The CISSP Crucible

Attribution: https://www.flickr.com/photos/55810025@N06/5205904395/

How I Passed the CISSP in Two Weeks

So it’s been on my mind a while, okay, maybe a long while.

What’s a certification I can take that will provide assurance to my clients and not be a complete waste of time or lock me into a fixed mind set dependent on a single vendor’s solutions?

For about 15 years I got by on charm, but more recently I’m having to sell myself to people I have no opportunity to speak to. Certification — I know that’s the point, previously however I avoided it like one tries to avoid new car clear-coat upsells.

Last year I decided on the CISSP, as the primary focus of my practice is on concepts central to information security such as availability, integrity of data and confidentiality of customer data (and of course, how to find the right balance of dollars and sense). Also I hate handing dollars over to independent organizations slightly less than IT vendors.

So, here’s my “two-week” CISSP pass story:


July 2015

First Study Attempt

I downloaded (eBook) Shon Harris’s last practice exam text and through some particularly annoying spreadsheet acrobatics determined I scored between 45 and 60% on each security domain of the CBK. The fact of me statistically “failing” sections of the CBK I thought I was highly knowledgeable in was more than a bit distressing.

My goal here was to see how much study I would need, and in what areas. Based on the difficulty of the questions I missed I realized mindful study would be a requirement even in domains distinctly covering my primary work focus.

March 15th 2016

Okay, 9 months later and I still haven’t dedicated time to study. The phone never stops, and when it does there’s a mountain of email besides.

I decided what I needed was:

  • Time in isolation.
  • An aggressive deadline to force the isolation bit.
  • Just do it-iveness

Commitment

As a result I booked a bootcamp (8-5P daily classes, and a 2-hour study session afterwards). I also blocked my calendar out and cancelled some engagements (unavoidable to block out time). One week for self-study, and one week for the bootcamp.

I also booked a furnished apartment for the week and flew to DC (not my home market) to force the isolation further.

March 17th 2016

WTF with crappy online training videos?

I wasted a day on ineffective training videos and decided it would have to be texts instead.

March 18th 2017

Study Texts

Okay a book … there’s a lot of books out there. There’s also a lot of people who claim one book is better than another book, or why their book is the best. I know people who own a stack of books and used them all to study. In theory to know this material you’d actually have to read a lot of books, and texts, and standards documents, and cereal boxes.

I used one. And I didn’t fret over which one, I grabbed the study guide published by Sybex but accredited by ISC2.

I know ISC2 has their own materials; while I can’t comment on their content (because I didn’t even bother), I do know as a result of about 5 minutes of googling it’s pretty clear there’s no one out there that thinks it’s any good. My guess would be that the ISC2 published CBK review texts are intended as reference material and are not meant as study material.

One really neat thing about this book is that it includes a couple thousand test questions (and Sybex has a mock CBT test engine you get access to besides).

It was an eBook (so no thickness check) but after a few minutes it became evident that the material was too much to be absorbed in a week and I’d have to triage. The Sybex test engine allowed me to quickly identify how I did in each domain, and from there it informed my reading.

March 19th – 26th 2016

How did I study?

I spent most of this time cramming. At first just during the daytime hours, but it quickly became evident I needed the evening hours too. This was basically 7 days straight with almost nothing going on but study until my brain stopped working each day.

After each chapter I completed the unit tests and for each bumped my scores by 20 points.

A pen and paper — WHAA?

I want to take a moment here to note that I didn’t just read the book. Despite the fact I never took notes in school (I always preferred reading or listening to lectures), and also despite the fact I don’t take paper notes at the office nor do I ever write anything by hand (security issues and all) … I was recently convinced by a Freakonomics podcast that basically everyone learns more writing by hand. While I’m not sure, it’s possible you’d get the same results from a typewriter (jam-free-speed-limit). The key here is to slow down the information processing to a speed which forces you to encode your memories in an easily accessible form. Typing on a computer is just too fast to learn anything completely. Reading is WAY too fast.

Partial Progress

I took about 100 pages of notes in the first half of this book then ran out of time. The printed copy of the book is about 1000 pages of review material … so I guess I put down 1 page of notes for every 5 pages of text.

This on its own may or may not have pushed me into passing except for two things:

  • 20 points only nudged me to the pass-line of 70% (and that only on “fake” test questions, not the real test). Not a convincing pass for dated questions.
  • After a week I had reviewed only half the material.

March 28th – April 1st 2016

Training Options

There are some options out there for intensive in-person training.

You can book a non-accredited course from a non-ISC2 source (I’ve heard mixed reviews, but the same can be said for ISC2-accredited courses).

In the US at least you can also attend an ISC2 accredited course (run by an ISC2 certified trainer) but administered by Training Camp. Additionally you can buy them directly from Training Camp or through ISC2. They’re the same courses, just with different sales agencies. There are two versions; the “Boot Camp” version includes 2 extra study hours per day, a Saturday review immediately prior to the actual test, and it includes the actual test. The non-bootcamp version means you have to book your test separately.

