Let me cut into the chase. I know you have looked at so many resources regarding preparing for CISSP. One thing, I am sure that you have already assumed that CISSP is a difficult exam. Well, you are half right, CISSP is tough but can be very easy to pass. I did it even I had not any strong IT background. However, I succeeded because I am very passionate about Cyber Security and I am a good risk manager.
Before you raise any doubts, I want you to know this when there are different things said about the same subject; it is opinion only, not fact. CISSP exam for any person is a unique experience because it is Computer-Adaptive Test(CAT). Let me share with you one interesting thing about CAT, in the 1950s, some educational psychologists developed a method where they break down the large textbook, into small digestible sections in a logical sequence. Then, they ask the multiple-choice question to confirm students’ understanding. Then, depending upon whether he/she has answered correctly or incorrectly, they either gave him the next segment or branch out to the remedial section. This is the reason some candidates get more cloud-based or other similar nature of questions relating to the single domain before they receive challenges from another domain of CISSP.
Now, that is out of the way, let’s clear some myths first.
1. CISSP is difficult
Understand this, every certification has a certain aim. If you talk about Certified Information System Auditor(CISA), its purpose is to prepare candidates to be good IT auditors. CISSP is to make you a better Risk Manager. This is what it means to have the right mindset. If you go to this exam as a technician rather than a manager, you will fail. Let me, tell you this, before I even enter the exam center I had a gut feeling that I was going to pass. I know how to answer the question. I completed the exam about 90-100 questions with 1.2 hours remaining. This is what mindset is, you exactly know what they expect out of you. Don’t worry, I will give you some tips that will help you out.
2. The question was not from the official study guide.
There is the reason, it is called the official study guide. The exam will test you on the concepts from the study guide. As put by Shon Harris, It is not like that some random guys at ISC2 sat down in a pub and drinking beer and said “Let there be a CISSP”. The study guide includes the minimum concepts that security professionals should master.
3. Should have strong technical knowledge
Yes, it is a technical exam but you don’t need to go into detail. I had some long scenario questions, with a lot of technical mumbo, jumbo, but I never care to review that technical stuff or matter of fact pronounce them. Your role is Risk Manager, analyze cost and benefit and select the solution that gives a high advantage to your organization. That’s It.
I know, some of you are thinking, come on man just give us tips, that magic pill or some formula to succeed. Sadly, there is none, but I will give you something better, something that will channel your preparation effort and time in the right direction.
A. Resources
In the words of Kelly Handerhan, “How much security is enough, just enough”. How many resources are sufficient, just enough to help you understand the theories. Let me list the sources that I have referred.
i. Books:
CISSP official study guide (To know about all the required concepts in CISSP)
AIO, Shon Harris (As a reference book to clarify the concepts in CISSP official study guide)
11th Hour, Eric Conrad. (For Final Review)
Sunflower CISSP study notes
ii. Videos:
Kelly Handerhan CISSP videos(For overview of CISSP)
Larry Greenblatt Record CISSP training videos( Real gold mine!!!)
Thor CISSP videos( Ok, only!!!)
iii. Practice Test:
BOSON CISSP Practice Exam
CISSP official practice test
Now, let me tell you how I have used them. I started with an official study guide to know the concepts. Shon Harris, AIO, helped me to clarify some ideas in the study guide,11th Hour to review them including Sunflower CISSP study notes (not that deeply).
The primary objective of watching videos was to interrelate all these ideas. Thor videos just describe the components. It may be helpful for some people but I didn’t find it very helpful. Kelly Handerhan Videos give you a general overview of CISSP concepts, she also provides some helpful tips. Larry Greenblatt’s videos were very good. He tells how these notions are interrelated. I suggest you go through his videos. His online training recorded videos are 30 hours long, so you need to spare some time for it.
BOSON and CISSP official practice tests are enough but again keep in mind, these questions will not teach you to how to answer, they just help you clarify concepts. I will later tell you how to answer exam questions. This is not that type of exam where you will get better with practice. These kinds of simulation tests will not tell you about time management as your exam may end before the stipulated time. The key here is not to put more focus on a practice test but on the CISSP domain knowledge and its application.
B. About Practice Test
Don’t leave this at the end of preparation. Try to cover all the practice questions of the official test right after you have gone through the official study guide or Shon Harris. The benefit is that it will serve you to understand the subject deeply and also identify your weak domains. After that, go through again study guide and Shon Harris. If you are using BOSON, I suggest you configure BOSON in a such way that you assess yourself domain-wise. This will benefit you to pinpoint what domain or materials that need focus on.
Can you see what are we doing here, with each successive study and review we are narrowing down our scope and concentrating on the domain that warrants our attention? In this way, we are saving our time and effort. There were some candidates who have gone through the books several times but could not grasp the ideas. This happens when you are reading without understanding. Do you want to know when you are ready? You are ready when you look at the keyword for e.g. Parallel Computing and you can tell what is it, where it is used, why to use it when to apply it. In most contexts, how to configure technology is not important as to why and when to use it.
You can also start practice CISSP question by download THIS APP. But let me tell you this, it is not going to be easy.
