I am happy and relieved to say that I cracked the CISSP on March 18th. I was inspired and motivated by reading how others studied for this exam and the challenges they overcame to do so, and I’m pleased and humbled to add my own story.
First a bit of background: I’m 53 years old and I’ve been in IT for 20 years, first as an IT manager in a small company, then in corporate IT Field Services after my company was acquired. A few years ago I recall my manager saying that IT Governance had been a godsend to corporate IT, as they are one of corporate IT’s biggest customers. After surviving several rounds of downsizing, and seeing diminishing opportunities for advancement within my own group, I decided to retool my skillset and pursue what I hope will be greater opportunities in computer security.
A network meshing project gave me exposure to reading Nessus reports and remediating vulnerabilities. I found the work really interesting so I looked into the CompTIA CySA+ exam. I spent about six months preparing for the test, and I passed the exam in May 2018. Encouraged by this achievement I started thinking that the CISSP was a goal worth attaining, but I was intimidated by the prospect that I could pass a high-level security exam. To help allay my concerns I decided to take the SSCP to get a sense of the (ISC)2 testing experience. There is a lot of overlap between CySA+ and SSCP, so I was able to sit for the SSCP and pass the exam after only three weeks of preparation.
Passing the SSCP made me want to jump right in and prepare for the CISSP, and I set a goal of being ready by the end of 2018. I started by watching Kelly Handerhan’s CISSP Prep videos on Cybrary. I read the Madunix CISSP Process Guide for the overview, and started reading the Sybex 8th edition.
Soon after I found Luke’s SNT site and signed up for a three-month membership. I read through all the stories of how others had prepared for the CISSP, and again the intimidation factor set in. (Full disclosure: I’ve dealt with anxiety and depression most of my adult life and they can have a huge impact on self-worth, getting motivated, staying motivated.) The big takeaway I got from SNT was to think like a manager. I noted that a lot of CISSPs were also PMPs and ITIL certified. ITIL and project management, as they relate to the SDLC, risk management, continuity planning, and change management, are addressed in the CISSP, so I decided to take a step back from CISSP study and focus on getting into a managerial mindset. I emailed Luke that I wanted to suspend my SNT membership, but I would pick it back up again in the future.
I passed the ITILv3 Foundation exam in late September, which reinforced the importance of proper change management and following established processes. I completed Project+ in early November, which boosted my knowledge of the concepts around Agile, Waterfall and various development and review methods. (I opted not to go with PMI exams because I wouldn’t meet the experience requirement and Project+, which is based in part on the PMBOK, has no experience requirement.)
I didn’t study much toward the end of the year, but I made passing the CISSP one of my New Year’s resolutions. I reactivated my SNT membership, dove back into the Sybex study guide and resumed studying in earnest. I read the Sybex guide all the way through and parts of the Shon Harris AIO. Practice questions were from the Sybex study guide and practice tests, the free McGraw-Hill questions, Total Seminars (included with AIO and on Udemy), and Thor Pedersen’s Udemy prep courses. My scores were in the low 70s, though I was doing worse on Luke’s practice questions and the McGraw-Hill questions. I felt like I was plateauing and my confidence was starting to wane, but I really wanted to prove to myself that I could get the CISSP and move into a job that would offer more challenge, greater satisfaction, and more job security.
I started taking Focus Factor to see if that would help with memory and concentration (can’t say for sure if it did), and added CCCure practice questions and Mike Chapple’s CISSP prep courses on Lynda.com to my study materials. Over the span of a few weeks my practice scores gradually rose, so I started looking at available test dates and times. I wasn’t sure if I was ready, but I figured worst case I’d know where to focus my studies for the next attempt. I decided on March 18th, a Monday, so I’d have the weekend before to focus exclusively on preparation.
Setting the date sent my stress and anxiety into overdrive. I studied as much as possible at work (my supervisor knew what I was doing), and at home. I scanned the Telegram feed looking for subjects I hadn’t seen before. I did several hundred practice questions per day, scoring consistently in the low to mid 80s. As St. Patrick’s Day weekend approached I stopped taking practice tests and reviewed my notes and the PDF reviews on SNT (Sunflower, the Memory Palace, and the CISSP Process Guide). I read sections of AIO on the areas I was still shaky on (encryption and hardware concepts like cohesion and coupling), and I re-read tips on the right test mindset.
I had a restless sleep the night before the test, and I started reviewing notes again when I woke up. My nerves were so bad I put the notes away and focused on calming down. I took a Xanax, practiced deep breathing, and headed for the testing center.
After all the anticipation and all the anxiety and insecurity the test itself was almost anticlimactic. The questions were tough but not insurmountable. I was keeping up a good pace, nearing question 100 after about 100 minutes. Once I hit 100 I started wondering when the test would end. As I went past 110 and then 120 my anxiety started rising. After question 130 I felt like the interval between questions was increasing, the test engine toying with whether I was proficient enough then deciding to throw out another question. When question 150 came and went I had no idea if I had passed but I was relieved the test was over and I was looking forward to a break, pass or fail.
I gathered my belongings and proceeded to the front desk, where the sheet was waiting. All I saw was the word Congratulations. Holy crap I passed! I started tearing up and sighed deep sighs of relief. I texted my family and my supervisor that I passed and headed back to work.
Here are my takeaways:
Heed the advice of others who have passed already. The recommended study materials were spot on.
Know what study method works for you. Auditory, visual or reading. Written notes, flashcards or mindmaps. No two minds work alike.
If you see a mnemonic device write it down and see if it works for you. I still use All People Seem to Need Data Processing for the OSI layers from my CCNA prep in 2001. I used DEREKS for asymmetric algorithms and Dr. SHA for hashing algorithms.
Think like a manager. Fix the process and not the problem. Look for the macro fix, not the micro.
Believe in yourself and the greater goal. I don’t want to be just “the IT guy.” My ultimate goal is to be able to say I work in IT security. I may be 53 but I’m not ready to stop learning and taking on new challenges. In a way I’m just getting started.