PASSING CISSP AND CISM EXAMS WITH ED SKIPKA

Kip Boyle:
Hey everybody. Welcome to Your Cyber Path. I’m Kipp Boyle, and today I’m not here with Jason Dion actually because he has an important family event and that takes priority. So I said, “Yeah, you should go do that because family’s important. Don’t worry, I’ll handle it.” Now, if you’re listening to this podcast and your first reaction is, oh my God, it’s Kipp all by himself. No, you do not have to put up with that. Actually, you’re not alone with me, our good friend Ed Skipka is here. He’s our guest again, and I just found out that he nailed his CISSP and his CISM exams. And when I found out, I said, Ed, you absolutely have to come back, be a guest again and tell us how you did that.

And as I was talking to him, and I’ll give him a chance to talk in a minute, I said, “How else are you doing?” I said, “This is a great professional accomplishment.” And he goes, “Well, the reason why I got the CISSP is because I got this great new job and a condition of getting the new job is I had to get this certification within six months.” So if you’ve listened to this podcast, Ed’s been on here twice before, episode 58. He came on and told us how he got hired into cybersecurity with no experience. Then he came back on episode 81 and he told us how he negotiated a pay raise, not just one pay raise, by the way. You’ll have to go listen to that episode because it’s absolutely fantastic. And I encourage you to follow Ed’s example, which is why I wanted him to come back again. So Ed Skipka, welcome back to Your Cyber Path.

Ed Skipka:
Always good to be here, Kipp. An honor, a privilege to talk about myself and hopefully in that process of talking about myself, we can help some folks and they can do these things too.

Kip Boyle:
Yeah, that’s what this is all about. We’re trying to serve people, trying to clear a path for them, help them figure out, Hey, I want to be in cybersecurity. What does that look like? How do I that? And so I really appreciate you being here, and the more you butter me up, the better. I just get more and more happy as the host. So it’s good stuff. Okay, so what I want to do today in this episode is I want to talk about how did you go about studying for, assuming you studied, and taking those exams and passing those exams? Because listen, those are no small feats. Those are really, really substantial goals. It takes a lot of effort to achieve those goals. Everybody struggles. And so when somebody nails it, I just always want to ask the question, how did you do it?

Now, before you tell us, and I want to spend most of the time listening to you, I do want to tell listeners that if you didn’t know it, I have another podcast. It’s called the Cyber Risk Management Podcast. And I do that one with my co-host Jake Bernstein. And in episode 75 of that podcast, Jake himself had just gotten his CISSP. And so I said, “Jake, tell us how you did it.” Same thing that we’re doing now with Ed. And Jake said, “Well, I had a three point plan, Kipp.” He said, “First thing I needed to do is find out what’s the best way for me to prep? Should I read a book? Should I watch videos? How should I do this?” The second step was once he knew how he wanted to do it, he had to go find the right materials. And then the third step was he actually had to schedule and take the exam.

And that third step’s important because there’s a lot of people that study for certifications and just don’t ever get around to scheduling and taking the exam, or they schedule it and then they reschedule it and they reschedule it. And I don’t know why they do that, but I just wanted to put it out there. That that’s what Jake said. I thought that made a lot of sense. What did you do, Ed? Tell us what did you do? What was your plan?

Ed Skipka:
I followed that same mindset. Again, I had six months to go out and do this, or there’s always the hope that they would extend it, but deadlines are always good. Constraints are the creation of creativity, as I say. The more constraints I have personally, I can work with that. So the same process, I found what I needed to do. There are so many resources out there from Reddit to Udemy to LinkedIn Learning to your Cyber Path and all these different podcasts and YouTube videos, and it can almost be overwhelming. And in finding that first leg of the stool, you want to find reputable services or sources. And you don’t necessarily need to go out and have a 5,000 $10,000 bootcamp unless your company’s paying for it. There’s so many free or near free or maybe a hundred, $200 resources that are out there. So I did the same thing in finding all those different resources. I scoured YouTube and LinkedIn Learning and Udemy and landed on the Mike Chapel and the Thor Petersons and went from there.

Kip Boyle:
That’s fantastic. So I think you said something during show prep where you said, “I didn’t read a single book.” Is that right?

