Another look on tech

My thoughts on tech.

My CISSP journey

22 May 2016

In this post I’m writing about my CISSP journey. For those who aren’t aware of what CISSP stands for, it’s (probably) the most respected security certification. It’s part of the (ISC)2 portfolio and you can find more information here.

My journey started in November 2015, when I asked myself “What about now?”. Back then I had some career considerations, and floating in the back of my head was the idea of continuing to build a solid software development career, but what was the next step? Until then I had done the typical technical certifications, without a major challenge. The first step was to research the market, forming my opinion about the next move. During the research, the (ISC)2 certifications always popped up, and I decided to give it a go, pursuing the CISSP certification.

Moving on to the next round of research, I started to collect information about similar experiences in order to start the exam preparation. Among them I can point out the Facebook group CISSP Exam Preparation - Study Notes and Theory as the main source, due to its social nature. I found interesting testimonials that helped me gauge the CISSP level of difficulty. Plus, during a business trip to Paris to prepare a product presentation with a partner, I had an amazing talk with a security expert about the pros and cons of CISSP. Having the opportunity to ask all the questions that had been floating in my mind gave me clarity on the right path.

When I returned to Dublin, I had a great conversation with my wife. I explained the nature of the exam, the time that would be consumed during the process, and the moments that we would need to give up in order to achieve the goal. As always, she supported my decision, and her effort was the biggest contribution towards the certification. I can’t express my gratitude for all the support that I received!

The first (real) step to crack the exam was to draw the “My CISSP” project plan. I laid down hard figures about the time it would take me to study and be ready. My assumptions were:

  • Study every weekday and 1 day over the weekend
  • The study periods should never be less than 1 hour nor longer than 3 hours
  • Read at least 2 good books

Based on these assumptions I estimated that I would be ready in 3 months. To commit myself to it, I scheduled the exam for the 16th of August 2016. It was late April and, between then and the exam date, I would have my summer holidays and I was leading a team in charge of delivering a mission-critical component for our company product. I added some time for it, knowing that there might be periods when I would be so busy managing the release of a new component that I couldn’t also focus on the CISSP exam.

During my research, 3 books stood out from the crowd:

  • CISSP Study Guide
  • CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide
  • CISSP All-in-One Exam Guide

From this list I chose CISSP Study Guide and CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide because:

  • In 2015 (ISC)2 changed the CISSP CBK domains from 10 to 8 and updated the contents, e.g., including topics about DevOps and Cloud Computing
  • The contents of each book needed to be updated to match the updated CBK. Due to the unfortunate passing of Shon Harris, the CISSP All-in-One Exam Guide was out of date (although, at the time I’m writing this blog post, a new edition is on the market)
  • From my analysis, I didn’t like the writing style of the CISSP All-in-One Exam Guide
  • CISSP Study Guide summarizes the CISSP CBK domains in a helpful way
  • CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide goes one step further: it has a logical chapter separation, repeats concepts throughout the chapters in order to reinforce them, and has the perfect amount of information on each CISSP domain topic

The second step was to design the study strategy for the chosen resources. I chose to build a mind map and start with the CISSP Study Guide book, since it has a good summary of the CISSP CBK; then move to the CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide to get a comprehensive understanding of all the concept details. As the saying goes, “Dot the i’s and cross the t’s”! The final piece in my master plan was to do as many practice exams/questions as possible in the last 2 weeks before the exam date. Back then the source of the questions was unclear to me, but the front runners were Skillset and CCure. I left this decision until closer to the big date.

I ordered the CISSP Study Guide, started studying in early May 2016 and began building my mind map (I used the SimpleMind Android app to build it). At the same time I started to use the Official (ISC)2 CISSP Android app, in order to test my knowledge across the domains during my commute. I found it useful, testing my knowledge with the domain flashcards and questions. Back to the first book: it really paid off as a first resource. Concise, well written, with lots of diagrams to illustrate the concepts/use cases, giving the core information. After it I moved on to the CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide in early July. The book is more detailed than CISSP Study Guide, and I found it the best complement that I could get. It is well written as well; it has fewer diagrams compared to CISSP Study Guide, but compensates with a huge amount of detail. From the 2 books I’ve answered all the chapter questions, following the tips from the authors to try to get a mark of 80% or higher in order to be prepared for the exam. My lowest mark was 75% in 2 of the 8 domains, and that pointed out my weakest domains of knowledge.

