So I took the CISSP exam today... and failed
602. Oh my...
The material that I used:
1) Sybex 7th edition - a great book. I read most of it; regretfully, I haven't read all of it. They also have 4 full exams and many more practice questions in the book and online. If for some reason you want to choose one source to study from, use this one.
2) Conrad CISSP Study Guide, 2nd edition - a great book as well.
3) Conrad CISSP 11th hour, 2nd edition - read all of it
4) Cybrary.it videos - Not only is it a great introduction, but it also provides a way to think about the test and real-life scenarios.
5) Larry Greenblatt's videos - I actually saw the 1st video, regarding Security&Risk Management and Asset Security (5 hours) and it was a good one.
6) CCcure questions - it's a great source of questions to practice, and should be used daily.
7) Shon Harris 6th Edition - Used as reference here and there. I regret not using it more often.
I put in 30 days of constant effort (after studying on and off in the past). I solved around 500 questions from CCcure (I know that's not enough).
One of the mistakes I made was jumping from one material to another, which resulted in not giving enough attention to some of the domains.
The biggest mistake I probably made was attempting to "optimize" my studies; I almost didn't touch the "less important" domains, such as security operations, software development security and asset security.
Without revealing anything under the NDA - they were an important part of the whole exam, and even if some of the questions weren't related to them directly, some of the methods (like using the SDLC) were used in other related domains, such as security engineering.
Actually, every domain is important. One of the best pieces of advice here is to think like a manager. Not only that, I would add that you should also think about combining different domains. Although we have 8 domains, they have real connections to each other.
Think about how you can make the best (or worst) efforts, or what the best/worst practice is to create this kind of system or another. The Security Operations and Security Engineering domains go well with almost everything. Think (for example) about how you can combine some domains to make better security in an organization. And all that goes well with risk management and assessment in general. That's something that I missed the most in the exam, and probably 1000 more questions wouldn't have gotten me that point. I had to pay for that $600 lesson, live...
My weakest domains were also the most "combined" ones in the test, for me: Security & Risk Management, Software Development Security and Security Operations.
Now comes my question to the experts here - how do I improve from here? I was actually quite sure that I knew the Risk Management domain well, but I did the worst in it. I'd love to hear how I can strengthen my knowledge, especially in those 3 domains, without (just) solving more questions. Needless to say, as people mentioned in other posts - the questions are not the same. I am seriously considering reading some SPs related to my weak points... but that would probably be overkill.
Thanks and enjoy my experience...
Comments
-
jt2929 Member Posts: 244
How do you improve? Study more, do more questions, take your time. 30 days isn't a whole lot of study time.
-
dustervoice Member Posts: 877
You have all the right tools. Maybe you need a change of mindset. Please read all the "passed" threads here and retake the test. Don't give up!
-
bigdogz Member Posts: 881
For studying for only 30 days straight, it's not bad.
IMHO, most people put about 6 months of study into the exam. If you feel that you may be weaker in one domain when the exam is close (2 days), you can reschedule to find the answers to your questions.
As you may know, this exam is unlike others. Chances are you may not get the same exam the next time you sit for the CISSP.
You may want to run through practice exams that will make you sit the entire time so you can build up some mental and physical endurance.
Good Luck!!!
-
SirPercard Registered Users Posts: 1
30 days isn't a lot of time to prepare for the CISSP exam. I just passed mine and was studying for six months. The CBK is a huge amount of information to try to cram for. You need to understand the concepts behind the material, as there will be very few 'gimme' questions on the exam. That said, I felt like my head was going to explode during the test. I thought that almost every one of the questions was a research question.
-
Danielm7 Member Posts: 2,310
What sort of practical experience do you have as well? I've heard from a number of people with enough years in security that it was hard but more logical leaning on work experience.
-
the_Grinch Member Posts: 4,165
Don't worry. Study up for another 30 days and then try again. I studied for 60 days straight and then took the exam. I'd also add that you should view the Cybrary videos as well.
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff -
danny069 Member Posts: 1,025
Have you seen the size of the Sybex 7th edition? It's sitting on my coffee table right now and it seems it will take the rest of my life to read lol.
I am a Jack of all trades, Master of None
-
g33k3r Member Posts: 249
I read and skimmed the Sybex book due to its wordiness. I much preferred the Eric Conrad Study Guide, which should be updated very shortly.
-
LollyBaggins Member Posts: 14
I honestly love the Sybex books. I didn't finish the book by the time I passed my exam, but I made a point to go back after passing the exam to finish the book. Very good book. I'm now reading the CCSP guide and it's good stuff.
-
barman Member Posts: 38
SirPercard wrote: »30 days isn't a lot of time to prepare for the CISSP exam. I just passed mine and was studying for six months. The CBK is a huge amount of information to try to cram for. You need to understand the concepts behind the material, as there will be very few 'gimme' questions on the exam. That said, I felt like my head was going to explode during the test. I thought that almost every one of the questions were research questions.
My head was going to explode when I saw a question regarding risk calculation. It included the whole package: the values, the safeguard costs, the insurance cost (for the optional risk transfer), the vulnerabilities, their impact, etc. It was a story on half a page, while the other page included several questions regarding the situation. That was a huge surprise and quite a "research" question. I haven't seen such a thing anywhere else.
-
barman Member Posts: 38
Danielm7 wrote: »What sort of practical experience do you have as well? I've heard from a number of people with enough years in security that it was hard but more logical leaning on work experience.
I've got around 15 years of practical experience: 6 years as a security and systems administrator, 4 more years of "pure" programming (in C), 3 more years in regulatory projects as a consultant (guiding staff working with relevant security standards), and in the last 2 years I was in charge of building the security architecture in a software team and started to dive into the world of reverse engineering and malware analysis, assisting the projects as well. My experience is quite diverse. I like almost everything in security, and that keeps me from focusing on one main skill. (I call that a disadvantage, as I can't point to one main thing that I am "good" at, but I do all kinds. Maybe that's a good sign to switch to a real security management position in the future).
-
barman Member Posts: 38
SirPercard wrote: »30 days isn't a lot of time to prepare for the CISSP exam. I just passed mine and was studying for six months. The CBK is a huge amount of information to try to cram for. You need to understand the concepts behind the material, as there will be very few 'gimme' questions on the exam. That said, I felt like my head was going to explode during the test. I thought that almost every one of the questions were research questions.
bigdogz wrote: »For studying for only 30 days straight it's not bad.
IMHO, most people place about 6 months of study on the exam. If you feel that you may be weaker on one domain when the exam is close (2 days) you can reschedule to find those answers to your questions.
As you may know this exam is unlike others. Chances are you may not get the same exam the next time you sit for the CISSP.
You may want to run through practice exams that will make you sit the entire time so you can build up some mental and physical endurance.
Good Luck!!!
dustervoice wrote: »You have all the right tools. Maybe you need a change of mindset. Please read all the "passed" threads here and retake the test. Don't give up!
jt2929 wrote: »How do you improve? Study more, do more questions, take your time. 30 days isn't a whole lot of study time.
Thanks for cheering me up, guys.
danny069 wrote: »Have you seen the size of the Sybex 7th edition? It's sitting on my coffee table right now and seems it will take the rest of my life to read lol.
No, I haven't seen it. I read it via Kindle. It's very good for searching for the right word, its translation, looking for it in another domain, looking for a question and then its answer, etc. It's quite "wordy" but pleasant to read. The book itself is very didactic. One could make a CISSP course just by using that book, IMHO.
-
chrisone Member Posts: 2,278
danny069 wrote: »Have you seen the size of the Sybex 7th edition? It's sitting on my coffee table right now and seems it will take the rest of my life to read lol.
I am reading it right now and I am on chapter 8. With proper dedication you can get through it. Doing the test questions at the end really helps drill in the concepts. I have only been reading for about a month now. I gave myself 3 months for studying, so I have all of Nov-Jan. I plan on taking the exam in early February. By the end of December I should be almost done with the book. I have two Udemy courses I bought for $10 each during the Black Friday sales; I am going through those as well. I might pick up one of those practice exam books by Shon Harris to reinforce the topics further, but the Sybex 7th edition book has so many practice exams already. I don't think the Sybex book is a tough or boring read. I study at home and at work, so I get through 1 to 2 chapters a week.
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
-
CLICK Member Posts: 88
Sorry to hear that, barman. Just keep at it, regroup and go again; you should have a better perspective now that you've seen what you're dealing with. All the best, dude, and I look forward to your "passed" post.
-
TechGuru80 Member Posts: 1,539
jt2929 wrote: »How do you improve? Study more, do more questions, take your time. 30 days isn't a whole lot of study time.
Agreed on the time frame. It depends on your experience level, but many people spend months studying. Do you understand the steps of forming a program? Types of risk analysis and the terms associated? ARO, SLE, MTTR, etc. The exam covers a lot of material... identify your weak domains and hit them hard... then fill in occasionally with your strong domains.
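Both the half-page risk-calculation scenario barman describes above (asset values, safeguard costs, an insurance premium for the optional transfer) and the ARO/SLE terms TechGuru80 lists belong to the quantitative risk analysis part of the Security & Risk Management domain. As an added worked example (this is not code from the thread or from any of the posters, and every asset value, rate and cost in it is constructed for illustration), the standard arithmetic is carried through in Python: SLE = AV x EF, ALE = SLE x ARO, safeguard value = ALE(before) - ALE(after) - annual cost of the safeguard, with the insurance/transfer option scored on the same scale so that mitigation, transfer and plain acceptance can be compared against each other.

```python
"""Quantitative risk analysis as used in CISSP-style questions.

Added illustration; all numbers below are constructed, not taken from any
real assessment.  Formulas:
    SLE (single loss expectancy)      = AV * EF
    ALE (annualized loss expectancy)  = SLE * ARO
    safeguard value                   = ALE_before - ALE_after - ACS
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair expressed with the standard quantitative terms."""
    asset_value: float      # AV: value of the asset to the business
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0..1)
    aro: float              # ARO: expected number of occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A mitigating control: costs money every year, lowers EF and/or ARO."""
    name: str
    annual_cost: float                            # ACS: amortised purchase + upkeep
    new_exposure_factor: Optional[float] = None   # None means unchanged
    new_aro: Optional[float] = None               # None means unchanged


def residual(risk: Risk, sg: Safeguard) -> Risk:
    """The same risk after the safeguard is in place."""
    ef = risk.exposure_factor if sg.new_exposure_factor is None else sg.new_exposure_factor
    aro = risk.aro if sg.new_aro is None else sg.new_aro
    return replace(risk, exposure_factor=ef, aro=aro)


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Cost/benefit of a control: ALE_before - ALE_after - annual cost.

    Positive: the control pays for itself.  Negative: accepting the risk is
    cheaper than buying this control."""
    return risk.ale() - residual(risk, sg).ale() - sg.annual_cost


def transfer_value(risk: Risk, premium: float, coverage: float) -> float:
    """Risk transfer via insurance: the insurer absorbs `coverage` (0..1) of
    each loss in exchange for an annual premium (no deductible or cap modelled)."""
    return risk.ale() * coverage - premium


def choose_treatment(risk: Risk, safeguards: Sequence[Safeguard],
                     insurance: Optional[Tuple[float, float]] = None
                     ) -> Tuple[str, Dict[str, float]]:
    """Score every treatment against doing nothing and return the best one."""
    scores: Dict[str, float] = {"accept": 0.0}  # acceptance costs and saves nothing
    for sg in safeguards:
        scores[sg.name] = safeguard_value(risk, sg)
    if insurance is not None:
        premium, coverage = insurance
        scores["transfer (insurance)"] = transfer_value(risk, premium, coverage)
    best = max(scores, key=scores.get)
    return best, scores


# Constructed scenario (invented numbers for the example).
WEB_SERVER = Risk(asset_value=200_000, exposure_factor=0.5, aro=0.2)
OPTIONS = [
    Safeguard("WAF", annual_cost=8_000, new_aro=0.05),
    Safeguard("warm standby site", annual_cost=15_000, new_exposure_factor=0.1),
    Safeguard("managed DDoS scrubbing", annual_cost=25_000, new_aro=0.01),
]
INSURANCE = (10_000, 0.8)  # annual premium, fraction of each loss covered

if __name__ == "__main__":
    best, scores = choose_treatment(WEB_SERVER, OPTIONS, INSURANCE)
    print(f"SLE = {WEB_SERVER.sle():,.0f}   ALE = {WEB_SERVER.ale():,.0f}")
    for name, value in scores.items():
        print(f"{name:24s} net annual value {value:>10,.0f}")
    print("best treatment:", best)
```

The sign of safeguard_value is the check these questions usually turn on: a control whose annual cost exceeds the ALE reduction it buys (the scrubbing service in this scenario) is worse than accepting the risk, even though it leaves the least residual risk, and the transfer option competes purely on premium versus the share of expected loss the insurer absorbs. Real policies add deductibles and coverage caps, which this example leaves out.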