Reasons to get (or not get) the CISSP
Getting my CISSP certification has been at the back of my head for the last few years as many consider it the gold standard for information systems security professionals. But no one likes taking tests and I found that I could never motivate myself enough to get it done for several reasons:
- The certification is aimed at manager-level types, and I didn’t see any direct benefit of having it at the engineer level.
- The jobs I had been applying to or the recruiters that reached out to me didn’t seem to care about the certification.
- The thought of reading a self-study book for a couple hours after already spending 8+ hours at work was, let’s say, less than exciting. How about just studying on the weekends? Yeah, not so much.
- What about a bootcamp? I found it funny that people I knew who had no real experience or knowledge of systems security could take a five-day class and pass immediately. It made me question the certification further.
- Nobody likes taking tests! Especially ones at 8AM and six hours long.
Despite all this, I decided that this would be the year I’d make it happen. I figured it’d be worth it mainly because more and more information security jobs are starting to require at least one certification. Any guess as to which is the most popular?
Studying for the exam
So in late January, I cracked open my Shon Harris hand-me-down study guide (5th edition!) and forced myself to get through it. My plan was to just read through the book and take lots of practice exams. A few weeks later, to ensure I took studying seriously, I scheduled my exam for late April. FYI, paying $599 out of your own pocket is a good motivator.
A month into reading I felt like I wasn’t retaining the material well, so I decided to write up summary notes for each chapter as I went along so that I could use them as a condensed study guide. This slowed my reading down significantly as I reread the chapters I had already finished in order to create the summaries. Soon I was afraid that I wasn’t going to finish in time and I started questioning the value of the summaries.
A month and a half before the exam I started reading about other people’s experiences studying and sitting for the exam. Most said that taking as many practice tests as possible was critical to passing. There were also several book suggestions for those that didn’t like the Shon Harris book. One book that came up more often than not was Eric Conrad’s CISSP Study Guide. It’s about half the size of Shon Harris’ encyclopedia and promised to only teach what was absolutely necessary to pass the exam. So upon finishing Shon Harris’ study guide after about two months, I purchased Eric Conrad’s and finished that in about two weeks.
The two books couldn’t be more different in style. Shon Harris’ guide is incredibly detailed and wordy, while Eric Conrad’s uses high-level easy to read summaries. For the purposes of the exam, Eric Conrad’s book is more efficient for those that already have some security experience. It’s written solely to help one pass the exam whereas Shon Harris’ book is better for those that maybe aren’t as experienced. Her guide serves better as reference material for any particular subject that one may want to learn more about.
Given this, I found Shon Harris’ book to be overwhelming in its depth and detail and would many times think “Do I REALLY need to know ALL of this for the exam?” And the answer was, I didn’t. But by reading her book first I was able to learn a LOT about each domain. Then when I moved to Eric Conrad’s book, I was able to narrow down what I should really focus on for the exam. I think it was a good combination and I’d highly recommend reading both for anyone studying on their own.
Regardless of what guides or classes you use, you’ll need to absorb vast amounts of information. You’re almost guaranteed to learn something new given that no one person deals with each domain every single day in their daily work. Given how much material there is, the important thing to remember is to focus on understanding concepts. You only need to understand a little bit about each domain, not highly detailed processes or specifics aside from obvious things like the OSI model — but everyone knows that already, right? 🙂
By the way, I only used the practice quizzes and exams provided by the books. I didn’t purchase any separate exams such as those from the popular cccure.org site. From what I could tell, there is no singular source that offers similar exam questions so I didn’t see a point in purchasing additional practice tests outside the ones that came with my books. I used the practice tests to determine which areas I needed to spend more time studying.
Taking the exam
My exam was scheduled for 8AM Saturday morning. That morning I woke up around 6:30 AM after a lackluster night of sleep. I arrived with plenty of time at the testing site, which had separate waiting and testing rooms. After filling out some paperwork and storing all my personal belongings in a locker (note that no food is allowed), a proctor took me into the testing area and sat me down at one of the cubicles with a computer and a pair of noise-canceling headphones.
Since it was a general testing location, there were several other people taking different exams. There were a few people who were constantly typing on the keyboard for the first couple of hours. Needless to say, it was rather distracting. I tried using the noise canceling headphones but found that I could hear all my own body movements and my ears got hot and eventually started to hurt. So that was the end of them.
My strategy for taking the exam was to do a first pass whereby I would try to answer each question within 60 seconds. If I couldn’t answer a question within that timeframe, I’d mark it and move on to the next. Using this strategy I had probably about 50 or so questions that I had either not answered at all or was unsure of the answer and wanted to review. So on my second pass I went through each of these questions and gave myself a few minutes to answer each before moving on to the next. Eventually after about three and a half hours of doing this, I clicked submit and hoped for the best.
I thought the score would be immediately displayed on the screen once I hit submit but instead I got a message about being able to pick up my score results from the front desk. I felt that I had put in a pretty good effort and knew most of the answers but still wasn’t quite sure if it was enough to pass. When the front desk handed me the official results that said I had passed I was so relieved! All that reading and studying had been worth it!
Getting my CISSP
The final step after passing the exam is getting your experience endorsed by a current CISSP certified member. I asked a former coworker to fill out the endorsement form for me and then submitted a copy of my resume to (ISC)². I had read that the endorsement process could take several weeks but within five days (!) I had received confirmation that I was officially CISSP certified. A month or so afterwards I received a packet from (ISC)² with an official paper certification and a card — you know, in case someone on the street asks me to prove my credentials.
All in all, not the most fun process. Admittedly, I did learn a few things about some of the domains I was unfamiliar with, but I’m glad I don’t have to worry about this exam any longer. I’m not sure how much having the certification means anymore, but it does seem to be one of those “checkboxes” that, for better or for worse, information security professionals must accomplish.
Hope this was informative and good luck!