Journey to CISSP

Journey to CISSP
Kathy Collins
Author: Kathy Collins
Share:

 

Insights from a Security Consultant on the Rise

My journey to achieve the Certified Information Systems Security Professional (CISSP) certification has been both a marathon and a sprint, wrapped into one intensely rewarding experience. Juggling the demands of a career at a bustling company experiencing its best year ever, navigating living with a teenage daughter, getting married, and just dealing with life in general, carving out time to study proved to be a significant challenge, leading me to reschedule the exam three times. Every time I pushed the exam back, I was forced to gather my thoughts and refocus. It gave me a chance to look at the massive amount of information the exam throws at you from a new perspective, and continue to amass new study materials along the way.

So, is my experience unique?  I really don’t think so. Over the course of a year I fluctuated between intense study sessions and weeks where I didn’t review a thing. I found that using a variety of materials helped, but they are not all created equal. For example, it was disappointing to discover that, despite consistently scoring well on a CISSP prep app I was using and feeling confident about my progress, I then scored terribly on a practice test from the official (ISC)2 guide. This was eye opening and highlighted that, although the app did cover some of the material, its questions weren't structured in a way that aligned with the CISSP exams perspective, which is essentially from a CEO or management viewpoint. Consequently, it became clear that success on the actual exam requires adopting a managerial mindset, something that particular app's questions hadn't prepared me for.

From there on I acknowledged the importance of broadening my strategy. But I also needed to be mindful not to invest time in resources that wouldn't serve my best interests, so I became much more selective in choosing my study materials. Below, I'll outline a rough timeline of my journey from scheduling to test day, detailing the resources I used along the way. Remember, this is merely my personal experience. There's a wealth of study materials available, so I encourage you to explore options that best suit your learning preferences.

January - June 2023

I booked the test date and enrolled in the Professionally Evil CISSP Mentorship Program, which spanned from March 7th to May 9th, setting my exam for mid-June. I felt that adhering to the program's reading schedule and the weekly sessions would adequately prepare me. Truth be told, I had previously sat through the mentorship to gauge whether I was ready to commit to the exam or if it was wise to accumulate more experience first. During that time I was working with the sessions in the background and browsing the book when time allowed, not having fully committed yet. Since I have my Security+ certification and found this content reminiscent of the Sec+, I decided I was up to it. Now, with the exam date locked in, armed with a shiny new version of the (ISC)2 CISSP Official Study Guide, and filled with the fresh enthusiasm of a new student, I was eager to conquer the exam.

While both the book and the mentorship program are both excellent resources, they are most effective when used together. The mentorship program is tailored to complement the book, creating an environment that aims to not only facilitate passing the CISSP but also a deeper understanding of the topics. The program includes weekly discussions led by Secure Ideas CISSP holders, supplemented by student support and communication channels. They are designed to enhance each other's strengths, with the mentorship bringing to life the book's content, which, while incredibly informative, can be quite dense and not the easiest 1100 pages I have ever read. 

June - August 2023

In a past life I was a Chef, so I occasionally find myself voluntold to cater family events. It turns out one such event was planned for the same week as my exam. Despite having read most of the book and attending every mentorship session, a part of me was somewhat relieved to reschedule, as I didn't feel entirely prepared. I love reading for pleasure, but when it comes to learning I benefit more from hands-on experiences and applying concepts practically. There were areas within the domains that I breezed through since they were familiar, but looking back I began to doubt my depth of understanding. It's one thing to navigate through topics with a basic grasp and entirely another to comprehend them to the extent required to apply them effectively and select the best, worst, or most correct responses during the test. The CISSP is not a technical exam so if you go into it with that mindset you may be disappointed in the results.

I rescheduled the exam for August with a sense of relief, but as summer rolled in, my schedule intensified. My daughter was home from school, work was busier than ever, we had our annual all-hands meeting, my teacher fiancé was off for the summer, and I had a major trip planned with my disabled brother. Life, as it tends to do, made it clear that preparing for the exam in August was unrealistic, especially since I had hardly cracked the book, let alone explored additional resources. Optimistically thinking maybe I had become smarter over the last few months, I attempted a few practice tests only to be met with disheartening results.

If you have a copy of the book, visit the Wiley website to tap into the practice exams. You will need to register your book to obtain a pin, which you can then use to set up a new account or add the book into an existing account. Here, you'll unlock access to 1000 practice questions. This enabled me to take 125-question practice exams or create personalized quizzes based on specific chapters of the book. By focusing on chapters 1-4, dedicated to Security and Risk Management, for example, I crafted quizzes aimed at particular domains. This was extremely helpful in refining my understanding and pinpointing which areas needed more focus.

August - December 2023

As you may have guessed, I found myself postponing the exam once more, each reschedule costing me $50. I've managed to delay it until early December now. As I reflect on this, I'm not sure why I thought this was a good idea. For Secure Ideas, the fourth quarter is our peak season. Beyond the hustle and bustle of the holiday season, this is also when clients looking to utilize their security budgets before the year's end are all eager to schedule their tests.

During this period I did come across a few more study aids. I experimented with a variety of practice question apps, and found several I liked. The ones I gravitated to were the most challenging and offered me the best preparation for the exam. As I mentioned before, I encountered one app where I was scoring great but found it to be inconsistent with what I was scoring on more reputable practice tests. I'll refrain from mentioning it here; instead, check out this list of free apps so you can explore and decide for yourself which ones align best with your exam prep needs. Each app is different, and the ones I used are all here, so I encourage you to try them out and find the ones that help you gear up for the exam effectively.

