The CISSP Companion Handbook


Posted by Ben Rothke

If you are looking for a formal vade mecum in your quest for CISSP certification, then The CISSP companion handbook: A collection of tales, experiences and straight up fabrications fitted into the 10 CISSP domains of information security by Javvad Malik should not be your reference guide.

But if you are looking for an entertaining and educational book to break up the monotony of CISSP preparation, this is your guide, and a very funny one at that.  Even for those security gurus who already hold the treasured and adored CISSP certification (and all the more so for those with SANS certifications), the book is a witty look at the world of information security, and one man's observation of it.

What are Malik’s accomplishments?  Well, he really knows information security and brings a lot of experience to the table.  He won the RSA Social Security Blogger award for the most entertaining blogger, as well as the best security video blogger and most entertaining blog at the European Security Blogger Awards.  The book is entertaining in the sense that he doesn’t drone on about information security abbreviations and acronyms.

When discussing TCP/IP, the book uses rock music as an analogy.  Drums are TCP, an electric guitar is UDP, vocals are IP, the band manager is ARP and the record label is RARP.  While those analogies certainly won't help you pass the test, they will definitely give you a more realistic understanding of what the protocols really do.

No CISSP guide would be complete without a reference to the Bell-LaPadula model, which the book mentions on page 107.  The book doesn't really define it (for the record: it is a formal model of multilevel confidentiality in which a subject may not read an object classified above its clearance, "no read up", and may not write to an object classified below its own level, "no write down"), but notes that it may be used and implemented in pencil-pushing governmental departments.
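Since the book leaves the model undefined, here is the core of it in code.  This is an added example, not code from the book or from Malik; it assumes a simple linear ordering of classification levels with no compartments or categories, and treats a subject's clearance as its current level (the model's tranquility subtleties are out of scope).

```python
"""Bell-LaPadula access checks: an added example, not from the book.

Assumption: a linear lattice UNCLASSIFIED < CONFIDENTIAL < SECRET < TOP_SECRET,
no compartments, and the subject's clearance is also its current level.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level


@dataclass(frozen=True)
class Obj:
    name: str
    classification: Level


def can_read(subject: Subject, obj: Obj) -> bool:
    """Simple security property ("no read up"): read is allowed only if the
    subject's clearance dominates the object's classification."""
    return subject.clearance >= obj.classification


def can_write(subject: Subject, obj: Obj) -> bool:
    """*-property ("no write down"): write is allowed only if the object's
    classification dominates the subject's level, so information cannot
    leak from a higher level into a lower-classified object."""
    return obj.classification >= subject.clearance


def check_access(subject: Subject, obj: Obj, mode: str) -> bool:
    """Mediate one request: 'r' = read, 'w' = write, 'rw' = both.
    Under BLP, 'rw' is only possible when the two levels are equal."""
    if mode == "r":
        return can_read(subject, obj)
    if mode == "w":
        return can_write(subject, obj)
    if mode == "rw":
        return can_read(subject, obj) and can_write(subject, obj)
    raise ValueError(f"unknown access mode {mode!r}")


def audit(requests):
    """Evaluate (subject, obj, mode) requests and return the denied ones,
    which is what a reference monitor would log."""
    return [(s.name, o.name, m) for s, o, m in requests if not check_access(s, o, m)]


if __name__ == "__main__":
    # Constructed sample subjects and objects for the demonstration.
    alice = Subject("alice", Level.SECRET)
    plan = Obj("war-plan", Level.TOP_SECRET)
    memo = Obj("cafeteria-memo", Level.UNCLASSIFIED)
    report = Obj("secret-report", Level.SECRET)
    requests = [(alice, plan, "r"),     # denied: read up
                (alice, memo, "w"),     # denied: write down
                (alice, memo, "r"),     # allowed: read down
                (alice, report, "rw")]  # allowed: same level
    for s, o, m in audit(requests):
        print(f"DENY {s} {m} {o}")
```

The counter-intuitive part, and the usual exam question, is the *-property: a SECRET subject is refused write access to an UNCLASSIFIED memo, not because the memo is sensitive, but because the subject might carry SECRET knowledge into it.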

As an aside, I once worked with a really smart guy who had worked with Len LaPadula at Bell Labs.  He couldn't tell me what the model was either.  But he did note that most people mispronounced his name as La-pa-doo-la, when Dr. LaPadula himself pronounced it le-pad-you-lah.

In movies such as Cars, much of the humor is lost on the children, while the adults will laugh.  This book is very much like that, in the sense that those who have been in the industry for a while will get the humor and irony in Malik's writing.  In Domain 3: Information Security Governance & Risk Management, he writes that if you do things just because they are best practices, you end up becoming an auditor, and notes that nobody likes an auditor.  In the footnote, he clarifies that despite the sweeping generalization, there are some good and effective auditors in existence… a few.  Only those who have been in information security for a while can appreciate the humor there.

The book is only available for the Kindle, and at 99 cents, that comes out to less than 10 cents per CBK domain.  Note that in the book, he never defines what CBK stands for (it is (ISC)²'s Common Body of Knowledge), which would leave a CISSP candidate grasping in horror for an acronym without a definition.

When it comes to pure CISSP guides, a best practice is to use the CISSP All-in-One Exam Guide by Shon Harris, all 1,500 pages of it. 

If you want the funniest and cheapest and downright educational guide around, nothing beats The CISSP companion handbook: A collection of tales, experiences and straight up fabrications fitted into the 10 CISSP domains of information security.


Contributors
Ben Rothke

Senior Information Security Manager, Tapad


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

