CISSP is changing! Common body of knowledge changes for 2024 | Cyber Work Hacks

Released Thursday, 21st March 2024

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

1:10

Hey, hey. Cyber Work Hacks is back to keep you up

1:12

to date with the CISSP exam. Today,

1:14

Infosec Bootcamp instructor Steve Spearman

1:16

joins me to talk about the new changes to

1:19

the CISSP's common body of knowledge

1:21

, how these changes to the CBK should

1:23

or shouldn't affect your study and preparation for

1:25

the exam . Keep learning and keep it here

1:27

for another Cyber Work Hack. Welcome

1:34

to a new episode of Cyber Work Hacks.

1:36

The purpose of this spinoff of our Cyber Work

1:38

podcast is to take a single fundamental question

1:41

and give you quick , clear and actionable

1:43

solutions , or give you a new insight into

1:45

how to utilize Infosec products and training to achieve

1:48

your work and career goals. So, for example,

1:50

today Steve Spearman is an Infosec

1:52

instructor and, among his many areas of

1:54

Infosec expertise, he

1:56

is our Bootcamp instructor for one of the most

1:58

desired, demanded and elite certifications,

2:01

ISC2's Certified Information

2:03

Systems Security Professional, or the CISSP

2:05

certification. So for today's Cyber Work

2:08

Hack, Steve and I are going to break down some of the forthcoming

2:10

changes to the CISSP's common

2:12

body of knowledge, or CBK, in 2024.

2:14

Thanks for joining me today, Steve. It's

2:17

my pleasure, Chris. All right?

2:19

So, Steve, as we know, the

2:21

CISSP has made some pretty noteworthy

2:23

changes in what it calls its common body of

2:26

knowledge this year , so or it will be soon . This

2:28

involves shifting priorities of certain

2:30

topics or assigning different weights or importance

2:32

as different security concepts in order to keep up

2:34

with current cybersecurity practice . So can you talk

2:36

about what the CBK changes will look like

2:38

and when they're exactly going to take

2:40

effect ?

2:41

Yeah , yeah , we'd love to . And if it's okay , why

2:43

don't I step back just a bit and

2:45

talk a little bit about what is the CBK

2:47

? I mean ? Yeah , so this

2:50

stands for common body of knowledge

2:52

and it really is the official

2:55

truth about the CISSP . If

2:59

there's a question on the exam , it should

3:02

originate from the CBK

3:04

. In fact , one of the questions

3:06

I get asked quite a lot is like should I get

3:08

the CBK ? Because you

3:10

can buy it ? It's expensive , but you can

3:12

buy the common body of knowledge . My

3:15

general recommendation to students is eh

3:17

, you don't need to . The official study

3:19

guide is much

3:21

more readable . It contains

3:23

probably 90% of

3:26

the CBK . There's been some interesting

3:28

. There's been

3:30

in the last year . There's been some interesting talk

3:33

about the fact that somebody

3:35

did a little bit of an analysis and they

3:37

were able to find questions

3:40

in different resources

3:42

available from the ISC2, looking

3:44

at exam questions , and they couldn't really find

3:46

topics in either the

3:48

official study guide or in the CBK . But

3:52

that doesn't really help as much . I just think it's an interesting

3:55

fact . The

3:57

CBK is where questions come from , so

4:02

the ISC2 makes

4:04

changes really almost pretty

4:06

strictly about every three years. Triennially,

4:09

triennially,

4:11

triennially. Triennially,

4:14

triennially. Anyway,

4:17

I'm not going to talk too much about it.

