Recently, I completed my journey to acquire the Certified Information Systems Security Professional (CISSP) certification. The CISSP is generally regarded as one of the de facto standards for security professionals and is frequently used as a screening requirement for moving up to more senior information security positions. Requiring at least five years (four years if you meet the waiver requirements) of security work experience, the CISSP is not for rookies. It truly is a test of your accumulated security knowledge and experience.
For those of you pursuing your CISSP in the near future, I would like to offer up my tips for getting the most out of studying (and passing) your CISSP:
#1 Study schedule
Plan out a study schedule (and stick to it) - there are ten security domains that need to be covered so you need to pace yourself and leave enough time to absorb the material. I laid out a five-month schedule (leaving two-three weeks to study each domain). This allowed me to slowly absorb the material without overwhelming myself. I stayed away from marathon study sessions, opting for daily 30 minute chunks instead. Smaller regular reinforcement is better than infrequent, larger last minute cram sessions.
#2 Four-hour exam
Take no more than four hours to complete the exam - you have up to six hours to finish the exam but if it takes you more than four hours you definitely do not fully know your stuff. Save yourself from the additional agony of the final two hours. Cut your losses and find out which areas require additional studying (this is included on a printout if you do not pass the exam.)
#3 The endorsement processAfter successfully passing the exam, you technically are not certified until you are endorsed by another CISSP (who is in good standing). The endorser verifies your security work experience and submits the endorsement application on your behalf. If you do not know another CISSP the (ISC)2 — the governing body for CISSP — will assess your experience. Once the endorsement process is completed (around five weeks or so), your certification will become official.
#4 Computer based test (CBT)Unlike previous years, the CISSP test is computer-based (not the manual scan-tron method). This way you will know if you pass or fail immediately upon completion. CBT may take some getting used to (it's quite different than the old pencil and paper). The trick is to read the questions and answers carefully. The discrepancy between the potential answers is razor thin so focus on choosing the best answer.
#5 Practice, practice, practice
You're probably scoffing and wondering "how in the name of Gerald Rudolph Ford do I select the best answer?" Unfortunately, there is no easy way of explaining how to choose the best answer. My advice? Do as many practice questions and simulated exams as you can. Study the wording of questions as they often provide hints and clues. You have to answer 250 multiple choice questions, so be sure to work your mental endurance up to the state where you can answer all those questions in one sitting.
#6 Take down notes
We all learn and study in different ways, so find the method(s) that best suit your learning style. For me, I like taking notes and making flash cards that emphasize important concepts. Don't get bogged down in minutiae or intricate details. The CISSP exam doesn't focus on that.
#7 Find one or two excellent study tools
I prefer self-study and didn't attend a CISSP "boot camp". I found Shon Harris's All in One Study Guide (6th edition) to be incredibly well written, blending humour and insight, that made tedious material easier to study. I also recommend her accompanying practice exam book (2nd edition) to be a great source of practice questions and exams. Total cost for both is well under $100 (excluding the $500 to pay for the exam).
#8 Recognize your limitations
Focus your limited study time to areas that you are unfamiliar with or do not know the material as well. The CISSP exam is incredibly broad (covering ten different security domains). It doesn't require you to be an expert in all domains but you need to have working knowledge in each one.
# 9 Nerves of steel
Writing an exam is a stressful exercise and is a skill in its own right. Test writing can fluster even the best of us. The key is to remain calm and let your hard work shine through. If you truly studied well and have a strong body of experience, you have nothing to fear.Just do it
Completing the CISSP designation is one of the more rewarding experiences I have had in my security career and the whole process has made me a more well-rounded security professional. The treasure wasn't in the result, it was truly in the journey. Happy trails!
Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.