CISSP - 2 years in the making

dave0212 Member Posts: 287
Well it has been a long time since I contributed to this page, but given this huge milestone I thought it would be a good way to return to the fold :)

I have been studying for the CISSP on and off for probably 2 years but had been fairly focused since the end of January, and finally pushed myself at the end of April to book the exam for Friday 13th June @ 8AM (on reflection maybe a bit early given I had to drive 40 miles to the test center).

A little bit of background:
I have worked in IT for just over 10 years, attaining many certifications along the way depending on the tech I was working with (see side bar :)). I became really interested in InfoSec about 5-6 years ago while working for a service provider and have strived to venture down that avenue ever since, ending up where I am now, effectively CSO for a billion dollar international company (always gonna look great on the CV :)). I enjoy it because of the sheer breadth of the subject, which touches every part of business operations.

On to the CISSP journey:
The first thing I would recommend if you are thinking about working towards your CISSP is to read the excellent blog by JDMurray:
The CISSP Certification Experience - TechExams.net IT Certification Blogs
This should pretty much form the basis of your plan. That being said, the actual exam experience is a little outdated due to the migration to CBT from paper, so I am not going to re-hash his great work (but I will provide an objective analysis on some items :)).

First of all, my study materials. Having completed the SSCP 2 years ago (I highly recommend doing this prior to the CISSP), and given that there is a degree of overlap in the domains, some of the subjects I was very familiar with. I elected to skip the official guide this time round based on my experience of using it for the SSCP. Why, you may ask, as it got me through the SSCP? It was the hardest book to read, and the material was so dry it was challenging to absorb the information. I would read a chapter and forget what I had just read (I think I read cryptography 7 times). So I decided to go with a lot of recommendations and used the latest AIO guide by Shon Harris along with the training videos from Logical Security as my primary study paraphernalia. I used a lot of NIST and other online sources (see above blog) to augment the materials as well. I always endeavour to go beyond the expected level of knowledge. In my final 6 months of study I invested in uCertify materials after a quick CertGuard (http://www.CertGuard.com/Search.asp?Site=ucertify.com) check; the guaranteed pass made me question legitimacy. The material included is pretty good. I speed read a lot of it, having covered it already, and changed tack after a couple of chapters and started taking the tests, setting a goal of 80% pass or I have to read the chapter :) There are a couple of mistakes (poor wording) in the questions, and the random engine doesn't handle related questions; as an example, I would get an ALE question about elements from, say, question 16, but as they had been randomised that could now be any question number, so I had to go and find it. Overall I would recommend the uCertify material as a final resource to cement the knowledge you have already learned, but the questions are nothing like those you encounter on the exam; it is purely a test of your knowledge.

On a side note I highly recommend "The Code Book" by Simon Singh as a good reference guide for cryptography, very well written, so much so I have purchased all his other books! I read the book on holiday and really enjoyed it.

I approached the material domain by domain, so I would learn everything from my chosen materials about the domain over a defined time period and move on to the next. After completing the initial run through, I would run through each domain again from my own notes.

And now for the exam experience. I completed the SSCP back when it was a paper based exam and only 1 test centre in the country could proctor it (200 miles away), so I had to travel the night before and stay in a hotel. It took me around 90-120 mins to complete that exam, I was hoping to achieve a similar reduction in the CISSP (3-4hrs would be nice), and I had to wait 6 weeks for the results. I was relieved when they implemented CBT for the exams and increased the number of test centers. The main benefit of this is that you now get your results instantly (almost). I am not sure if this is the same in other countries, but the centers that run the tests in the UK all seem to be government run and also proctor driving theory tests and immigration tests etc. On completion of the test, unlike say an MS exam, you don't get the result on screen; instead they are sent to a printer back at the administration desk (they do the same for driving theory tests). One of the other benefits of CBT in my personal opinion is it speeds up the process, so the current 6 hour limit is probably excessive, but given that MS give you 4 hours for an exam that takes 1, it's nice to know you have the time (Cisco is the opposite, very limited time to question ratio). Anyway I am rambling on a bit. I would definitely say this is the most taxing exam I have ever completed; I literally felt the night before I could not fit anything else in my brain, if I don't know it now I won't by the morning. The questions range from the epically easy (what ports are used for x) to WTF moments (I wish I could explain this more but NDAs prevent that; I will just say I didn't expect to have to know something in such in-depth detail - it may have been a test question!) but the vast majority are acceptably challenging. A lot of people say this is a management exam, think like a manager (the answer to the WTF question couldn't come from management experience/knowledge :)).
I agree in part with JDMurray that you have to think like the entire Cx suite but I would say thinking like a business analyst would cover it better (I personally think working in security management requires more knowledge of business operations than any other single person within the organisation) but you do also need the technical aspects as there are questions that are purely technical and no amount of management experience will get you to the answer.