December 2023 - January 2024

As expected, the end of the year turned out to be an impractical time for me to sit for the CISSP exam. With the deadline looming — I had only a year from the initial scheduling date to complete the test — it truly became a now-or-never situation. I rescheduled for one last attempt in late January 2024 and decided to really dig in during the holiday break between Christmas and New Year's since I had some time off. Despite my best intentions, unexpected holiday visitors threw a wrench in my plans — a common occurrence when you live in Florida. This disruption led to my intense study period falling apart, culminating in a costly, impromptu trip to a theme park alongside seemingly the entire population of the state. The experience was incredibly stressful; throughout it all, I was plagued by anxiety, fully aware that I should have been studying instead. I give this approach a 0 out of 5, and do not recommend.

Fortunately, I had set the exam for the very end of January, giving me a bit more time to prepare. With an out-of-state test in the first week of January, I took advantage of the nights in my hotel to study, free from the usual distractions at home. After returning, I dedicated 2-3 hours each evening after work exclusively to studying, only pausing for dinner before diving in. My weekends were also heavily centered around CISSP material. I followed this formula for about three weeks right up until the exam date. During this time, I was using all the study materials I have mentioned thus far, and added two more. Both the CISSP Exam Cram and CISSP Mindmaps became invaluable resources during those last three weeks.  

January 30, 2024

The day of the exam arrived. Surprisingly, I managed to get more sleep the night before than I expected. I did everything I could, and there was no going back. That morning, I watched the videos 50 Practice Questions - Master the CISSP Mindset and The CISSP Mindset about getting into the managerial mindset required for this exam and they were definitely helpful. I've often heard of people dedicating a year or six months to prepare for this exam, and I wished to be among them. True, I scheduled it a year ago and maintained a studying pace, of sorts. However, when someone mentions studying for a year I tend to picture them immersed in the material every single night for an entire year, much like my final three-week push. Yet, I just don't believe that is realistic for most, given all our other responsibilities. In retrospect, I was not disappointed with the way it panned out. Despite rescheduling several times, having a year at my disposal enabled me to explore different study materials and remain motivated by the looming deadlines. I was able to discover what worked best for me and had the flexibility to manage unexpected life events. So many aspects of my job during this time proved beneficial too; whenever I encountered a topic from my studies, I delved deeper into it, reinforcing my understanding of the concepts.

So, what was the outcome? Arriving early at the test center, I brought two forms of identification, underwent a palm scan, stored my belongings in a locker, and braced myself for a 4-hour exam ranging from 125 to 175 questions. A 70% pass rate is mandatory, and if you fail a single one of the 8 domains, you fail the test. For those unfamiliar, this exam uses a computerized adaptive testing (CAT) format. CAT adjusts the difficulty of questions based on the test taker's performance, making each answer crucial for determining the next question's level of difficulty and if it will continue to give you more questions from specific domains.

As the question count neared 125, the minimum cutoff, nerves kicked in. This point could mean either you've crushed it, or you've performed so poorly that improving your score is impossible. I was also becoming distracted by the time. Though 4 hours seems like a lot, I noticed three hours had nearly passed by question 120. I had found myself meticulously reading and rereading each question, pondering over answers, which meant I could not maintain this clip should I need to answer up to 50 more questions.

The exam didn't end at question 125; it continued past 150 and didn't stop until I reached the maximum 175 questions. Then, the screen instructed me to collect my results. I had no idea if I passed or failed. The only consolation was thinking that being asked the maximum questions might indicate I hadn't failed yet, as the CAT system was still seeking to accurately gauge my knowledge level.

I exited the test room and detoured to the restroom instead of heading straight for the results desk. The weight of the exam lifted off my shoulders, yet I was already calculating the soonest I could retake it, considering the mandatory 30-day wait after failure. I headed to the desk to accept my fate. The attendant handed me my results, facedown, with a subdued smile, which in my mind, confirmed she had seen a failure and silently pitied me. Retrieving my belongings from the locker, I finally mustered the courage to look at the paper. I scanned the page for the dreaded FAIL, but the words Congratulations! We are pleased to inform you that you have provisionally passed the Certified Information Systems Security Professional (CISSP) examination leapt out at me. I stood there in a state of shock for a minute and then started to laugh. The ladies behind the counter perked up and smiled and I told them I had assumed I didn’t pass. They claimed they never peek at the results before handing them over. 

Stepping outside, I called my wife with the good news, walking to my car wrapped in a mix of joy and disbelief. This test is no joke, and like so many others I have spoken to who don't feel confident while taking it, passing felt incredibly surreal. All things considered, the experience was not one I regret. If you meet the requirements and are planning to schedule your exam, my best advice is just don't put too much pressure on yourself. Schedule it, reschedule if you need to, and realize you will likely grasp and retain the material more effectively if you approach it as a marathon, not a sprint. Allowing the concepts to gradually sink in and applying them in your workplace whenever possible not only aids in passing the exam but also enhances your skills, enabling you to effectively implement the practices in real-world scenarios, which is what it’s all about.

Join the Professionally Evil newsletter