Good AV/IT tech managers know that addressing security concerns makes for a stronger relationship between their organization and the security team—and for smoother deployments. But it doesn’t stop there: when you’re well-versed in IT security concepts, you’re well-positioned to gain access to higher-level business discussions. One route to developing security expertise is through certification, and AV Technology recently explored what’s involved in earning what’s widely considered the gold standard of security certs: the Certified Information Systems Security Professional, or CISSP.
Azeem Khan is senior consultant of application development (AV) at CIBC, a financial institution headquartered in Toronto. With a background in both security and AV, he is currently pursuing a CISSP—a logical step forward, he said. He believes that security knowledge is necessary in today’s networked environment, and holding a CISSP proves that one is capable of implementing and managing enterprise-level information security. “Nowadays at the enterprise level when we are putting all of these AV devices [on the network], it is our responsibility as AV specialists to be able to point out the security risks that we see when devices are communicating with each other,” he said. “As an AV specialist, you know how people interact with those devices, so you have more perspective on the security risk that comes from those devices versus people who are not from the AV domain.”
(ISC)2, headquartered in Clearwater, FL, is the professional organization that offers the CISSP. The CISSP comprises eight domains: security and risk management; asset security; security architecture and engineering; communication and network security; identity and access management (IAM); security assessment and testing; security operations; and software development security. (ISC)2 requires that candidates have five years of paid work experience in two of the eight domains (there are exceptions; visit the (ISC)2 website and download the CISSP Certification Exam Outline for more details).
“In IT and AV—and I consider AV part of IT—cybersecurity crosses many fields,” said Toni Hahn, content development manager at (ISC)2. “I feel everyone should know something about cybersecurity.” The CISSP, she explained, covers cybersecurity concepts, and the exam requires candidates to apply them. “AV could fit into almost every domain on the CISSP.”
The CISSP is not, however, for everyone. Damon Drake, content developer at (ISC)2, noted that sometimes organizations require job candidates to hold CISSPs for positions that don’t really require them. “We’ve seen [situations] where a company will have an entry-level position with entry-level pay requiring a CISSP certification,” he said. “It’s really a managerial-level cert. You’ve got to be able to look at risk management: how does that affect your physical security? How do you do access control—both physical and cyber?” There’s a lot to it, and as Drake puts it: “it’s not a beginner cert.”
Drake and Hahn should know. Both are ex-military (he was in the Air Force, she’s former Navy). While in the military, both worked in AV and IT. Once out, both worked in security engineering and management in mission-critical environments. Both failed the CISSP twice.
Drake recounts that when he first decided to prepare for the CISSP, he took an online course featuring many videos. When he didn’t pass his first exam, he did a boot camp. That didn’t bring the desired results either.
“A lot of it comes down to—and this is probably going to sound counter-intuitive—the more diverse your career is, the more you can get jaded by what companies do, as opposed to what the right thing to do is,” Drake said.
Because the questions on the CISSP exam are largely scenario-based, the “right thing to do” is the primary focus, Drake explained. But if you’ve been working in a company that has refused to invest in the application of security best practices, you may have developed a belief system that negates their necessity. This won’t be much help with the CISSP. “A lot of our questions are worded like, ‘What is the best? What is the most appropriate? What is the greatest?’ And although those are subjective terms, that is putting you in the best practice mindset. All of our questions are written that way to really focus on the best practice for whatever concept is being presented at the time. It’s really stepping back and almost being mentored by a manager and understanding the business functions, and then applying the cyber concepts to those.”
Like Drake, Hahn took a boot camp and failed her first exam. “Then I said, ‘well, I’m just going to study all these books and these practice questions,’” she recalled. “I thought I was really ready. They put the test in front of me and I actually asked the proctor—because this was back in the paper/pencil days—‘Are you sure you gave me the CISSP?’ He looks at the exam and he says, ‘Yup.’” After yet more studying—and another boot camp—the third time turned out to be the charm.
Both Drake and Hahn agree that candidates should plan for a year’s worth of exam preparation. “One single boot camp, one class, one book, or one video series is probably not enough,” Hahn said. She advises people to cross-study and take the practice exams. Although they may not contain what is on the actual exam—sometimes practice exams focus on definitions, like “What is a disaster recovery plan?” rather than the scenario-based questions the CISSP exam tends to favor—she said that it helps people gain a deeper understanding of the concepts. “It all starts clicking. And so by the time you do sit for the exam, you know the concept—you’re not just memorizing [the definition of a disaster recovery plan]. You know the actual concept, and when you’re asked the [scenario-based] question, you can say, ‘You know what? This is what I would do.’”
Anishia Gopi, senior consultant of infrastructure engineering at CIBC, is also in the process of preparing for the CISSP exam. In addition to the official study guide and other materials, she has also participated in study groups. “Some people prefer to just sit with their book and go through it,” she said. While she said the book and online materials are definitely necessary, exchanging with other candidates helps to solidify the concepts. “If you have a group of people, you can share knowledge and tackle the scenario-based questions in a better way.” She also counsels candidates to examine the tasks they perform daily at work, and how they may relate to the exam preparation material.
For Gopi, the CISSP provides the opportunity for meaningful professional development. “This is not just about adding a certification tag on your resume—it’s not just that,” she said. “You are taking a step toward being involved in making business decisions. It’s not easy—some of the modules are so difficult that you can easily give up. But I would say that if you are serious about that bigger goal, then it’s easier to pursue.”
Additional CISSP Tips
Hahn recalled that when she was working in AV, she was hands-on, ready to connect cables, configure systems, and perform the plethora of physical tasks associated with deploying a system. There is an element to the CISSP, she said, that more traditional AV professionals may be unfamiliar with.
“They have to touch on the paperwork side,” Hahn said. “How do you do a business continuity plan? What is a disaster recovery plan? Is there anything I need to know about configuration management? What is a risk assessment? It’s more the paperwork—the policies, the procedures—that an audiovisual professional may have to study a little more. And probably the cryptography—it’s not its own domain anymore, but it is on the exam.”
Carolyn Heinze is a freelance writer/editor.