Author Archives: Joe Sabado

How I Passed My CISSP Exam

I passed my Certified Information Systems Security Professional (CISSP) exam on November 20th, 2018. It took me 50 minutes to answer 100 questions. I am sharing this blog post as a resource to colleagues who are intending to take the test and to the cybersecurity profession as my way of “paying it forward” since I received help from vast and free online resources and from advice I received from those I didn’t even know personally.

Motivation

I decided to take the CISSP exam for the following reasons:

  • Model my commitment towards professional development (one of this year’s four key areas in our department strategic plan) by learning topics relevant to our organization’s (SIS&T) future direction including 1) improving our organizational resiliency (staffing, information systems), 2) improving processes (governance, operations, devops), and 3) “liberate data” – expose data across campus systems that have been siloed in the past.
  • The need to acquire new leadership/management and technical knowledge required for my role as IT leader on campus given emergent technologies and changing workforce dynamics and demographics. Campus initiatives including cloud adoption, integrated campus cybersecurity, data analytics and campus data integrations using Application Programming Interface (API) and visualization software for decision-making also require new knowledge and skills.
  • Continue my commitment to life-long learning.

Background

Though I had intended to take the CISSP exam in 2017 and my organization had even paid for an online course and books to prepare me for the exam, in retrospect, the fact that I didn’t create the pressure for myself to prepare led me to not dedicate the time and effort as I had done these last two months before my exam.

The CISSP exam is often characterized as “mile-wide and inch deep”. It is very true that the exam assesses the tester’s knowledge in the eight domains ranging from understanding of laws and regulations, best practices, networking/physical/software security, and operations. I am not so sure it’s an “inch deep” however as while the exam may indeed provide questions at a general level, the level of knowledge I felt I had to learn (and acquired) in the process of preparing for the exam went beyond general information.

Since my professional background/experience were mainly in application development and leadership/management, I found those domains to be relatively easy. However, given my lack of experience in networking and data center management, I found myself needing to spend more time studying those areas than others. For example, I bought a book called Networking All-in-One for Dummies because I didn’t even know the differences between the different networking mediums (cabling) and wireless networking specifications.

Approach

Though I read many online resources about the CISSP exam, there were no materials I read about the specific questions themselves and even if I had come across them, I did want to honor the integrity of the process and professional ethical standards by using them. Given that I didn’t know what questions to expect, I found myself using different study materials (books, iPhone apps, quizzes, videos, websites, social media) and I even tried different study styles to improve my chance of passing the test. I have learned that I seem to understand and remember concepts better if I understand the “big picture” and when I can see the relationships among the different areas I study. So, I created a mind map of the 8 CISSP domains as my roadmap using a mobile/website called MindMeister. Here is the link to my CISSP mind map.

I also found study methods to maximize the limited time I had between when I registered to take the exam (October 2nd) until the day of the exam (Nov 20th). I created a schedule which required discipline and dedication. The Kindle books and the iPhone apps which I could use anytime/anywhere during the day when I’m free (including between meetings, trips to the mall, commute) were useful. My wife’s support and encouragement throughout the process was also very helpful. She provided me with the space and time to study.

As I will share below, it was about two weeks before the test when I finally realized what methods increased my comprehension of the topics I was studying.

Timeline

September 2018

October 2018

  • Registered for the CISSP exam (Nov 20th) on October 2, 2018 on the PearsonVue website.
  • Created and completed exam preparation schedule for those six weeks.
    • First two weeks of October – complete the Sybex book and Shon Harris’ All-in-One CISSP Exam books. This meant spending 2-3 hours a night reading at least one chapter a day and completing the end-of-chapter quizzes.
    • Entire October up to November 19th.
      • Complete CISSP course on Cybrary.It, and Lynda.com CISSP course.
    • Completed at least 200 questions a day from various quizzes (see list below) and improved my knowledge on areas of weaknesses based on my scores.
  • Five days before exam
    • Took days off from work. Spent at least 5 hours during the day/night of continued studying. This is the period when I realized how to significantly improve my understanding of the topics. At this point in the process, I’ve read books, taken thousands of questions, and watched hours of videos so the areas new to me became smaller. However, there were still areas I struggled because of my lack of experience as I noted above. So, every time I completed the quizzes, I researched the questions I had missed by re-reading the books and re-watching videos AND in the process, I also started understanding/noticing related topics I had missed before.
    • Two days before the exam, I continued my routine above, and I also reviewed summary materials I had found online including the following:
    • The day before the exam, I had come across a blog post which said to watch the following videos to have the proper mindset going into the exam. So, I watched them, and they made a difference in how I approached the test – think like a manager and from a risk management perspective, not a techie. I encourage those preparing to take the test to watch these videos at some point in your preparation.

