How Ed Spencer Cracked His CISSP Exam


This is going to be long and I apologize for that. The CISSP exam has been a 15+ year journey for me, and part of this is explaining that journey, and part of it is my study and test-taking methodology. If you only want the details, jump down to one of the section headings below; otherwise sit back, read up, and enjoy. I hope you get some good information from this and that it helps to put you on the path to an incredible career. Good luck, and remember to enjoy the journey.

The Story

I see a lot of different posts about how people ‘cracked’ the CISSP exam. While I wish I could do that, it’s not so simple for me. You see, I’ve always been an early adopter – I took the A+ Certification in April 1995 when there were no study materials and when I called CompTIA to ask about it, they said to read the Winn L. Rosch Hardware Bible as their best recommendation to help with the exam. BTW, that test was just a single test and 100 questions. In 1996 I was in an interview wearing my A+ lapel pin and the head of the repair department asked me what it was. It was a few years before people started asking for it and a few more before it became the default requirement for computer technicians.

That being said, over the years I’ve taken a lot of certification exams and have taught classes for a number of them as a Microsoft Certified Trainer for a wide variety of training organizations. For some, I’d study on my own and take the test, like A+ and CNA (Certified Netware Administrator). For some I’d sit the week-long class, ‘study’ for a week, and take the test the following Friday. This was because the training center would have us sit a class and then give us up to a week to study. I’d take the class, goof off for a week, study a little, and take the test on Friday so I didn’t have to sit in the office all week. For others, I’d be talking to someone and, just to prove a point, schedule the test that same afternoon to show it could be passed with only the knowledge I had gained while working, like I did with Network+.

So, when ISC2 announced the CISSP certification in 2001, you can imagine that for someone working in the network security field who loved security it was like a calling. In 2002, the first All-In-One CISSP Study Guide came out from Shon Harris. I bought this and the first Official (ISC)2 Guide to the CISSP Exam, which came out in 2004. I was working at Disney in the newly founded Information Security department and was active on the insecure.org forums, which led to my writing an article entitled ‘The Anatomy of a Security Professional’ for Information Security Magazine’s Logoff column in August 2001.

At this time, the test was a paper exam which was only offered at a few places here and there. It wasn’t long before I was in Huntsville, contracted to the Joint Program Office working on a system to do financial reporting for the Mid-Course Ballistic Defense project, and I still wasn’t near where they were testing. A short time later I was in Alaska and nowhere near where the test was offered. Along the way I picked up some other certifications, including taking the Security+ exam in 2003 while it was still in beta.

While in Alaska I worked in IT, but after I kind of got burned out, I took a year and a half off IT to work as a bartender and manage a bar. When we returned to Pensacola in 2006 I ended up working for a government agency which didn’t put much value in certifications. I did pick up my Enterasys Systems Engineer certification in 2010, and I worked on a lot of great security-related and other projects there, but when personnel changes gave me pause, I moved back into security as my sole focus, working on the same software I had worked with at Disney 14 years before, Tripwire. I took on a lot of other work at my new job and decided that I wanted to pick up some certifications. Below I’ll discuss my study plan, but it’s important to note that this is how I study. It’s what works for me. It’s a great way to build and learn a lot about something by attacking your brain with information in a variety of ways, much like long-distance runners will sometimes run sprints to help with speed. I always learn to understand the material to the point I can explain it to others and use it on my job. I’ve nearly always viewed certifications as a check box to prove knowledge I have largely obtained from normal reading and study for my daily work in the field.

The Study Materials

So, I’ll cover my methodology and recommended process to pass the test and we’ll start with the materials I used and recommendations based on how I used them:

Study materials:

  1. CISSP All-In-One Study Guide by Shon Harris.

     • You need a single book to use as your ‘core’ study material that will serve as the basis for your ‘intense’ study program.

     • This book should be PHYSICAL. There are reasons for this which make sense later when talking about study methods.

     • The core material hasn’t changed much in 15 years, so since I had access to other materials (see my study process later), I opted to use my 1st Edition which I bought in 2002. I HIGHLY recommend most people pick up the latest book because there are some areas that have more focus in the current book due to the changes in the exam.

  2. Safari Books Online

     • I cannot recommend this service enough. It’s been a HUGE help for me. Subscriptions are about $40 a month, but they sometimes run a special if you sign up annually (I signed up in 2015 on Black Friday for the annual subscription which was half price).

     • I used so many references from Safari Books Online it’s hard to cover them all:

       – I DID watch some of the videos in the series for the CISSP LiveLessons with Sari Greene.