By the way I took 3.5 hours to finish the exam (with 1 bathroom break), I do not review answers once I click next, I sometimes mark questions I am not confident on before I submit the exam so it gives me an idea of scoring if I get all my confident questions right.

Quote from JDMurray's blog

"Pay attention to the wording of the question and answers in each item. Circle or underline words that are comparatives (e.g., “better”, “worse”, “more”, “less”), superlatives (e.g., “best”, “worst”, “most”, “least”), prepositions (e.g., “only”, “without”), and negatives (e.g., “not”, “never”, “nor”). These words change the meaning of a sentence, and not noticing them will mean misinterpreting an item's question or answers.
Do not read information into an exam item that isn't there. For example, if wireless networking isn't mentioned in the question, don't consider it when choosing the answer. Everything you will need to choose the correct answer is contained within the item. Adding additional information to the question may make you more susceptible to the distractors."

IMHO these are probably the most important pieces of information in his blog: don't try and over-think the questions, don't assume elements not mentioned. One of the words I found most used was BEST; a lot of questions could have multiple correct answers, and you have to decide which is the BEST based on the information provided.

Obviously the migration to CBT exams has given ISC2 license to implement new question types (paper was pure multiple choice), like drag-and-drop based questions, which could be placing a subset of options in the correct order or placing something on the correct part of the screen.

I have been writing (adding to) this for about 6 weeks while waiting for my full accreditation, while enjoying the expensive bottle of whisky I treated myself to after passing.

Here is my timeline:
Exam Pass - 13th June
Paperwork Submitted - 22nd June
Notification of Documents Received - 23rd June
Notification I’d been chosen for Audit - 28th July
Returned Requested Information - 28th July
Notification of Documents Received - 29th July
Confirmation of Accreditation - 31st July (9-10PM GMT+1)

I am not sure how much work they do on the audit, but I ensured that my contacts were completely aware of the fact that they may be contacted.

So now time for another bottle of whisky to celebrate.

Good luck to anyone going for this exam (so glad it works on maintenance rather than retakes :))

What’s Next?????

While I have no real desire to take any more exams I always have a desire to learn new things, so I decided to step into an arena I have never really touched, programming. I am currently teaching myself Python, but going forward I am going to pick an annual subject (not necessarily IT/Security related) and study as much as I can over the course of a year.
This week I have achieved unprecedented levels of unverifiable productivity


Working on
Learning Python and OSCP

Comments

  • cyberguypr Mod Posts: 6,928
    Haven't read the whole story because I HAVE TO mow the lawn but CONGRATS! Will read as soon as I'm done.
  • Spin Lock Member Posts: 142
    Excellent write-up. Thank you for taking the time to give back. I haven't read JD Murray's CISSP blog entry in a looong time, but I'll go back and take another look on your recommendation.

    Thank you for the certification timeline as well - good to know that your audit was completed so quickly.
  • Pupil Member Posts: 168
    Now that's dedication. Congratulations on becoming a CISSP. It's one of my long term goals. I will take lessons from your journey.
  • Alanjen Member Posts: 14
    Congrats Dave0212! Huge accomplishment. Thank you for the detail on the endorsement process as well. I received acknowledgement on my endorsement on July 3 and am waiting to hear back from ISC2 on my congratulatory CISSP. From your timeframe, it sounds like ISC2 is taking 5 - 6 weeks to turn endorsements around. So I still have another week or two.

    I am also learning Python as my next step and am taking a Coursera course on Python that starts in September. In the long run, I hope to have a better understanding of reverse engineering.

    Thanks again for the info and Congratulations!
  • dave0212 Member Posts: 287
    Thanks guys,

    Having set myself the target of CISSP several years ago, it is nice to finally achieve it.

    One note I will add to the above is:

    My audit must have been straightforward (maybe my CV is written really well :) - I write mostly custom CVs for ISC) as my job contacts were not contacted for any clarification.

    I was endorsed by ISC2, as I always thought that a CISSP would need to have known me for the full 4-5 years to endorse, but have seen comments on here that counter that mindset?
  • JoJoCal19 Mod Posts: 2,835
    Congrats on the accomplishment! Now that you've knocked out the CISSP, what's next?
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • dave0212 Member Posts: 287
    Well, just to finish out the timeline, I received my certificate in the mail yesterday (18/08/2014), quicker than expected.