I assume Training Camp pays for the accreditation and ISC2 pays Training Camp to administer the course. I’m not sure who nets who profit on that arrangement — but these courses aren’t cheap and I’ll bet the actual trainer takes home less than half — so probably everyone is taking a hefty wad of bills home except whoever shells out for the course.

The Boot Camp Experience

I booked the boot camp by Training Camp. That’s a 6-day hellish experience (by no fault of Training Camp) which hopefully ends in a passed exam on the last day.

The trainer I had was excellent. Due to the nature of the classroom environment and the format required the time spent in the classroom was not nearly as useful as the independent study time in terms of absorbing hard facts — but it was irreplaceable in honing your soft skills.

If I had to guess I’d say the class was 1/3 test-taking skills (or specifically, CISSP-taking), 1/3 hard facts, and 1/3 conceptual theory.

Lots of people critique “test skills” being part of the training regimen; however, despite the fact we’ve all taken plenty of tests in our lives, surviving a 250 question 6-hour test could possibly qualify as an Olympic contest. I certainly haven’t taken another one of this sort.

The third of the class we spent reviewing hard facts was a waste of time for me. It would have taken weeks or more likely months to review the entire CBK in full in a classroom — so the instructor only reviewed the most important stuff. Of course that was mostly the stuff I already knew from work experience or studied the week before. I’m sure many of the people in the class were thankful for this factual review time.

I had gotten into the habit of taking review questions every night. During my independent study week this was only the topics studied during the day, but during boot-camp week I took practice questions covering the entire CBK every night to watch my scores creep up.

The conceptual review we performed was good stuff. Despite the fact a third of the class was wasted on hard facts, a third on test taking skills … that remaining third conceptual review bumped my practice exam numbers about 15% all by itself. If you subtracted out the lunches and non-theory related material and bundled it into an isolated lecture series it would have fit into 2 days, or maybe a 10-hour video bundle. Why were the videos I tried a couple weeks earlier so horrible?

Sidebars:

  • I wrote another 100 pages of notes over the course of this week, by hand, on paper.
  • I also used the questions from CCCure.org to gauge my preparedness — similar scores to Sybex. The CBT engine is better but in my opinion the questions are not as well balanced as the ones from the Sybex book. These questions are apparently all submitted by the public, and some domains are not very popular.
  • While the value of the extra 2 hours of study each day was debatable, it was worth the cost on its own to ensure the test was scheduled immediately following the course (so everything was fresh).
  • This course, and every other course I’ve heard of, lets you re-take the course if you fail the test. While that may sound like a crappy door prize after a fail, it may be a really great way to learn (bootcamp –> fail-with-score –> study –> bootcamp –> pass).

April 2nd 2016

Test Day

I didn’t study at all the night before the test. Figured an extra evening of cramming would do me zero good at this point and what I really needed was rest. So, Amazon video to the rescue (think it was Better Call Saul S2) and some early sleep.

Early start so I could make the morning study session before the test … but honestly I would have preferred to take the test straight away. Starting the test at 1pm just ensures my natural afternoon zone-out coincides with the test. Coffee helped.

The fact that your brain naturally shuts down about half-way through means you need to know the material cold and your test-taking habits need to be solid — because you aren’t thinking through that second half of the test.

So, how did I do? I finished the test in about 4 hours. Maybe a bit more including two 10-minute breaks or so (but the clock keeps ticking). I did leave the questions I was more unsure on for last, but I didn’t spend any time reviewing questions I already answered. Earlier in the week I determined that second guessing myself resulted in the wrong answer just as often as the right one — so a complete waste of time for me.

“Provisional Pass” first attempt. (I guess they reserve the right to change their mind later if they suspect fraud)

How much did I pass by? I have no idea. ISC2 doesn’t disclose passing scores. I know I wasn’t sure I passed before the score came out of the printer. The test was hard. It was unlike any of the questions I saw from Training Camp, ISC2, Sybex or CCCure.org — and not in an easier way. While all those practice test questions may not have reflected the real test questions, they did ball-park gauge my preparedness — so in that way they were good.

I can’t say any more than that — the entire thing is covered under NDA.

What do I think of the CISSP?

I’ve heard a ton of spiteful people who failed criticize the exam for various reasons. I’ve also heard people who passed claim the exam is full of information that’s entirely irrelevant to their chosen work focus.

While far from perfect, I think the certification’s industry leading placement is well deserved. Both categories of the above criticism fail to see the big picture.

For me, studying for this test forced me to both place my frame of reference in context, and reassess my own “knowledge” of the way things are. What do they say about hammers and nails?

A good half of the CBK was outside my comfort zone, forcing knowledge growth into areas that make me much more well rounded in my assessments of security. It also puts the areas that are well within my comfort zone in perspective when it comes to priorities.

Additionally, there’s tons of “truths” I was forced to unlearn to pass this test — and I’m better for it.

I may pursue the CISSP-ISSAP — when this last round stops hurting.

… I’m still waiting on official certification, and that’s pending endorsement processing …

July Update:

After the prerequisite 6 weeks or so of waiting for CV and endorsement approval I was officially credentialed. CISSP 549598.
