Reading and Study

This is a running list of books I’ve read, am reading, or plan to read, plus current and completed trainings and certification study. I’ve borrowed and slightly modified this idea from @varcharr’s website, Casey.is. I also include certification study in this list as certs tend to take up the same me time that a book or game might occupy, and I feel that those resources and lessons learned are similarly worth communicating.


Current Certification Study

N/A - considering my next steps.

Currently Reading

Re-reading / listening to audiobook versions of The Lord of the Rings trilogy by J.R.R. Tolkien, Rob Inglis narration.


Recently Read

Certification Study: ISACA CRISC

Completed August 2022. CRISC is a natural pairing to my role as a BISO, and completed a personal goal to obtain a certification trifecta covering each line of defense: 1st line CCSP, 2nd line CRISC, 3rd line CISA. I made use of both the CRISC review manual and QAE book, but realizing I wasn’t making enough headway with these I went back to the tried and true method from my CISA study of doing a ten question PocketPrep quiz every day. PocketPrep I had to pay for this time: $47.99 for three months access, worth it to enforce consistent daily study.

Resources used:

  • ISACA’s CRISC review manual, 7th edition.
  • ISACA’s CRISC Questions, Answers, and Explanations manual, 6th edition.
  • PocketPrep.com’s CRISC module

How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard & Richard Seiersen

8/10. Solid read that I would recommend to any security practitioner. It arms the reader well with an understanding of what can be measured, how measurements can be applied to reduce uncertainty, and why ordinal, qualitative approaches to risk assessment are setting us up for failure. Although I will readily admit that implementing the core quantitative and statistical lessons of this work within my own organization feels beyond my standing. The book reads generally well, but hits a zone of sleep-inducing hard statistics in the final third.

Certification Study: ISACA CISA

Completed October 2021, overall exam score 573. I put this off for years and finally resolved to get it done via self study in 2021. I settled on a routine of doing a ten question PocketPrep quiz every day, doing some reading from the review manual every week (okay closer to every two), and as I got closer to exam day I would use PocketPrep 100 question quizzes as mock exams. PocketPrep was surprisingly effective and I would highly recommend them if you learn well via regular quizzing, albeit their subscription pricing may be a turn off to some. ISACA’s review manuals are notoriously long and dry, and I understand why they have that reputation now.

Resources used:

  • ISACA’s CISA review manual, 26th edition
  • PocketPrep.com’s CISA module, legacy access

Certification Study: ISC^2 CCSP

Completed March 2019. This was a week-long, exam cram style course offered through my employer with an instructor from Infosec Institute. It did exactly what it said on the tin: take the class all week, take notes, do the reading and the homework, pass the exam. This was my first non-entry-level certification and was an immense benefit in bringing me up to speed on vendor-agnostic cloud concepts and design, although for engineering and architecture roles I feel you will be best served pairing CCSP with AWS/Azure/GCP certifications. I also consider it acceptable to let the CCSP lapse if you obtain the CISSP; as of 2019 our instructor claimed the CCSP now covers 40% of CISSP’s content.

Resources used:

  • Sybex CCSP Official Study Guide by Brian T. O’Hara & Ben Malisow
  • Infosec Institute instructor-led class