I passed my Certified Information Systems Security Professional (CISSP) exam on November 20th, 2018. It took me 50 minutes to answer 100 questions. I am sharing this blog post as resource to colleagues who are intending to take the test and to the cybersecurity profession as my way of “paying it forward” since I received help from vast and free online resources and from advice I received from those I didn’t even know personally.
I decided to take the CISSP exam for the following reasons:
- Model my commitment towards professional development (one of this year’s four key areas in our department strategic plan by learning topics relevant to our organization (SIS&T) future direction including 1) improving our organizational resiliency (staffing, information systems), 2) improving processes (governance, operations, devops), and 3) “liberate data” – expose data across campus systems that have been siloed in the past.
- I need new leadership/management and technical knowledge required in my role as IT leader on campus given emergent technologies and changing workforce dynamics and demographics. Campus initiatives including cloud adoption, integrated campus cybersecurity, data analytics and campus data integrations using Application Programming Interface (API) and visualization software for decision-making also require new knowledge and skills.
- Continue my commitment to life-long learning.
Though I had intended to take the CISSP exam in 2017 and my organization had even paid for an online course and books to prepare me for the exam, in retrospect, that I didn’t create the pressure for me to prepare led me to not dedicate the time and effort as I had done these last two months before my exam.
The CISSP exam is often characterized as “mile-wide and inch deep”. It is true the exam assesses the tester’s knowledge in the eight domains ranging from understanding of laws and regulations, best practices, networking/physical/software security, and operations. I am not so sure it’s an “inch deep” however as while the exam may indeed provide questions at a general level, the level of knowledge I felt I had to learn (and acquired) in the process of preparing for the exam went beyond general information.
Since my professional background/experience were mainly in application development and leadership/management, I found those domains to be relatively easier than the other domains. However, given my lack of experience in networking and data center management, I found myself needing to spend more time studying those areas than others. For example, I bought a book called Networking All-in-One for Dummies because I didn’t even know the differences between the networking mediums (cabling) and wireless networking specifications.
Though I read many online resources about the CISSP exam, there were no materials I read about the specific questions themselves. Even if I had come across them, I wanted to honor the integrity of the process and professional ethical standards by not using them. Given that I didn’t know what questions to expect, I found myself using different study materials (books, iphone apps, quizzes, videos, websites, social media) and I even tried different study styles to improve my chance of passing the test. I have learned that I comprehended concepts better if I understood the “big picture” and when I saw the relationships among the different areas. I created a mind map of the 8 CISSP domains as my roadmap using a mobile/website called MindMeister. Here is the link to my CISSP mind map.
I also found study methods to maximize the limited time I had between when I registered to take the exam (October 2nd) until the day of the exam (Nov 20th). I created a schedule which required discipline and dedication. The kindle books and the iphone apps which I used anytime/anywhere during the day (including between meetings, trips to the mall, commute) were useful. My wife’s support and encouragement throughout the process were also very helpful. She provided me with the space and time to study.
As I will share below, it was about two weeks before the test when I finally realized what methods increased my comprehension of the topics I was studying.
- Registered for the CISSP exam (Nov 20th) on October 2, 2018 on the PearsonVue website.
- Created and completed exam preparation schedule for those seven weeks.
- First two weeks of October – complete the Sybex book and Shon Harris’ All-in-One CISSP Exam books). This meant spending 2-3 hours a night reading at least one chapter a day and completing the end-of-chapter quizzes.
- Entire October up to November 19th.
- Completed CISSP course on Cybrary.It, and Lynda.com CISSP course.
- Completed at least 200 questions a day from various quizzes (see list below) and improved my knowledge on areas of weaknesses based on my scores.
- Five days before exam
- Took days off from work. Spent at least 5 hours during the day/night of continued studying. This is the period when I realized how to significantly improve my understanding of the topics. At this point in the process, I had read books, taken thousands of questions, and watched hours of videos so the areas new to me became smaller. However, there were still areas I struggled because of my lack of experience as I noted above. So, every time I completed the quizzes, I researched the questions I had missed by re-reading the books and re-watching videos AND in the process, I also started understanding/noticing related topics I had missed before.
- Two days before the exam, I continued my routine above, and I also reviewed summary materials I had found online including the following:
- The day before the exam, I came across a blog post which recommended to watch the following videos to have the proper mindset going into the exam. I watched them, and they made a difference in how I approached the test – think like a manager and from a risk management perspective, not a techie. I encourage those preparing to take the test to watch these videos at some point in your preparation.
The benefit of the CISSP certification goes beyond the recognition of passing the exam. It has given me more confidence with the new knowledge learned about cybersecurity and how to study for future certification exams. In two months, I learned knowledge in areas I did not have opportunities to learn in my 20 years in IT. To pass the CISSP test requires the risk and organizational management mindsets AND technical knowledge. A technician’s approach of solving issues through tools only or a manager with little knowledge in the 8 domains will probably have a hard time passing the exam. Even with years of experience, the test also requires time and commitment to study the materials and be comfortable with the types of questions.
Personally, I found the preparation process as an opportunity to further assess what works for me in terms of learning style. I used a combination of books, videos, apps, mind maps to figure out what works for me. In the end, I believe memorizing the materials alone was not sufficient and it required some thoughtful understanding of how the different tools/approaches in combination should be applied to solve real-life situations. It also requires intuition gained through experience to be able to effectively assess a problem. I believe therefore experience is a requirement for the certification.
Like other folks online and colleagues in my organization have gave advice and who shared their knowledge for me to pass the exam, I would like to offer you any insight about the process (within the NDA and ethical boundaries) so you may also pass the exam. Please feel free to contact me at email@example.com.
My learning style is different from others and in general, every single resource listed here was helpful to me personally, but there were some I relied on more than others and ones I thought were most applicable to the areas and types of questions presented during my exam.
- CISSP Certification Exam Prep – ImpTrax Corporation
- CISSP Pocket Prep – Pocket Prep, Inc.
- CISSP Study Guide by Cram-It – Rooster Glue, Inc.
- CISSP Practice Questions – Laurie Hocking
- CISSP Practice Exam Prep 2017 – Recurvo Learning & Educational Apps
- CISSP Stress-Free: RocketPrep
- CISSP Practice Test – Mark Patrick
- LearnZapp CISSP Study Guide