Ed Skipka:
Right. I didn’t read a single book cover to cover. I used to be better at reading and then through my first bachelor’s into WGU for my second, I’m terrible at reading. I can read, but it just doesn’t catch my attention. And studying for certs, which it should be mentioned that I do have a lot of other certs that have gone up to this and I’ve used Jason’s material on Udemy. I just found that that’s how I absorb information so much better.

Kip Boyle:
That’s fantastic.

Ed Skipka:
Just listening to video, diagrams, seeing it and then maybe going out and doing it. It’s I’ve literally fell asleep a couple of times reading through the books. So I think there was one, I did use the official study guide and then Destination Certification. They just had a book come out and it had very pretty pictures and colors and it was very concise. So I did read most of those two. But I’ve seen guides where you need to read this book cover to cover four times before you can even attempt to test, which is one thing I want to dispel throughout this whole talk is you need to take the test when you are ready. And the only person that knows that is maybe a mentor that’s helping you, but you. Someone will say, well, you have to study for 18 months. You have to study for six months. Some other people you don’t need to study at all. Just go in. You’ve been working for 20 years.

And I’ll say, there are people that are been in the RMF or InfoSec community that have been working for 20, 30 years that will fit, because you have your little rut and your little niche that you get into and you have to find that for yourself.

Kip Boyle:
Yeah, that’s right. CISSP covers a lot of domains. It’s 10 domains, isn’t it?

Ed Skipka:
It’s eight, which is, that’s a lot.

Kip Boyle:
That’s a lot. And is physical security still one of them?

Ed Skipka:
It’s rolled up within one of them. I think it’s either domain three or four.

Kip Boyle:
Okay.

Ed Skipka:
It’s a meme how much of, it’s only 15% of the… Well, 15% of the questions, but a quarter of the curriculum.

Kip Boyle:
And the reason why I’m asking you, there’s a couple reasons why I’m asking that. One reason is because I’m just reinforcing your point that if you are in a niche, and most of us are, and you had no exposure to physical security or some of these other topics that you’re going to get tested on, you’re going to get creamed probably. And so I think you’re right. Just because you have a lot of years in service, a lot of years in the career doesn’t automatically mean that you’re ready because you’ve got to make sure that you’re checking that you’ve got enough experience in all these different domains.

Now, the second reason why I asked you, how many domains are there, Ed? And is physical security still a domain? Because I took my CISSP exam so long ago that nothing’s really the same anymore. When I took mine, first of all, I did take one of those fancy schmancy boot camps because I took mine in 1997 and there was no YouTube, no Udemy, no LinkedIn Learning. The only thing I had to go on was they had published an official study guide, a book, and then they were putting on a bootcamp. It was, I think it was a two week bootcamp, but you could only go to one week and then you had to have two months in between, and then you could go to the second week. However that worked. But those were really the only choices that I had. And so that’s what I did. And you probably took your test on the computer, right?

Ed Skipka:
Yes. Yeah. It was in a Pearson VUE. All theres, it has to be an in-person proctored on the computer. I’m sure there’s some regions that you still can take the 250 year 400 question tests or whatever that goes for five, six hours. But I think most people are going to be in a Pearson VUE sitting at a computer.

Kip Boyle:
Yeah. And I hope that’s true for most people because I had to do it the old way. Just what you said. I had to bring a scantron, I had to bring a fist full of number two pencils. And if nobody listening knows what a scantron is, it’s like a bubble, it’s like when you vote, if you vote by mail and you color into the little bubble for the candidate that you want, that’s what a scantron is. I haven’t seen one of those in a million years. But anyway, I just want to be completely upfront with the fact that I took my CISSP exam so long ago that none of my advice is relevant at all. I can’t help anybody pass a CISSP these days, but that’s why I talked with Jake, and that’s why I’m talking with you. So anyway, there you go. There’s my limitations. So could we talk about how you organized yourself?

So you knew you had six months and you knew you had this external forcing function on you. Not everybody has that. A lot of times you have to play that role for yourself. So I think that’s a very interesting dynamic. And I know that your previous certifications, you didn’t always have an outside forcing function. You had to do that for yourself. But let’s talk about this one. So when did you first find out you had six months, and then how did you organize your time?

