I passed the CISSP exam on 11/17 and I figured while it was fresh I’d record a few observations about the studying/testing process.
Why the CISSP
I am applying for a few jobs that either strongly encourage or specifically require the CISSP, so that’s one reason. The other is more complex. Over the 18 years I’ve been in IT and working with security, I’ve read a lot and taught myself a lot. It’s been a great ride and there’s no substitute for learning the fundamentals and practicing them day in and day out. With that said, for every given concept I’ve got 10 different names and a number of conflicting best practices to go along with them. I wanted a standard dictionary, not necessarily to always follow, but at least to be able to reference it. I wanted to have roughly the same vocabulary as someone who didn’t take the same path I did, and the CISSP provided that standardized platform.
Book vs. CBT
I chose to buy the paper version of the Official Study Guide from Wiley/Sybex on a recommendation from a friend who is also studying for the exam. I knew it was going to be a lot of memorization, and at 1000 pages of material it was going to take me a while. It’s the first standardized test I’d taken in over 8 years, so I also knew it was going to require focus and self-discipline. So I bought the book so that I could get away from the computer, the iPad, the TV, and pretty much every other source of distraction.
I looked into a test prep course, but given I’m footing the bill myself I didn’t have $3500 to throw at a weeklong class. With that said, the guide does come with online access to flash cards and practice exams, which I’ll touch on later.
I started studying on 10/12 and scheduled my exam for 11/17, which gave me 36 days of prep. With 21 chapters to cover, that worked out to one chapter a day plus a self-quiz. The quiz at the end of each chapter not only reinforces the material, it also gets you ready for the specific syntax and nuances of the exam questions. More than a few times I would find myself arguing with the book over how one answer COULD BE more correct and how I’d run across specific situations that ran contrary to their BEST answer. I got that out of my system long before the exam, and learned to turn off that part of my brain and focus on ISC2’s way of thinking. That was an invaluable skill I learned in studying for the MCSE, and it paid off with the CISSP exam as well.
There were days where everything clicked and I found myself nodding along with the reading perfectly. There were other days where I was either tired, stressed, or just couldn’t lock in on the material and retain anything. Initially 36 prep days sounded like it was going to be fairly easy, but the pacing ended up pretty close. I finished the reading with about 5 days to go and began taking the sample tests. This was much less than ideal, but it worked out for me, albeit I was feeling a lot of pressure for those 5 days. If you can pace yourself to 50% reading time and 50% exam prep, that’s where you want to be.
Pre-Assessment and Sample Tests
The book comes with a pre-assessment test which is 40 questions (actual exam is 250) and covers a good deal of the material. I took it prior to reading any of the book and got an 80%. I knew that 70% was a minimum passing grade, and that didn’t give me a ton of comfort, but at the very least I knew my work experience had contributed to a good deal of the material that was going to be covered. My goal was to hit somewhere between 90-95% on the practice exams after studying and reviewing the material. (Spoiler: I did not hit my goal.)
Each practice exam is 250 questions, and Wiley/Sybex provide 4 practice exams on their site. I was somewhere in the neighborhood of 30 seconds per question on average, which meant each practice test took just over 2 hours of focus time. The actual exam took me roughly 3.5 hours.
The wording of the questions on the practice exams was incredibly frustrating. There were times when I stood up and paced, got angry with the test designers, and cursed the entire certification as useless. To make matters worse, once you submitted a question you could not return to it (you can go back and forth in the actual exam). While that was harsh, it did force me to focus and didn’t allow me to glean hints from later questions. With that said, I would have preferred if the practice tests more accurately simulated the actual exam experience.
During one practice exam my Comcast connection dropped about 1.5 hours in. I lost that session and could not return to it upon logging back in. From then on I copied and pasted the URL into a text file and found it had a session ID token in it, and I used that to get back to the exam if it timed out.
Upon finishing the practice exam, you are given a correct/wrong rating and an overall percentage. You can go back and review either all answers or you can click on individual question numbers, but there is no function to review all incorrect answers or review all marked questions. In short, they didn’t spend a lot of coding time on the practice exams. I learned to just be grateful they came with the book and take them for what they were.
I developed my own marking/scoring method which helped me a bit, but your mileage may vary. I used the “mark this question” option to mark the ones I had to make semi-blind guesses at. If I got those wrong, I tabulated those as “wrong guess” and then marked which chapter they came from. I also counted the unmarked wrong answers as “confident wrong” and noted whether I missed a nuance of the question or disagreed with what was correct. I spent a lot of time retraining my brain to those, and coming up with a dialogue or a pretend situation where their answer would be true. More than a few times on the actual exam I recalled those simulations, so I like that strategy for the “confident wrongs.” I really would have appreciated if Sybex had referenced the chapter/page where a given question came from, but for $40 I guess you get what you get.
