The New CISSP CAT Exam
The CISSP Computerized Adaptive Testing is going to be here starting December 18, 2017!
It totally caught me off guard; there really was no confirmation or prior announcement. If there was an announcement, the (ISC)² only told a select few at private conferences. We had at least 6 months' notice before The Great CBK Change of 2015!
Either way, the CAT exams are happening, and we're going to have to deal with it. I mean, there really is no "constant" in today's security field anyway; things can frustratingly change every day, every week, or every year. It's how you deal with the constant change that makes you stand out as the professional when everything else is falling apart.
I remember a time when the firewall for a high-profile and edgy client started experiencing high latency. The client's network security engineer called the SOC and wanted us to investigate whether a DDOS was occurring - and let's just say he was not a calm person at that moment.
At the same time, our own VPN at the SOC was malfunctioning, and we were unable to authenticate to our own systems before SSH'ing to the client firewalls.
The client's network was possibly undergoing a DDOS, and we were unable to provide managed security services to a paying customer because of our own internal issues. It was a bad situation.
During this disaster, our Tier 3 security engineers remained calm, collected, and kept it 100% professional. They found another jump server within our network and port-forwarded their SSH tunnel from there to the customer's environment. They calmed the customer down and figured out it wasn't a DDOS, but rather a simple firewall rule allowing DNS traffic which was re-enabled somehow. The DNS traffic is what caused an influx of new connections to the firewall.
The senior engineers were presented with a challenge, utilized their knowledge and experience, adapted to the situation, and successfully resolved the issue.
Facing this new type of CISSP exam may just be your first in a series of challenges that await you in a security career. The hard work only really begins after you pass the CISSP.
If you have to take the new CAT exams instead of the 250 straight questions, whether you pass or fail, wear it as a badge of distinction. You took it, and no one who sat the CISSP before December 18, 2017 did.
You'll be able to say you took the new, more intimidating and technologically sophisticated exam.
Here's some information about the new CISSP computer adaptive testing if it helps:
What is Computerized Adaptive Testing?
CAT exams aren't relying solely on a points system for a pass or fail. Based on your response, the exam software uses a complex algorithm to calculate whether you will fail early, or pass late during the exam.
The more questions you get right, the harder the questions get and the closer you are to passing the exam.
The more questions you get wrong, the easier the questions get, but the further you are from passing.
To pass this type of exam, you really have to change your psychology and convince yourself there is no choice but to get the answer right every time. It's really important to get the first question right, and try your absolute best to get the next few questions correct early on during your exam.
Let's say the exam questions are of this difficulty:
Below is an example of what your exam could be like with CAT. The first question could be one that is Medium difficulty.
If you get the first question correct:
You are now that much closer to eventually passing the exam.
The second question could once again be Medium or Medium-Hard difficulty.
And if you consecutively get the next few questions correct, then the exam starts to learn about you - like Skynet.
I'm not really sure, but maybe the tougher the questions the closer you are to passing the exam? No idea.
But does that mean the easier the questions you get the closer you are to failing the exam early? No idea.
If you get the first question wrong:
You are now that much further from passing the exam.
The second question could be Medium or Medium-Easy.
If you consecutively start getting these questions correct, then you will be catching up to those Hard questions and closer to passing your exam.
If you start getting these Medium or Medium-Easy questions wrong, then you're drifting away from your pass and getting closer to a fail.
Will the exam be harder?
While you're studying, your goal should be to study as if you're going to get all the hard questions.
Are you struggling with the software security domain? Then study that domain like the exam is going to give you only Hard difficulty software security questions.
Are you unable to get a grasp on the network security domain? Then you have to study it like the exam is going to be nothing but Hard level questions about network security and cryptography.
It's what you make it: if you study hard, the exam will be easy. If you didn't study, then the exam will be hard.
If you don't like to sit in a testing center for 6 hours and answer 250 questions, then in that sense this new CAT exam will be easier. It's 3 hours and 100-150 questions.
How should I mentally prepare for CAT?
As much as it sucks, you now have to study for the exam with the goal of getting every...single...question...correct.
There's probably a really small margin for error, otherwise you're going to fall behind in your score and have to really catch up.
This is going to put an immense amount of pressure on you during the exam. You'll have to train your mind to handle those moments during the exam when you think you aren't going to pass in time, or are going to fail the exam. Just know that everyone has felt this way during their CISSP exams.
Can I still keep studying the current CISSP material?
Got any CISSP notes?
CISSP Process Guide Notes PDF
Organized Sunflower CISSP Notes
The Core CISSP Concepts
Sunflower CISSP Notes Old Version
CISSP-Related NIST Documents
Got any copyright-free practice questions and study resources?
Does this site have a membership and Telegram group?
Thank you for your time in reading this article and watching the video.
I hope it helped.