After studying for and passing the CompTIA SYO 501 Security+ certification, it didn’t take long before I was feeling antsy. I’m talking next day antsy. After you find yourself dedicating so many hours to studying and research and flash cards and you suddenly find yourself without anything to study for you feel a massive void and it can be quite disorienting. I think many out there can relate.
Capitalizing on the study discipline I had amassed as a kind of “muscle memory” and with a flexible work schedule, after consulting with peers and spending a goodly amount of time on Reddit, I decided I was going for the whole enchilada–I would be taking the CISSP. This was the certification that CIOs and CISOs have (or are supposed to have), so I thought “Go for it!”
What followed was the most intense study period of my life, and I’m an autodidact so I’m not unfamiliar with this type of activity.
Unlike the Security+ where I gave myself a strict 45 day study period and then immediately took the exam, with the CISSP I knew I was going to have to give myself much more time and not set any arbitrary deadlines.
The good news was that studying for the CISSP was an excellent followup from the Security+ because so many of the concepts were similar and overlapped. The bad news was that with this certification the knowledge you need to absorb while not incredibly deep was massive: As they say in this case, “an inch deep and a mile wide.”
Study Duration: 4.5 Months
All Study Materials Including Books: $189
Exam Cost: $699
Week 1-4: January
This was the period I started exploring the various books and deciding which was going to be right for me.
Pro Tip: You can purchase books on Kindle and return them. If you find yourself not liking something you purchased or feel it was an accidental purchase, get your refund. I think Amazon does place some type of limit on returns but if you are a normal person with normal purchasing habits, by all means return them.
I started with the brilliant Shon Harris tome CISSP All-in-One Exam Guide, Seventh Edition and this book is INTENSE. She REALLY knows her stuff, although the critique is that you don’t need to go as in depth as she will take you. I made it about halfway through and decided that it was not for me. As a reference, definitely! As the main study source, nope.
From there I moved over to the “Conrad” book CISSP Study Guide – by Eric Conrad, which was the most concise and “to the point” of all of the books I found:
Week 4-10: February – Mid March
Up until this point I had taken very few notes. I had read portions of Harris and Conrad front to back without taking notes or flash cards or any other memory devices. I wanted to start building up a familiarity with as many of the overall concepts at the outset and then dive deep later.
Now I re-read Conrad, this time making flash cards as I progressed. Usually, I waited until I got to the end of each chapter and then went back and filled out as many flash cards as I could. I even made ones that seemed unnecessary. In the case of the CISSP I don’t there is an overkill to the amount of studying you can do.
I LOVE flash cards. They are simple. They force you to remember with your mind and with your fingers. And they can be studied just about anywhere.
Not going to lie, there were many times during this period where I thought, “This is stupid, there is no way I can pass this test” but then I just kept going. Ultimately it dawned on me that people DO pass this test, hence so could I, so I kept going.
During this period I was doing tons of Googling and watching YouTube videos, but also started using the following two resources, heavily: The Reddit CISSP group and Kelly Handerhan on Cybrary, which is free.
As with all things on Reddit, the CISSP group was a mixed bag but ultimately proved to be invaluable. On the positive side it was a great place to get encouragement from fellow future test takers and those who had already taken it, and also a fantastic place to ask specific questions from the very people who could answer them. The only negatives to Reddit were that you get a handful of “haters” who can really discourage you. I guess part of your job is to rise above and ignore those jerks–part of the training, I suppose.
With Kelly Handerhan, the videos I watched appeared to be sort of older and possibly address an earlier version of the CISSP exam, but they were great! This is the thing people get unnecessarily hung up on, just because an instructional series or book is older and may be specifically targeting an earlier version a particular exam doesn’t mean there isn’t great value in the training. Kerberos is still Kerberos (boy that’s a fun one, to be read with dripping sarcasm). Due diligence is due diligence. Non repudiation is still non repudiation. Get my point? Long way of saying all resources are your friend. Use them all!
At this point I became impressed by a concept called The Feynman Technique in which people are quickly able to absorb, understand and retain information about the most complex subjects by “explaining’ the concepts in “simple language.” This was my eureka moment! I decided that I was going to make as many videos explaining CISSP topics as I could, in my own words, as a way to both understand the information but also to explain it so that I could retain it. After all, if I could explain it in my own words then that proved that I had sort of mastered it myself. The bonus was that there was a chance I would help other people to understand the topics. I thought that was pretty cool.
In hindsight I probably should have been more selective about which videos I made because Domain 1 – Security and Risk Management alone is such a beast that I quickly got bogged down in making videos for just that domain’s concepts.
As I progressed I began choosing specific topics that I had trouble with as a way of being more efficient because at this point I had over 70 videos. Some of these included . . .
OSI Model AKA The 7 ridiculously Fun Layers of TCP/IP
RPO vs RTO AKA Who Wouldn’t Want To Know This?
As you can see from the above videos, I was beginning to look awfully grizzled–I had decided not to shave or get a haircut until after the exam, win, lose or draw.
Week 10-12: Mid March – End of March
After having read through Conrad a couple of times I moved over to the official “Sybex” book, (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. I would say this was somewhere in between the Harris and Conrad books in terms of difficulty. This book was to the point, digestible and based on reviews seemed to provide all the knowledge one would need to pass such an exam.
