How Deepti D. Cracked Her CISSP Exam!
My CISSP Journey
Last month I cleared the beast of the exam that CISSP is. I started preparing in Oct end last year, with the aim to write the exam sometime around February 2020. I had travel plans for March, and I wanted to get done with the exam before that. Some background about my experience, I had worked in Security Governance, Consulting and Audit throughout my security career of 10 years. While I have a computer science engineering degree, I had no experience in the most crucial domain of network security. I dreaded it to say the least. So in Oct I enrolled myself in Prabh Nair’s weekend classes, and started reading Sybex at the same time. While I was unable to keep up with Prabh’s classes, I was very rigorous with my Sybex reading. My preparation gathered momentum towards the holiday season and I was doing fairly ok in all tests around Jan end, I booked my exam for 24 th Feb, when life happened and due to some personal issues I had to give up my preparation in Feb beginning. I was almost there, however just was not in the mental state to write the exam. I decided to pick up again in April, and be done with it sometime in May/ June. However, 2020 was not a year of plans as we all know, and my vacation to India became an extended stay and all preparation was on hold for the next few months.
I did however kept reading the Sybex during this time, but with much reduced rigor and focus. I started preparing again in Aug’20, and I realized few things- Reading the material end to end helped a lot. Even after this much gap, I still remembered the concepts. By now I had already gone through Sybex at least thrice- every chapter. The more you read the more clear the concepts get. I referred to Shon Harris for areas that needed more explanation. By now I had also joined SNT, and Luke’s videos are GOLD! Especially for a very concept driven and technical domain like network. I went through those videos multiple times, so much so that I knew the examples/ tidbits he included in his narration (like when he was chewing gum during recording and his wife suggested not to..lol). The best part about SNT is- the very concept based approach Luke has taken- every single concept is related to CIA and risk and
he stresses so much on it throughout that looking at things from a risk and CIA perspective becomes second nature to you while going through the material.
Towards the end of my preparation- around Oct mid- I had read Sybex end to end almost five times! Had gone through Prabh’s and Luke’s videos multiple times, had taken almost 5000+ questions. In the last two months I studied almost 6-7 hours a day, with almost 12 hours each day for the last two weeks. But this is by no means a reference to how many hours one should put in- every person’s concentration and absorption ability differs. I lack concentration- and that was a real struggle throughout.
Key learnings from the exam:
1. This exam really enhances your knowledge given its breadth and coverage. Don’t be in a hurry to get done with it. Yes, stick to timelines, but try to make the most of this by really understanding the material. At the end you will really emerge a better security professional and more in love with information security if you have studied in depth.
2. Try to understand the concept and explore multiple resources. Having said that there is no dearth of resources available- identify what suits you best (books, videos etc.). I would highly recommend one main book + one supporting reading material, aided by videos and other stuff available online.
3. Try finding a study partner. I realized the value of this very late. Join any of these telegram groups and get in touch with people writing the exam around the same time as you. The material is so vast and it is difficult for one single person to have experience across all domains, and this is where discussing concepts with fellow CISSP aspirants really helps.
4. The study groups- like the above telegram groups help a lot, otherwise too. People post questions, and a lot of concepts are cleared just by attempting those. Sometimes it is a very good way of revision, because it forces you to refer to concepts/ topics you think you have already covered and understood.
5. Identify your weakest domain and over prepare it! For me it was Network Security, by the end of it, I had kind of memorized Sybex Chapter 11 and 12 (Network Security). The challenge with this domain is that it is very technical and beyond a point it becomes difficult to understand things if you have no real life experience. However, I realized that CISSP will never test you on very technical stuff. So identify the key areas, and try to go through as many sources as possible till you think you have internalized the concept. For Network Security I used Sybex, Shon, Prabh’s videos, Luke’s videos, internet articles and other YouTube videos. Aided these with questions (from sources mentioned at the end)Just to add, I got minimal questions from this domain in the exam! Over preparation worked!
6. Do as many questions as you can! However be careful as to which sources you are using. With CISSP gaining lot of popularity off late, there are multiple sources available for questions, but a lot of these are not very trustworthy. So at times what ends up happening is we end up spending valuable time on these with negative impact on our understanding of concepts. So stick to reliable sources of questions.
