Passing CISSP

Like college degrees before them, professional certifications seem to be waning in popularity in the cybersecurity industry. Perhaps as a way to mitigate the well-documented workforce shortage, some companies have gradually begun to account for competence and experience, too, rather than onerous credentials alone — and in some cases, base their hiring decisions solely on those criteria. This is a localized phenomenon, though, exclusively limited to the private sector, and even there primarily limited to smaller firms. In the public sector, at many large firms, and particularly at large firms that work with the government, formal credentials such as a degree and professional certifications remain not only an important factor, but in many cases the only factor. This led me to take (ISC)<sup>2</sup>’s Certified Information Systems Security Professional (CISSP) exam earlier this summer. Even as a Cyber Operations Officer, credentials like this one carry great weight. I passed on my first attempt, so in this article I want to share my preparation strategy.

(ISC)<sup>2</sup> does not publish statistics for the CISSP exam, but estimates for candidates passing on their first attempt range between 20% and 60%; I have heard 40% a few times, which seems reasonable. Wherever the true number falls on that spectrum, the bottom line is that this is a tough exam, so do whatever you can to improve your odds of success. This worked for me, and it might work for you, too.

Class

I started my preparation with a two-week-long “review course” that covered roughly one of the eight domains per day. Anyone who has any experience with the CISSP exam will understand that this meant breezing through a lot of material at a very high level. For some perspective, the top CISSP prep book, CISSP All-in-One Exam Guide, Eighth Edition by Shon Harris and Fernando Maymi, clocks in at nearly 1,400 pages; this course required covering more than one hundred pages of material per day for two weeks. Despite its brevity, I found this course helpful because it introduced the core concepts of the exam at a high level and provided access to an expert to whom I could ask questions.

The CISSP “review course”, or “boot camp”, provided a good foundation upon which my self-study would eventually rest. I recommend all CISSP candidates take a course like this if they have the chance.

I scheduled my CISSP exam for approximately two months after the course ended.

Quizzes

As part of the “review course”, I received a 90-day access pass to CCCure. CCCure offers candidates access to realistic questions for a variety of exams, CISSP included. During breaks and after class, I reviewed the day’s material via CCCure until I could consistently finish its 10, 15, and 25 question quizzes at or above 90%.

The CCCure quiz engine helped reinforce the day’s material during the CISSP “review course”, and kept the material fresh in my mind after it finished. I recommend all CISSP candidates find some sort of quiz engine; I used CCCure and found it helpful, but others prefer different ones.

Books

More than classes, hands-on “practical exercises”, or any other form of instruction, I prefer to learn from books. I used three books to prepare for my CISSP exam:

I read CISSP for Dummies and Eleventh Hour CISSP cover-to-cover once each. I made liberal use of my highlighter in both books; after each chapter, each of which corresponded to a single domain, I also ran through a few CCCure quizzes to make sure I understood the material. I also used the practice tests in each book.

Although I planned to, I did not read CISSP All-in-One Exam Guide. Instead, when I needed help in a particular area, I looked to that book for clarity.

These books further reinforced the lessons from the CISSP “review course” and expanded on many of those areas. I think each of these books was fine, but I was not thrilled with any of them. I think CISSP for Dummies and Eleventh Hour CISSP both cover the material at too high a level to be the CISSP book, but CISSP All-in-One Exam Guide sits at the other end of the spectrum: it covers the material at too low a level to be the CISSP book. Still, I recommend all CISSP candidates find some sort of book to aid in their study, and these three were pretty good.

Preparation

Roughly speaking, my preparation strategy looked like this:

I found concentrated bursts followed by breaks helpful in actually understanding the material. Although study over such a long period made some retention difficult, I think the tradeoff in true understanding versus retention of superficial facts ultimately helped me pass the test on my first attempt. I also know people who passed their test around week three or four, though, so choose the approach that suits you best.

Other Tips

More so than anything else, I think immersion in the information security field played the biggest role in passing the CISSP exam on my first attempt. If you work in another industry and want to use this certification to break into this field, I think you will have a significantly harder time than someone who already works in information security. This should not discourage you from trying, but it should encourage you to alter your plan of attack. For those outside the information security field in particular, I recommend pursuing beginner-level certifications first. CompTIA’s A+, SEC+, and NET+ will help introduce many of the concepts necessary to succeed on this exam. I would not consider them a prerequisite for taking CISSP, but they would not hurt.

The CISSP exam is a tough exam. This worked for me, though, and helped me pass it on my first attempt; it might work for you, too.