Everyone has heard the stories of how tough the Certified Information Systems Security Professional (CISSP) examination is. It’s been described as taxing, mind-blowing and hard to pass. In fact, in many tech circles, it is known as the exam where 50% of the applicants do not pass it on the first try. It is for this reason that this test strikes fear in the hearts of future security professionals looking to climb this mountain. I will confess, it took me more than 8 years to get over my anxiety and attempt this feat, but 2020 was going to be my year.
I can’t tell you how many times this certification was on my New Year’s Resolution list, and each year it would be transferred to the next. So what changed? Honestly, I can’t pinpoint the single event, but if I had to put my finger on it, I think the current pandemic put things into perspective for me.
With the economy in shambles in early March and the number of job losses in a single quarter, I knew I needed to figure out what I was passionate about and, probably more importantly, a contingency plan in the event things get worse. No one likes to think that their job may be at risk, but the reality is no matter how stable a company is, there is always a chance you could be promoted to customer. I’m of the firm belief that there is no greater conqueror of anxiety than a sense of purpose, and the CISSP was mine.
Now, I will be the first to admit that there is no one panacea for studying for this test. I hope this is not a shocker to you; it is the honest truth. Effectively studying for this test requires an approach of understanding the security principles and not just memorization of acronyms, ports and 800-series frameworks. As I stated in my previous blog post, 5 Steps to Pass The Comptia Security+ Exam, you have to be honest with yourself, determine where you are weak in your knowledge base and constantly focus on ways to improve.
So how did I study for the CISSP? I used a layered approach that primarily focused on Video Lectures, Forums and Practice Tests. Below I will list the resources and tactics I used up until the day of the exam.
My first stop was Cybrary.it, taking Kelly Handerhan’s class entitled Certified Information Systems Security Professional (CISSP). The course itself is a little over 19 hours and includes a lab to go over the Business Continuity Planning objectives. If you are a paid subscriber to Cybrary, it will also come with access to a practice exam through one of their vendors as well as access to their Slacker channel. I cannot express how invaluable the latter was for me.
The Slacker channel gives you access to other CISSP professionals, appropriately titled mentors. They are very responsive and helpful in answering any questions you may have, even if you get the information from an outside vendor.
Once I finished her course and uploaded the CEU credits towards my Sec+, I did my first practice test to help measure my strengths and weaknesses. I learned that Cryptography and the Software Development Life Cycle (SDLC) were not my strongest areas. Afterwards, I supplemented her lectures with a few YouTube ones.
I think people take for granted how useful YouTube really is. For my next study approach, I watched Sagar Bansal’s free CISSP Master Class. The video itself is nearly 10 hours long, so I broke it into 2-hour blocks at a playback speed of 1.5x.
The one thing that I appreciate most about the way Sagar approaches the CISSP explanations is that he gives great analogies and tips on how to remember things. For instance, Fire Extinguisher classes are important to know, especially in a Data Center environment. He stated the easiest way to remember is Class A stands for Ashes (i.e. paper, wood products), B – Liquids, C – for Computers (i.e. Electrical equipment) and D – for gases. It was simple and effective.
After each 2-hour block, I would do a quick 60 question practice exam on Cybrary. It is always important to gauge your understanding and progress.
Another great resource I found on YouTube was the CISSP Practice Question of the Day by IT Dojo. Colin Weaver gives 2 questions per video on the various domain topics with some solid explanations on why the answer is correct or incorrect.
As I stated before, I used one of Cybrary’s vendors to take my initial practice exams, but I wasn’t satisfied with the way the information was presented. There would often be questions with 8 answer choices, almost never a single correct answer option, and some questionable phraseology. I realized I wasn’t learning with this approach and often would get frustrated.
It was at this point that I needed to pivot. I picked up the Official ISC2 CISSP Practice Tests (Second Edition) on Amazon. I’m going to put this in bold because I cannot stress this enough: THIS BOOK IS NOT OPTIONAL; IT SHOULD BE CONSIDERED MANDATORY FOR YOUR STUDIES. The secret to this book is not the material within it, but the online practice exam that you have access to. Once you register and gain access, you can shelve this book.
