I survived the CISSP and I *miiiiiiight* get a t-shirt?

So, after much rending of garments and gnashing of teeth (e.g., complaining), I passed the CISSP.
Let's talk about that.

TL; DR

My first (terrified yet realistic) thought when I resolved myself to passing the CISSP was 'this is gonna be a lot.'
My second (overconfident and optimistic) thought was 'how bad could it be though, really?'
My first thought after passing the certification for the CISSP (and coming to my senses enough to find the elevator): holy s*%t. That. Was a lot.

So, I was right. Also, I want my victory t-shirt. I'm gonna be mad if there's no victory t-shirt.

(Also also, there's an outside chance that "overconfident optimism" is overrated.)

What is the CISSP?

The CISSP (or "Certified Information Systems Security Professional," if you're not into the whole brevity thing) is a premier IT Security certification. Organized into 8 technical Domains, the CISSP is intended to show that the holder has both practical experience (at least 5 years demonstrated proficency) and the technical understanding (the CISSP exam itself) in the Common Body of Knowledge. The certification is actively developed and maintained by the ISC2, who also vet and approve all CISSP applications.

Why CISSP Now?

I knew even before starting my intense studying that the CISSP was a bear. It is famously 'a mile wide and a foot deep' (yes I know that the phrase really says 'an inch deep' but I feel like that sells the CISSP's technical demands a tad short), and I would have a lot of work to do to prepare. I had 15-odd years of direct and indirect security experience in over half the domains, but that is a lot different than having a thorough mastery of the intricacies of all 8 domains at the tip of my tongue. However, I found myself in a unique situation with significant time to devote to studying, and so I resolved to do it.

(Well, truth be told, there was X amount of whining that went into the planning and resolution phases as well, but I will edit that part out. You know.. for brevity.)

PROLOGUE: Study Materials

So I started out with just the official Study Guide. I thought at first that would be enough. They are incredibly comprehensive, but, to quote a great philosopher, "page turners they were not." I needed to approach the material from a few other angles than just reading.

Official ISC2 Materials

No CISSP study plan is going to be complete without the Official Study Guide and Practice Exams. I was somewhat taken aback by the study guide- the book is 1,117 pages long. 21 chapters, each one between 40 and 100 pages. Each chapter had 20 practice questions after it, a whole subsection of additional questions and labs (kind of short essay questions that help illustrate key points.)

Both the Study Guide and the Official Practice Exams also include an online resource that allows you to take the quizzes, questions, and practice exams online, saving you the degrading necessities of paper and pencil.

Add'l Support - Audio Book

Another resource I used was the audiobook version of “Eleventh Hour CISSP Study Guide,” Third Edition. This was useful as it was much more specific in what it covered. The Official Study Guide is more expansive; this one was to the point. As an audio book it was a tight 10 hours, organized as one chapter per Domain. I listened to this through in its entirety, hitting up some of the Domains more than once.

Add'l Support - Udemy Courses

About halfway through my self-imposed study timeframe, I added some of Thor Pedersen's CISSP courses. He keeps these pretty well updated, which is important, because the CISSP certification exam does change somewhat regularly (more on that point later.)

I added this because there were some domains that were frankly just harder than others for me to lock down and feel confident about. It's always been my philosophy that if your brain gets the same information in three different ways, one of those ways is bound to stick. Having Thor's course available added an audiovisual component that helped me hit some of those more complicated topics from the third angle.

ACT 1: Study Approach - The Fits, and the Starts

Like I said, I started with the Official Study Guide. I read the first chapter and it felt like I had a concussion. Great start. One thing that immediately stood out to me was that ISC2 has their way of describing things. They are usually things that an IT professional will be well familiar with, but the real magic (for lack of a better word) is in describing them in the appropriate vocabulary- i.e., the precise way the ISC2 is looking for. So the first chapter was tough. However, in testing myself with the questions at the end of the chapter I felt hope- I got more right than wrong.

After this each chapter was very similar. I would read it, hope that I comprehended, take the questions at the end, feel marginally better. The trouble was it still didn't feel like any type of uniform knowledge was growing. It felt like a class I didn't like in college where I just studied to pass the quiz. In order to memorize terms and concepts in the right way took a few times through, especially for the Domains that I felt less confident in to begin with.

(YMMV, of course, but it was this very frustration that led me to expand my materials to the audio book and the Udemy course.)

And the practice questions and tests. Those absolutely helped. Like I said, when I bought the study guide it came with online materials. There were 1000 additional questions, organized to drill the various domains, and there were four "complete" practice exams.

Prior to taking the test I completed all 1000 questions, and three out of the four practice exams. And I feel like that was absolutely essential. Take a look at any of the freely available questions around CISSP and you'll see why. The questions very rarely ask you to solve a specific problem. What they ask is, "what's best?" or "what's appropriate?" or "what should you do in this case?" This makes the questions (and the way you have to study for them) kind of holistic.

Say for example that a question is designed to test you on domain six. The question could also incorporate information that you would have (should have) learned from domain two. Having 1000+ practice questions really put you in this "always think about everything at once" mindset.

