My Passed Re-cap
First and foremost, I would like to thank everyone in the Facebook CISSP Exam Prep Study Group. What an amazing resource to explore different ideas and thoughts processes surrounding not only this exam, but cyber security in general. This debrief is a little long but I hope it not only helps others prepare for the exam, but become better cyber security professionals. Feel free to jump to the exam review, I won’t be offended but you will miss out on some KEY suggestions for studying. My purpose in the review is also to give you a sense of how things went for me on test day as to remove at least some of the mystique which is only heightening anxiety for many of you I am sure. I’m telling you what I wish someone had told me to make it a little less stressful.
I have been involved in information security in various capacities for the last 25 years. Currently, I am at the managerial level, but also perform vulnerability assessments and penetration testing (there is a difference and you should know that if you are a potential CISSP candidate). I just finished my B.S. in Business Information Systems/Cyber Security at a local college which offered a GREAT blend of business and Cyber Security to prepare me (along with experience) for this exam.
I was fortunate enough that my college’s course requirements literally mapped directly to each and every domain in the CBK. I had an entire semester for things like risk management, a semester for SDLC, software testing, etc. That said, I utilized the below material. I cannot stress enough to utilize more than one source because none of them offered a complete picture of what the exam exposed me to. Ie. Sybex 7th barely references SSAE16 Audits or SOC reports.
1. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition.
2. Eric Conrad’s CISSP Study Guide 3rd Edition.
3. ISC2 Official CBK 4th Edition.
4. Eric Conrad’s 11th Hour (I utilized this a few days before the exam).
5. Combined Notes PDF.
6. CISSP Summary v1.1 (aka The Sunflower Document).
7. Created my own Quizlet flashcards for every chapter in the Sybex 7th.
8. Kelly Handerhan’s Cybrary CISSP course (its free!). Highly suggested for last two weeks of review to get your mindset into exam mode.
For practice questions, I utilized:
1. Sybex 7th end of chapter questions – Good content, not too technical but enough for me to spot weak areas.
2. CCCure CISSP questions (on pro mode, not hard) – at times somewhat too technical but allowed me to focus in on weak areas as well assemble those details into a higher interworking concept.
3. CISSP Official (ISC)2 Practice Tests – Available in hardcopy or Kindle. If I had to pick one that contributed to my success on the exam as well as allowing me a high level of confidence, it would be this one. Well worth the $21 and was as close to the exam as possible (per their very own description of the book and I concur after taking the exam). The accompanying online test engine is the exact same questions as the book and is probably the best one out there in my opinion, although it does need some tweaking as I had a few answers correct, it listed that answer as the corrected one, but still said I answered incorrectly. Still, highly recommend. (have I said that enough yet folks?)
4. Keep in mind, NONE of these question banks will present you with questions nor necessarily ask in a manner you may see on the exam. If you’re just trying to memorize them, you’re going to fail, I guarantee it. Learn the concepts!!!
Roughly two weeks before my final semester in college (this past March) I began studying for the exam. I read completely both the Sybex 7th as well as Conrad’s 3rd, taking my own notes along the way. I cannot recommend this enough, to take your own notes. I do ok by typing them versus writing so I utilize Microsoft OneNote heavily not just for the exam, but in life in general as it allows me to cut/paste from pretty much all sources. Anyway, once I had read the texts, I focused in on areas that I felt weak on and really delved into those subjects. As many have said, the exam really is a high level exam so you should learn how all the pieces fit together, not just memorize numbers and ordering, etc. Once I completed the text reading and felt I had shored up on weak areas, I began taking practice questions. As I did, I had my notebook open and I would jot down what I needed to drill into more detail. This process was cyclical as I moved closer and closer to the exam, really allowing me to sharpen things in the most time efficient way.
The fact that I am listing this as a separate section in this de-brief should tell you how important I think it is. About two weeks before the exam, I took a simulated exam to gauge not only readiness, but endurance, which probably is a make or break it factor for many. I used the online ISC2 CISSP Official Tests noted earlier for this as it is the closest to the exam environment in my opinion. Sitting a 6hr exam is insanely trying, more so for the CISSP as it really is a tough exam so do yourself a favor and do some simulated exams. During the simulated exam, treat it EXACTLY as you would for the real deal. Don’t look at your phone, don’t open a book to check on a subject you’re not sure on, don’t look at Facebook or Twitter, etc. Take the simulated exams at the exact time you have scheduled your real exam for to gauge your fatigue and focus. I initially had my exam scheduled for 8am but after my simulated exam, I recognized I wasn’t at peak focus during that timeframe so I re-scheduled it for a 2pm exam, which in hindsight was the perfect slot for me. My point is, truthfully evaluate what works for you and adjust whether it’s scheduled time, pre-exam meals, etc. Take scheduled breaks as you would for the exam, utilize an already memorized note dump sheet (although I honestly never had to reference mine during the exam, I was that focused!), keep track of your time, etc. Get yourself into the mindset that you are actually taking the exam. My thought process doing the simulated exams was that if I wasn’t nervous for it, I wasn’t treating it as the real deal which I should be doing.