Lessons Learned

The benefit of the CISSP certification goes beyond the recognition of passing the exam. It has given me more confidence with the new knowledge learned about cybersecurity and how to study for future certification exams. In two months, I learned knowledge in areas I did not have opportunities to learn in my 20 years in IT. To pass the CISSP test requires the risk and organizational mindset AND technical knowledge. A technician’s approach of solving issues through tools only or a manager with little knowledge in the 8 domains will probably have a hard time passing the exam. Even with years of experience, the test also requires time and commitment to study the materials and be comfortable with the types of questions.

Personally, I found the preparation process as an opportunity to further assess what works for me in terms of learning style. I used a combination of books, videos, apps, mind maps to figure out what works for me. In the end, I believe memorizing the materials alone is not sufficient and it requires some thoughtful understanding of how the different tools/approaches in combination should be applied to solve real-life situations. It also requires intuition gained through experience to be able to effectively assess a problem. I believe therefore experience is a requirement of the certification.

Like other folks online and colleagues in my organization who gave me advice and who shared their knowledge for me to pass the exam, I would like to offer you any insight about the process (within the NDA and ethical boundaries) so you may also pass the exam. Please feel free to contact me at joe@joesabado.com.

Resources

My learning style is different from yours so in general, every single resource listed here was helpful to me personally, but there were some I relied on more than others and ones I thought were most applicable to the areas and types of questions presented during my exam.

Exam Preparation/Mindset

Exam registration

Summaries

Videos

iPhone Apps

  • CISSP Certification Exam Prep – ImpTrax Corporation
  • CISSP Pocket Prep – Pocket Prep, Inc.
  • CISSP Study Guide by Cram-It – Rooster Glue, Inc.
  • CISSP Practice Questions – Laurie Hocking
  • CISSP Practice Exam Prep 2017 – Recurvo Learning & Educational Apps
  • CISSP Stress-Free: RocketPrep
  • CISSP Practice Test – Mark Patrick
  • LearnZapp CISSP Study Guide

Quizzes

Books

Websites

Social media

Tools

Importance of Shared Language in Big Data/Analytics Adoption

One of the necessary, yet overlooked, steps to the success of initiatives involving folks from across campus is the development of shared/common language to minimize misunderstandings and provide clarity. One of the first campus-wide projects sponsored by the new CIO Matt Hall at UC Santa Barbara when he came on-board two years ago was a series of day-long sessions for the 400 IT community members. The aim of these sessions called “IT Foundations” is to establish shared vocabulary and understanding of the campus governance structure, IT infrastructure, and the general campus IT direction. Based on feedback, participants found the experience and the information valuable towards their understanding of the current campus IT layout and the vision of the CIO.

As the campus moves to adopt big data and analytics, I once again realize the importance of developing shared language for initiatives related to these technologies to move forward. The most significant barriers to adoption have not been technical in nature but rather the lack of understanding of the applications of these technologies especially as they involved ethics, privacy, and potentially unintended negative consequences. Specifically, the use of predictive analytics (using algorithms) for academic advising may lead to certain student populations (first-gens, etc.) or students who fit certain parameters to be inappropriately excluded from certain programs or opportunities. Certainly, the concerns about the use of predictive analytics are valid, but adoption of big data and analytics for other campus functions should not be stopped given that the specific concerns related to predictive analytics may not apply. It is for this reason that it’s important for campus administrators, technologists, and other folks involved to have a common understanding of big data and analytics as related to higher education.

