taker's
8:21
time or whatever it's like , and they're getting all
8:23
the benefit . I suspect
8:26
that they probably now have a very
8:28
, very , very healthy database
8:30
of usable questions that have been
8:32
statistically validated , because on
8:35
April 15th they're going back , it's
8:37
going to be a three hour exam . Minimum
8:41
number of questions is 100 . Maximum
8:43
number of questions is 150
8:46
. So
8:48
that's the other significant change .
8:52
So I know that ISC2
8:54
makes these changes every three years , but can you
8:56
talk about why you think they made
8:58
these specific changes , and I won't say
9:00
weights , but these changes and allocations
9:02
to their certification like ? What aspects of
9:04
the industry were they trying
9:07
to address by making these changes , do you think ?
9:10
We can't really know exactly , but they
9:12
do . The ISC2 does
9:14
have a board that does
9:16
a review of the questions and
9:19
the certification and the common body of knowledge
9:21
. That board determined
9:24
that
9:26
they needed to adjust the weighting
9:28
, those domain weighting , and add some
9:30
content . I
9:33
don't have a other than what
9:36
the ISC2 has said and other pundits
9:40
have said . I don't really know exactly why
9:43
that decision was made , except to feel like
9:45
the CBK and the changes of
9:47
the CBK all come down
9:49
to trying to make the CISSP
9:51
relevant , like maintaining
9:54
its relevance in the marketplace . Their
9:57
own internal analysis must have shown
9:59
that there was a need for
10:01
that change .
10:02
Yeah , I ask only because of past
10:04
guest Leighton Johnson . We did this with the CISM
10:06
certification and he was saying that there's
10:09
a massive change over there from going
10:11
back to the security side , from the management side
10:13
. I know that they're always thinking in terms of
10:15
addressing specific needs in
10:17
the industry . Also , I realize that there is
10:19
a black-box nature to what they do , especially
10:22
with regards to test scoring and so forth . Yeah
10:24
, I appreciate the insights there . If
10:27
you're currently studying for the CISSP
10:29
but not scheduled to take the exam just yet and
10:32
I know the changes are coming in April 15th
10:34
at what point do you need to change your
10:36
study or learning strategy , if at
10:38
all ?
10:41
I would say first of all , today
10:43
you really can't change it . There's no new
10:45
material available . The ISC2
10:48
is going to drop their own internal
10:50
training content on
10:52
April 15th and not before . Historically
10:58
, if you have the experience requirements , this is
11:00
an exam that you
11:02
have to lean into your experience a lot . You
11:05
need five years in order to become a
11:07
CISSP . You need to have five years experience
11:09
Worth pointing out . Yeah . Yeah
11:12
, you've
11:16
, then , been doing the kind of methodical study
11:18
that's necessary to pass this exam . I
11:21
strongly suspect that
11:23
you'll do fine . I
11:26
don't think you're going to see earth-shattering
11:28
changes . That
11:31
would be pretty disruptive . I'm sure even
11:33
though I'm not dismissing the significance
11:36
of those changes , I'm sure that they were
11:38
properly evaluated Historically
11:41
. When those changes have happened
11:43
, it didn't really impact
11:46
the way that you prepared . I
11:49
guess I can't be too definitive until
11:51
we see what happens April 15th , but I suspect
11:53
it'll be the same thing . You'll
11:56
methodically prepare the same
11:58
ways you have in the past . Yeah
12:01
.
12:03
I think it's probably something that , if you're already
12:05
well on your way , you just steady as
12:08
she goes . But if you're considering starting
12:11
to study for the CISSP at this point , you might almost
12:13
want to wait until we get closer to April 15th
12:15
and you have a better sense of what's going on .
12:17
Yeah , it's the opposite . If you've been studying
12:20
, you feel like you're ready . It's like , make sure you
12:22
schedule it before April 15th .
12:23
For sure yeah .
12:24
You know what I'm saying . If
12:26
you feel like you're ready and you
12:29
want to be able to work within a known
12:31
quantity and know
12:33
, then yeah , go ahead and take it . That would be my
12:35
advice , I guess . Yeah .
12:38
It's no less of a CISSP that you get if
12:40
you get this one , versus the brand
12:42
spanking new one . Yeah
12:44
, exactly . Obviously , Infosec
12:46
is all about helping our students pass their
12:48
certification exams with flying colors , but we
12:51
also want to be with you for the long term
12:53
and help you retain that info and use it to level up your
12:55
skills and your career . Steve , I want to just
12:57
ask more of a broad brush question . For
13:00
people who are taking the CISSP , I know that an
13:02
awful lot of the buildup
13:05
to it is that you're just pushing a metric
13:08
ton of stuff into your head so that you can pass
13:10
the exam in the moment . What aspects of the information
13:13
on the exam , would you say , are more important , the most crucial
13:15
to continue learning and practicing to keep your skills
13:17
at the top of the heap .