We all know that time flies. I found myself in early August 2016 and I had only read the first chapters of the second book! Plus I’d just returned from my holidays, and I was catching up with the latest company developments (we all know how hard it is to get back from vacation). I was not prepared for the exam, and I knew that I would fail! So I decided to postpone the exam date to the 13th of September 2016, giving myself an extra month to prepare. I finished the book 2 weeks before the exam date and started the final preparation stage. I started with the research for the best suited exam questions to push my preparation. After a trial run, the choice fell on the Skillset website. To warm up I just used the CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide online exams (it offers 4 training exams with the full 250 questions) and flagged the weakest domains (again) from the failed questions. During the first week and a half I did 3 exams and revisited the contents where I felt that I would fail. The clock was ticking and I was 5 days from the exam date. I had the Skillset account and 1 last training exam to do. I just dived into the Skillset questions, testing my knowledge across the domains, gauging my skills. Doing it this way, I just polished the outstanding concepts, and left the last training exam for the last day. Doing it as a rehearsal I got a good mark, and it took me less than 4 hours to do the first round and review the exam. Not bad at all!

The last piece of the master plan was to get the right strategy for the exam. The exam has 250 questions and we have 6 hours to complete it. It seems a lot of time, but on average we only get 90 seconds per question. That doesn’t leave room for blackouts… My plan was:

  • Take regular breaks, ideally every 45/60 minutes
  • Eat even if I wasn’t hungry. That would keep the energy levels up, avoiding hunger distractions
  • Be prepared to do a first round of questions, marking the questions whose answer didn’t pop into my head for a second review, to avoid wasting time
  • Keep calm, and write down the progress on paper (number of expected questions and the expected time to do them vs number of actually answered questions and the time used)

It sounded like a reasonable plan, and I felt prepared to do it. The 13th of September 2016 arrived, and my exam was scheduled for 9.30AM at the New Horizons facilities. I had a good breakfast and prepared a few snacks for the upcoming challenge: light sandwiches, Red Bull, a chocolate bar and peanut snacks. In addition to that, New Horizons provided fruit, cookies, water, tea and coffee. It was just enough for what I needed. I arrived at the test centre and went through the usual security process in order to start the exam. After the procedures were done, I walked into the testing room and sat down at my workstation. The final step of the challenge had just begun! A spike of adrenaline rushed through my body; I took a deep breath and started to read the exam instructions. That was the moment to relax and get into it!

I went along with my plan. I answered the questions whose answer popped into my head, didn’t waste time with more complicated questions, and marked some questions when I was not sure about the right answer. I took the breaks that I had planned, ate and drank during those regular breaks and kept the focus. At one stage of the exam my mind started to drift away (it is not easy to keep the focus for more than 2 hours), and I took a longer break to refocus. The exam started with some odd questions, and I just marked them down, thought WTF?! and moved on. Then I had some no-brainer questions that gave me the right level of confidence, and I did the first round over the exam in 2:15 hours. Not bad: around 70% of the exam was done in less than 3 hours, 2 breaks done and anxiety under control! I took a longer break, and prepared myself for the second round of the exam. I kept the strategy and finished the review after around 2:30 hours (4:45 hours in total). I just decided to commit the exam; there was no point in having a brain meltdown, however I was not 100% sure that I would pass due to the exam difficulty. But wait, I had just spent 4 months preparing, studied 2 books, answered more than 3000 questions, and I was having second thoughts? Naaa, it can’t be! I submitted it and left the room… Once I arrived at the clerk’s desk, she just said: “Congratulations, you passed the exam!”. The final spike just went down my spine. The task was done! Happy days, all the hard work paid off. A sense of fulfilment just filled my mind.

The next day I received the e-mail with the result confirmation and the invitation to start the endorsement process. At the moment I’m writing this post I have submitted my career evidence, and I’m waiting for the endorsement process to finish. From now on a new challenge begins: maintaining the certification in good standing.

As a summary of this long post, my advice is:

  • Analyse if CISSP is the right career path
  • Be prepared for a tough challenge
  • Invest your personal time to prepare for it, and be ready to give up some quality time
  • Get good resources
  • Have a study strategy, measure the progress during that time in order to fill the gaps
  • Do a lot of questions near the exam due date
  • Revisit the weakest domains/topics to reinforce the concepts
  • Have an exam strategy, avoiding pitfalls
  • Do not stress during the exam. Keep it together!
  • READ all the questions properly; the devil is in the details. Some of the questions are tricky, so pay attention to vital keywords