First I read the whole thing, then started reading it from the back, chapter by chapter to reinforce what I had just learned–We always start books at the at front so I figured re-starting the book from the back would give the latter parts of the book more attention.
After completing a chapter, I would then take the official Sybex practice questions that accompanied the book. You can also get the practice banks online by entering a code from your purchase of the book.
At this point I also began religiously studying what is known as the Sunflower PDF. This 37 page document is a must have in terms of assessing your level of expertise on the domains of the CISSP. While compact, it packs a wallop.
I also began doing a question (or two) a day on a very cool series called IT Dojo by Doug Weaver.
I have to say YouTube and a treadmill are perfect study companions. Oxygen flowing to your brain while you are absorbing the topics.
Week 12-14: Early April Through Mid April
The last two weeks my brain was really beginning to fill up. I began to look for every possible resource I could find, particularly test questions.
I bought Transcender Cybrary practice exams and began bashing through them. Even up to the last days before the exam I was getting anywhere from 30% to 90% correct. Hardly conclusive!
I then came across free McGraw Hill Shon Harris CISSP Practice exams and suddenly had the scary epiphany that I was sunk and that I would be failing the test. The questions were so in depth and so hard that I thought “What the heck had I been studying this whole time?” This was very similar to my experience when I was studying for the Security+ when I found a bank of questions on Certmasters that convinced me I had learned nothing from all of my studies because I was getting so many of the questions wrong. As I was to learn at the real exam, this was the exact same feeling I would have there as well so good to get that feeling out of the way. A quick Google search will pull up a lot of debate about whether the Shon Harris Mcgraw Hill questions are worth your time because they are so incredibly difficult. My feeling was embrace every possible resource! You will learn something valuable along the way.
Also nested within the McGraw Hill practice exams, Shon Harris has MP3s that you can download but I only listened to some of them.
I found that most of the free CISSP iOS prep apps sucked but CISSP Pocket Prep was quite good. Maybe the paid apps are better? Who knows?
At this point, I could study no more, I could absorb not much more. It was time to book the exam! I set the date and was now locked and loaded.
During the last week I did a seven day free trial with Cyber Nuggets by Keith Barker I Watched as many as I could within the week. Barker has a very cool style where he literally draws out all the concepts that he teaches.
Night Before The Exam:
The night before the exam I watched Kelly’s Handerhan’s video called Knowing the CISSP Mindset: How to Pass and Larry Greenblatt’s CISSP 2018 Exam Tips both of which were super useful. The gist: Think like a boss! When in doubt, with multiple seemingly correct answers take the answer where you don’t do, instead have someone else do it for you.
I went through a ton of flash cards, re-watched as many Kerberos, ITIL, and COBIT and COSO videos as I could find–My least favorite topics–and burned the ports into my brain. Then I pounded the ISC2 Code of Ethics “Canons” into my cranium, which is highly testable. In fact, that’s the only specific question area I remember, since the rest of the exam was a total blur.
Day of Exam:
When I got to the exam facility I sat in my car and did something that I had read is useful: I scanned through all of my flash cards and read the answers aloud. There is something about doing this so that, when in need, your subconscious may be able to conjure up answers you don’t even know you know, you know?
I told the receptionist that if I passed the exam I would be shaving my beard afterwards. After a quick trip to the bathroom, I came back put my coat, phone and keys in a locker (these are pretty high security exams) took a deep breath and went on in.
Because of the NDA I can’t say much about the actual exam except to say the exam is VERY hard. When people say the author’s of the test are devious, sadistic, torturers of the mind they are NOT lying. I can’t explain how complicated and otherworldly the language they use is and EVERY question seemed to have MULTIPLE correct answers.
The way the CAT (Computer Adaptive Testing) works, at a certain point if it determines you have either passed or failed the test will stop. Mine kept going . . .
About 3/4 of the way through my test I started thinking, great I’ve lost over $700 and I have no idea how to study for this for the next time. It’s that hard! As I continued on feeling more and more demoralized I just kept telling myself “Think Like A Boss” and “Trust Your Gut.”
When the test came to an end the results don’t display on the screen so you have to go up front to the receptionist to get them. I felt like I had been run over by a steamroller and I wanted to crawl into a hole. How could this calamity have happened? I studied for 4 months straight. Did I have it in me to do it again?
When I got up front the woman looked up at me and said, “Do you have a razor?” I was like WHATTTTTTTT? I had passed! I literally did a karate chop in the lobby. I think I actually did several. Jubilation is the best adjective I can think of to describe the feeling.
Me 5 Minutes After Exam:
As you can see I think I had literally broken out in hives. That’s how stressful the experience was. In fact as I write months later I still can summon up the nervous energy that accompanied the exam.
Here is a video I made the day after passing the exam describing my journey and the events of the day before:
My Study Guide:
1) You can do this!
2) Study. Study. Study. Study. Study. Study. Study. Study. Study. Study. Study. Study.
3) You really can do this.
4) Use diverse study methods and sources even if they may be old or not specifically related to the CISSP. They all have value.
5) Many don’t pass the first time. Remember: You are a hero for even attempting it. If you fail, dig deep and do it again.