13:21
Um , you know , the thing is , I think
13:23
that gets into more just core preparation
13:25
stuff , which is
13:27
, you know , content , like content
13:30
, and , uh , in content
13:33
, understanding how to take the exam
13:35
, uh , in the techniques around
13:37
that . I'd love to have another discussion
13:39
with you about kind of recommended you know
13:42
ideas around that , but
13:44
, um , the content , like I said , we don't expect any
13:46
dramatic changes . You should just keep working
13:48
with the content that's currently available . Uh
13:50
, I have , you know , I have opinions about
13:53
sticking with ISC2 material
13:55
. Uh , you know I'm not
13:57
and additional stuff . There's other things that I recommend
13:59
skills , the skills website and Infosec
14:02
is excellent . Um , but I , but
14:04
I , I lean heavily into
14:06
the official study guide . Uh
14:09
, uh , practice exam
14:11
I'm sorry , probably not practice exams
14:13
the study , the study questions and the practice
14:15
exams and the official practice
14:17
test , third edition , uh , to
14:20
kind of help the thing and one and again
14:22
, the benefit is it helps you identify
14:24
the areas that you're you're weak . You know
14:26
that you can , you can continue to study on
14:28
. So , um , yeah , so
14:30
I I think that , um
14:32
, you know your actual preparation
14:34
doesn't change a lot . Uh , and
14:36
you need to . You know , uh , keep
14:38
plugging away . Again , my , my recommendation
14:41
for people that really want to
14:43
shortcut , your best option is a bootcamp
14:45
. Uh , there's , there's no question
14:47
that the bootcamp is . The bootcamps are
14:49
effective . Yeah , uh , actually , I
14:51
think extraordinary a good bootcamp , or
14:54
they're extraordinary , uh , extraordinarily
14:56
effective at helping people prepare for this exam
14:59
.
14:59
So well , I hope our listeners will keep , uh
15:01
, keep listening to the CyberWork Hacks series , because in a few
15:03
weeks here Steve will be uh talking to us about
15:05
, uh , what a bootcamp is like for CISSP
15:08
. So , uh , it'll be great . I'm
15:10
looking forward to it . So as as someone who's
15:12
taught so so many students over the years , Steve , what's your
15:14
top piece of advice for studying for and taking the
15:17
CISSP exam ?
15:19
I mean , top piece of advice is
15:21
um , do
15:24
lots of questions . I mean , I
15:26
hate to break it down , but so you need
15:28
to understand how to take the exam . That's maybe
15:30
for another you know , uh , cyber hacks
15:32
thing , but you need to understand
15:35
how to take the exam . What do you know
15:37
what ? What are the techniques you use all that sort
15:39
of stuff ? Uh , you also want to
15:41
familiarize yourself with the content , as we said
15:43
. But , honestly , the key
15:45
thing is lots of
15:47
questions . It's sort of like
15:50
you know , if you decided , hey , I'd like to run
15:52
a half marathon , you know you're
15:54
going to not just , okay , they are the marathon
15:57
, and you haven't you know , haven't put on your running shoes
15:59
.
15:59
Just read a book about how to run a marathon . Yeah
16:01
Right , exactly , exactly . So , yeah , exactly
16:03
.
16:06
You got to put the miles in and that in your best way . Most important
16:08
kind of uh technique to do that is
16:10
to do lots of questions .
16:12
So well , perfect . Steve Spearman , thanks for getting us
16:14
caught up on the new aspects of the CISSP . Appreciate
16:16
it . It has been a pleasure , Chris , thank you
16:18
, and thank you all for watching this episode
16:21
. If you enjoyed this video and felt it helped you , I hope
16:23
you'll please share it with colleagues , forums or
16:25
on your own social media accounts and definitely
16:27
subscribe to our podcast feed and YouTube page
16:29
. You can type in CyberWork Infosec
16:31
into any of them and you'll be well on your way . There's plenty
16:33
more to come , including more CISSP with
16:36
Steve Spearman , so if you have any topics you'd like
16:38
us to cover , absolutely drop them in the comments . We
16:40
read them and we take them to heart . Until then
16:42
, we'll see you next time and happy learning .