7. For all the process related topics, read from multiple sources and make your own notes. For something as simple as security incident management, knowing the logical flow of steps is critical, and unfortunately the process steps are not uniform across books. These are the kind of topics I read from multiple books (Sybex, Shon, CBK, Videos). Also, I kept updating the handmade notes with additional information as I studied, so towards the end, all key things were in one place- very handy during the last few days when you are in the revision mode.
8. And last but not the least- analyze your tests- each and every one of them. It’s a tedious process, but one of the most crucial. It’s the only way to take best advantage of good question sources- like Luke’s. I made a mistake of not analyzing my wrong answers for a lot of his tests in the beginning. A lot of concepts can get cleared just by analyzing your test attempts.
CISSP is a test of resilience, grit and new experiences- It made me do things I had never done before- like making notes in my native language! (It helped! writing in the language I think in) After postponing my exam multiple times, I finally wrote the exam on 26 th Oct’ 20. Took a week’s break from work. Stopped studying a day before (dropped a topic I was still struggling with- XSRF and Cross Site Scripting!, and left it on luck..:)), had a good 8+ hours of sleep. Reached the exam center almost 45 minutes in advance. Since it’s an adaptive test, some successful candidates had shared that spend good amount of time on the first 30 questions- so did that. (Be conscious of time, I think I messed up in time management)
Was totally unsure while answering the questions, because honestly I found most of the questions difficult and the last two options were pretty similar for almost 75% of the questions. Don’t think about the question answered after clicking next, time is a pretty crucial factor. Finally the exam stopped at 100 questions, with almost 45 minutes to spare.
a. Sybex (Main reading except for domain 3 and 8, though I did go back to Sybex for Physical Security),
b. Shon Harris (selected topics)- Basically any topic where I needed to dig deeper- referred to Shon ex: (EAP, 802.1x, IPSec etc.), Access Control Types, Cyber Kill Chain,Kerberos, TPM and many others
c. CBK (selected topics)- For very selected topics, picked this only towards the end.
d. Eric Conrad Full (for Domain 3 and 8) and
e. Eric Conrad 11 th Hour (for revision)
f. Google for few topics like COTS, GDPR, Cloud etc., which are not covered in detail in any of the books above
2. Memory Palace and Prabh’s final notes for revision+ my own notes. Memory Palace is a really good document for revision.
3. Prabh’s, Luke’s Videos and Kelly Handerhan’s Cybrary videos and limited topics from other videos on YouTube.
a. Luke’s videos on Network security, Oauth, Open ID, Kerberos, ICS were specially very helpful.
b. Kelly’s videos are pretty high level- but good thing is they are short- and help remembering some key stuff.
4. Luke’s blog on weak topics (Ex- Due Diligence and Due Care!)
5. Questions: Sybex Main book, Sybex Question Bank, Shon Harris Total tester, Shon Harris
Main book, SNT all question sets, all questions from Prabh’s classes, CISSP Examprep,
BOSON Test Engine, ITdojo (limited questions) almost 80% questions from the Telegram
groups (if the Group is active this can be a very good source because this would come with
good explanations and discussions that follow)
6. Kelly’s video “Why you will pass CISSP” the night before. It’s effective!
Few other imp points
1. They say it’s a management exam and not a technical one- which is true to some extent. However, thing is that some management decisions can only be made if you are aware of the underlying technical details. So yes, I did not get any so called direct technical questions in exam- I realized that you need to be thorough with the course material (including understanding of ALL in-scope technical areas).
2. Time Management while writing the exam is critical. I never thought too much about it till when I was actually writing the exam. You would not want to rush through the questions at any point, so plan for it in advance and ensure at any point during the exam you have at least one min per question remaining.
3. The exam does not give you any assurance at any time that whether you are moving towards success of failure! I think that’s how it has been designed. I was totally unsure till 100th question if I was answering correctly or not. So do not get stressed by that- take one question at a time, keeping time in mind and keep moving!
4. Go through as many peoples’ experiences as you can/ want but in the end develop your own strategy. I realized after reading many stories like this and speaking to people that what works for others may not work for you, life everything else in life! So design your study plan based on what works best for you. But do create a rough plan of how you would want to study. I did not! and realized later that better planning could have saved me some extra effort.
It was a very fulfilling journey overall, and I am glad that I came across people like Luke, Prabh, Anosha, who are doing a wonderful job of really advancing the profession by being of great help to CISSP aspirants.