My overall practice test scores were 78%, 79%, 82%, and 80%. I fell very short of my target of 90-95% and did not have a lot of confidence going into the actual exam. I considered rescheduling, but there were a few job interviews pending where I needed to provide proof that I’d passed, so I went for it.
I took the exam at the Pearson Vue center in downtown Chicago, right by Union Station. The test was at 8am, and I planned on getting there by 7am. I needed to take my passport and driver’s license, and I also brought along my CISSP book, a few snack bars, and a bottle of water. No Apple Watches allowed, so I swapped in an old wristwatch so I could keep track of time.
I spent the hour on the train reading the Exam Essentials at the end of each chapter, and reviewed a few of my mnemonics. OSI Model: All Presidents Since Truman Never Did Pot. Got the jitters, got over them, focused on what needed to be done. Got to Union Station and had a quick breakfast sandwich and a large coffee.
Upon getting to the exam center a few things became clear. One thing was that I wasn’t going to be able to take anything in with me to the exam. No passport, no wallet, no watch, no sweatshirt, no snacks, no water, no nothing. I’d anticipated some of this, but I really wasn’t keen on leaving the passport in a locker. The thought of no snacks for 6 hours also made me think I was going to be hurting at hour 4. I figured if I started to get light-headed I’d see if I could talk them into it, but I turned out not to need it.
Another oddity was probably due to my lack of having done this for many years. I’d assumed because the scheduling was spaced weeks apart that everyone taking the CISSP was going to show up at the same time and we’d all start the exam together, old-school classroom style. That was dumb. I was in a room with doctors and nurses in scrubs taking toxicology tests, EMT tests, and all sorts of other exams. I don’t think there were any CISSP exam takers in my room at all. Also, the test started whenever I was ready, so I started at 7:30 and didn’t have to wait until 8am.
I took the exam and got through about 120 of the 250 questions before taking a quick break. I walked away just to clear my head as I could tell I was starting to get a little fuzzy from decision fatigue and stress, so I grabbed some water and paced a bit just to get my blood moving again. Then I went back in and got to about 230, took another quick bio break and finished up the exam. I was able to go back and read over all of my answers, and I changed 2 or 3 answers from the first half, the rest I left alone. First hunch is usually correct.
I knew there were 25 experimental questions that didn’t count and didn’t have to relate to the current material, and I knew I’d seen a few of those that came out of left field. I also knew I needed a 180/225 to pass, and that some questions would be weighted higher than others due to difficulty. I’d marked the questions I’d thrown a semi-blind guess at, and counted those. 30. Ugh… 30? I went through those again and left almost all of them alone. Resisted the urge to throw up or cry, stifled thoughts of good job opportunities disappearing. Deep cleansing breath, click submit.
I didn’t have a lot of confidence I’d passed, but I hit submit a bunch of times and called the proctor. Saw that message saying “congratulations, you’ve completed the exam” and laughed at how sadistically that was worded. No muppet arms yet. She submitted the exam with me and I took the long walk to the printer. I passed. No score given as per the rules, so I have no idea how close I was. Big sigh. Done.
Post Exam Low
I’d read on CCCure.org that a lot of people feel fairly depressed after taking the CISSP exam, regardless of pass or fail status. I definitely felt this, even while I read over the congratulation letter. I wondered why I wasn’t grinning from ear to ear. More than anything I think it has to do with the placement of the experimental questions in the material. As a psychology student from way back when, I get why they need to sprinkle those into the live material as a blind to the test subjects, but it still hurts. They want us to try as hard at those as they do at all of the legitimate questions, but mentally the pressure of not knowing which questions truly count was significant. I felt dumb after taking the test, even after knowing I’d passed.
If you’re low after the exam, the only advice I have is this: It’s not a measure of what you’re worth or your intelligence. It’s an estimation of your comprehension and retention of those particular study materials, and your ability to adapt your thinking to their particular perspective. I have years of successes in InfoSec and I still felt really dumb after that exam. Don’t fall prey to doubt.
Important Note: After You Pass, HIC SVNT DRACONES
Because the CISSP is necessary for a few of the jobs I’m applying for, I felt the urge to immediately update my resume and LinkedIn profile. Claiming the credential before it’s been awarded to you is fraudulent. There’s no accepted lingo you can put in writing for “I passed the CISSP exam, awaiting full certification,” so just don’t. If you want to verbally tell your prospective employer that you’ve passed the exam and you’ll have the cert soon, that seems to be acceptable as far as I can tell. Everything else that you’d want to put in writing seems to be forbidden. Resist temptation.