Greetings! Back at the blog now that my workload is reduced a good bit. That is fortunately primarily due to passing CISSP and putting the books back up on my shelf. I hope this article can provide some context into the exam for other people who are considering taking it or are already studying. I had a great experience–albeit exhausting–working through the material and testing. What an incredibly difficult exam, but damn if it doesn’t feel rewarding. It absolutely feels like a massive career milestone!!
Background and Experience
While still quite green relative to most who hold this certification, I do have a bit of relative background. I started back in high school as a certified technician, at a Staples in Danvers, Massachusetts. This position was split between sales and technical responsibilities, but a good portion of my job involved malware eradication on laptops, and installing security products. Following a year as a technician, I left Staples and started working as an IT specialist in a formal IT department, with full-time work coming in at just under two years. After I left school I’d go work the afternoon/evening shift for 8 hours doing general ticket resolution and network remediation/ security work. Towards the end of this position, I supported network security objectives and web-application fault management/improvement. I then left that company a month after graduating high school to leave for Air Force basic training. I now lead a team of four security analysts supporting the intelligence mission at Goodfellow AFB, Texas. My total experience at this point is just about 5 years of full-time work and a year of part-time.
In the certification department, I’ve held Security+ for two years now, and passed ICND1 before they recently retired the multi-test CCNA. I was about to take ICND2 at a centralized offsite in Afghanistan but was tasked to go somewhere else and then sent home, so it never happened–I actually still have the exam credit on my Pearson account. Regardless of certification, I think this has helped me considerably, as the networking context has been critical to understanding network topologies.
Finally, I will complete a dual major bachelor’s degree in April of this year (2020) in Cybersecurity (focus: vulnerability management, accreditation: NSA-CAECDE), and Management Studies (focus: cyber warfare). I still consider myself to be very green but feel a real passion for this work. I find that when I get off work, more often than not I have a tendency to go do technical projects (hack the box, home lab, random code projects).
A Plan for Slaying the Beast
1.5 Months, $183 in Resources, Heavy Caffeination, Light Sleep
- [$37] Sybex Official 8th Ed.
- [$27] Official Practice Tests 2nd Ed.
- [free but need account] Kelly H’s Video Series (Cybrary)
- [$20] 11th Hour CISSP
- [$99] Boson Practice Tests–750q, 5 preset exams
- [the low low price of free] Sunflower Review PDF (old version)
- [$$$ priceless $$$] Coffee and Time
I studied pretty religiously for about a month and a half. While full-time, I’d leave work and study until I went to bed, on a cycle–rinse and repeat for about a month including schoolwork, and then about two weeks exclusively CISSP study. This might be unrealistic for some, but I don’t have a family where I’m stationed and work has been fortunately manageable going into the holidays, so I was able to put myself through it without too much heartache (minus the alleged heart damage due to excessive caffeination). The above resources are exactly what I used to prepare, but I will note that the older Sunflower summary PDF was not used and is only included for those interested in additional cram notes. Also, I used Kelly Handerhan’s Cybrary lecture series before they introduced labs.
If you now go through Kelly’s series on Cybrary, I believe you earn 15 CPEs and there are also some labs you can do. This is all free, no need to pay for anything on that site. The majority of my timesink was in the Official 8th Edition Sybex book. That monster is 900 pages of fine text and graphics plus 20 official practice questions per chapter, but I think it’s an important study objective and I know it contributed significantly to my pass. I was using a black pen to take notes as I went through, and wouldn’t recommend highlighting unless that’s your thing, simply due to the volume. Someone on Reddit said they went through five highlighters in that book alone. I was working through Kelly’s videos alongside the respective domains as I read through the book. I finished all that roughly the first week of December, which is when I completed my last bachelor’s classes of the year and was able to devote two weeks entirely to CISSP study before taking the test.
The last phase of study–which I’ll call the assessment portion, primarily purposed at darkening the grey areas–was mostly practice questions and review from the 11th Hour book (which is about 200 pages for all 8 domains). This was the most significant contributor to my success. I had done the 20 questions at the end of each Sybex 8e chapter as I was going through, but now I was working out of the official practice questions book. The strategy was to time a test as I did 20 of the questions from each domain (for a total of 160 per test/sitting). I kept track of these and the Boson results (as that gives domain-specific feedback as well) in an Excel document with averages so I knew what domains were my weak knowledge areas. After each exam, I’d re-read the sections of the 11th Hour book for the questions I missed. This was the last two or three weeks leading up to my exam day. The last week, I completed the last four official exams in the official practice tests book (which are all 125 questions, timed) and reviewed the Sunflower PDF. I was getting between low 70’s and low 80’s on both the Boson and official practice tests during the last week, and averaging between 30 and 40 seconds per question. I’d ultimately pass at 100 questions, but if we averaged out the time per question, I’d be close to going over max time if I went all the way out to 150.
Finally, test day! I got some good sleep and had to drive about an hour and a half to the test center as I’m located in a pretty remote area, so I left early and sat at a Starbucks once I got to the city to cram off of the Sunflower PDF for an hour before my test window. I don’t think this did much other than psychological reinforcement and de-stress though; it’s quite a broad test as you all know. When I started, my heart was pumping a bit and nerves were high–the first 20-30 questions felt like a different world. I managed to read through them and figure out most (the advisor’s perspective [Kelly H.] was critical), but it was a mental kick in the gnats right off the bat. I’m a relatively nervous person so I was concerned at that point, but pushed forward and ultimately passed at the minimum number of possible questions. As soon as I passed question 75 I felt better about my odds (since you can get stopped and fail at 75), but I still felt that they were taking me all the way to 150 and was starting to worry about going over the time limit. I was pretty shocked when it stopped me at 100 questions, but ultimately I think that the CAT format really messed with my head.
What a great experience! The CISSP has always been a significant career goal for me, so to conquer it at this point in my career feels phenomenal. I think that you have to respect the beast, but ultimately if you put in the work–while the test will still be a considerable challenge–anyone can pass it. Hopefully this helps someone out, and I’m always an email away!!