Ed Skipka:
So going into this new job from my last job, which I really liked, but they made me an offer that I didn’t necessarily couldn’t refuse, but it was very tough to refuse. And again, the requirement was to get CISSP within six months. So talking with my former contract supervisor, program manager, she was out to get me. She said, “I’m going to steal you back Ed one of these days.” And the job I’m in right now was the job that was the carrot on the end of the stick for me when I first started with this company four years ago when I was in field service doing all that stuff. It’s like, you’re going to work in cyber with this mission that’s really critical, and it’s cool and it covers a lot of area like, oh, I would really like that. So it was a culmination point. It was a point of pride to get this job, but again, I had to get CISSP.

So knowing that I was kind to myself, because it was a big change to go to a different job. It was around Thanksgiving, it was around the holidays. I wanted-

Kip Boyle:
Okay. So just in 2022?

Ed Skipka:
Yeah, it was in November that I started this last job. Yeah.

Kip Boyle:
Yeah, because we’re recording this at the end of April 2023. So obviously you hit your six-month mark, but I just wanted to make clear. So around Thanksgiving you’re like, oh man, I got to do this thing. What then? Then what happened?

Ed Skipka:
I was still a little kind with myself, and I said, you know what? We’re going to wait until we get back from, I went back home to Ohio, which I’m from.

Kip Boyle:
And you’re living in Hawaii right now, right?

Ed Skipka:
Yeah, I’m in Hawaii. I’m on O’ahu.

Kip Boyle:
Okay.

Ed Skipka:
It’s probably, I don’t have my thermometer right here. It’s 80 and 80. You don’t want your temperature and your humidity to be the same, especially when they’re that high. But it’s pretty warm, which I can’t complain about because no one want to listen to me saying that. But I said, I’m going to start on the new year because I know myself and I know I’ve gotten other certs, and I know that if I buckled down, realistically I could probably do it in three to four months. I’m not going to need you the full six, so I’m going to be kind to myself, which I think is also good if you’re making huge changes and just know yourself, set yourself up for success and ramp yourself up to that.

Maybe if you have a month, then you don’t really have time to do that. So the new year hits and I start searching. And actually before that, the only real studying I did was I pulled out my old port flashcards, took a look at those. Then I took Jason’s basically how to take tests class on Udemy. And he broke it down and just generically, this is how you take cert tests. This is the way that you’re going to go through the four multiple choices, breaking it down, you grouping or super grouping. And then I really started. So I started on Reddit and Udemy and LinkedIn Learning. And there is maybe three or four tracks that you could have.

Some people say that you need to do two or three video courses and then do a bunch of books, and then and only then will you be able to do the practice tests. And so I got through two video courses, which were probably, the first one was 32 hours. The other one was 24 hours. I listened to those on one and a half times, because that’s up to you. You’re comprehension what you have. And at the end of it, I’m like, I’m not going to read through two books before I start doing breakfast tests. Because if you have taken other certs or you’ve been in the job for a while, you really want to hone down, hone in on what you personally need to work on. Because your [inaudible] computer. Yeah, it’s not just a bunch of buckets that all need to be filled to the same level. They might be already filled to a certain level. You don’t want to spend eight hours in cryptography if you work on communication security, or you don’t want to work on networking if you’re a network engineer.

Kip Boyle:
Yes.

Ed Skipka:
So I would personally say for me and for others is do at least one video course if that works for you or one book, whatever, interchange to that, and then take one or two practice tests and then see where you are and then let that guide you for the rest of your journey.

Kip Boyle:
That’s fantastic. So let me just recap what you said, but just to focus on a couple of things I think are super important. So this whole idea of gap analysis I think is really important. Going into it, you had a really good sense of, okay, here are the eight domains, these are the domains that I am already familiar with. These are the domains I really don’t know anything about. And that helped you prioritize where you were going to spend your time. And then eventually you took practice exams, and that was another gap analysis where you looked at the results of the practice exams and that told you where you still needed to put some additional study time. And I think that’s really smart.

