
How to Come Back From CISSP Failure


Just the fact you even took the exam is an achievement by itself. Be proud of just this accomplishment regardless of pass or fail.

The CISSP is an elite exam known to only a few, as security is still a small sector in the overall information technology industry. I know sometimes in the Facebook group it feels like everyone is passing their exam except you, but it's only because you're surrounded by those on the same mission as you.

Do you really think your friends and family understand asymmetric encryption? Do your cousins know each layer of the OSI Model? Do they know anything about the techniques to secure data in use (access control & encryption)?

Probably not.

But you do, and you have taken an exam which tests you on it. Exams are supposed to test the boundaries of your knowledge of the subject matter. The CISSP, however, goes beyond the boundaries of the books and tests your grasp of concepts across the whole field of information security. It's a tough exam which requires a special person just to attempt it.

This blog post is just meant to let you know that failing the CISSP exam is not a negative; it's a milestone in your life. If you want some general steps on what to do after failing the exam, check out this link:

The exam is not meant to test your knowledge of the books, but your ability to apply that knowledge in the real world. And even that is not enough. Yes, it is a high-level exam, but it also requires technical knowledge. You're not going to get a question on how to configure an IPsec VPN, but you will be expected to know which security properties it is meant to uphold. If you know exactly how to create crypto maps, tunnel-groups, and ACLs on a Cisco ASA to bring up a VPN, but don't know that it exists to provide confidentiality, integrity, and authentication, you will fail the exam. You can say the CISSP is a business exam with technical language.

What I'm trying to say is that the CISSP is a tough exam, and you took it. You didn't pass. Maybe you didn't pass twice. Or three times. You're not the only one. People have passed on their fourth, fifth, and sixth attempts. What would make a better (and expensive) story? Someone who passed on their first attempt? Or someone who passed on their tenth?

Failure builds the constitution of the security professional.

In order to face our adversaries on the Internet, we have to face our own adversaries first. As for the security industry, let's put it this way: some of the best CISSPs I know failed their exam once or several times. You never know when a hiring manager would rather take someone who has come back from failure instead of a superstar security professional. Sometimes life is funny like that.

It can feel crushing at first, but if you have the right attitude, all it takes is adjustment. Right now you have an advantage: you know what the new CAT exam is like, and you can more accurately pinpoint your weaker areas. But just because the score report says an area is weak doesn't mean it is your actual weak area. The whole exam is conceptual, drawing from all domains, the higher security picture. So if you scored low in, for example, the Security and Risk Management domain, you may simply have missed some of the big concepts while getting the smaller, simpler questions right. To adjust for this, all it takes is consistent reading from the ISC2 book, the Sybex, the Shon Harris, or whatever else you can find.

At this point you have to ask yourself "Did I do everything in my power to make sure I ate/slept/breathed CISSP before my exam?" It takes nothing but 100% pure dedication and focus in order to pass.

TV time, lunch time, socializing time, or family time - all this must take a backseat to CISSP time. It's only for a few months, after which you can live the rest of your life working a job you actually want to do your whole life.

If you feel you did all of the above, then go even more intensely at it the second round. If you are part of our Facebook Group or Telegram group, utilize it. Harness the energy from the members and keep up with the conversations while also asking and providing your own comments.

If, before the exam, you just took and took and took all the CISSP information and answers to your questions from other people, then it's time to switch things around and start giving back. Time to give back to others who have questions of their own, the very same ones you might have had. When you are able to explain something to someone else, it not only reinforces your own knowledge, but may provide the insight you need to make a connection to another CISSP topic.

I would also recommend this document if you haven't used it already (along with the Memory Palace and Sunflower Notes):

On the CISSP exam you have to think like a manager. Managers don't fix the immediate issue, they fix the "process". In order to fix the process, you have to know the process. The Process Guide is by no means an official list of processes, no official/unofficial document provides that. It's just the general steps and some things to glance or skim through as you supplement your other studies.

Bottom line, if you know the process you know how to fix and recognize it when it's broken.

Studying and talking the language of the CISSP really is something that must be attained before the exam, so that you can adapt to the language of the exam. Here is another thing I can suggest: attend security conferences and seminars, or view them online. There, you will be surrounded by other security professionals, and there is something about a conference full of participants from the same industry which spurs a common type of conversation: security. In addition to that, reading blogs, newspapers, and books (fiction and non-fiction) on information security also helps you gain more insight into the language of security. This is why, while there are no prerequisites to sit the exam, ISC2 requires at least five years of cumulative paid experience in two or more of the domains before it grants the certification (not that I'm saying you don't have it). Understanding the language of the CISSP helps you answer the questions in the same frame of mind.

There is a lot of failure, hardships and sacrifice. But after you pass, it's worth it for years to come.

Without failure, there would be no Doug, who failed his exam 5 times:

How Doug Cracked His CISSP Exam

Without hardship, there would be no Eduardo, who passed after a brain hemorrhage:

Without failure, there would be no Study Notes and Theory.

Here are some general tips for the CISSP if it helps:

It is a business exam with technical language.

Businesses want to be around for a long time, so think of long-term solutions which maximize profit while keeping risk at an acceptable level.

Practice due diligence by finding out what the right thing to do is, and due care by actually doing it.

Fire extinguishers, firewalls, anti-virus scanners, or pre-built code libraries on their own are not going to save the business. Proper BCP/DRP, SDLC, incident response, policy, training, security awareness, security governance, risk management, documentation, and learning from past mistakes are what actually save the business.

I'd like nothing more than to see you accept failure, then reject the failure, and come back to win it. Those are the best stories.

Good luck on your next attempt.