       – I referred to the later publication of Applied Cryptography and a number of other books as well. My copy of Applied Cryptography was getting a little long in the tooth – about 20 years or a little more.

  3. org

     • This site is a part of CCCure.org and I bought an annual subscription.

     • I used this for both my CISSP and CISM so far. I have less than 60 days left on the subscription and depending on what I take on next, I’ll consider renewing.

  4. Other ‘Free’ sources

     • I mean legitimately FREE sources. Among these are white papers, DoD, NIST and other publications.

     • Consider signing up for various reading lists like SC Magazine that provide free white papers.

     • Look on SANS for white papers and on IBM for RedBooks.

  5. Book Darts

     • Less than $10 for 50.

     • GREAT for marking your stop points or items of note in supplemental reading.

     • I mention these because they make keeping track of information very easy and it’s a great tool not a lot of people are aware of.

  6. Other books I’ve bought over the years

     • Applied Cryptography

     • The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography

     • Internetworking with TCP/IP Vol. 1, 2, 3

     • CISM Study Materials from ISACA (I diverted briefly to take this test and study for about 2 months before I took the CISSP – a lot of overlap with Risk Management, etc.)

     • CISSP Practice Exams, 4th Edition

       – Used the ‘full’ practice exams to get me used to sitting and going through that many questions at one time.

     • CASP Study Guide, Second Edition (Sybex)

     • GIAC GSEC Study Guide All-In-One

     • I have a LOT of supplemental material… listing them all would be, well, difficult and overly time consuming.

THE PROCESS:

The process I use for studying involves intense study sessions and ‘general’ study/reading broken up like this:

INTENSE STUDY:

Set aside 1-2 hours each night, but only 4-5 nights a week

Take your ‘primary’ study source and start reading.

Highlight important phrases and concepts.

Take notes in a notebook dedicated to that one certification you’re working on – I like 8 ½ x 5 ½ notebooks for this (roughly A5 for non-US).

This process seems slow, but you’re focusing on the material, highlighting critical concepts and taking notes. This helps you to remember the material since you’re dealing with it multiple times. Actually WRITE the notes. Don’t type them out.

When you come to a book or paper they recommend, add it to a ‘general’ reading list.

ADDITIONAL STUDY:

From that ‘general’ reading list above (Bibliographies are GREAT to get more material to read), attempt to get all the items you can. I’m not saying buy every book, but with the Safari Books Online and other free sources, you will be surprised how many you can pick up and/or access. I’ve even bought books used off Amazon for pennies in some cases; mostly when I wanted a copy and couldn’t get it any other way.

Take one of these additional books or any book that seems interesting on the topic you’re studying and read it in your spare time.

THIS IS VERY IMPORTANT – DO NOT TAKE NOTES, HIGHLIGHT OR ANYTHING ELSE.

Unless you come across something so incredibly provocative you HAVE to make a note or plan to use it at work, don’t take notes. If you want to make a reference for later, I highly recommend BOOK DARTS. These fit right on the page, and let you mark the line and page quite easily. Now you see why I mentioned these earlier. I’ve been using these since they sold them at Borders and LOVE them.

The idea here is that you aren’t studying. You’re just reading. It’s not meant to be study, it’s just general reading of the material. Make sure you understand what you read, but don’t think of it as study. You’re coming at the material in different ways and in different depths to help with long term retention.

The idea is that you want to spend a little time in intense study, but a larger period of time in general information collection. If you read about PKI from a dozen sources, you’ll understand the concepts. If you add in a video or two it wouldn’t hurt – but VET YOUR SOURCES. Don’t just watch any random source on YouTube that thinks they can explain it. Look for legitimate sources like iTunes University which has college professors that have lectures online to watch.

If someone else is willing to pay for an actual course (like an employer), consider taking one like the CyberSecurity course at MIT, which has some of the best explanations of PKI I’ve ever heard in my life. Admittedly, it was being explained by Ron Rivest, more commonly known as the R in RSA, but overall it provided an insight and depth on CyberSecurity that truly took me to places I didn’t even realize were possible and gave me some core concepts that really solidified more than 20 years of working in IT, CyberSecurity, and InfoSec.

Basically, for the intense study, work through each of the sections in the book like this: if they talk about NIST SP 800-53, then download a copy and look it over, even if you don’t read it all. If they talk about FISMA, SOX, GLBA, HIPAA or something similar, then download and take a look at those. If nothing else, consider Google searches and look at white papers from companies that deal in compliance. I’ve read multiple white papers on compliance and the actual laws that comprise the different requirements. It was eye opening.

