Throughout my 26-year career, I held three MCSE certifications, the CCNA, two Citrix certifications, two 6Sigma certifications, the PMP, the CSM, Security+, and the CISM, for a grand total of about 27 exams.
I began working toward my CISSP within a few days of completing my CISM. Like nearly everyone, I had been told that the CISSP was a different test. “An inch deep and a mile wide”, accompanied by dissuading statements like “only 20 percent of test takers actually pass”. I’d read stories of people who had taken the test many times and failed. And believe it or not, I had not even gotten beyond reading the Official Study Guide (OSG), let alone sitting for the test, before I had already failed. I say that, because I began studying for the CISSP in March of 2021, by taking a course at one of the major training providers. Yet, I only passed the CISSP exam on August 3rd, 2023. Most of the time in between those two dates, the CISSP had beaten me, because it scared me. Can you believe that? I am a former 9/11 first responder, who ran into the World Trade Center. (Pictured below)
Many called me fearless, and I always responded by saying that I did my job. And there’s your proof. I was afraid of the CISSP exam, and I had failed it every day for roughly two years before I made the humbling realization that my fear of failure was holding me back. I needed to figure out a plan of action to make this exam the mark of success I wanted, rather than the embarrassment it had become. I had often quoted Michael Jordan to others, and it was time for me to pay attention to his advice myself. Michael said: “I’ve missed more than 9,000 shots in my career. I’ve lost almost 300 games. Twenty-six times I’ve been trusted to take the game-winning shot and missed. I’ve failed over and over and over again in my life. And that is why I succeed.” As I got into my study groove, I tried several things, some recommended by others who had passed the exam. Most of those things did not work for me. There is no way to sugar coat it. The OSG and the All-in-One CISSP book (AKA the Shon Harris book) are insanely dull. If you have insomnia, I highly recommend either of them, and I’m not even joking. I offered one to my dad, who was having trouble sleeping. I had a hard time getting it back from him. However, they contain what you need to know. So, here is the study plan that worked for me with the pieces that did not work, taken out. 1. Buy the Official Study Guide (OSG), the All-in-One CISSP (Shon Harris), and the Official Practice Tests (OPT), 500 index cards, some medium sized binder clips, and a few highlighters. 2. Read the OSG SLOWLY. Use your highlighter to distinguish concepts that are new to you, or things you can safely assume will be important to know well. For some concepts, there is an order that you should be familiar with. Your goal here is for you to highlight everything that you will need to read in your second, and perhaps third time reading the OSG. Yes, I’m serious. 3. As you read the OSG, and you come across things you think you need to memorize, break out your index cards and start writing. You don’t need to write things like a question. Your goal is to remember definitions, processes or steps, and details. As I read the book, I did not walk away from reading with the four modes of Triple Des committed to memory. I used index cards for that. The cool thing about the index cards is that you can take them with you to places when you think you’ll have a few minutes of downtime. Repetition is key, and the more times you can run through your cards, the better your retention will be. You don’t have to take all your cards everywhere, every time either. Take a few and flip through them when you have some down time. 4. Re-read the highlighted portions of the OSG. Don’t sweat it. It won’t take this long the second time. 5. The OSG is laid out a little differently than the Shon Harris book. You may need to read multiple chapters in the OSG, whereas the Shon Harris book is one long chapter per domain. As you complete each chapter in the OSG, answer the chapter tests at the end, and use the online tests that come with the book too. If you get an 80 or better on the chapter tests, and you are doing well at remembering everything from your flash cards, move on to the next chapter in the OSG. 6. Once you have completed all the chapters and tests in the OSG for a given domain, move over to the Shon Harris book and read the corresponding chapter for the domain you just completed in the OSG. You will likely find that the Shon Harris book contains more detail than the OSG and you can use this to sharpen what you already know. Keep using your highlighters and index cards. When you get to the end of the chapter, and you’ve flipped through your flashcards enough to feel comfortable with them, take the Shon Harris practice questions in the book, and the ones they offer online with your book purchase. If you get an 80 or better, move on. If you do not, review what you got wrong in the chapters. If you still need clarification, you can do some online research, or ask Luke for help. He is truly an asset; avail yourself of his help. But do not move on until you know the material and why the correct answer is correct. But also, understand why your answer was wrong. Doing so may help you correct something easy, like the way you interpreted what the question was asking. 7. Once you have completed both books and you have gotten 80s on all the chapter tests, and you know your flashcards well, it’s time to see what you’re missing. Open your Official Practice tests, but don’t get ahead of yourself. Before you read the questions and try to answer them, I suggest that you read all the answer options. While it is critical to know the right answer and why it is right, it can also be helpful to understand why an answer is wrong. For example: In the Official Practice Tests, Domain 1, Question 2, the possible answers were “Inherent risk”, “Residual risk”, “Control risk”, “Mitigated risk”. I wanted to ensure that I knew what each was. At this point, it did not matter what the correct answer to the question was. If I knew what each of these options was, I could easily pick the right answer to whatever the question was. Having taken so many exams in my career, I was sure that I would encounter questions on the real test that I had no clue what the right answer was. However, the more things I knew, would make it easier for me to eliminate some possible answers. 8. Next, I went domain by domain, answering each question in the Official Practice Tests. My goal was 85 percent at this phase before moving on. 9. I continued flipping through my flashcards, even though I had done well in memorizing them before moving on to the next domain. This was to keep it fresh. The material is dry and easy to forget. 10. After I finished the OPT book, I felt very confident. By this point, I guess I had answered about 2,500 questions, but I felt like I wanted to do more. I’d read a lot of success stories where people had answered 3000 – 5000 questions. I’d heard of LearnZapp and downloaded it to my phone. The app contains hundreds of questions from each of the 8 domains, as well as full practice tests. I methodically worked my way through all the ~ 2500 questions. Fair warning, I recognized some from the OPT, but it was well worth the $15 monthly price. Each question, when answered, will tell you if you got the question right or wrong, and there is a good explanation that appears at the bottom. When I finished all eight domains, I had gotten an overall average of 83 percent. Still, as I worked through the questions, I used the bookmark feature to revisit the ones I got wrong. You can go to your bookmarked questions at any time. I went to review them and got over 90 percent right, this time, understanding why the correct answer was correct. I took the exam about 2 days after I finished the app’s questions. I did not study the day before, but I did take a bunch of flashcards to the test center that I reviewed in my car prior to going in. These were the last couple of ones that were just tough for me to keep in my memory. Passed the exam at the 125-question mark in about 90 minutes. Last recommendations. It can be hard to retain all this stuff. What are the block sizes and key sizes of AES? Are you serious? And while it is important to take your time going through the material, it is also easy stuff to forget. Make a commitment to trying to get through one domain a week. This means you will have absolutely no life for 8 weeks, including weekends. And whatever time you take to do additional questions will only add to that. But try to maintain a schedule that is as aggressive as you can to help you retain as much as you can. One final word: don't let your fear of failure overpower your desire for success as I did. There are over 159 thousand CISSP holders out there. And the law of averages suggests that you are smarter than, at the very least, some of them. You can do it! Andrew Valcich, CISM, PMP, CSM,