I like how you also did a course on how to take certification exams. I think that’s important. I remember that when I took certification exams, it wasn’t always about getting the right answer. It was sometimes a question of, well, what do the test writers think is the right answer? It was almost like trying to get into the head of the person who wrote the question and choosing the answer that they thought it was. And sometimes that’s just because, well, technology moves fast and some of these questions can go stale. I don’t know if you encountered anything like that, but I just want to commend you for doing the, how to take tests course. I think this is a really smart idea. Okay, so now, where did you get your practice tests? I’m curious about that.

Ed Skipka:
I did, again, Udemy and LinkedIn Learning and coming from WGU, Western Governor’s University, that was, as an alumni I have that resource, Udemy Business. But again, you can find these courses for 10, $15 on sale. It says list price, $5,000, whatever it is, and then it’s usually between 10 and $20. So maybe you don’t have the resources to buy all of them at once, but you can buy, I know there’s ones out there that will do all eight domains and you get four tests or two tests for 10, $15. And you want to do this intentionally because there’s a lot of guides that say you need two to 5,000 questions before you’re ready and people do 10,000 and 12,000 or whatever questions.

And they say, well, I got all the questions and I did all these tests, and I read the books. And it’s like, well, what did you learn from them? And it’s good to know what, but it’s even better to know what you don’t know and why you don’t know it. Like, oh, I decided to say that we’re going to do cryptography. And you find out they’re talking about integrity. Well, you should have gone the way of hashing. So again, like you’re saying, you need to be able to read the question. Every question is its own test and-

Kip Boyle:
Oh, I like that.

Ed Skipka:
… I was just talking to my buddy and he has been doing InfoSec for a really long time and he’s a staff level security engineer and he has a lots of experience and he was having some issues with some of the questions because he was like, well, that’s not how it is in the real world. Even in a well-staffed multinational company, you have to live in the land of rainbow hoses and unicorns and glitter. You have top-down support. You have the money, you have the staff. You could actually go up to the CSO or the CTO or the CEO with the concern and they’ll listen to you. So the big part of CISSP and CISM was getting that mindset, because it is not a recall the answer, and it’s not even necessarily recognize the answer. It is knowing the answer, why you would pick this thing and you can always have too much security. That’s a dirty thing to say, but the answer to-

Kip Boyle:
It’s true.

Ed Skipka:
… how much security is the right amount of security? And the answer is the right amount of security. And that’s different for everybody.

Kip Boyle:
That’s right. That’s right. That’s a very squishy thing to get. And it’s a balancing act, because you don’t want too much security. You don’t want too little. And the other thing that can get really annoying as a practitioner is you get that balance styled in and then something changes and it goes out of whack again, and then you got to go back and you got to fix it. And that’s just a constant thing in our work. I want to make a comment about the courses that you chose. So I know Mike Chapel and I could see why you chose his courses. I think he’s very good. Jason Dion knows Thor really, really well, and he thinks Thor is really good at what he does. So I don’t think, if you’re going to choose a video course, I don’t think you can go wrong with either of those guys. And if you can get both of them more power to you.

So I think that’s great. And there’s a CISSP exam book. Of course, there’s the official one, which I actually think is okay as far as official books, the Body of Knowledge book I think is good. And then there’s other third party test prep books that you can get. And I know some of the authors there. So now I want to break down your schedule a little bit more. So how did you figure out how you were going to allocate your study time over… You had four months, because you… Well, yeah, maybe a little bit more than four months, because you let the six weeks between Thanksgiving and New Year, you took that off. Then here’s January one and now you’ve got three, four months. How did you allocate your study time across that?

Ed Skipka:
Lots of understanding from my partner and my friends and anybody that talks to me and my work.

Kip Boyle:
Yeah, but did you have a number of hours per week? Were there certain days of the week that you said, I’m going to study on these days, not those days? Are you a morning studier or a night studier? I’m interested in those details.

Ed Skipka:
I already wake up at six in the morning, so it wasn’t feasible for me because I can’t get to bed too early. It’s just who I am as a former gamer and a musician and et cetera, et cetera. So I knew I wasn’t going to wake up an hour or two before work to get that hour or two in. So I knew I’d have to piece out my day, so I could probably get half hour to two hours maybe at work if I really got my work done. And I had the understanding of the people above me and they knew that I was doing the skull communication is key there. I was able to get a half an hour to two hours during work and then-

Kip Boyle:
Great.

