Why is the CISSP so challenging? Its comprehensiveness, which we all agree on, is just the exposed tip of the CISSP iceberg; the general management concepts, the hidden part under the sea, are the substantial stumbling block.
The CISSP is an experience-based exam. It requires at least five years of cumulative, paid security-related work experience (in two or more of the CISSP domains) for aspirants to earn the certification. Why is five years of experience one of the prerequisites? Because in that time a candidate develops the general management concepts and fundamental project management capabilities required in almost every business setting, and those should be in place before or during the CISSP journey.
IMHO, the following are some of the key concepts and skills:
Focus on effectiveness, and understand the difference between effectiveness (doing the right things) and efficiency (doing things right).
Understand leadership versus management: lead and/or follow people passionately and strategically; manage things and projects effectively and efficiently.
Apply management by objectives and the Plan-Do-Check-Act cycle.
Be curious and learn how the business works.
Think strategically and integrate projects, programs, and portfolios.
Security is a business issue and extends far beyond the scope of IT. CISSP aspirants have to be acquainted with both technical and business areas, e.g. operations, governance, and risk management.
The CISSP is one of the most challenging exams because of its comprehensive perspective and its requirement for solid conceptual understanding and in-depth insight into both managerial and technical issues.
The following is my two cents for CISSP aspirants starting their CISSP journey:
The Onion diagram is updated to emphasize that Information Security is a business issue. Security people should protect assets while always keeping the business in mind, that is, enabling the business and delivering value. Tunnel vision and functional boundaries should be broken down and removed.
Information Security is the discipline of protecting information and information systems from threats through security controls in order to:
achieve the objectives of confidentiality, integrity, and availability (CIA for short),
support the organizational mission and processes, and
create and deliver value.
The definition of Information Security is therefore revised: Information Security is a business issue; it should be aligned with the business mission, goals, and strategies, enable and streamline business processes, and ultimately create and deliver value.