GUEST BLOG: My CISSP Success Story

My CISSP Success Story

By Sean D. Goodwin

Laying the foundation

I have worked very hard for every academic success I have achieved. For some people, excelling at school work and acing exams came easy to them, sometimes with little to no preparation on their part. But, that’s not my story. I am sharing my Certified Information Systems Security Professional (CISSP) success story with you to show that a dedicated drive to achieving your goals can be done.

In addition to all the study and practice I did for the exam, my work experience was a tremendous asset in my preparation. I have been working as an information security consultant for just over four years. That puts me in roughly one hundred different client environments from which I’ve gained experience and knowledge.

In all the different industries and client environments I have worked in, the CISSP is one of the more common certifications for those charged with InfoSec responsibilities. Many times, this is referenced as a rite of passage, or a minimum standard to be obtained to be accepted into these groups of professionals as a valued member. Most of the conversations around certification end with a joke about never again sitting down for six hours, and if CPEs are missed, the individual will not attempt to re-certify. I knew I had a daunting task ahead of me.

Get ready…get set…

I decided in the fall of 2016 that it was time I went after the CISSP. This was around the time of our annual goal-setting process at work, so what better time was there? I was going to be matching up a personal goal with a work goal, which can have a direct financial impact! I knew to put myself in the best position possible, I first needed to identify a training toolset that would fit my learning style. I wanted to immerse myself in exam prep, but I didn’t want to get lost in all the hundreds of third-party study guides available online. I wanted to knock this out of the park on my first attempt, so I opted for study materials in several different formats.

The resources I found most useful were:

  • Official CISSP Study Guide
  • CISSP Practice Tests
  • Official Android App

There were two other resources I tried to use, but ended up ditching them as they didn’t fit my learning style as well as I had hoped:

  • CISSP Podcast – I am a HUGE podcast junkie, and figured a CISSP-Exam based podcast could be a great way to lock in some of the required terminologies while commuting to work. The episodes are based on each chapter’s key vocabulary, and the lack of interaction on my part made this tough to digest. The podcast host also runs a weekly CISSP Exam “Jeopardy!”-style game every Saturday night, which may be a great way to mix up your study schedule.
  • Sybex Online Question Database – This was included in the Official Study Guide, so I wanted to give it a shot. A similar product proved to be the most useful tool in my CISA preparation, so I had high hopes here. I did not have issues with this tool but found myself studying in the parking lot at clients before work or hotel rooms afterward. The hard copy practice tests proved easier to use in both scenarios.

Initially, I was extremely motivated to dive into the textbook and absorb the approximately 1000 pages of content. I started off with the self-assessment test to gauge my level of knowledge before testing and ended up with a 70%!! This gave me a boost of confidence that this goal was going to come sooner than expected. Then life happened. Work project deadlines fast approaching, work travel requirements piling up, and personal events consuming nights and weekends. Suddenly, a few weeks have gone by and the books have gone unread on my desk.

Put up, or Shut up

New Year’s came and went, and I still had not made much of a dent in my study efforts. It occurred to me that there was a reason I was not making progress – I had not made a concrete goal with a specific timeline, which is contrary to the successful S.M.A.R.T goal process of Specific, Measurable, Achievable, Results-focused, and Time-bound. I decided it was time to turn the heat up on myself and book the exam for mid-May. This gave me four months to prepare. Once I had some money on the line, the finish line felt much more real. To further this feeling, I selectively told a few individuals about the exam booking. I informed a select group of co-workers and superiors as a form of motivation. This technique adds personal reputation to the stakes, which can be quite an incentive to do well!

Grinding out the study method

Immediate feedback to testing was the key to my success. As I worked through each chapter of the textbook, I was marking sections to revisit, dog-earing pages, and taking notes. The textbook also included both “Written Labs” and “Review Questions” for each chapter.

After each chapter, I would attempt to answer the “Written Lab” questions first by memory, then by going back to my notes, highlights, and scribbles in the margins of the textbook. Before moving to the next question, I checked my answer against the textbook’s answer. I made notes on my answer with items I missed, or reasons why my answer was not the “most-right” answer. Once I completed the “Written Lab” using my notes and the chapter, I would move on the “Review Questions”. I would work through all twenty questions without using any of the notes or resources used for the “Written Lab”. As soon as I finished the questions, I would use the textbook to grade the answers. The answer bank was a huge resource here, as each answer explains why the other options were wrong. I used this information to directly re-read the question, see why the other options were incorrect, and go back to the specific chapter section as needed.