Ed Skipka:
… I would come home and there was an understanding that there was a decompression time, maybe eat, maybe watch one or two episodes of something, but then it was game time. It was going to be at least one to three hours, but it was going to be at least one to one and a half hours. And that was the expectation was that’s your target. That’s a reasonable target. You got to hit at least that for me. And then on the weekends I had more time, and maybe that’s not you, maybe you have children or you have a side hustle or something and it’s like you have less time on the weekends, you never know. But I squeezed in, like I said, half an hour to two hours at work, one to three hours. And then on the weekends I would let myself sleep in and then I would probably aim for the two to five hours. I don’t think there was more than five, six hours on any given day, but there were some four to six hour days.

Kip Boyle:
That’s pretty good. That’s a pretty long binge of learning. Did you ever feel like your brain was melting at the end of that?

Ed Skipka:
Yes, but the way that I am personally is I’m all or nothing to a certain extent when it comes to these certs is it’s like I want to relax when I’m relaxing. I want to be there doing stuff with my family and my cats when I’m there with that. And when I’m studying, I’m studying and-

Kip Boyle:
Okay, so you can get really intense during-

Ed Skipka:
Yes.

Kip Boyle:
.. study sessions. That’s good. That’s actually-

Ed Skipka:
I think the people around me would agree with that assessment.

Kip Boyle:
Okay. Now is there anything else about the CISSP exam before I ask you about the CISM that you would want to share with folks who haven’t taken it yet and they’re thinking about taking it?

Ed Skipka:
I would say don’t put barriers in front of yourself because someone else said it was tough, or that they, man, this is… And it is a really tough test. You need to acknowledge that and respect it, but you don’t have to be afraid unless you know.

Kip Boyle:
Yeah.

Ed Skipka:
If you got half a year experience, you’re coming from another career field or something, maybe you’re going to have a lot of deltas that you’re going to work on. You’re going to have to take more time depending on what time you’re able to allocate. But don’t put barriers in front of yourself because someone else said it was tough, because people are like, oh, you’re going to have to sit, study for six, eight, 10 months. And I was like, I actually felt pretty good after two months. And some people are good after a week or two. I would also say between this and CISM is just stay consistent. Don’t beat down on yourself. Don’t feel guilty if you miss a day or two. If you can crack a half hour, if you can do a half hour five days a week, that’s better than doing six hours on a Saturday. To me, if you can do that, maybe one or two hours on a weekend-

Kip Boyle:
Yep.

Ed Skipka:
… that’s going to net you much more than if you just binge it on a Saturday or Sunday with a bunch of hours.

Kip Boyle:
I think that’s very good overarching advice. And I want to underscore something which is, and you’ve said this a couple of times now, you’re going to hear other people talk about the test. You’re going to hear other people talk about what you must do to pass that test. Don’t get hung up on, well, Joey said, I got to read the book four times before I can take the test. So I guess that’s what I got to do even though I hate reading. That’s what works for Joey. You need to figure out what works for you. So take a step back. Okay, that’s great.

Now let’s talk about CISM. Where did that come into the picture? Because you told me that you needed CISSP for the job. That was a requirement, how to get that within a certain amount of time. How did the CISM get on your radar so quickly?

Ed Skipka:
And it’s a good question to ask. It’s like you just, do you torturing yourself? Are you trying to be a completionist? You got to catch them all, thano snap of all the different certs? And the answer is no. But I’m lucky enough that my company will pay for all or most of the certification. These are really expensive certifications. It’s up to $750 right now for CISSP, 760 for CISM if you’re not a member, which we could talk about later, you can get a discount on that.

They’re expensive. So I could understand if someone gets the CISM or the CISSP and says, I’m done. That’s respectable. But for me, I have that little bit of safety net. They’re mostly going to cover it. And there’s so much crossover. They’re two different tests. They’re the same overarching mindset, but two different perspectives. I would say the CISSP is a generalist and the IT manager up to maybe a CSO level, and then the CISM is at that sizzle level. You’re making decisions about policy. Maybe you’re writing a policy about an implementation, but you’re really not having to be, you’re very far removed from firewall management and things like that.

