Updated: Jan 15, 2020
Becoming CISSP certified is something that many security professionals strive to achieve. It is an internationally recognized credential that enables all security professionals around the world to speak the same security language and understand the common fundamental best practices of information security. With an average salary of $100,000 (in large U.S. cities) and a greater demand than supply of qualified security professionals around the world, its a great credential to have no matter what country you are in. Here’s more on my experience in the journey to CISSP.
I decided to take the exam a few weeks before my final dissertation defense in my PhD program, with only about 2 weeks of preparation time. (I thought I’d spice things up and challenge myself a little more lol – you never know your true limits until you push them right?!). Anyway, it helped that I had already worked in the field for a few years and also completed an extensive amount of formal education in the topic.
I did 2 main things to prepare in the 2 weeks leading up to the exam:
Pre-tests: I took a practice test to first understand what kind of shape I was in and which domains I needed to focus more on. I found that similar to my experience, I did well in the security management domain for example, but didn’t do so well in software development where I had absolutely no educational or professional experience. Once I understood my weaknesses, I knew where I needed to work the hardest to ensure I was up to speed.
Training and Prep: Next, I registered for the ISC^2 boot camp, which included 5 days of reviewing a textbook and many examples. While I paid attention to all of the content, I used this opportunity to really focus in on those areas where I knew I needed improvement. Every evening, I spent a few hours rereading the domain content and coming up with systems/analogies to help understand and memorize some of the concepts. One of the biggest lessons that I learned from training was the importance of separating realistic practice from security “best” practice, as recommended by ISC^2. I quickly learned that if I answered the questions according to how we do things at my company or based on my experience, I would fail the exam. I had to separate the two and look for the best practice answer if we worked in a perfect world. This is not to say that your company does not follow best practice, but your companies’ practices may take into account a specific technology and its limitations, the availability of funding, and more. I had to remind myself that the CISSP exam is not based on me or my current environment, but instead aims to teach universally good security.
Most people in the training took the exam on the 6th day. I waited a few days before taking the exam just to let the information soak in and re-review my weak areas twice. I also did more practice exams to make sure I was confident in each and every domain.
On exam day, I did not do any additional cramming or studying. Anytime I study something, I always like to allow a night of sleep for my brain to program and soak in. So, if I didn’t review it the day before, I would not stress myself out with a last-minute cram session the day of. During this time, I was also a full-time senior security analyst. That day, I worked my normal job during the daytime, and then headed to my exam in the evening. I walked in the room, confidently thinking I would breeze through the exam in 3-4 hours, based on how my practice exams went. Ha! I was wrong. I finished with about 54 seconds left on the clock. It’s a 6 hours exam, and I took all of 5 hours and 59 minutes.
One mistake that I did make, was not eating enough prior to the exam. Halfway through, I found my stomach growling, which was a huge distraction. I was able to take a break and snack on pretzels at one point, but would encourage all to make sure you eat enough to sustain yourself for 6 hours beforehand. Or, if you are like me and find it hard to eat leading up to high pressure moments, have some fulfilling snacks available so that hunger is not a distraction during the exam.
After the exam
One great thing about the exam is that you get your results right away, so there is no extended period of nerve-wracking uncertainty. The anxiety I felt when my results were immediately printed off by the test proctor was almost unbearable. I took the folded sheet of paper, got on the elevator, and covered my eyes with my hand while sheepishly unfolding the paper. I squinted towards the results through a small crack between my middle and ring finger, and read “We are pleased to inform you…” and the rest was history. What a rush of relief and happiness I felt in that moment. I celebrated for a few minutes (did a happy dance in the elevator and then called my mom) before bringing myself back to the reality of PhD defense preparation I also had to complete that week. I went home and the real work began!
Taking the CISSP exam is not an easy feat, but it is one that is definitely attainable and well worth it! Good luck to everyone pursuing a career in security and/or planning to take the CISSP exam.
Helpful Free Resource: cybrary.it