4:19

Close enough, your

4:21

viewers will understand. The

4:25

last one was so it was . The last one

4:27

was 2021 . Before

4:30

that was 2018 . With

4:33

that transition , they added a point

4:35

to the software

4:37

. They took a point away

4:40

from the telecom

4:42

. So

4:44

the main change that they've made

4:46

is they've actually that

4:48

will take place and it's going to happen April

4:51

15th this year , 2024

4:53

, is

4:56

they are adding a point

4:58

to the domain one

5:01

, which is the management , the governance

5:03

management . It is , in many ways , sort

5:06

of the anchor for the whole exam . This is a

5:08

management exam and

5:10

it's going from 15% to

5:12

16% and they're actually taking

5:14

a point away from software , but we're taking

5:17

a percentage away from

5:19

software . I think it's worth understanding

5:22

. You'll hear the term weighting. Yes,

5:25

exam weights. Weighting

5:27

is not actually a really good way

5:29

to describe what's happening. Weighting

5:35

would imply that the questions

5:37

in domain one are more important

5:40

than the ones in the

5:42

. That's really . It just means the

5:44

amount of topics that

5:47

are in the thing . So they're adding some

5:50

content to domain one in there . I

5:53

don't know if removing it from the software

5:55

domain or just adjusting . Yeah

5:59

, exactly . So the only thing that really

6:01

happens in the exam that's more like a

6:03

true weighting is the . We

6:05

don't know the algorithm , we don't know the scoring

6:07

algorithm , the exam itself , but

6:09

we but there is . The

6:13

exam does measure difficult

6:15

questions in

6:17

a manner that's different than

6:19

then . Quote easy

6:21

questions , and every question on the exam

6:23

is literally ranked as easy , medium

6:27

or hard , and

6:29

ultimately , your ability to pass the exam

6:32

is is tied to your ability to

6:34

get hard questions correct

6:36

. Yeah , yeah , so

6:41

, anyway . So the big changes are they ? They change

6:43

, they're changing the weighting for those two domains

6:45

and then , interestingly

6:49

, they're going back to change

6:51

both the number of questions and

6:54

the length of the exam . So , in

6:56

order to kind of get to what's going on with this

6:58

, I want to go back to a little bit of history . And

7:02

in June June 1st

7:04

2022 , the

7:07

CISSP decided

7:09

to increase the number of questions

7:12

on the exam

7:15

and increase the time . So

7:18

on that date , they

7:20

increased the number the minimum number

7:22

of exam questions on the on

7:24

the on the computer adaptive test from from

7:26

a hundred to 125

7:29

. And the maximum number of questions

7:31

went from 150 to 175

7:34

. And

7:36

and then they increased the exam time

7:38

by one hour , so it went from three hours

7:40

to four hours . Okay , interestingly

7:43

, when they did

7:45

that , they didn't change the number

7:47

of scored questions at all , not

7:51

like that . In other words , they just

7:53

did it to have more

7:56

sample questions , and sample questions

7:58

are questions that are being

8:00

statistically validated for

8:02

use in a future exam Interesting

8:05

. So in other words , they don't benefit test

8:07

takers at all . I've been kind of complaining

8:09

about this for a couple of years .

8:12

You're basically doing unpaid labor there

8:14

for them .

8:14

It's kind of unpaid labor , exactly . It's

8:17

like you know they're adding an hour

8:19

to every you know , to every test taker's

8:21

time or whatever it's like , and they're getting all

8:23

the benefit . I suspect

8:26

that they probably now have a very

8:28

, very , very healthy database

8:30

of usable questions that have been

8:32

statistically validated , because on

8:35

April 15th they're going back , it's

8:37

going to be a three hour exam . Minimum

8:41

number of questions is 100 . Maximum

8:43

number of questions is 150

8:46

. So

8:48

that's the other significant change .

8:52

So I know that ISC2

8:54

makes these changes every three years , but can you

8:56

talk about why you think they made

8:58

these specific changes , and I won't say

9:00

weights , but these changes and allocations

9:02

to their certification like ? What aspects of

9:04

the industry were they trying

9:07

to address by making these changes , do you think ?

