Monday 17 September 2012

My CISSP Journey.

On Sunday 16th September 2012 I sat, and passed the CISSP exam.

I won't say this was an entirely pleasant experience, and certainly not something I plan on repeating anytime soon.  For those that maybe don't know, the CISSP is a gold standard professional qualification for security in the business.  It is made up of 10 domains, which together form the 'common body of knowledge'.  An inch deep and a mile wide is the phrase often associated with this qualification.  Not sure I agree; at times it felt like a mile deep and I was standing at the bottom looking at a tiny shard of light.

My journey began in March 2012 when I decided to pursue the qualification, and so ordered what some people review as the holy grail of resources, Shon Harris' All-in-One CISSP Exam Guide (5th edition), commonly known as the AIO.  This is a behemoth of a book!  The instant it arrived I sought out a PDF, which was hooked up to GoodReader (highly recommended app) on my iPad.

Around mid-April I had finished chapter 3, Security Architecture & Design.  A seriously PAINFUL read.  I was ready to quit on more than one occasion.

By this time I had stumbled across plenty of decent online resources: cccure.org, with its excellent test engine (pay up, people) and forums, and a blog by Richard Rieben.  I emailed Richard to say thanks for taking the time to post, and in return he kindly volunteered as a resource if I had any questions.  Which of course I had loads of; I had inadvertently gained a mentor.  And what a valued resource that was!

Richard recommended some other, lighter reading: CISSP Prep Guide: Mastering the 10 Domains.  A pretty old book, but bang on the money as a resource.

I had set myself a target of a summer exam and was also considering taking the (ISC)² seminar along with self learning.  I (somehow) managed to get my employer to commit to paying for the bootcamp at Firebrand.  Listening to the reps, you could just turn up with zero knowledge and 7 days later walk away with a CISSP.  Yeah, maybe, but not me.  I wanted that course to be the icing on the cake and so continued with the self learning.

Skip forward 6 months, a number of freak outs, LOTS of reading (I could easily have put in over 1000 hours!), NIST docs, watching videos, making copious notes, 2000+ questions taken on cccure, and the day of the class had arrived/snuck up on me rather sharpish.

When the chit-chat started it was quickly apparent that I was the guy who had done the most prep; most owned a book but had given up.  I was shocked, but not as much as they were when the class started at 100mph.

I was booked on the Boot Camp: 6 days, with the exam on day 7.  An all-encompassing learning experience which started on the Sunday we arrived.  Dennis Griffin from (ISC)² would be our tutor, and I can still hear his US Southern drawl.  I heard it all through the exam, like a mini Dennis sitting on my shoulder.

When I got the (ISC)² Seminar book I quickly realised that every piece of CISSP material out there, most of which I had consumed, including the Official (ISC)² Guide (OIG), had loads more info than the class, to a much greater depth, and much of that information was out of date.

We stormed through the domains at an average of two a day.  Nothing we tackled was new to me and I started to feel comfortable, maybe too comfortable.  As the test day approached I started to wonder what would happen if I failed.  Where would I go?  How could I improve?  I knew that content inside out.  Shortly after that realisation I started to freak.  Thursday PM I left the class early and just went for a long walk.  I think the whole week was starting to get to me; 14-hour days and reading before and after class was exhausting.

I followed the instructor's and Richard's advice and packed up learning Saturday afternoon.  Went for a walk and had dinner at the local golf club, went back to the room and watched a couple of movies.  I slept surprisingly well considering every other night had been restless.

Sunday, test day.

The class had agreed a 09:00 start.  We were all ready by 08:00 and the guy said we could start if we wanted.  We all did.

The next 5½ hours are a bit of a blur.  We'd been told the average time for the CBT test was 3 hours and the fastest 56 mins!  I already had my test plan: 50 questions, break, pee, drink, start again.  Any question I wasn't 100% on I would flag, note down and come back to.  The first time I looked at the clock 50 questions had taken me over an hour and my review sheet was growing at a horribly fast rate; a 6-question flag run somewhere in the 80s had me on the back foot.

I hit 250 at about 4:45.  Had a break and started to review the 50-60 I had marked.  Some immediately jumped out, the majority not.  By 5:30 I was clock watching and knew that I was mentally breaking, so I just started doing the remaining questions as if it were a practice test.  Maybe that helped with the stress and I hit some correct choices; I actually didn't care by then.

I ended and went through the multiple 'are you sure?' boxes and walked out.  I felt shit; I didn't think I had a pass, but also not a fail.  I was broken.  Nothing came out of the printer.  "Did you press exit?" - bugger.  The proctor went and ended the test, the printer started, paper came out.

Congratulations! I made her read it twice to be sure and then did a little dance, really, I did.

My thoughts

If I were to advise someone who was considering this journey then I would strongly suggest they get hold of a Seminar course book: beg, borrow, buy, steal.  Get that book.  Read it and use it as the template to branch out using other resources, but staying within the confines of the book.  If you can, take the seminar; if you go for a boot camp/fire hose, then do the prep.  Don't turn up and hope to be drip fed.

The exam

The CBT actually worked OK and I think I would have preferred it to a paper test.  Marking questions for review, navigation etc. all works well, and they even provide an on-screen calculator if you need it.  Once you get to the end you are prompted with your marked questions; you can either review them individually or in order, unmarking as you go.

Half way through the exam I actually realised that even if it was an open-book exam it would probably only give you 20-30 questions, max!  The questions are clever and conceptual, wanting you to understand the question and apply knowledge and judgment.  Some questions had the obligatory 4 right answers, but none of them were tricks, no double negatives.  Just a fair few "WTF does that mean!"  In general I didn't have a problem with the way they worked, but did find the majority of the 'scenario' questions rather pointless.  I of course can't give any details, but came up with this analogy.

"You have been hired as a chocolatier for XYZ.  They make dark, milk, white, buttons, bars and eggs.  They have recently acquired a new company who make biscuits, they are moving to a bigger premises and will be recruiting 100 more people in the next 6 months.
The CEO has declared they need to :
  • Increase domestic growth 
  • Move into new markets."
What is the main ingredient in chocolate?
  1. cocoa
  2. milk
  3. sugar
  4. paper
The actual question stands alone, the scenario mostly just kills your time.

What to learn

The Seminar book and everything else has lots of content.  Know this, but, and this is what everyone says, understand it!  (See comments about open book.)

The material I used:
My thanks to Richard and my long suffering girlfriend.  (in that order, she never reads my blog)