Reflections on Certified CISO (CCISO)
tl;dr The training was fantastic, but the exam was shocking.
What is CCISO
CCISO is offered by the same people (EC-Council) that offer CEH, and is designed to give aspiring CISOs the ability to apply information security management principles from an executive management point of view. It covers 5 domains:
- Domain 1 - Governance, Risk, Compliance
- Domain 2 - Information Security Controls and Audit Management
- Domain 3 - Security Program Management & Operations
- Domain 4 - Information Security Core Competencies
- Domain 5 - Strategic Planning, Finance, Procurement, and Third-Party Management
In my opinion, the biggest hurdle to obtaining CCISO is, by design I imagine, the verification of your five years' experience across each of the domains above. The pre-reqs are explained in detail here, but basically:
- Self study route - You need five years' experience in all domains. Only been working for 4? Full CCISO won’t be for you.
- Training route - You need five years' experience in 3 of the domains.
On the application form you’ll need to provide reference(s) that can validate your experience across all of the pertinent domains. They don’t need to hold CCISO themselves. I had 4 references in total, 3 of which responded, and this was sufficient.
My goal was less the certification and more the knowledge that it taught, so despite probably having enough experience across all 5 domains to qualify, I opted to take the training route.
I chose the virtual, on-demand training package offered by EC-Council, which gives you 12 months' access to a video series that naturally shares all of the knowledge you’d need to pass the exam. The quality of these videos was fantastic, and the instructor complemented the syllabus with their own anecdotes, which was great. The fact that these videos could be consumed on-demand meant it was easier to fit the learning around other stuff, although you obviously miss out on the ‘learning by osmosis’ that you get from an in-person taught course.
Preparing for the Exam
I didn’t bother taking notes during the video training, and instead relied entirely on the content found in the three books below:
CCISO Exam Guide - With this book alone, plus a little bit of experience, you could easily pass the CCISO exam. If anything, I thought this perhaps went into too much detail; however, that’s obviously better than the alternative! My approach was to do all of the practice questions first, and then use that to inform where I needed to focus my revision.
Both practice question books were almost word for word identical, so only buy one, and both were littered with spelling mistakes. As it turns out, these spelling mistakes were indicative of what I could expect in the exam, and I lost faith in the accuracy of the practice questions so didn’t finish them all. This was probably a mistake, and on reflection I think I would have benefitted from finishing all of the questions.
Given the quality of the training, I had high hopes for the quality of the exam, and expected a similar candidate experience to CISSP. This was definitely not the case.
Unlike other exams I’ve sat, typically at Pearson VUE test centres, this was a remote proctored exam. You need to have a Windows machine with a webcam and microphone, and you essentially give the proctor full control over your machine via LogMeIn. The entire thing felt like a scam, and fortunately I had the foresight to configure a fresh VM with nothing on it, but I guess that’s just how these things are done.
The exam itself was a frustrating experience, and I had 3 major complaints:
- Out of 150 questions, 5 were word-for-word duplicates of questions I’d already answered, with just the ordering of the multiple choice answers changed up. If you know the answers to these, like I fortunately did, then it’s less of a problem, but it is indicative of a broken question selection system.
- If I had to give a conservative estimate, I’d say probably 50% of the questions had spelling mistakes, and they’d clearly been written by someone who is not a native English speaker. When you pay $1000 for an exam, you expect better.
- One of the questions even had the instructor’s notes included in the answers, for instance “(remove this answer as its no longer accurate)”. How does this even happen?!
I walked away from that exam disheartened; why had I spent so much time preparing for an exam, which I’d also paid $1000 for, when they couldn’t even be bothered to spell check their questions? I can’t in good conscience recommend CCISO, and if I were to do it all again, I’d drop £30 on the book rather than £3000 on CCISO.