9:10

We can't really know exactly , but they

9:12

do. The ISC2 does

9:14

have a board that does

9:16

a review of the questions and

9:19

the certification and the common body of knowledge

9:21

. That board determined

9:24

that

9:26

they needed to adjust the weighting

9:28

, those domain weighting, and add some

9:30

content . I

9:33

don't have a other than what

9:36

the ISC2 has said and other pundits

9:40

have said . I don't really know exactly why

9:43

that decision was made , except to feel like

9:45

the CBK and the changes of

9:47

the CBK all come down

9:49

to trying to make the CISSP

9:51

relevant , like maintaining

9:54

its relevance in the marketplace . Their

9:57

own internal analysis must have shown

9:59

that there was a need for

10:01

that change .

10:02

Yeah , I ask only because of past

10:04

guest Layton Johnson . We did this with the CISM

10:06

certification and he was saying that there's

10:09

a massive change over there from going

10:11

back to the security side , from the management side

10:13

. I know that they're always thinking in terms of

10:15

addressing specific needs in

10:17

the industry . Also , I realize that there is

10:19

a black-box nature to what they do, especially

10:22

with regards to test scoring and so forth . Yeah

10:24

, I appreciate the insights there . If

10:27

you're currently studying for the CISSP

10:29

but not scheduled to take the exam just yet and

10:32

I know the changes are coming in April 15th

10:34

at what point do you need to change your

10:36

study or learning strategy , if at

10:38

all ?

10:41

I would say first of all , today

10:43

you really can't change it . There's no new

10:45

material available. The ISC2

10:48

is going to drop their own internal

10:50

training content on

10:52

April 15th and not before . Historically

10:58

, if you have the experience requirements , this is

11:00

an exam that you

11:02

have to lean into your experience a lot . You

11:05

need five years in order to become a

11:07

CISSP . You need to have five years experience

11:09

Worth pointing out . Yeah . Yeah

11:12

, you've

11:16

, then , been doing the kind of methodical study

11:18

that's necessary to pass this exam . I

11:21

strongly suspect that

11:23

you'll do fine. I

11:26

don't think you're going to see earth-shattering

11:28

changes . That

11:31

would be pretty disruptive . I'm sure even

11:33

though I'm not dismissing the significance

11:36

of those changes , I'm sure that they were

11:38

properly evaluated Historically

11:41

. When those changes have happened

11:43

, it didn't really impact

11:46

the way that you prepared . I

11:49

guess I can't be too definitive until

11:51

we see what happens April 15th , but I suspect

11:53

it'll be the same thing . You'll

11:56

methodically prepare the same

11:58

ways you have in the past . Yeah

12:01

.

12:03

I think it's probably something that , if you're already

12:05

well on your way , you just steady as

12:08

she goes . But if you're considering starting

12:11

to study for the CISSP at this point , you might almost

12:13

want to wait until we get closer to April 15th

12:15

and you have a better sense of what's going on .

12:17

Yeah , it's the opposite . If you've been studying

12:20

, you feel like you're ready . It's like , make sure you

12:22

schedule it before April 15th .

12:23

For sure yeah .

12:24

You know what I'm saying . If

12:26

you feel like you're ready and you

12:29

want to be able to work within a known

12:31

quantity and know

12:33

, then yeah , go ahead and take it . That would be my

12:35

advice , I guess . Yeah .

12:38

It's no less of a CISSP that you get if

12:40

you get this one , versus the brand

12:42

spanking new one . Yeah

12:44

, exactly. Obviously, Infosec

12:46

is all about helping our students pass their

12:48

certification exams with flying colors , but we

12:51

also want to be with you for the long term

12:53

and help you retain that info and use it to level up your

12:55

skills and your career . Steve , I want to just

12:57

ask more of a broad brush question . For

13:00

people who are taking the CISSP , I know that an

13:02

awful lot of the buildup

13:05

to it is that you're just pushing a metric

13:08

ton of stuff into your head so that you can pass

13:10

the exam in the moment . What aspects of the information

13:13

on the exam , would you say , are more important , the most crucial

13:15

to continue learning and practicing to keep your skills

13:17

at the top of the heap .

