How I Passed the CISSP

thestig220 (Registered Users, Posts: 1)

So, even though it has only been about a week since I passed the exam, I have received multiple messages asking how to study as well as what are the “main things” they should study in order to pass. Many others have contributed to this group in some way, and now that I have had a little bit of time to process things, I wanted to give my humble opinion on what is required to pass the CISSP.

First off, coming into this exam, leave your other certifications at the door. Having A+, Security+, CASP, MCSA, and MCSE, I can tell you that none of the aforementioned certifications were even close in comparison when it comes to format as well as how to study for this exam. In the past I have outlined exam objectives, read a book or two, practiced hundreds of questions and managed to pass. It was a formula that I have been programmed with, much like anyone else that has gone through the traditional school system. Unfortunately, I knew after trying the CISSP once on a free voucher that old methods would not work for me (key word here).

In 2017 I sat the traditional exam (250 Q, 6 hours). I completed a boot camp through the local community college and had to take the exam within 60 days, pass or fail, or pay for the course + the voucher. The course was crap, and due to other unforeseen circumstances in my life I was unable to really engage the material in the short time frame that I was given. Either way, I still had to attempt the exam. I decided I was going to use the opportunity to focus more on the structure of the questions and identify the deltas I needed to work on.

The format of the questions was obviously quite different from what I have had experience with in the past. On Security+, you might be asked “What is PaaS?”. On the CISSP you will be asked “Your organization has a custom application running on a third-party distributed cloud service. Through an internal audit, it is discovered that PHI is present in the application. What would be the MOST appropriate step to take to remedy the situation?” There is a stark difference between these questions, as one can be solved by recall and the other is conceptual.

The latter question has multiple concepts and, arguably, multiple domains of the CISSP CBK. You would have to know what a “PaaS” is, as denoted by a “custom application hosted by a third party”. This, along with distributed systems, is part of Domain 3 objective 3.5: “Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements”. PHI is involved with a third party, so Domain 1 objective 1.2: “Applying due care/diligence” and 1.3: “Determine compliance requirements (contractual, legal, industry standards, and regulatory requirements)” are all part of this question. Taking all of these things into account is how you should arrive at the correct answer.

I knew going forward I had to go about this test a completely different way, as knowing the concepts would not be enough. I would have to learn how the domains tie together, and how things might be applied in a real-world setting. I think this is where the experience part really comes into play, and because I had been in IT for only a few years at that point in time, I would have to find an effective way to close the gap.

I think the first thing anyone should do before attempting the CISSP is to know YOUR learning style. I don’t mean what has worked for you in the past. If the goal is understanding, conceptualizing, and applying, how would you go about doing so? I would check out this article by googling lonestar edu "know your learning style" (I can't post the link), which discusses the learning styles and how they are instructed. For the purposes of the CISSP, I needed instructors who use real-life examples, applications, and hands-on approaches. Much like an apprenticeship, I needed to learn from someone who has “been there, done that”. For my needs, I figured a book could only go so far on concepts and application without becoming extremely bloated and in the end overwhelming/too big to digest. I decided I would stick with video series that have real cybersecurity professionals who can break down the concepts and tie them into an overall picture. For this, I stuck with Kelly Handerhan and Larry Greenblatt because of their expertise as well as their ability to “fundamentalize” different subjects.

I did not watch the videos straight through, and I only moved on when I honestly felt like I had a great understanding of a particular subject. My mindset was “How do I become a CISSP?” and not “How do I pass the CISSP?”. I would stew on different concepts and pose questions to people in my workspace on how they might have seen things in the real world. I also would spend random periods throughout the day googling different white papers just out of curiosity.

I also realized that video series have similar setbacks that books do. They can be too short and not cover everything in the CBK, or too long and not be easily digested. This is why people stress using different learning strategies to achieve a goal. In order to meet the objective of conceptualization and application, I decided I would learn no better than being in a position where I can ask thought-provoking/situational types of questions. I was able to accomplish this by attending Larry Greenblatt’s online boot camp twice.

I did not attend these boot camps until after I had spent maybe a year and a half to two years of on-and-off learning. I emphasize learning because, again, I had little experience to rely on to simply study. I wanted to make sure I had this so I could have substantive discussion with Larry and other students in the class. That, combined with Larry’s excellent approach to relating every objective/subject to a part of the SDLC, really made for a wholesome experience that, for me, connected the dots and bridged gaps in my comprehension. I attended his online boot camp twice, in early and late 2018. As a last run-through, I spent a couple of months watching the video series by Sari Greene until May of 2019. I stopped and took a couple of months off, and just on a whim I decided to take the new CAT exam with the goal of narrowing down my weaknesses. I passed the exam last week.
When you ask “what are the main things to study in order to pass the exam”, anything in the CBK outline is fair game. A term may not be used, but the concept behind it will. It may also blend other concepts. The purpose of the CISSP is to gauge your understanding of the entire picture, and this is evident in how the questions are formulated and how the exam adapts to focus on your weaknesses. Experience normally is what allows you to more easily tie everything together, and because I lacked that I had to approach this exam in a way that was right for me.

If there are any takeaways from this long post, I believe it starts with being honest with yourself. When answering a question, how did you reach a specific conclusion, and what concepts did you utilize to reach that conclusion? Identify what your gaps may be, and approach studying in terms of how it applies to the real world. Know your learning style. Just because I learned a specific way does not mean it will work for you. Your time spent on certain things could be drastically faster than mine. It depends on an individual’s experience, comprehension, and even perseverance. Some people need to see things demonstrated while others can read a book and practice questions. Find out what works for you. Take bits and pieces of different methods and resources mentioned by other wonderful individuals in this group and tailor it to you. Also, you WILL be a CISSP!!