C. How much to Memorize
The only best method is to burn in your memory is repetition and practical application. Yes, you require to remember a lot, in this test, but if you try to memorize them at once, you will overload your brain. Another question may be what to recollect. Remember, the aim of this certification is to make you a better cybersecurity manager/risk advisor. So, maybe you require to recognize what are types of symmetric encryption. You may need to know about different standards of NIST, what is their purpose but do you don’t need to learn its full text. The wise advice I can give you at the time of memorizing is asking yourself, do I need this to fix some kind of technical issue? Then, it is probably safe to ignore, but if this information helps me to develop some kind of system or risk management process, then yes, you need to memorize it.
D. EXAM!EXAM!EXAM!
There is a saying in Nepal, “ The OX that goes blind in July, will always see green.”. This is important when there 1-2 days left for the exam. I want you to do this, just review your notes, then watch some of these videos;
1. How will you pass CISSP- Kelly Handerhan
2. Best tips to pass CISSP- Larry Greenblat
Don’t read technical stuff just before the exam, because, at the exam, your mind will be auto switched to look for technical solutions when answering the question. This is not the intention of this exam. I want you to think of yourself as Cyber Security Risk Advisor. You should watch these videos at least 2-3 times and let them sink. After that, watch some movies or do something that will relax your nerves. Then, go straight to bed. This will help to condition your brain in thinking that you are a risk advisor. This was my personal experience, so it may work for you as well.
Now, when answering questions, follow this approach. For a one-liner question, read the question first and then look at the answer. Then, re-read the question again. You may want to serve me salad because it’s healthy, but I am asking for a big, juicy steak. Always understand the requirements of the question. I cannot stress this enough.
For a long scenario question, look at the end of the question and be watchful for the words like most likely, which of this, what should, and then look at the answers. It will give you a rough idea, what are the keywords that you should look for. This is true in most scenario questions, the longer the question, the more the first few sentences are a bunch of crap. They are distractions. They may include complex technology terms that you may have never heard before. Most of the time it is safe to ignore them and focus on what key thing the question is asking about. Is it a risk management process, is it asking to develop a security policy? In other words, is the question asking you to think before you act. In that case, thinking always proceeds to do any action.
You may find following video useful, which includes brief overview of all the domains of CISSP from a Cyber Seurity Risk Manager Perspective, that you may find useful at the time of preparing for the CISSP exam.
E. Some Pitfalls/assumption that may you want to avoid:
Some sites may provide you free questions to practice. The questions are overwhelmed with technical details. Then, they offer you to buy some products at a discount. You may jump to purchase them. DON’T DO THAT. You will spend more money to create an unnecessary hassle for you. Don’t get into the hype that CISSP is difficult, it is a tactful exam. You should act in the same way.
Whenever buying videos or doing Bootcamp, look at the instructor, is he/she is or was a lecturer in ISC2? How many years of experience she or he has. Anybody can be a teacher nowadays. Notice at the review of pupils, how many students have passed after taking this course.
There are not any particular websites or YouTube channels that are best for CISSP, there are many. Whenever you want to know more just google it. If you don’t understand, look for other resources. There are so many sites that provide you with useful materials. Always focus on understanding of the key ideas no matter what source it is from.
Don’t be overwhelmed, when somebody says, that they have passed CISSP in 2 weeks, 3 weeks so on. It depends upon the experience of the people. Some individuals are highly experienced in all the CISSP domains, so they may find it easy but some guys like us have to do more effort. Don’t attempt this exam unless you are comfortable. Let it be 2 weeks, 2 months, or 2 years. You are a risk manager, risking money for CISSP without risk management (adequate preparation) is not bravery, it’s plain stupidity.
CISSP is not THE certification in Cyber Security. There will not be employers lining your doorstep to give you a job after you have completed CISSP. It is one of the certifications and there will be a lot when you progress in your career. What I have learned from CISSP, the more you learn more you become respectful about this profession. It’s a jungle out there and the world needs us to make a difference.
So you passed CISSP
After you pass CISSP, well I don’t know, you may have your own plan. But please, after you have passed, either you are religious or not, I don’t care, but before you party with your friends and family, go to shelters or elderly house or temple, and share what you have. Give some money or offer to do voluntary jobs. This is because, when good things are happening, be humble to unfortunate ones. This prevents success to go into your head. Remember is CISSP is not the end but a means to end. Your main is to be the best cybersecurity expert and CISSP is one tool in your arsenal to achieve that goal.
So, to help you in this journey, you can download these apps developed by Siorik Consultancy Team. They like to call themselves Risk Simplifiers, as they manage the overall risk of their client.
1. Sioriks’ Certifications Made Easy App (contains practice exam questions for CISSP and other tons of features)
2. Siorik Study Smart App(contain useful videos, downloadable helpful pdfs, latest new and many more)
Siorik Consultancy also has a team of cybersecurity experts who will help in any cybersecurity issues that you may have, so if you have any, please contact them at risksimplifier@siorik.com.
Also share this article, if you found it useful so that it will be helpful for others. To know about me, please find me at the following LinkedIn profile.
Kiran Kumar Shah
||FCCA||M.A in Economics||DipIFRS||CAMS||CFE||CISA||CISSP||