13:21

Um , you know , the thing is , I think

13:23

that gets into more just core preparation

13:25

stuff , which is

13:27

, you know , content , like content

13:30

, and , uh , in content

13:33

, understanding how to take the exam

13:35

, uh , in the techniques around

13:37

that . I'd love to have another discussion

13:39

with you about kind of recommended you know

13:42

ideas around that , but

13:44

, um , the content , like I said , we don't expect any

13:46

dramatic changes . You should just keep working

13:48

with the content that's currently available . Uh

13:50

, I have , you know , I have opinions about

13:53

sticking with ISC2 material

13:55

. Uh , you know I'm not

13:57

and additional stuff . There's other things that I recommend

13:59

skills, the skills website and Infosec

14:02

is excellent. Um, but I, but

14:04

I , I lean heavily into

14:06

the official study guide . Uh

14:09

, uh , practice exam

14:11

I'm sorry , probably not practice exams

14:13

the study , the study questions and the practice

14:15

exams and the official practice

14:17

test , third edition , uh , to

14:20

kind of help the thing and one and again

14:22

, the benefit is it helps you identify

14:24

the areas that you're you're weak . You know

14:26

that you can , you can continue to study on

14:28

. So , um , yeah , so

14:30

I I think that , um

14:32

, you know your actual preparation

14:34

doesn't change a lot . Uh , and

14:36

you need to . You know , uh , keep

14:38

plugging away . Again , my , my recommendation

14:41

for people that really want to

14:43

shortcut, your best option is a bootcamp

14:45

. Uh , there's , there's no question

14:47

that the bootcamp is . The bootcamps are

14:49

effective . Yeah , uh , actually , I

14:51

think extraordinary a good bootcamp , or

14:54

they're extraordinary , uh , extraordinarily

14:56

effective at helping people prepare for this exam

14:59

.

14:59

So well , I hope our listeners will keep , uh

15:01

, keep listening to the Cyber Work Hacks series, because in a few

15:03

weeks here Steve will be uh talking to us about

15:05

, uh , what a bootcamp is like for CISSP

15:08

. So , uh , it'll be great . I'm

15:10

looking forward to it . So as as someone who's

15:12

taught so, so many students over the years, Steve, what's your

15:14

top piece of advice for studying for and taking the

15:17

CISSP exam ?

15:19

I mean , top piece of advice is

15:21

um , do

15:24

lots of questions . I mean , I

15:26

hate to break it down, but so you need

15:28

to understand how to take the exam . That's maybe

15:30

for another you know , uh , cyber hacks

15:32

thing , but you need to understand

15:35

how to take the exam . What do you know

15:37

what ? What are the techniques you use all that sort

15:39

of stuff ? Uh , you also want to

15:41

familiarize yourself with the content , as we said

15:43

. But , honestly , the key

15:45

thing is lots of

15:47

questions . It's sort of like

15:50

you know , if you decided , hey , I'd like to run

15:52

a half marathon , you know you're

15:54

going to not just , okay , they are the marathon

15:57

, and you haven't you know , haven't put on your running shoes

15:59

.

15:59

Just read a book about how to run a marathon . Yeah

16:01

Right , exactly , exactly . So , yeah , exactly

16:03

.

16:06

You got to put the miles in and that in your best way . Most important

16:08

kind of uh technique to do that is

16:10

to do lots of questions .

16:12

So well , perfect . Steve Spearman , thanks for getting us

16:14

caught up on the new aspects of the CISSP . Appreciate

16:16

it. It has been a pleasure, Chris, thank you

16:18

, and thank you all for watching this episode

16:21

. If you enjoyed this video and felt it helped you , I hope

16:23

you'll please share it with colleagues , forums or

16:25

on your own social media accounts and definitely

16:27

subscribe to our podcast feed and YouTube page

16:29

. You can type in Cyber Work Infosec

16:31

into any of them and you'll be well on your way. There's plenty

16:33

more to come , including more CISSP with

16:36

Steve Spearman , so if you have any topics you'd like

16:38

us to cover , absolutely drop them in the comments . We

16:40

read them and we take them to heart . Until then

16:42

, we'll see you next time and happy learning .
