How I Became a CISSP – A Journey to Certification

Image

On September 26, 2016, I received my final notice of my Certified Information Systems Security Professional (CISSP^®) designation. My path to certification really began in 1996 when I first stepped into the computer world, but my decision to pursue certification began with a conversation that took place at NolaCon in 2015. I was chatting with a colleague there. He encouraged me to look into the certification process. In early 2016, another colleague at a different event mentioned the certification, as well. He was affiliated with the local (ISC)² chapter and encouraged me to obtain the designation. I investigated the requirements and found them fairly straightforward. I made up my mind to dive in and start the process. The basic requirements are as follows:

1. Obtain or have 5 years’ cumulative full-time work experience in two or more of the 8 domains listed in the (ISC)² CISSP CBK. There are waivers for having a 4-year degree (or regional equivalent) or additional credentials from an (ISC)² approved list.
2. Schedule the exam through Pearson Vue. The exam fee at the time of this post was $599.00 USD.
3. Pass the exam with a scaled score of 700 or greater.
4. Complete the endorsement process by subscribing to the (ISC)² Code of Ethics and submitting the endorsement form (which is completed by an active (ISC)² member). You must become certified within nine months of the date of your exam or you will be required to retake the exam.
5. Maintain your CISSP by paying the annual maintenance fee, abiding by the (ISC)² Code of Ethics and obtaining 40 CPEs per year.

Seems pretty simple, right? Guess again. The little detail mentioned in step 3 – passing the exam with a scaled score of 700 or higher – that is the kicker. The test consists of 250 multiple choice and drag-and-drop questions. Unlike other certification tests, the vast majority of the questions are not simple fact regurgitation. You cannot memorize a bunch of facts and have any hope of passing this exam. There are some questions that are simple facts, but they're very few in number. Most questions require that you understand processes and be able to think through scenarios in order to arrive at the best answer.

If your background is mostly technical, you will have to re-train yourself to think like a manager. Quick fix options like “close firewall port x” are not the type of answers that will be considered acceptable. There are eight domains from which questions can be asked, and many of those domains have overlapping content. From discussions with others who have taken the exam, I've learned that each exam is weighted toward one domain or another, so don’t expect an even distribution of questions from the eight domains, either. You must master all of them and be able to reason why one answer is better than another. In addition to the questions pulled from the (ISC)² CISSP CBK, there are evaluation questions mixed in.

You will not know which ones they are except for the obvious content that is pulled from left field. Good news is those questions don’t count for or against your score. According to (ISC)², all questions are pulled from information discussed in the (ISC)² CISSP CBK. There are some questions on my exam that contained terminology that I had not studied previously. So, bottom line – if you think you can get a question dump, review the answers and expect to pass the exam, you might as well save your time and money and not take it. Chances are slim that you will pass. I know people who have studied very hard for the exam and failed it more than once.

In addition, releasing exam questions clearly violates the (ISC)² Code of Ethics and those doing so, if certified, are on shaky ground ethically. Here’s how I prepared for the exam. First, I purchased the Official (ISC)²® Guide to the CISSP® CBK®, Fourth Edition (CBK), the Official (ISC)² CISSP Study Guide and the Official (ISC)² CISSP Practice Tests. You can find them for reasonable prices. I chose to read the entire CBK cover to cover. I did not read it in great detail, and I glossed over the sections that were repetitive. Keep in mind, the CBK is boring, disorganized, often repetitive, and at times contradictory. It is a great in-depth reference and covers most of the material, but it is an aggregation of work by multiple authors and therefore has no consistent style or format. One author might do a poor job of explaining a topic only to have another author explain things in a manner that you understand clearly later in the volume.