While this extra reading can seem like a rabbit hole, keep this in mind: if the material seems to get too deep during the general reading time, consider putting it down for a while, moving on to something else, and possibly returning later. The time that’s not intense study is meant to be just general reading without pressure or stress. Consider sources that cover the topic in a narrative way as well. For example, I read The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography again while studying for my CISSP to refresh my memory on cryptographic concepts. I also added ‘The Imitation Game’ to my Netflix queue (it’s a movie about Alan Turing, the man responsible for breaking the Enigma machine). Remember, this is about variety. Even if you just put a book in the john (W.C., loo, etc.) or pick something up on the train/subway and read it a few minutes at a time, the idea is to have other reading that’s NOT intense study but is helping to move you toward a goal. Don’t be afraid to have multiple titles partly read at any given point in time, and if possible, leverage reading you may be doing for work to help with study by shifting the topic you’re working on to match what you’re dealing with at work.

PROBLEMS UNDERSTANDING A TOPIC:

If you’re struggling with a topic, consider another source. Look for someone else who has explained it in another book. This is where Safari Books Online is a HUGE help. Consider watching a video on the topic, even if it’s from the old exam. I watched some of the videos on both the old and the new CISSP and let them run in the background while I was working on other items. Yes, I was only partially paying attention, but occasionally something would catch my attention and I’d watch more intently for a bit.

Note: Do NOT do this during your intense study periods. I suggest using music from the Baroque period for background while you study. This music has been scientifically shown to help with retention, recall, and generally help you to learn ‘faster’, and while there is a little debate on this, the studies were done on students, which applies to our use case.

PRACTICE EXAMS:

Practice exams are NOT a good judge of whether you will pass the test. Let me repeat that. Practice exams are NOT a good judge of whether you will pass the test.

Most people take the exams over and over until they pass. Seeing the same question over and over again does NOT help you to understand the material, even if they shift around the answers. You’re just learning the answers to those questions which I can almost guarantee won’t be on the test. But it doesn’t mean practice tests aren’t a good study and preparation tool.

I have the CISSP Practice Exams 4th Edition. I took the full practice exam just once a few weeks out because I wanted to know how I was doing and to get a feel for answering that many questions in a single sitting. I didn’t care if I passed or failed, I wanted to see the areas I was weak in. I wanted to look at the questions I didn’t understand and study the concepts a little more closely.

I also used a number of others, including the freepracticetests.org site. Normally, I prefer to take short tests of only 10-20 questions at a time for review of a specific topic. I ignore the answers, look to see if I know the answer off the top of my head, and then see if I can explain my answer in relation to the question. I then answer the question on the test and look at the explanation. My explanation should be similar in its conclusions, but not necessarily in how I arrived at them. (Remember coming at the material in different ways?)

It’s important to note that if you have a setting for ‘only use unanswered questions’, it can help you get more accurate about what you know and don’t know. But since they can’t use questions from the actual exam, you have to know that the actual questions may be very different, though the concepts and ideas won’t be.

BRAINDUMP SITES:

I cannot stress this enough: do NOT use braindump sites. If you know the material, the test is easy. If you use braindumps to pass, you don’t have to understand the material. You can either study before the certification or after, while you’re trying not to screw up on the job and avoid getting fired because you were able to fake your way through the interview. And remember, those questions on braindump sites are put up by people who violated the NDA. Violated the ethics clause of the CISSP. And they’re actively cheapening the certification by allowing people who don’t know the material to pass. Using them is also a violation of the ethics clause. Do NOT contribute, read, study from, or use braindump sites. Paraphrasing The Waterboy’s Mom, “…. grumble grumble grumble…. Braindumps are the devil…. Grumble grumble….” Using them can land you in hot water, including having your certification(s) taken away, and in some cases banning you from holding any certification from that organization for LIFE. They’ve done this before with Cisco certifications and I’m sure others. If you want to be shamed, have your certification stripped away, and likely tank your career, by all means use them. But it’s much easier to just learn the material from valid sources.

MOST IMPORTANT THING:

Remember to sometimes stop, relax, unplug and take some time away from the books. I took the CISM exam on December 10th, and left for the Florida Keys on vacation the next day even though I wanted to take the CISSP sometime late last year. Because of the availability of testing centers and work projects, I had to push my CISSP exam out to January 11th, but I STILL TOOK THE TIME OFF FROM STUDYING.

Treat your brain like a muscle. It needs time off to recover and build itself up. It needs a variety of different exercises to handle all the work expected of it.

