CISSP Experience/Thoughts

amsic, Member, Posts: 6
tl;dr Relax, approach it from a business perspective, experiences are helpful

I sat and passed the CISSP recently. This is something I'm quite proud of as I've wanted to become CISSP certified for 10+ years.

It took me 3 hours to go through the entire exam and an extra 1.5 hours to review/second guess myself/take a break to eat and stretch. The first 15 questions were a bit rough as I adjusted to the exam, environment, and letting go of the anxiety/stress of taking the exam. So remember to relax! Once I settled down I felt the exam went smoothly and was fair. I answered all 250 questions in one pass, took a 15 minute break, then reviewed flagged questions and finally went through the exam a second time (much more quickly). When I completed the second pass I decided I had had enough and pass or fail I had learned more about infosec and myself.

I feel my experiences made this an easier exam than I thought it was going to be based on the things I had read and heard. I have 10 years of experience working in the military, as a DoD contractor, Fortune 500 and SMBs doing network/security work so I have been thoroughly exposed to all domains. I have a degree in computer science and I'm also currently an information systems engineering graduate student. The latter of these is what I think helped me the most as I'm better able to understand the business side of the house (drivers, governance, compliance, planning, budgeting, cost/benefits, risk, etc.). If you are able to understand why and how businesses use IT/IS/ICT to meet their missions/goals/visions then I feel you will have an advantage over those who are studying minute details (yes, these are needed, too). You should be able to explain, for example, a few different scenarios as to why a company would use ESP to protect data in transit (how does it relate to risk, what threats/vulns does it protect against, what would happen if it wasn't used, what compliance requirements require this, what pros/cons are involved, what is the cost/benefit, what technologies are needed, etc.). If you have a strong business acumen then I would focus on the technologies, controls, etc. that allow the business to fulfill its mission/goals/vision. When you can translate effectively between management/business and the technical/physical for all domains I think you'll be ready for the exam in addition to being a valuable asset to your employer/community.

My primary source of study was Shon's AIO. I read it over the course of a year and became intimately familiar with it the last month prior to my exam. I filled in gaps with NIST, RFCs, and texts from Safari Books (the best $40 I spend a month). The McGraw-Hill practice exams were useful. I tried Skillset but it felt inconsistent and erroneous at times which is a shame because it has the potential to be a great learning tool. The posts on this forum were invaluable, specifically those from people who failed/passed (tips, resources, motivation) and those that helped me gauge what the exam experience would be like. Thank you!

All in all, I think the journey was rewarding and I would encourage anyone with a passion for information security to challenge themselves to the CISSP. If you're currently pursuing it, stay focused! Time to reintroduce myself to my wife, complete the endorsement process and move on to the CCSK! Good luck!
