After I studied for what seemed like eternity, I passed the CISSP yesterday.
Reason for taking the CISSP:
I took a security job last year. Now my role is entirely administrative. During my interview the folks let me know that being able to keep this job was contingent on taking/passing the CISSP. (No pressure there, right?)
My background: I have 20 years of experience with network/sysadmin/security/telecom in large enterprise IT organizations. I have been a Cisco Certified Security Professional and an HP-UX certified system administrator. I studied for Sec+ and passed it in August after around a month of study.
What I did to prepare:
I tried to force myself to read the Official CBK. I, honest to God, thought about looking for another job if it meant having to read that book and speak that language. I had coworkers recommend the AIO to me so I bought it. I read that book cover to cover. Even though her writing style and attempts at humor were appreciated, this was still painful. It was hard to go through for two reasons:
a. Because of stuff I already knew very well being reduced through the lens of the exam.
b. Because of stuff I didn’t know very well seeming overly complicated and nuanced.
I read 50 pages a night until I was done. As others have said here the book is long, so it requires a lot of review and application to retain the material.
Even though I was feeling confident and doing well on the included Total Tester software, I read a lot of feedback here that said the AIO wasn’t enough for the new material, so I also ordered the CISSP® (ISC)2® Certified Information Systems Security Professional Official Study Guide, 7th Ed. It became my primary mode of study. I picked up links to Cybrary when I first started and powered through watching all the videos at once. I bought a subscription to CCCure and did several questions from the test bank. These questions seemed riddled with errors and ambiguous wording. Overall I thought the best test engine was the Total Tester, but the best content was from Sybex. I studied, took practice exams and reviewed the info several times. In the end, I was finishing in the high 80s-100 on all my practice tests. This past weekend I discovered a link to the free Eric Conrad test at:
Elsevier: conrad: CISSP Study Guide Certification
I took that and scored in the mid 80s without ever seeing them before, so I took that as an indicator I was ready for the test.
My test experience:
My testing center is a good drive away so I stayed in a hotel the night before to get away from distractions. The test center was crowded with other folks taking exams, no other CISSPs, I don’t believe. I signed in, did my biometric enrollment, and got cleared through the room. The first hundred or so questions were killer. I took a break for about 5 minutes to drink some water and come to grips with why the questions I was being asked did not seem to relate to what I’d been studying. I then realized that I could not worry about the outcome, I just had to focus on what I was doing and finish so I could see where I stood. The next 150 questions were much easier, some were even just plain dumb. There were a few sneaky questions that did seem like deliberate attempts to trick you. At the end, a little over two hours had passed. I reviewed the 10 questions I had flagged, changed 2, and hit submit. I notified the proctor that I was done and we went to go pick up my test score. From a distance there appeared to be only one sheet on the printer, but when she picked it up it spread apart into the dreaded two sheets of failure. She handed it to me face down. I worked up the courage to flip it over and discover that I had indeed passed, but the printer had bled over slightly to the second page. For many of the questions I had to rely on my experience in an outsourced enterprise ITIL environment.
My recommendations to other historically technical test takers:
1. Set a test date with a study plan in mind.
2. Study the entirety of the 8 domains. I feel that ISC2 varies the test so that a single exam can seem to focus heavily on “ANY” single area. Mine did not focus on any of my strong areas at all.
3. Use the Sybex book for content. Take each concept it teaches and put it in a scenario where it would be used. I feel that will help you recall them for the test.
4. Use the Cybrary videos and MP3s to listen to on your commute or your time on the treadmill. I personally learn a lot through discussion, and it felt like a conversation I was having with a coworker when I would listen on the treadmill or in the car.
The short answer is, this is very much doable, but the further you are away from a managerial or security background, the more effort it requires. I wish you all success going forward and thank you to those who took time to answer my questions on this forum.