Remember, you can push yourself really hard and pass the test. But if you take your time and hit the material in a wide variety of ways, you may find that you retain a lot more of the material for the long term. You’ll have a better understanding. The CISSP credential may get you an interview, but the KNOWLEDGE and UNDERSTANDING will land you the job.

BTW, if you’re wondering, I finished the exam in 2 ½ hours. That’s roughly 100 questions an hour I’m able to read, comprehend, and answer. That’s because the material was well covered in my readings and work and I was able to answer and move on.

TEST TAKING

My test taking strategy works like this:

  1. Start at the beginning and answer as many questions as you can.

  2. If you find yourself stopping or struggling, flag the question and move on. The goal is to move through as many questions as possible while you’re still ‘fresh’.

  3. This also gives you a feeling of accomplishment so you aren’t second guessing yourself on a single hard question right out of the gate.

  4. When you get through them all, go back through and review the flagged questions.

  5. Sometimes material you read earlier will jog a memory of material.

  6. If you find yourself burning time, move on and leave it flagged.

  7. Once you get down to a small number of questions you just have no idea, answer the best you can and move on.

Remember, there are 250 questions on the exam. A passing score is 700 out of 1000, or 70%. It’s important to know that not all questions are weighted the same and that a number of the questions are ‘test’ questions for them to consider in the future (25 is an often quoted number). That means that you have roughly 67.5 questions (evenly weighted) that you can get wrong. If you have 3 questions you can’t answer at all, but all the others you answered easily or with a little thought, you shouldn’t worry and fret. Remember, by the time you’re sitting the exam, you either know the material or you don’t. You can’t waste time second-guessing yourself and wondering about that one question you just couldn’t answer.

My first pass had me completing all but about 30 questions or so. I went back through and was down to 3 or so. I guessed at these and submitted my test for scoring.

There is lots of ‘help’ for multiple choice exams, but here’s a refresher.

  1. 1 answer is the ‘right’ answer

  2. 1 answer is the distractor – close to the right answer in phrasing, wording, or has a minor tweak to make sure you read closely.

  3. 2 answers are normally not even close.

  4. If you don’t see this pattern, the question either lends itself to more distractors (like ‘which part of the CIA Triangle does this apply to’, which would have 2 distractors and be obviously the case), or you simply don’t know the material well enough.

  5. You should see this pattern, even in the practice exam questions.

When you think you’re ready, set a date, schedule your exam, and stick to that date. I had a hard date on the CISM. I set myself a hard date on the CISSP. I wasn’t done with the book, but I was more than ready for the test because of the work I’d done and the way I go about studying. And make your declaration of a date public. Saying and writing the date publicly puts pressure on you to make it happen.

WHAT’S NEXT?

I’m taking 2 more certification exams in the next 4-6 weeks. If all goes well, I’ll complete close to a half dozen certifications in a period of 90 days. This works by layering certifications that have areas that overlap and dedicating the time to make it happen. The certifications are CISM (Dec. 10th), CISSP (January 11th), with CASP and ITIL within the next 30 days. GSEC, AWS, TOGAF, Tripwire, Splunk, and others are on the horizon. If you want to earn multiple certifications in a period of time, consider mind mapping them or putting them on a matrix to show the areas where they overlap so you can speed your study. This is where the study methodology I use really pays off.

FINAL WORDS:

This was a previous post I made with studying recommendations for someone, which was covered on the Study Notes and Theory site/Facebook group, and you will find that my recommendations above aren’t far from the process I actually follow myself:

I’d go through the Shon Harris book again… only take notes as you go through it to reinforce the information. Use those notes as reference material and review them once a day. This means you’re not just listening/reading, but also listening for what’s important and then writing it down. It reinforces the information in multiple ways.

Also, consider reading security-related materials not aimed specifically at the test. Immerse yourself in the industry. Consider reading books dedicated to singular domains like Applied Cryptography by Bruce Schneier. General books like the multi-volume Information Security Management Handbook are another option (7th Edition is current on these… and last I checked there are 4 volumes).

When you go through a practice exam, read the question and then stop. Take each answer and say not only which is right, but why it’s right AND also why each of the others is wrong. It means you need a higher understanding of everything, not just what’s right.

Get the latest book from ISC2 on the exam. It’s the only book out that’s been updated to the new materials that I’m aware of.

These techniques are a bit extreme and push the limits but they’re cheaper than paying for the exam again. And some of the books can be ‘rented’ through Amazon’s Kindle or something similar.

-Ed Spencer