Those of you who are close to me will know that I have been off my feet for a few weeks following knee surgery. It forced me to take sick leave \u2013 which is something that I rarely do, and you could probably count on one hand the number of days I have been off work over the past 15 years or so. Admittedly \u2013 I have been lucky in this respect.<\/p>\n\n\n\n
However, the prospect of taking a long period of time off work filled me with dread \u2013 not least as to what was I going to do with my time. The good news is that if you have ever had knee replacement surgery \u2013 your mind is kept quite busy with how much it hurts and how sadistic physiotherapists are.<\/p>\n\n\n\n
Six weeks in and my knee is still not flexing well – and I am not sure if I will be able to do my old dance routines ever again! Which is going to be more of a shame for the general public.<\/p>\n\n\n\n
After a couple of weeks of feeling sore and gradually getting more bored (I did the whole series of Star Wars) \u2013 I started to attack some reading material to get some new certs underway and this helped keep me busy. My wife complained that I shouldn\u2019t be working but it was more reading and research \u2013 so wasn\u2019t too taxing. I still had plenty of time to put my feet up and sleep (which still evades me!)<\/p>\n\n\n\n
But despite being off work \u2013 I still needed to keep my mind active on something cybersecurity related and decided to flex the grey matter and have a go at the EC Council CCISO study. This has been on my \u2018to do\u2019 list for a while and having completed CISSP with Firebrand, earlier this year \u2013 I thought it would be a good opportunity to compare and contrast.<\/p>\n\n\n\n
I used the official study book from EC Council and read through the 5 domains \u2013 stopping and researching the bits that I either didn\u2019t understand or needed some form of clarification on. As with all certification vendors \u2013 there is often a difference in the terminology and focus of a course but luckily never a change of tack on the intended outcomes. Nobody needs to re-invent the wheel.<\/p>\n\n\n\n
The course material was difficult to read through and I found breaking it up into small areas rather than hitting each large domain in a \u2018oner\u2019 worked for me. There were areas that I knew well and others that I needed to take more time over. <\/p>\n\n\n\n
Domain 5 is particularly odd (for me at least) \u2013 \u2018Strategic Planning, Finance, Procurement and Vendor Management\u2019. I would imagine that this was also a particularly difficult module to write the courseware author. There are so many if\u2019s, but\u2019s and maybe\u2019s in this area that it really only scratches the surface in a lot of areas – and although it gives some guidance \u2013 for me was quite a handful. Every organisation I have worked with does this differently and has different terms for stuff relevant to this domain.<\/p>\n\n\n\n
The one thing that I didn\u2019t really like about the EC Council course was the focus was sometimes on US-based legislation and processes. I am fine with NIST standards and guidance and a lot of other great US-centric frameworks that have been adopted internationally \u2013 but there were a few moments when I thought \u2013 hold on a minute \u2013 we don\u2019t do that here.<\/p>\n\n\n\n
Luckily the exam was very neutral in this respect. So if you do the course or read the book \u2013 don\u2019t fret when it goes all weird and foreign.<\/p>\n\n\n\n
The NDA for the exam means I can\u2019t really tell you if it was all relevant, but a few odd questions did come up.<\/p>\n\n\n\n
There is no secret in the fact that the CCISO exam is 150 multiple choice questions and 150 minutes long. So even with my level of maths \u2013 that\u2019s 1 minute per question. Some of the questions are fairly straightforward and you will know the answer as soon as you read the question \u2013 others take a bit longer to digest. So it all averages out. I didn\u2019t find time an issue.<\/p>\n\n\n\n
As with all EC Council exams \u2013 there is no set passing percentage and you won\u2019t know until the final tot up if you have passed or not.<\/p>\n\n\n\n
You can take the exam at home using the remote proctor (unlike CISSP) which is handy – and the exam portal is simple and easy to navigate. You can mark questions for review and come back to them which also helps. I used this feature.<\/p>\n\n\n\n
Another big difference between the CCISO and CISSP is that EC Council expect you to know a few ISO\u2019s and Frameworks (which the CISSP alludes to but remains quite neutral on). But the good news is that if you have been knocking around information security for a while \u2013 these will be old hat to you. I guess that\u2019s the point.<\/p>\n\n\n\n
The CCISO had a lot of mini-scenario type questions which I quite liked but there were always 2 answers which could have been correct. CISSP is a bit like that \u2013 so as soon as you have got rid of the blatantly obvious wrong answers \u2013 it is a question of taking your time to pick up what they are after.<\/p>\n\n\n\n
I also found that a few questions on processes came up but again these were straightforward if you have done incident response, forensics and project management before.<\/p>\n\n\n\n
The CCISO exam and course is not technically deep (the same as CISSP) but there were a couple of questions on cryptography, network defence mechanisms, zero trust and cloud-technologies that made me stop and think. Mostly because all the answers looked the same or could have been correct and the well-used \u2018choose the BEST answer\u2019 questions are always my least favourite.\u00a0 The problem I find with courses which are not technical is that when they discuss the technology at such a high level it all gets very confusing and often poorly described.\u00a0 There are few courses out there that are like this.<\/p>\n\n\n\n
The whole point of CCISO is to layer on top or alongside CISSP a bit more of the executive officer angle of attack and so there is an emphasis on the Domain 5 stuff. Finance, legislation, procurement processes and \u2018what would the board do\u2019 type situations. I did find these tough and probably where I lost marks in the exam.<\/p>\n\n\n\n
Just like CISSP if the answer has something in it that benefits the business objectives \u2013 it is probably the right answer. However these are very ambiguous in the real-world.<\/p>\n\n\n\n
I am pleased to say that I passed the test but more importantly \u2013 I learned some stuff along the way. Do I ever want to be a CISO? Nope. Do I want to get a better understanding of how a business can maintain a good security posture and support operations at all levels? Yep. That\u2019s what this course puts in place.<\/p>\n\n\n\n
If you do want to be a CCISO or consider the knowledge and skills required for such a role \u2013 then this is a great option.<\/p>\n\n\n\n
This course and others from EC Council have recently been re-accredited by the NCSC in the UK which gives them a great stamp of approval at the highest level. This is not to be sniffed at. I know this first hand as I have been involved in the accreditation process with the NCSC for the Firebrand law enforcement courses we deliver and understand the process and rigour that is put in place to get on this list.<\/p>\n\n\n\n