Kip Boyle:
You’re not an implementer anymore.

Ed Skipka:
So it was a, it’s going to get paid for. I have all this knowledge. I’ve already taken eight, nine weeks to study and it’s just bouncing around in my head. And if I don’t do it now, I probably could do it later, but will I have the motivation? Will I still have all that stuff? Am I going to have to relearn stuff that, there’s stuff that you learn for certs that you’re not going to use in your day-to-day life because it’s on the test and there’s no shame in that. But if you don’t know it and you go take a test, well then you might find yourself flatfooted. So, I wanted to get it right after the CISSP.

Kip Boyle:
Okay. So you already knew you wanted it and you already looked at yourself and you said, wow, I’ve just spent all this time and energy studying for a test. There’s overlap here, so why don’t I just do a little island and just go to the next one and just knock it out. I get that. I totally get that conservation of resources. Now, what study materials. Did you do anything extra to study for the CISM?

Ed Skipka:
So the same providers cross pollinate.

Kip Boyle:
Okay.

Ed Skipka:
I would’ve used Jason’s materials, but he stays out of the CISSP, CISM world because CompTIA is, you get people started. So I use Thor and Mike again and other… I used a lot of the same materials, but I had to find the mindset difference because again, a lot of those were 90% of the same videos. Some of them were worded differently, but they were titled differently and they were approached differently in how you thought about the materials for CISM versus CISSP. Because again, you’re making decisions on a very high level. This is on the league of like CCISO, maybe even the CISSP, Tech, ISSMP, the management professional. It’s a different test with that crossover.

Kip Boyle:
Okay. So then you did do additional study. You went and got the video courses on CISM. You went through them. Did you do anything else? Did you do CISM practice tests?

Ed Skipka:
Yeah, so the same providers had practice tests for CISM. I also used Pocket Prep, which was good. I will say that of the 50 hours of material for the CISM on Udemy and LinkedIn Learning, I probably, I had it on 1.75 at this point because I was getting impatient and it was a lot of the same words, a lot of the same things. And I was jumping around and I was finding things that maybe I didn’t get on the first and second and third passes that I did it, I was filling in those holes, maybe I didn’t quite know this, I need to brush up on that. So it was more of a brush up. And then I found with the Pocket Prep, I hadn’t used Pocket Prep before.

And when you go to a new test provider, they have different wording, they have different methodology and they’re going to approach the questions. Some people are very by the book of, well, it’s in the book, we need you to know it. And others are like, we know they’re not going to ask you about this question, so we’re not even going to bring it up. And I was a little blindsided because I was like, I’m going to crush this. And I think I got a 62 or 65 on the first test, which was good, but I was like, I already passed it and I was confident that I passed the CISSP. Why am I not just knocking this out of the park? But again, Pocket Prep the same providers before. I’m trying to think how to quantify the difference of these two different things, but-

Kip Boyle:
Okay.

Ed Skipka:
Yeah, I would just say that it’s at a higher level on this system versus-

Kip Boyle:
Yeah. And it’s just more about governance as opposed to-

Ed Skipka:
Correct.

Kip Boyle:
… implementation. Maybe that’s a one way that we could differentiate them. So how many additional hours of studying did you do for CISM on top of what you’d already done for CISSP? Did I hear you say 50 hours?

Ed Skipka:
Yeah. So that was the 50 hours of video, but again, at 175 speed and clicking through it. I did it over six weeks, but I really pared down my study time. I wasn’t studying, let’s say 14 to 20 something hours a week. I was probably doing an hour a day, maybe two to three hours on the weekends per day because I was a little burned out from my-

Kip Boyle:
Sure.

Ed Skipka:
… my push.

Kip Boyle:
Yeah. Easy to see that.

Ed Skipka:
Yeah. And I didn’t need it. So that was the other thing. I had to fight myself. I did drag my feet a little bit. I think I probably could have done it at week four. I ended up doing it at week six. So I had to regain that motivation. Yeah, you want to do it, so just get it out of the way, fricking do it.