The grading process for both the “Written Lab” and “Review Question” sections took more time than the act of answering the questions, and this helped me solidify my understanding. Once I felt comfortable with the areas of added focus, I turned to the CISSP Practice Tests and the Official Android App. The CISSP Practice Tests were great for locking in this information. There are extra questions for each Domain, with the same breakdown of the answers. I kept a running list of Chapters and Domains I was struggling with and used both the flashcard and quiz functions of the Official Android App in any downtime I had throughout the day. This became a constant feedback cycle of questions and answers.

A week before the exam I thought I was in decent shape, but still had a few concerns on some of the questions I had gotten wrong regarding the OSI Model and some of the encryption questions. I had drilled these domains through all the materials at my disposal, except for the full-length practice tests. I decided to break the exams down into small chunks to continue working with immediate feedback. I have taken several other lengthy exams, and I saw more value for me in focusing on getting the data right, rather than working on my brain’s endurance. I broke the practice tests into roughly twenty question sets and continued through my practice. This process brought me right through Thursday, two days before the exam. At this point, I have either adequately prepared, or I haven’t either way, I was taking Friday to relax the brain.

Exam Time

I chose the very first test slot available to take the CISSP exam, 8 o’clock in the morning. I arrived at the test center roughly forty-five minutes early and relaxed in my car waiting for the security guard to open the building. “Relax” here is subjective – I was still not very confident in the two areas I mentioned above, and was trying not to focus on the anxiety.

I was distracted from the anxiety going through the exam check-in process – Two forms of ID and a palm scan both at the front door, and again before entering the testing room. Having been the first person there, I was also the first tester to start. The room was comfortable enough, and it was a relief to have one less thing to worry about. The one speed-bump along the way was some noise from other testers typing their respective exams, but the testing center provided earmuffs for just such an issue.

The testing process was straightforward with the computer-based testing (my first exam using this method), and the software made it easy to bookmark questions for later review. Having reviewed a few questions, I was initially unsure of, I finally raised my hand and let the exam proctor know I was complete with my exam, but I was not out of the anxiety woods yet.

The CISSP exam is somewhat unique, in so much as you get an immediate “provisional” result of Pass/Fail. I was pointed back to the front desk where I initially checked in and was told to present my ID and receive my results, if available (exam proctors do not necessarily know what exam you were taking). I had settled into the groove during the exam, but I could feel the stress levels rising as I walked down the hallway to the front desk. After the woman checked my ID and confirmed it matched, she dramatically took the paper from the desk, turned her head away, and turned it over to pass it to me without the results visible. I couldn’t help but laugh at this last spike in my anxiety, thinking she somehow saw my results and didn’t want me to react right in front of her.

The great news is that I passed! This, of course, was the provisional pass, there was still the review of the workstation and audio/video recording to ensure there was no foul play during the exam. The only step left for me was to wait for the official email, which came within a week. From there I needed to request an endorsement from my boss and then I was officially certified as a CISSP!

#CISSP vs. #NOTCISSP

In the recent Twitter chatter, many folks have been weighing in on the true value of the CISSP certification, mainly through the #NOTCISSP posts. While I am proud of the certifications I have obtained, I am also the first person to say any of my certifications make me an expert in anything.

Passing the standardized tests shows that you can learn the required information that has been identified as the “baseline” for the given certification. Obtaining various certifications also indicates that you have invested in yourself, both monetarily, as well as with your time to study for, and pass the exam.

While passing a certification, exam is not a silver bullet to expertise, there is certainly value in preparing for, and obtaining information security certifications. These certifications will need to be supported by real-world experience for the true value to come through.

In conclusion

There has been no substitute for experience. By far, I have learned the most by doing the work, and not just reading about it. It has not been easy, but persistence has been my friend. Not only have I spent over four years working with many different clients and respective industries, but I constantly pushed superiors to assign me more challenging assignments. This exposed me to many of the CISSP Domains through many repetitions in daily tasks and helped build a solid foundation of understanding.

Immediate testing feedback was the second major factor in my success. This style of studying made sure I did not lock in any incorrect answers by letting too much time pass between answering the question and reviewing the correct answers. This process also forced me to go back and review the sections I was struggling with and provided additional context around why my initial answers were incorrect.

If you decide to pursue a CISSP, I hope this blog post is helpful to you. Good luck!

About Sean

Sean D. Goodwin
Sean D. Goodwin

Sean D. Goodwin, CISA, CISSP, QSA, PCIP (@SeanDGoodwin)

Sean is a Senior Consultant in Wolf’s Information Technology (IT) Assurance Services group where he is responsible for coordinating and executing IT audit services for our financial, healthcare, educational and investment planning clients. Sean has over three years of experience in the IT auditing and information security fields, and is a Certified Information Systems Auditor (CISA), Qualified Security Assessor (QSA) of the Payment Card Industry Data Security Standards (PCI-DSS), and Payment Card Industry Professional (PCIP).

Contacting Sean

Twitter
Blog
LinkedIn