This practice exam was everything for me. It gave the option to test by domain or simulate an actual exam. You could also set the number of questions, and it tracks cumulatively the number of questions you got correct across the total test bank. It also allowed you to focus on the domains that you were weak on.
When I got an answer wrong, the test gave a detailed explanation of why it was wrong as well as the correct answer. Immediately, I documented this and used it as part of my studying. I improved my knowledge of Cryptography and SDLC tremendously with this approach. I tested myself 3 times a day, 5 days a week. Once I achieved a consistent 70% overall, it was time to schedule my exam.
Originally, I planned on taking this test in May 2020, but with everything going on with the pandemic, it was clear that August would be a more appropriate timeframe for me. I also knew that if I didn’t schedule my exam on the date that I wanted to, I would continuously push back the date as I had for the last 8 years. As I stated in a previous blog post on scheduling exams, “Procrastination is the killer of all progress.”
My best advice: don’t delay. Once you have a consistent passing score, it is time to schedule the exam on the ISC2 website. I am of the firm belief that when you are up against a timeline that has consequences, you tend to do better and retain more. It’s not about getting 95% or more. It’s just about understanding and passing.
Once I scheduled my exam, I started to keep track of my scores on a spreadsheet. My scores are a combination of the Cybrary Practice Exam and the ISC2 Official Practice Exam. I would keep track of the highest daily score. I feel that having a visual representation of your progress is a good measure of your overall progress.
Here is what mine looked like. It was obvious that I had struggles, especially when it came to the Cybrary exams, but when I switched over to the Official Practice Exam, I tended to rank higher. I also did better on 150-question vs. 60-question sets.
Many have asked for a copy of this spreadsheet, so I will make it available free to all community members of this blog. Use the banner to the right to gain access if you are not a member. Speaking of the blog….
Truth be told, I set this blog up for the sole purpose of helping others and myself while I was studying for this exam. I felt that if I blogged (and in many cases vlogged) about what I have learned, it would help me retain the information and at the same time provide insight to those aspiring to do the same. I truly believe that knowledge should be shared and collaboration should be had without an ulterior motive. Call me old school.
In the end, I feel like blogging has helped keep me honest. At times I wanted to skip blogging because I felt like I had nothing to share but as I have posted, people have consumed the content which has helped keep me motivated. I’m hoping that it has the same impact for you.
On August 15, 2020, I successfully passed my CISSP exam. This was my first attempt and words could not describe how happy I felt in that moment. All of the anxiety and pressure went away immediately after reading my letter of confirmation. Although I cannot disclose details on the test itself, I will say that I probably would not have passed this test had I not used this approach for studying.
I’m eternally grateful to those who have provided their time and efforts, like Kelly Handerhan, Sagar Bansal, Colin Weaver, Mike Chapple and more. Being a fellow content creator myself, I know that it is not easy to put that material together and know whether it has an impact on others’ lives. Well, I’m a testament that it has.
Later in the week, I will post a second set of resources, including contact information. I hope you found this information useful, and please let me know when you pass the exam and whether any of this information was useful to you.
For over 20 years, I have had the distinct opportunity to work in the Information Technology space under a variety of distinct roles.
My unique position has helped me become a risk management maven for Fortune 500 and Small Business Companies around the world. For the last 12 years, I have assisted Small Business Owners and Insurance Agencies in understanding the impacts of Cyber Incident exposures and what steps to take to help mitigate potential data breaches.
My desire to expand my reach related to cyber security has led me to establish the Sage Knows IT blog as a way to help Small Business Owners and aspiring Information Technology (I.T.) Professionals better understand the road-maps of I.T. through the experiences I have had.
Information Technology and Information Security are the future of our world, and I hope this blog will inspire those who are interested in joining our ever-evolving field.