A framework to understand big data and analytics in higher education was introduced in the book “Big Data and Learning Analytics in Higher Education: Current Theory and Practice” by Ben Kei Daniel. The framework by Daniel and Butson (2013) classifies the different analytics and their uses in higher education. I translated their descriptions into the graphic below.

In addition, Daniel and Butson (2013) also classified the scope of analytics as shown below.

Gartner also developed the analytics ascendancy model below to highlight the different types of analytics with respect to their values and difficulty.

credit: http://dataanalyticsandvisualization.com/negocios/modelo-analitico-ascendente/

The frameworks introduced above should be good starting points in campus conversations as they provide shared language and understanding of big data and analytics towards actions to benefit the students and the institutions in general.

Can you recommend other approaches to introduce big data and analytics in higher education? Can you share applications of these technologies in higher education beyond marketing/communication (web analytics) and instructions inside the classroom?

Productivity Ideas for Busy Managers

One of the difficulties for managers is how to simultaneously meet their responsibilities to 1) manage others, 2) attend seemingly endless meetings and 3) take care of the work they must also do for themselves. In my role as Executive Director of IT, I found myself caught in the position of becoming a bottleneck for the organization in that decisions and/or tasks that don’t take more than minutes to complete were left unattended for weeks. The problem is that I was doing too many things all at the same time (time slicing) and I was distracted with technologies that should help me be more productive. I was checking my emails and at times social media every few minutes. I’m sure some of my staff were getting frustrated for having to wait on me and I was also getting frustrated at myself for not being more productive. The frustration led me to finally trying different ways to improve my productivity. For years, I resisted using productivity techniques I’ve come across thinking I don’t need them. However, through a combination of a change in mindset, technology, and techniques I’ve found noticeable improvements in my productivity. Below is a list of these proven ideas you could consider.

1) Mindset. Focus on one task at a time. I used to think I could “multi-task” but from multiple articles/books I’ve read, what I was actually doing is time slicing, and the time to transition from doing one task to another is costly. Specifically, the cost of getting back to the original task once distracted is an average of 25 minutes.

2) Use time blocking. I mentioned above that managers have to balance managing/delegating, attending meetings, along with “creating” which means taking care of their own tasks. In my case, “creating” means taking care of HR actions, budgeting, or thinking about strategies. Too often, the times for “creating” are short times between meetings resulting in low quality and incomplete tasks. The solution to this problem is to block out times in your schedules so you can have continuous hours of time dedicated to “creating”. In my case, I’ve blocked my morning hours (8-12) for these times and the other parts of the day for other tasks. That’s impossible you might say. I thought the same thing, but while it hasn’t been perfect, this technique has worked for me. The key is to inform your staff and others you deal with of your intention so they don’t schedule these blocked out times. There’s also a transition period to implement this. While these contiguous hours may not be available in the next few weeks for you since meetings have already been booked, you can schedule these time blocks starting two to three months from now.

3) Pomodoro technique. This is a time management technique aimed to promote maximum focus and energy by concentrating on one task for 25 minutes. Using my iPhone, I set the timer for 25 minutes and I aim to work on the one task I’ve defined to complete within that time span. This means I don’t check my emails, browse through social media, or tend to distractions.

4) Manage your energy, not time. I’m a late night and morning person. This means that my energy is highest in those times of the day. In the past, I had a habit of going through my emails and taking care of “little things” to start my day, but the problem is that I could have been using my peak energy during those times to tackle tasks requiring high energy and focus. Given that I’m a morning person, this is the reason why I’ve dedicated my “creating” time blocks from 8 am – noon. I then try to spend my afternoons meeting with my staff and other tasks.

The techniques I’ve mentioned above are fairly new to me but I’ve found the results to be encouraging which has led me to focusing on other ways I can be more productive. It requires a different mindset and employing time management techniques that work for you.

Let me know other ways you’ve improved your productivity at work! If you’re to try the ideas I shared above, let me know as well if they did work for you.