I won't lie- there were a lot of false starts with this. The material ISC2 draws from to test really is a mile wide. It can at times be overwhelming. At other times you can read a chapter, thinking you understand it, and put it away for the night, only to wake up the next morning and seemingly forget everything you read. It's important to remember that this is what learning is; some things will click immediately while others will need repeating. And repeating. And repeating. And- well, you get the idea.

ACT 2: Scheduling the Test

At a certain point I simply decided that I had to get the exam scheduled. (Well there's an argument to be made that I was- some say encouraged, some say convinced, still others say compelled, to do this. Who's to say really; it was all so very long ago.) So in the course of my studies I had read and/or skimmed most of the Official Guide, listened through the entire audio book, and completed 2 of the 8 domains in the Udemy course. I scheduled the test for 2 weeks later (depending on your location and the time of year this can be kind of challenging- it's not a test that's on the books to schedule for every day), which I picked because it was the last day of the month. Thus I immediately began to panic.

Then I took my first of the 4 Official Practice Tests, and panicked more.

Having the exam scheduled absolutely kicked my efforts into a higher gear. Between the reading, Udemy, and the practice questions, I was regularly doing 4 hours of studying a night. Which sounds like a lot. And perhaps in the end I did over-prepare, but again, that's going to be a personal question. I am glad that I put it on the calendar though, as there is a big difference between the mindset of “I'll take the test when I'm ready,” and “I need to be ready in 2 weeks because that's when the test will happen.”

(Oh, I also told a lot of people about the test date so I wouldn't try to weasel out of it by silently rescheduling.)

ACT 3: The Test Itself

NOTE: I took the exam on May 31st, 2022. In June of 2022, the test changed slightly. The biggest thing that changed was the number of questions increased (along with the time limit). Most of what I say below should still apply to the 'new' 2022 test.

NOTE 2: The test I took was an in-person Pearson exam. I have heard people state that online versions existed (possibly just during COVID) but it wasn't something I saw as an option. In truth I had already resolved to take it in person, so I also didn't look too hard.

So the way the test is scored is aggregate. Each question is worth X number of points, and they add up as you get them right. Get them right, and the next question will be harder (and also worth more points.) Once you have accrued 700 points, the test is over and you pass. As a consequence of this, you can't go back after you hit submit on a question.

I found the test to be very intense. I was absurdly focused on it and moved quickly through the questions. My strategy was to basically trust my first instinct and hit 'submit.' While some questions were very straightforward, "What is the answer to 2 + 2" kinds of things, most were of the more grey area "Caleb wants to protect his home with 1000-folded Nippon steel- but cost is a factor. How should he approach the mall?" kinds of formulations. During the practice exams I found that overthinking these kinds of questions could lead me to think that literally all of the answers were the correct answer.

(I really can't emphasize this enough- it's not the same thing as memorizing the dictionary. If you don't understand- truly understand- what the question is looking for, all four answers can look correct.)

I suspect that I finished faster than normal, in something like an hour 45, completing either 93 or 94 questions. The screen just said “your exam is complete. You can go now” or some such. Then after collecting my things and leaving reception, I was handed a paper, face down, and more or less encouraged to gtfo. It was only in the hallway walking towards the elevators that I actually saw the result. “You have passed” etc. (And of course the paper includes a tiny grainy photo of me that makes me look like a serial killer.)

POST-LOGUE: Final Thoughts

What I Took Away

So having finished it, what am I left with? I was already well-versed in a lot of the stuff- this is why I thought it made so much sense to get a CISSP in the first place. CISSP thinking makes security first and foremost in every aspect of IT. And the process of studying for the exam really flushed out for me ways to think about security in some of the Domains that I was not as strong in. For example, I am not a capital-P Programmer. This process has made me feel more confident to speak more fluently even around things like software development where I am not programmer I might have been overwhelmed. Also, understanding how process and policy connects to actions and deploying security solutions makes a lot of sense. And I mean that in a practical way, not just as answers to a test. (Spoiler alert, there is a LOT of policy and process.)

yeahokayfinethoughBUT- What About The Test Though???

Thinking back on the specifics of the exam, what's funny is I can't really even clearly remember a single specific question. They ask a lot of questions in a short period of time, and you had better know the information cold. As of June, 2022, there will be four hours of testing time, and the test will have 150 questions on it. This adds up to something like 1.2 minutes per question, and some of the questions are multiple sentences and multiple variables that you have to consider. So reading time is a factor too.

So in my opinion it is absolutely essential to understand this material inside and out. At least because if you start having doubts you will slow down you will second-guess yourself and you will make mistakes. During this time of struggle hi had to sync back to the philosophical words of Pete Mitchell, who said don't think just deal. Now that I think about it I'm pretty sure he was plagiarizing Yoda, but that's really where you got a way to get past the if you can't answer these questions basically subconsciously then you're gonna run out of time.

SWAG-LOGUE: What About the T-Shirt??

To be determined. After you pass the exam, you can then apply to be a full member of ISC2. This is the part where they vet your experience and someone who is already a CISSP endorses you. This took a while (note: there's also a yearly maintenance fee and some ongoing learning responsibilities to maintain the active CISSP status.)

Once that was all sorted out, I got my congratulations email, and they said that I would be shipped a 'welcome kit.' So I didn't get a t-shirt yet. BUT- hopefully... soon.