Exam Day (time to GET…IT…ON!)
The day of the exam, I was pretty nervous. I felt really confident that I knew the material based on my life-long experience, as well as academic dedication to the craft but I was still intimidated. I barely reviewed before leaving for the exam as I came to the conclusion if I didn’t know it by now, I wasn’t qualified enough to pass it anyway. It’s all about ethics and self-morals here folks as it should be in your career. I got to the exam center about 45 minutes early to allow me to settled down, pray before leaving my vehicle, and get my game face on. I won’t get into detail on registering in the test center and all of that as it is common and you have probably already read that elsewhere. I did bring water and some snacks to utilize during my break.
As I began the exam, I had to really settle myself down. Before even looking at the first question (although it was on the screen because you can’t dump before beginning the exam per the rules), I dumped my memory sheet to the one dry erase sheet they give you. Again, I never used it I was that focused during the exam but it was there just in case. Everyone has their own method to do this but for me, I just focused on the fact that I truly have prepared myself the best I could. The first 30 or so questions went rather smooth for me, then things seemed to get a little to very difficult for a while, and that process ebbed and flowed throughout. I can honestly say that this is probably one of the most well written exams I have ever taken, and I have taken a lot in my lifetime. There were no grammatical errors, I didn’t at any time feel as though it was a trick question or trying to frustrate me, etc. Either I knew the concept and what they were truly asking or I didn’t and even those I was able to dig into and eventually understand what they were getting at and answer it confidently. I marked probably 30 questions for review at ended up changing maybe 10 of those. I could spot maybe 2-3 questions that were beta questions, but the other 22 beta questions I had probably been exposed to based on experience. You really don’t know which are anyway but…I took a break after the full 250 questions were answered. I planned to do it at every 100 but I was in the zone and being a casual runner, channeled my “just one more mile” drive to push on. I took a 10-minute break to use the restroom, drink some water, eat a Cliff Bar and got back into the test room to review my flagged questions.
After the flagged questions, I started to review the entire test but didn’t want to second guess my already confident answers so I just ended the exam after flagged question review and hoped for the best. I completed it I about 4hrs. I admit, my heart was beating insanely has I hit ‘Submit’ and raised my hand for the proctor to escort me out of the room. I can still remember my hand shaking as it was hanging there waiting. Adrenaline was on high mode no doubt. When I got to the counter, she handed me two sheets upside down and said nothing to me. I had read that two sheets many times means you didn’t pass but as I flipped it over and read “Congratulations!” so it must have been a printer margin issue. I literally began a celebration move. The lady at the counter said “I guess somebody is celebrating this weekend!” and she was correct, hence the time it took for me to write this debrief.
• Study concepts, not questions and answers!! Be able to put it all together in your head as to how it works in the real world. As you are studying, picture you being in a managerial role and how you would use that method or concept or how it relates to something you’ve already done.
• Utilize test questions to support the above tip, especially the Official ISC2 CISSP Practice Tests (last time I will suggest this!). Keep in mind you won’t see ANY of them on the exam however!
• Truthfully evaluate your experience requirements for this exam. Many of the questions I would have not been able to answer had I not had the experience level I have in the field.
• It’s a tough exam, but to some extent I felt over-prepared. Don’t get in the mindset like I did that this is some enormous beast that is undoable.
• Be confident in yourself! I cannot stress this one enough. If you put the time in, have the experience, and understand the concepts you will pass.
If I had to explain this exam in one word, it would be “elegant” and I have a high respect for it, ISC2, as well as anyone who has passed it after going through the entire process. It’s a strange feeling but as I was taking it, it began to be a type of sparring match between them asking the question, and me maneuvering to prove I had what it takes to be a CISSP.
Lastly, thank you to my wife, friends, family, and team mates for the support. What an amazing ride and I assure you, once you pass, you will indeed feel like you have climbed a mountain! I wish everyone who has the dedication and passion to this craft the best of luck and wishes in preparing for the CISSP. I’ll gladly entertain questions via the CISSP Study Group Facebook site. I won’t, however, address any non-ethical questions. I had to do the work, put in the effort, and so should you. You owe it to yourself as well as the field of cyber security if you want to be a professional in it.