Image credit: http://cdn-media-1.lifehack.org/wp-content/files/2014/11/Productive.jpg

Identity is In the Eye of the Beholder

Identity is relative based on perspectives. I’ve come to recognize that how I view myself, all the different components of my identity, may not be the same as how others view me. I view my racial identity as an Asian-American to be the most salient part of my identities. In my mind, my experience in the United States, through the marginalization and the struggles I’ve faced since my family and I immigrated to this country have been shaped because of my racial identity and my physical features. While I have primarily defined my identity as one who belongs to a historically marginalized group, what I have come to realize is that others may not see me as that. In fact, I’ve been reminded that as a male in the position I hold at the university, I am seen as a person of privilege. For others, I’m seen through the lens of gender, organizational position, etc. beyond race and these lenses are relative to the other person’s perspectives.

I’ve been thinking about this notion that while I may feel oppressed in some ways, I also carry privileges because of certain aspects of my identity. I was reminded by a student recently of the privileges I/we carry as university staff (and even students) relative to those who live in their hometown (inner city). This student reminded me that while we do have our own struggles we are fighting for, sometimes we live in a bubble and forget the struggles that folks like those who live beyond the confines of the university must go through. This student reminded me that their family is currently homeless and they must move from time to time depending on which friends and families are willing and able to house them.

Taking the time to understand other folks’ perspectives and their struggles is one of the efforts I’ve always tried to do since I can remember but at times, I fall into the trap of just thinking about the issues I face without realizing that while in some ways I have been marginalized, I also carry privileges I must be conscious of.

Can you relate with my experience? How do you define your identity and how do you think others view you?

image credit: https://pixabay.com/en/identity-mask-disguise-mindset-510866/

ACPA/NASPA Technology Competency for Professional Development

The technology competency in the latest ACPA/NASPA Professional Competencies (2015) and the corresponding rubric provide student affairs practitioners and administrators guidance on how to effectively learn and apply technology in their roles as educators and programmers for student success. In addition, the two documents are also useful to the same groups when it comes to self-directed and formal professional development.

In my role as student affairs IT director, educator, and student affairs administrator, I was very interested in the technology competency when it became available and how it could be applied to my organization and for my personal learning. I’ve offered my thoughts in this blog post.

I found the competency and the rubric to be useful for the following reasons:

1) I’m able to identify areas I need to pursue. For example, most of my experiential learning and training have been mostly on “technical tools and software” and “data use and compliance” so when I planned my schedule for the NASPA national conference in San Antonio next week (March 10-15), I purposely planned my schedule to attend sessions on “digital identity and citizenship” and “online learning environments”.

2) As I defined areas I need further development, I began to explore other methods of learning. For example, most of my education when it comes to technology the last three years has been through my job and also through Kindle books. This year, I discovered Lynda.com videos and I have completed seven courses in data governance and security.

3) The techniques and mindset I have developed through the technology competency have also led me to applying them in other development areas beyond technology. Just recently, I completed a 10-course series on people management certification via the University of California online learning system.

4) Given the lessons learned from my experience in applying the competency and rubric, I am in the process of developing a training curriculum for our division of student affairs based on the competency and rubric with the support of our Vice Chancellor for Student Affairs. My hope is that by next year’s NASPA conference, we would have implemented the curriculum and present our experience so other student affairs practitioners and administrators may consider using the competency for their institutions as well.

Dr. Josie Ahlquist and I presented via webinar (Infusing The New Student Affairs Technology Competency Into Practice) last month, on how the competency could be applied in graduate programs, student affairs organizations, and for professional development. Part of the presentation focused on the use of the competency for professional development. I offered how I have used and how I plan on using the competency and the rubric to guide my learning. Using Excel, I created a template that lists learning activities, when I would pursue them, the format, and which areas of the technology competency rubrics these activities fulfill. The template also provides a link to the rubric.

Attached is the Excel file I developed and please feel free to modify it for your use. Click on the image to download the file.


I look forward to how other institutions and student affairs professionals apply the competency and rubric. If you or your institution have used these tools, I would love to learn more about them.