In this post, I am going to share my personal experience to obtain the CISSP certification. CISSP is one of the most renowned certifications for the information security career and it is said that it is very hard to earn. Earlier this year (2020), I decided to give CISSP a try and in the following lines, I describe each step of my journey which includes my background, study strategy, exam experience, the endorsement process, analysis of the material I used, my certification numbers, final notes, and the mind map I created as part of my study strategy. Hope you enjoy this reading and that this post may help someone to grab this certification too.
I am a Brazillian bachelor of computer science living in Brazil, working in IT since 2007. Started working in the IT support area, moved to governance, then moved to another company to work in IT infrastructure, focused on Unix and Windows servers. Until here I had ITIL, COBIT, and ISFS certifications.
Since 2013, I have been working in the information security area for an energy utility. For 4 years I have worked in security and risk governance and security auditing then moved to lead the security operations team, which is my current position. Since this company provided me no help for certifications (and they do not care about it), I stayed away from certifications. Later in 2019, the company gave me training and a voucher to take CompTIA's Security+ exam, which I enrolled in and got the certification in ~1.5 months. This gave me confidence (and the will) to take other certifications.
Coming back from vacations, due to the remote work, I decided to take another certification, and I chose CISSP because it is widely accepted as one of the best certifications on security, and the price fitted my personal budget --my employer would not pay for that.
Due to Covid-19, I decided to extend my preparation time span, because Belo Horizonte locked down in March and obviously, the exam center was closed, so I would study less per day for more days until the lockdown had finished. I decided to take the CISSP later in March 2020 and after collecting some material, started studying by April. Finally, I decided to use the Pomodoro Technique to study because I wanted to make sure I would always be focused on while studying without any distractions.
The review for all material is in the next sessions (including the links), but my strategy was:
Basically, my studying consisted of a lot of reading, taking notes, and exercising, because it is the best way for me to really understand the concepts. Since I studied so little per day, I also had the opportunity to think about all the concepts I had learned each day, which also helped me really understand all of the topics.
I was reviewing the material for the last three weeks before the exam and felt very confident. Since I had so much time to prepare, I used some time to get me set for the exam day, separating the necessary IDs, reading the NDA, selecting some snacks to take to the exam (eventually I could feel hungry), and also taking a backup mask.
One day before, I went walking to the test center (2 Km away from my house) to map the route, and to minimize the anxiety. I also watched the WYWP for the last time and avoided studying. Spent the day listening to music, watching TV series, and eating healthy meals. My strategy was to save the more energy I could to spend it during the exam.
On the day of the exam, I woke up early and completed my morning routine, including taking a shower and stretching my neck and my back to be physically well prepared. My exam was scheduled for 9:30' AM, but I left my house around 8:20' AM. Usually, I walk very fast, but on this day I was walking slowly. Despite leaving my house so early, I was feeling very calm and confident.
I was allowed to enter the test center exactly 30 minutes before the scheduled time and followed the usual ritual: some signatures, photos, water, bathroom, and kept my stuff in the closet. Finally, I was ready for the exam. Sat down in the position indicated by the test administrator (TA) and started passing the CISSP!
Around question 20, the internet connection was lost and my station froze, so I lost a few precious minutes. After asking TA for help, it was solved and I continued, but around question 30 the system got unresponsible again, and this time the TA explained about the internet connection and put me in another station. Despite the exam time being stopped each time, I noticed I had lost a couple of minutes on each freeze --guess it is the time between the connection interruption and the remote system noticing the issue. After ~10 minutes, the connection was re-established and I started from the point where I had stopped, but around question 50 the system froze another time and I lost more minutes and concentration.
At this point, while the TA was trying to get the system running, I closed my eyes and used some meditation techniques, like focusing on breathing and avoid thinking about the problem. It helped me a lot, so I stayed calm and focused. When I got back to the game, I noticed I lost ~10 minutes in the exam (total for all of the three freezes), plus the time I needed to get fully concentrated again. I started thinking about asking for cancellation, but I decided on another approach: I had to be strong, use all the things I learned and answer fast because, in the worst scenario, there would have 150 questions!
From question 50 to question 90 fortunately the connection stabilized and I was 120% concentrated, answering really fast, without overthinking. At this point, the questions were pretty easy and by question 95 I was pretty certain I had passed. I was so sure, I was thinking even in check any answer until question 100 to finish the exam ASAP --of course, I dropped this idea and kept solving the questions appropriately.
The exam finished at the question 100, so I went to the TA, filled a few forms, more signatures, bathroom, took my stuff, and only then I received the final print stating: "Congratulations! We are pleased to inform you that you have provisionally passed the Certified Information Systems Security Professional (CISSP) examination."
It worth saying that I followed the tip of reading each question and each choice at least two times, especially those that looked too obvious. Another thing to have in mind is that you will not get all questions right, so assume that some questions can be wrong and avoid wasting time. I remember that in two questions they were asking for things I had never heard about, thus for both of them, I chose not to waste time, guessed any answer based on intuition, and moved on. Of course, if you repeat this behavior for too many questions, it indicates that you need to study more and the chances of failing are higher, but it is OK to not knowing a couple of questions. Do not overthink the questions!
Approximately 30 hours after finishing the exam I received the famous endorsement email. The first thing I did was to be certain that my personal information was OK in the (ISC)2 portal, and it was not (my name was wrong), so I emailed them asking for a correction. At the same time, I contacted a pal who was already CISSP and he said he would endorse me.
Two days after the first contact, I discovered that I had duplicate accounts, so both should be merged. In the end, it took ~3 weeks to merge both accounts, fix my name, and fix a problem when submitting the last form. After that, my endorser approved my request in ~24 hours and I finally received an email telling me to wait 4-6 weeks for the endorsement to be reviewed. Fortunately, it took only one week and I received an email to pay the annual membership fee, which I paid immediately.
After that, I finally received an email from (ISC)2 congratulating me for becoming a Certified Information Systems Security Professional (CISSP)!
During my preparation, I felt difficult to know if I was already prepared for the exam or not. Since most of the exercises are not equal to the real exam, they cannot be considered as a good metric. This way, like a good computer scientist, I measured some numbers from my preparation, especially the exercise scores and anyone could use them to benchmark their level of preparation.
** considering only the first try.
CISSP is such a MONSTER of certification. There are A LOT of things to learn and most of them require a good level of understanding, so you must dig each one to learn everything that is required to pass the exam. I had been working in the security information area for seven years when I started my studies and was surprised by how many topics I wasn't aware of. But the major gain for me was to really understand how each term I had contact in all of those years was related to each other and better understand how they fit in the whole set which we call "security".
In my opinion, having the courage and trusting in yourself is as important as studying all the terms and concepts in the CBK. You must understand that despite this being a tough exam, it is not impossible. If you roll up your sleeves, study hard, and be confident, you can do it. My final tip is to enjoy the study process and have fun. Take your time: focus on really understanding everything this exam is proposing for you. Face CISSP as a marathon, not as a sprint-race, so studying every day even for a few hours is better than study a few days for 20, 22 hours. Breath! Trust yourself! Relax! You can do it!
As pointed out, I created a mind map to help me in my studies and after passing the exam, I decided it could be useful to more people. This way, I am releasing it in the links below.
I called it Sunfish because the final mind map plotted as a fishbone resembles an Ocean Sunfish skeleton.
Here are the three flavors of this mind map: