One common tip for preparing for the CISSP is to "Think like a manager". However, most CISSP books do not emphasize this point strongly enough, and many candidates fail the test because they never develop a deep understanding of this simple advice. Let me break it down for you.
1. Define - Specify - Plan/Design - Implement - Evaluate/Review - Document
You have to get into the mindset of separating a challenging task into processes and phases. Almost every cybersecurity project, whether developing a new enterprise security solution, improving existing infrastructure, or responding to an outbreak, can be boiled down to these high-level steps:
- You have to know the problem you're dealing with and be able to define it
- You need to specify the problem, and the potential solution, in as much detail as you can
- You have to plan your execution carefully, taking into account human safety, time, budget and legal obligations
- You implement according to plan, always on the lookout for disruptions
- You evaluate your work and identify areas for improvement, ambiguities, and so on
- You document everything
2. Due Diligence - Beyond Any Reasonable Doubt - In Time
"Due diligence" means having a process for making sure things are done properly and securely, to the fullest extent that current capabilities allow. For example, it is the process that makes sure all of your systems are configured properly. Not only do you need to do the work, you also need to generate enough evidence to show that you did it. This matters especially because a manager can be held legally accountable.
When bad things happen (and they will), you as a manager must be able to prove beyond any reasonable doubt that you did your best. For example, if a misconfiguration in a cloud bucket leads to a massive data leak, you must be able to show, from records, that you took the reasonable steps expected of you to prevent it. Therefore, while one may find all the regulations, processes, protocols, etc. boring and hard to remember, one must understand that they exist for good reasons: they define what a diligent manager is expected to have done, and they are what your evidence will be measured against.
Finally, due diligence must be done in time. Controls checked and evidence gathered after an incident do not show that you were diligent before it.
3. Think Deep - Act Responsibly - Get Results
"Defense in depth" means many layers with many pieces, and you and your team may be just one piece of the puzzle. Thinking deep means thinking beyond the surface, and beyond your own team or department. That is why, on some difficult questions, you may notice several correct answers; the best answer requires reasoning in depth.
Acting responsibly starts with the way you prepare for the test and how you answer each question on it. Being responsible means trying your best to understand each knowledge component, taking domain quizzes only when you are completely ready, and, last but not least, going above and beyond to find out what you need to know. Remember, there is no shortcut in the real world when you need to understand and solve cybersecurity problems.
Managers must deliver the right results. The more you understand the different kinds of results, the better your chances of delivering the right ones. Based on your background, you may favor one kind of result over others, which can lead to wrong answers on the test. Keep in mind that a wrong answer on the test costs you a few points, but the same mistake in real life may cost you a career. From the start of your CISSP preparation, I urge you to treat each quiz or sample-test question as a real-world problem and to be fully aware of the real-life damage a wrong answer could cause.