At the same time, I followed what I was reading with an online course from Cybrary.it. The course follows the book fairly well and helps sort out the wheat from the chaff. I reviewed that entire course multiple times. I also followed along in the study guide, covering the same topics as the CBK and Cybrary course. This approach gave me triple exposure to topics and explanations from multiple perspectives. I was also fortunate enough to be able to attend a 4-day CISSP boot camp. I attended one put on by Parameter Security at NolaCon. The course was taught by Dave Chronister and really served as a great review and confidence builder for me. Once I completed the mentioned book study, I scheduled my exam. Scheduling the exam gave me a clear timeframe for final review. My review for the last couple of weeks before the exam consisted of watching Hacker Jeopardy at DEF CON, one of The State of Security's top 11 conferences in information security.

Hacker Jeopardy fortuitously had a category entitled “Are You Smarter Than a CISSP?” I followed up my BSides Las Vegas / DEF CON trip with a concentrated two weeks of practice questions. The study guide comes with on-line access to a bank of over 1,000 practice questions presented in a format that closely follows what you will experience on exam day. I strongly suggest doing marathons. Do several 250-question runs and finish with a non-stop run of all questions. If you are scoring in the 90% range, you are on target. Anything less, make sure you stop, review what you are missing, and test again. In addition to the on-line study guide questions, I did all the questions in the practice test book and took both full practice exams on consecutive days.

When test day came, I felt confident that I had developed the test-taking endurance necessary to complete the exam. The day before the exam, I did not study. I simply prepared a plan for taking the exam and got a good night’s rest. In my case, I had to drive about 75 miles to the testing center. I arrived in time to have a substantial breakfast before the exam. You can take breaks during the exam but the break time counts toward the 6 hours you have to complete the exam. I brought several protein bars to the testing facility, but I ended up not taking any breaks. You might as well leave everything but your ID and snacks in your car. Everything, including watches and jewelry, must be stored in a locker.

You can take nothing into the test with you. The testing center provided a dry erase board, and there was a calculator built into the testing computer. I started my exam just after 8:00 am. My strategy was to answer every question on the first pass. Any question that I was not 100% sure of the answer, I flagged for later review and made a note on my board. I did not do an initial “brain dump” on the white board, as I really felt like I knew the majority of the material well and was not in the least bit panicked about forgetting a formula or other fact. I was able to get completely through all 250 questions in about 3 hours. The questions were much more difficult than any of the study questions I had encountered.

After the initial pass, I reviewed each flagged question. I DID NOT change any of the answers unless I was able to completely convince myself that another answer was the better choice. I ended up changing about 30% of the flagged questions. Sometimes, later questions answered some of the flagged ones or simply jogged my memory in a manner that gave me an “ah ha” moment. After reviewing the flagged answers, I did one last quick pass to make sure I hadn’t neglected to answer any questions and clicked the “Complete Exam” button. I recall feeling very unsure of my answers as I progressed through the exam. My confidence level was not at all close to what it was when I was completing the practice exams. I was worried that I might not pass. In spite of that feeling of dread, I methodically continued through the questions, applying my strategy as I went. In the end, my focus paid dividends. I exited the exam room, checked out and was handed my results.

I had conditionally passed! Great relief! I did not know my score, as you only receive a score if you fail. Now all I had to do was complete the endorsement form and wait. I submitted the requirements within a couple of days of passing the exam. Once the endorsement form was completed, I received a notice from (ISC)² that it would take up to six weeks to process and receive final acceptance. In reality, it only took about three weeks to get my final notice and access to the Members Only portion of the (ISC)² site. Once you are approved, you can get some pretty significant discounts on material for other certifications, as well as access to quite a number of other interesting material. 

Now that I am officially certified, I need to make it a habit of recording any and all opportunities for CPE credit in the member portal. Remember, you need to get 40 CPEs each year to maintain certification, that is, unless you are into taking this exam again in 3 years. Feel free to hit me up with any questions you might have, and good luck in your certification pursuits.  

About the Author:

Jim Nitterauer, CISSP is currently a Senior Security Specialist at AppRiver, LLC. His team is responsible for global network deployments and manages the SecureSurf global DNS infrastructure and SecureTide global SPAM & Virus filtering infrastructure as well as all internal applications and helps manage security operations for the entire company. He is also well-versed in ethical hacking and penetration testing techniques and has been involved in technology for more than 20 years.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire. Save