Time to pay it forward! Recently, I passed the CISSP exam on my first attempt. I was pleasantly surprised to be endorsed, certified, and awarded my full CISSP within three business days, a timeline that was unheard of before the COVID-19 lockdown. I am listing the mindset, timeline, resources, and end game strategies I used during my six-month sprint. I hope this helps someone who is just starting their journey to attain this highly respected certification.
Mindset: For technical folks it is very important to stay out of the weeds. One could spend days studying encryption algorithms in excruciating detail or get lost in the details of a specific application-level security mechanism. The most helpful advice I received from various successful security practitioners was to think like a high-level manager. You play the crucial role of a risk advisor for your organization. This exam is not about reconfiguring firewall ACLs; it is about fixing the process that allowed the technical control to break in the first place. Your battle cry should be these three things: (1) think end game, (2) do not fix, and (3) be a risk advisor.
Timeline: After wrapping up three certifications (Security+, AWS Solutions Architect Associate and AWS Security Specialty) in six months, I had my eyes on CISSP. I ordered all the resources listed below but never got to them for a couple of months, as I got distracted during the holiday season by family commitments. I really started to dig deeper and focus after the new year. My exam was originally scheduled 90 days out, but due to COVID-19 it got rescheduled three times before I was finally able to find a date in June 2020. One way to force yourself into action is to book the exam first. This is an expensive test with rescheduling fees, so having the end date on my radar forced me to buckle down and get serious.
Testing Day: This was exactly like the several hundred articles I read. I studied heads down four to five hours a day on weekdays and around 10 hours a day on weekends. I never felt ready, and neither will you.
Do not wait to be 100 percent prepared. That day will never come. My goal was to take the last 24 hours off with slight revision, but I ended up studying till 9 p.m. the previous night. I got to the testing center an hour early and was surprised to find it pretty much empty. Due to COVID-19, I was asked to keep my mask on the entire time. I said a little prayer before starting the test and completely shut everything out till I finished. The test was hard but fair.
It did not try to trick me. It forced me to draw on my work experience from different scenarios. When the test ended, I felt like I had failed and was mentally preparing what I would tell my family. They had spent months supporting my hectic work and study schedule. Failing was not an option, but I can't control the outcome, only my work ethic. Will I wait just 30 days before I attempt the test again? Is it worth blowing another $700 with no social life? Do I wait another three months and, most importantly, how long am I willing to stay in this intense study mode? With all these thoughts racing in my head I stepped out, and the front desk person took their time to verify my credentials and give me the printout. I was extremely happy to see the word Congratulations on the printout. I could not believe it, but at the same time I could. It was a true race condition of emotions (CISSP folks will understand this inside joke). I felt like a huge weight had been removed from my shoulders and I could breathe again.
Books / Guides / Websites / Forums:
· Shon Harris, CISSP All-in-One Exam Guide (AIO), 7th edition
· Sybex CISSP Official Study Guide, 8th edition
· Eric Conrad, Eleventh Hour CISSP
· Discord CISSP group: https://discord.gg/certstation. Great resource to brainstorm ideas, defend your answers and learn from a group. I used this to my advantage and logged out when I got overwhelmed. Your mileage may vary. It is active 24/7, so you will have someone to brainstorm ideas with no matter when. It forced me to work harder knowing there is always someone working 10x harder than me.
· CISSP subreddit: https://www.reddit.com/r/cissp/
· Memory Palace by Prashanth Mohan: great last-minute reference material
Online video courses
· Kelly Handerhan Cybrary CISSP course: Used it heavily in the beginning when it was free. This is no longer the case and it now requires a paid subscription. This was my foundation; I probably went through this course three times. Her "Why you will pass the CISSP exam" YouTube video is a must watch. She puts you in the right mindset of a risk advisor. I watched it right before I walked into the testing center.