Kip Boyle:
Yeah. There wasn’t an external forcing function on you for the CISM and you’re getting fatigued from all the studying. I can absolutely understand that. Did you test for the CISM at a Pearson VUE Center the same way as you did for the CISSP?

Ed Skipka:
So they have a different test provider that had a similar test center, but it wasn’t the same. So right now you can actually take the CISM at home web proctored and they’d do the whole thing. I had to take a 15 second video of my hands and my wrists and my area and under the desk, and we had to go through the whole thing again when I logged on. But I actually took it at my house and my cats were very happy that I was home, but were very unhappy that they were not allowed in this specific room. So I had shoved the towel under the door. I put a couple suitcases in front of the door because they like to hop up on and try to climb on the doorknob.

So you have to think about that for yourself. I would’ve preferred to take it at a testing center, but the availability at times was just, it was like, I don’t want to wait another six weeks to take the test. That’s just going to knock me out of the box. I’m going to get fatigued or I’m not going to study anymore. But I did take it at the house.

Kip Boyle:
Okay. So two different testing experiences. Any comments about how to be successful or anything about the actual sitting for the exam that you would want to share with folks to help them, maybe things that you didn’t expect that they might not expect?

Ed Skipka:
I found the CISM more clearly worded. It wasn’t necessarily leaps and bounds easier, although I did find the CISM personally a little bit easier because there’s four domains, and again, they’re at high level versus eight domains that are a little bit more in depth. I would say if you can get… If you have any memorization things, you got to do that two days out from the test, that’s your drop dead date. You’re not going to suddenly memorize all of the symmetrical and asymmetrical and the rounds and the keys and all the frameworks.

I would say they, ISACA who runs the CISM CSA, they lean towards COBIT because that’s their, their framework, the C-O-B-I-T, where CISSP is very broad. So I would maybe brush up on your COBIT, but again, know your frameworks, but don’t dig into, okay, control AU-1, AC says that I have to have this implementation of this control. You’re getting too far into it.

Kip Boyle:
Okay, that’s too far. Okay.

Ed Skipka:
And I would say in preparation, learn enough, and learn enough that you’re going to get something out of this experience because you don’t want to just take something like a CISSP or a CISM to, just to get it. It’s a slog and there’s a lot to learn, but you should know something at the end of it because especially if you get endorsed and you show up, I’m sorry to say I’ve met some folks that maybe you’ve let their knowledge lapse and you look at their signature block and you’re like, man, you were just killing it. You’re a director level, blah, blah, blah, CISSP, CISM, all these different things and they don’t know the basics of what they’re talking about.

So I would not study too much where you’re, again, we talked about CISSP, I won’t go too far back, but that CBK has this common body of knowledge, has so much material and they have something similar for CISM with the QAE through ISACA and stuff like that. You don’t need to know every word of every page. You need to know why things are happening and what you would do as the appropriate level of person. So if they’re like as a custodian, as a data owner, as a CSO, all those different people are going to do something different in a given situation. So that’s the main thing is mindset and finding what are they asking for and who am I in that instance?

Kip Boyle:
I think you have shared a great deal of wisdom. I really appreciate you taking the time to come and tell everybody what it was like for you to get a CISSP under the gun and then use that as a springboard to go get your CISM on your own. I think that was fantastic strategy on your part. Thank you so much for being here and I think that’s going to wrap up the episode. So the only thing I want to tell listeners before we go is that when we publish this episode, go to yourcyberpath.com/ put in the episode number because that’s going to give you access to a full transcript and all the show notes are going to be there for you. So maybe, you want to copy out some of the information that Ed shared as far as where he got his study materials. That’s a great way to do it.

Now, if you’re going to go over to my yourcyberpath.com, I also want you to look for the signup for mentor notes. So every other week I send out an email to everybody who signed up and I talk about something that is going to help you either get your career started in cybersecurity or help you advance your career in cybersecurity. And it’s just about 500 words, very easy and quick to read and you can unsubscribe at any time. So you might want to check it out. If you don’t like it, unsubscribe, it’s not a problem. What I write isn’t for everybody and that’s totally fine, but I do, I would appreciate it if you’d give it a shot. All right, so that’s our episode today. Hope you have a great couple of weeks before we see you again and so long for now.