I passed my Certified Information Systems Security Professional (CISSP) exam on November 20th, 2018. It took me 50 minutes to answer 100 questions.  I am sharing this blog post as resource to colleagues who are intending to take the test and to the cybersecurity profession as my way of “paying it forward” since I received help from vast and free online resources and from advice I received from those I didn’t even know personally.

Motivation

I decided to take the CISSP exam for the following reasons:

  • Model my commitment towards professional development (one of this year’s four key areas in our department strategic plan by learning topics relevant to our organization (SIS&T) future direction, including 1) improving our organizational resiliency (staffing, information systems), 2) improving processes (governance, operations, devops), and 3) “liberate data” – expose data across campus systems that have been siloed in the past.
  • Given emergent technologies and changing workforce dynamics and demographics, I need new leadership/management and technical knowledge required in my role as an IT leader on campus. Campus initiatives require new knowledge and skills, including cloud adoption, integrated campus cybersecurity, data analytics, and campus data integrations using Application Programming Interface (API) and visualization software for decision-making.
  • Continue my commitment to life-long learning.

Background

Though I had intended to take the CISSP exam in 2017 and my organization had even paid for an online course and books to prepare me for the exam, in retrospect, that I didn’t create the pressure for me to prepare led me to not dedicate the time and effort as I had done these last two months before my exam.

The CISSP exam is often characterized as “mile-wide and inch deep.” The exam assesses the tester’s knowledge in the eight domains, from understanding laws and regulations, best practices, networking/physical/software security, and operations. I am not so sure it’s an “inch deep,” however, as while the exam may indeed provide general questions, the knowledge I felt I had to learn (and acquired) in preparing for the exam went beyond general information.

Since my professional background/experience was mainly in application development and leadership/management, I found those domains to be relatively easier than the other domains. However, given my lack of experience in networking and data center management, I found myself needing to spend more time studying those areas than others. For example, I bought a book called Networking All-in-One for Dummies because I didn’t even know the differences between the networking mediums (cabling) and wireless networking specifications.

Approach

Though I read many online resources about the CISSP exam, there were no materials I read about the specific questions themselves. Even if I had come across them, I wanted to honor the integrity of the process and professional, ethical standards by not using them. Given that I didn’t know what questions to expect, I used different study materials (books, iPhone apps, quizzes, videos, websites, and social media). I even tried different study styles to improve my chance of passing the test. I have learned that I comprehended concepts better if I understood the “big picture” and when I saw the relationships among the different areas. I created a mind map of the 8 CISSP domains as my roadmap using a mobile/website called MindMeister. Here is the link to my CISSP mind map.

I also found study methods to maximize the limited time I had between when I registered to take the exam (October 2nd) and the day of the exam (Nov 20th).  I created a schedule that required discipline and dedication. The kindle books and the iPhone apps I used anytime/anywhere during the day  (including between meetings, trips to the mall, and commutes) were useful. My wife’s support and encouragement throughout the process were also very helpful. She provided me with the space and time to study.

As I will share below, about two weeks before the test, I finally realized what methods increased my comprehension of the topics I was studying.

Timeline

September 2018

October 2018

  • Registered for the CISSP exam (Nov 20th) on October 2, 2018 on the PearsonVue website.
  • Created and completed exam preparation schedule for those seven weeks.
    • First two weeks of October – complete the Sybex book and Shon Harris’ All-in-One CISSP Exam books). This meant spending 2-3 hours a night reading at least one chapter a day and completing the end-of-chapter quizzes.
    • Entire October up to November 19th.
      • Completed CISSP course on Cybrary.It, and Lynda.com CISSP course.
    • Completed at least 200 questions daily from various quizzes (see list below) and improved my knowledge of areas of weakness based on my scores.
  • Five days before the exam
    • Took days off from work. Spent at least 5 hours during the day/night of continued studying. This is when I realized how to improve my understanding of the topics significantly. At this point in the process, I had read books, taken thousands of questions, and watched hours of videos, so the areas new to me became smaller. However, there were still areas I struggled with because of my lack of experience, as I noted above. So, whenever I completed the quizzes, I researched the questions I had missed by re-reading the books and re-watching videos. In the process, I also started understanding/noticing related topics I had missed.
    • Two days before the exam, I continued my routine above, and I also reviewed summary materials I had found online, including the following:
    • The day before the exam, I came across a blog post recommending watching the following videos to have the proper mindset going into the exam. I watched them, and they made a difference in how I approached the test – thinking like a manager and from a risk management perspective, not a techie. I encourage those preparing to take the test to watch these videos at some point in their preparation.

Lessons Learned

The benefit of the CISSP certification goes beyond the recognition of passing the exam. It has given me more confidence with the new knowledge learned about cybersecurity and how to study for future certification exams. In two months, I learned knowledge in areas I did not have opportunities to learn in my 20 years in IT. Passing the CISSP test requires risk and organizational management mindsets AND technical knowledge. A technician’s approach of solving issues through tools only or a manager with little knowledge in the 8 domains will probably have a hard time passing the exam. Even with years of experience, the test requires time and commitment to study the materials and be comfortable with the types of questions.

Personally, I found the preparation process as an opportunity to further assess what works for me in terms of learning style. I used books, videos, apps, and mind maps to figure out what works for me. In the end, I believe memorizing the materials alone was insufficient. It required some thoughtful understanding of how the different tools/approaches in combination should be applied to solve real-life situations. It also requires intuition gained through experience to effectively assess a problem. I believe, therefore, experience is a requirement for the certification.

Like other folks online and colleagues in my organization who have given advice and shared their knowledge for me to pass the exam, I would like to offer you any insight about the process (within the NDA and ethical boundaries), so you may also pass the exam. Please feel free to contact me at joe@joesabado.com.

Resources

My learning style is different from others. In general, every single resource listed here was helpful to me personally. Still, there were some I relied on more than others and ones I thought were most applicable to the areas and types of questions presented during my exam.

Exam Preparation/Mindset

Exam registration

Summaries

Videos

iPhone Apps

  • CISSP Certification Exam Prep – ImpTrax Corporation
  • CISSP Pocket Prep – Pocket Prep, Inc.
  • CISSP Study Guide by Cram-It – Rooster Glue, Inc.
  • CISSP Practice Questions – Laurie Hocking
  • CISSP Practice Exam Prep 2017 – Recurvo Learning & Educational Apps
  • CISSP Stress-Free: RocketPrep
  • CISSP Practice Test – Mark Patrick
  • LearnZapp CISSP Study Guide

Quizzes

Books

Websites

Social media

Tools