· Luke Ahmed Study Notes and Theory: This was my bread and butter, and I probably spent the most time here. Luke's videos are in-depth and he does a great job of giving real-life examples. I watched all the videos twice. He is a phenomenal trainer and truly brainstormed several exam strategies with me via email. He personally took time to coach me on this journey, and his paid subscription is worth the money.
· Adam Gordon ITProTV course: Adam has two CISSP courses, an accelerated one and the full version. The former runs approximately 30 hours and the latter around 90 hours. Pick what is right for you. Adam is great at explaining concepts and has fun doing it. Adam wrote the Official CBK.
· Mike Chapple LinkedIn Learning course: This was part of Lynda.com and has now been migrated to LinkedIn Learning. It was truly fantastic. The videos are short and to the point. I used it at the beginning and during end game to reinforce concepts. Mike is one of the co-authors of the Sybex 8th edition.
· MF Prod on YouTube: These are a little dated, but the content is spectacular. The trainer takes several deep dives into core concepts, and I listened to them during long walks.
· Thor Pedersen's CISSP bundle on Udemy: To be honest, I did not watch this till the last couple of weeks; it had been sitting in my Udemy account for a year. I was so glad I got into it, as Thor has a great skill for teaching hard concepts in an easy-to-understand way.
· Destination Certification channel (Rob Witcher): Rob is a phenomenal trainer and pumps out mind map videos. His Kerberos video is one of my favorites and breaks things down very well.
· Larry Greenblatt COVID-19 bootcamp: Larry is an OG CISSP trainer with tremendous in-depth knowledge of the core concepts. I was fortunate enough to attend his free online bootcamp. His Spock vs. Kirk videos and end game strategy videos on YouTube have stood the test of time. They put you in the right mindset.
Practice Tests: Before you even read further, please understand that unlike other certifications, you cannot base your readiness purely on practice test scores. I probably did somewhere north of 6,000 practice questions, but use them primarily to understand concepts and dig deeper into your weak areas. I stopped testing three weeks prior to my exam to start seeing the bigger picture. Does this work for everyone? Absolutely not. Please do what works best for you.
· CISSP Official practice tests: Used heavily to understand different topics
· Sybex 8th edition tests: Used moderately
· Boson CISSP practice tests: I started with these to establish a baseline before opening a book or watching videos. They are great for understanding not only why one of the four answers is correct but why the other three are wrong. Use this as a study resource and do not worry about scores.
· Study Notes and Theory tests: These are extremely difficult. I truly wanted to throw my computer out of the window, but they forced me to dig deeper. Again, do not get overwhelmed by the complexity. Luke will force you to think outside the box, and it will only make you better.
· Shon Harris AIO practice tests: Great for understanding technical concepts.
· Kaplan tests: These came bundled with IT Pro TV Subscription. They were great and helped me narrow down Domain 3, 4 and 8 concepts.
· Official ISC2 iOS app: Great set of questions to put you in the right mindset. I did not finish them fully.
· Destination Certification flashcard app (iOS): Great resource to quickly revise concepts and terminology.
End Game Strategies:
· Pick a date and book your exam. Work backwards.
· Think like a risk advisor and not purely technically. This is a management certification.
· Learn concepts deeply and do not memorize. Learn as much as you can about Risk Management Framework, Disaster Recovery, Incident Response, SDLC, Cloud, NIST frameworks, Cryptography.
· Learn by doing: Have a friend or spouse who is not technical listen to you explain what Kerberos is or why security should be job zero during the SDLC. This will force you to think at a high level and explain security risks to the C-suite and management.
· Do not get caught up in the weeds or chase squirrels. Your goal is to pick the right answer and not fight the test. Watch Larry Greenblatt’s CISSP mindset video for more on this.
· Last but certainly not least: Do not compare yourself with others; have patience, focus and perseverance. This is a marathon and not a sprint. Whether you pass at 100 questions in 60 minutes or 150 questions in 180 minutes, you are still a CISSP. Take your time to center yourself before the test and leave the rest up to your training and a higher power.
You can check out my entire LinkedIn experience here as well: