How Kevin Cracked His CISSP Exam
Exam done and time to reflect on how and what it took to get to this point. For some who do the exam it is fairly easy and straightforward, but if you're like me, it's a marathon and far from a sprint.
When using study groups, Facebook or any platform, the first thing you see after announcing your success is "Tell us what you experienced, how were the questions, any tips, etc." I know, because I was one. So first off, when it comes to questions, regardless of what I or anyone says, it's unlikely to help you at all. ISC2 has such a huge test bank that the chance of you getting the same questions as I did when you write your exam is exceptionally small. I also did the exam 3 times, and each exam was different: the 1st attempt was very technical, lots of tech-related stuff and minimal management-type questions, but enough to not pass.
The 2nd was mixed again, but what I do remember is that after finishing it felt like a Domain 8 exam with a focus on SDLC only. The 3rd attempt was a true management-perspective exam, like everyone talks about when discussing it in the various forums.
Does this experience help anyone plan for their exam, or what to focus on? Highly unlikely. So then how can I help? I'll tell you briefly about my journey, my mistakes and what did and didn't work for me. I do need to reiterate: this is what did/didn't work for me; you need to find your own strategy to conquer it.
My background is 25 years in IT, technically related IT, and for CISSP that's exactly where the problems started. Trying to remove the tech hat when doing the exam is difficult but absolutely required. 1st attempt: my preparation was very poor; I assumed it was like any other exam. I wasn't on many forums and only just before my exam discovered Discord, but I said "it's like any other exam, should be fine". Big mistake. For prep I did the official ISC2 online training and the official ISC2 CBK... Unless you're a really experienced security professional, this is far from enough.
2nd attempt: bought Sybex and wow, immediately saw the contrast in material between this and the official CBK. By now I was fully involved in Discord, as this was growing fast. Signed up to Study Notes and Theory, got Cybrary videos, did Mike Chapple's CISSP training on LinkedIn, downloaded all sorts of NIST documents and really prepped, focusing a lot on the 3 domains that I fell short in on the first attempt.
In the few days leading up to the exam I didn't have a good time (personal) and shouldn't have done it, but I was fed up with study and just wanted it done. Was really confident going in, even though the lead-in to it wasn't the best. I had really put a lot of effort into my 2nd attempt, but I failed miserably. I was successful in 2 domains, so an absolute shocker given the effort.
3rd attempt. Took 3 months off to focus on something else, as I was really fed up with CISSP study, but also said to myself: what else can I do to get this certification? I also realized after the exam that I really needed help to get that manager's hat on and really have a different way of thinking in the exam. I mean, this is what everyone keeps talking about, but I knew that's what was missing.
I then signed up to an online session course with Brandon Spencer (CyberActiveSecurity), having found a short CISSP crash course session he did; the man spoke my language and was exactly what I was after. So I built my next attempt around his 8-week training session (self-paced): 8 weeks for the course, then another 3 weeks after that to focus on topics that needed extra attention.
This time I also opted to get the AIO study guide from Shon Harris (RIP), added Luke Ahmed's "How to Think Like a Manager", which was due out soon; Wentz Wu's "Effective CISSP" was also due, so now I'm just getting everything I think I need to nail it. I signed up to a 1-on-1 session with Larry Greenblatt (InternetworkDefense), got all my NIST, ISO and GDPR docs, and now I was ready to start. "I'm going to nail this", I said with a determined inner head voice.
8.5 weeks in, all is going well, study is good, scores are not bad and climbing every day, so very confident, and then just out of the blue, for no reason, test scores drop to like 55-60, managed the odd 65, and I'm like "wtf is happening now"... Confidence blown, study all but stopped, and I'm like, what now? So I took a deep breath and a few days off. No study, no questions, just contemplating what now! After 5 days off I said, let's get back on the horse and go for it, almost there. Got back into the groove again, scores improved and confidence slowly started to return. Did my 1-on-1 session with Larry G, which again highlighted more areas that I wasn't strong in (confidence still shaky).
Those topics became focal points in the final days and I was now sort of ready to do the exam, but determined to give it a go anyway, and YES, success. I didn't know I was successful till a few hours later, as the printer at the test centre was broken and I had no way of knowing if I had passed or failed.
The stress continued for 6 hours post-exam, after emails back and forth with ISC2, and then I finally got the provisional pass email through... Huge relief, even at 2am when the email came through. Below is the list of resources used throughout my journey and then some final comments.
First, 3 notable mentions and recommendations. These guys, in their own way, are very much part of my success, so a big thank you to them.
Brandon Spencer – CyberActiveSecurity – Self-paced sessions, with a weekly live 1-hour session to follow up on that week's topics. Brandon's enthusiasm is infectious and helps drive that desire to be successful. He will be planning more interactive sessions for his future courses.
Luke Ahmed – StudyNotesandTheory – Particularly Luke's book and all his SNT site's test questions. These are the closest you may get to anything resembling the exam. His videos and advice on how to learn CISSP are invaluable.
Larry Greenblatt – InternetworkDefense – The 1-on-1 session was great; it gave a different perspective on thinking and really dived into the technical way security works. Larry also has 5-day crash courses, which are either live or available as downloads.
All of the above helped get that "Think like a manager" hat on, which I really needed, so again, thank you to them.
Official ISC2 CBK
How to Think Like a Manager
  - AIO – good if you have very limited security knowledge and need more explanation
  - Sybex – good if you have some security knowledge
  - ISC2 CBK – only good if you are already a security expert
Study Notes and Theory
Wentz Wu's & Adam Gordon's daily questions
Official ISC2 (on their site) – pretty much anything I could get my hands on
CyberActiveSecurity – Brandon S
Cybrary – Kelly H
Mike Chapple – LinkedIn
Countless YouTube stuff
Documents: NIST, ISO, GDPR, HIPAA (anything I thought may help)
Final thoughts and comments:
Are all of the above resources and effort really needed to pass CISSP? Absolutely not. Mine has been a long journey with poor advice, too many assumptions and not finding the right things that work for me, but that's what I ultimately ended up using at some point.
NB: The CISSP exam goes beyond the study materials available, so you have to learn from external resources. Do not rely only on study material unless you're a security professional already - sorry ;)
This won't be a popular comment, but if you have many distracting sources like Discord, Telegram, WhatsApp groups etc., stay off them unless you have a specific question that the group can answer. They are very distracting and you end up spending way too much time on them instead of learning. Not everyone on the other end actually knows what they're talking about, and you end up with wrong information. You may pick up tips from them, but they're very few and far between. For my 3rd attempt I completely avoided all of these.
When you're studying and find you're distracted by a YouTube cat video ;) or some other distraction, just tell yourself "This will not help me pass my exam" and get back to studying.
Prior to the exam, if you can get a few undistracted days then do it, meaning if you can write the exam on a Tuesday and can get the Monday off, then you have 3 days uninterrupted to study and focus. It's a good combination in my view.
In the exam I had advice from Brandon: "take breaks". I didn't when I planned to, then hit a couple of difficult questions, and as I was already fried from concentrating, this really threw me off for the next few questions. So I wish I had stuck to the game plan and taken that break as planned. I also wrote down in big letters "THINK LIKE A MANAGER" so I would always see that when I had a question that needed additional re-reading and thought.
Remember: test scores are not a gauge of your knowledge, so don't focus on getting 80% every time. It's more important to understand the answer, and even more important that you understand the concept of the topics you're studying and how everything works together. Luke, Brandon and Larry always try to instill this in anyone who uses their materials and courses, and I absolutely agree 100%, as this is how you will pass. Kelly Handerhan's (Cybrary) advice "stay out of the weeds" is also very true. All the instructors have YouTube or videos on their sites for exam-taking guidance; definitely review them.
CISSP is not a 1+1=2 exam. It's 1+1, and then it depends on which hash algorithm you used, how that was then encrypted, which tunnel/route it passed through before arriving at the recipient, how he decrypted and verified it, and the answer is most likely still wrong. Why? Because you didn't get management approval.
I’m on Study Notes and Theory's FB page and can answer questions if there are any.
Good luck to everyone.