CISSP Study Tips

A former student recently checked in and shared this. A darned good read.

“For some quick background, when we had our class I had been working in IT for about 15 years as a sort of jack of all trades at almost every level between help desk and IT Director. Every position I've held included some aspect or consideration of security so I had a decent background coming into the class and had already been studying the Pluralsight and Cybrary CISSP courses.

After the class, I was very intimidated by what I felt was my lack of depth of knowledge about some of the domains. I was so busy at work that I wasn't making time to study at first. Instead of dedicated study time, I had been studying ad hoc on flights, in the evenings, on morning and evening commutes; basically, I tried to make CISSP my background noise. I think in the end this helped a little, but looking back, at the time it added to the anxiety since I wasn't spending dedicated time reviewing the material. My work slowed down a little in January around the time I needed to refresh my goals for our performance review process at work, so I took advantage of the opportunity to set a goal to study for 4 hours each week, take at least two practice tests per week, and sit for the exam by the end of June, thinking it was far enough out.

Setting up the goal to have dedicated study time and take practice tests made a huge difference for me. I realized that I knew a lot more of the content than I thought and taking the practice exams (I started with the questions in the books and then later caved and bought the Boson ExamSim so I could get through more questions) helped me gauge more accurately what I needed to work on. Around March, I was still sticking with my study schedule and had even shifted the time around to take a practice exam each morning before work so I could note anything I wasn't familiar with and look it up during those few minutes of down time between tasks during the day. Anything I didn't recognize or any questions I got wrong I would jot down, and I would go through the items I was interested in during the day. A key piece of advice I received: Don't carry a running list for stuff like that beyond one day, if you don't get to everything by the end of the day just scrap it and start again the next day. It helped relieve a lot of the stress I had in trying to cover everything before moving on.

Another concept that played into my approach a lot was absorptive capacity. I think it's applied more commonly to organizations than people, but basically: the more knowledge you have, the more effective you are at integrating new knowledge. Or, the more you already know, the better you are at learning new things. I figured out that I need to be able to contextualize a concept to really understand it, so when I was trying to learn a new concept or term I tried to find resources that related the term back to something I was already comfortable with. For example, when learning more about the different encryption ciphers, I had to get down to the fundamentals first since so much of that content is specific to encryption. But once I was able to contextualize and visualize the basic concepts the rest of it just became different variations and combinations of those base concepts. To help remember those variations, it helped me to look at the situations in which those ciphers and combinations of protocols would be most effective or optimized for a specific situation (encrypting data for transfer vs. storage, encrypting for strength vs. performance, etc.). That was more beneficial for me than rote memorization. Since I work as a consultant, I was able to put some of those concepts into play at work, which helped me further solidify the knowledge.

One of my friends was ribbing me about not having even taken the exam yet since so many of our colleagues had already passed, so on a whim I scheduled an exam for a few days later on May 11. I sat for the exam, was convinced as I was taking the exam that I did not know the content well enough, and was convinced, when the screen told me immediately after question 100 that I was done and needed to go see the proctor to get my printout, that I had failed so badly that the system wasn't even going to let me try the last 50 questions. I walked to the proctor convinced I had wasted $699 and beating myself up for stressing so much about time that I rushed through the first 100 questions in about 55 minutes. I was resigned to going home, taking a break from studying for the weekend, then starting again with practice tests and Pluralsight videos on Monday. But I passed. The proctor handed me the printout saying I had provisionally passed the exam and that I would receive an email when they confirmed I had passed. Awesome! Cue awkward, involuntary smile.

After the fact, I remembered not being worried about failing going into the exam because I knew I had been putting in the time and effort and my manager and the people in my support system knew I had been putting in the time and effort. I wasn't confident that I would pass, but I was confident that I had prepared and would be able to adapt my approach if I needed to retake the exam. I was taking the adaptive exam, so I expected it to be more difficult and that I would need all 150 questions to pass. In my head this meant that I would likely need to take more time on later questions since I figured I would get questions on domains I had not done well on earlier, so I tried to push through the first 100 questions quickly and if I wasn't confident in a question I made a best guess and moved on without waiting. Since I was expecting to need the additional questions and time, when I hit question 100 just before the hour mark I felt pretty good that I would be able to take my time on the last 50 questions. When the exam told me I was done, it was a huge surprise and such a big turn against my expectations that I was convinced I had failed. Ultimately, going into the exam confident that I had put in good time and effort on an effective study plan and being confident in my strategy helped a lot. I know I have a tendency to over-analyze, so relying on my ability to understand the intent of the questions without allowing myself to over-analyze every aspect was an inadvertent but important effect of my strategy for taking the exam.

Last thing: treat the endorsement process seriously and expect it to take a long time. After waiting for 6+ weeks, they let me know that I had not entered enough information to show 60+ cumulative months in at least two of the domains so my first endorsement application was declined. They're re-reviewing now and I submitted more information going all the way back to 2003, so hopefully there are no issues this time. I'm still getting some of the jokes from my group since I'm technically not a CISSP yet, so not doing the endorsement application correctly the first time led to a facepalm on my part.

Lessons learned for me:
1. Using the study material as background noise can help as long as it doesn't add to the anxiety about the volume of content.
2. A dedicated study plan focused on the process of studying effectively - not focused on passing the exam - worked best for me.
3. Practice exams exposed me to concepts, terms, and perspectives that helped me to build context around content I wasn't fully familiar with.
4. Using a variety of sources (our class, the (ISC)2 books, the Sybex books, the Pluralsight courses, the Cybrary courses, and the various practice exams) gave me different angles for the content, which helped me build context around some topics I struggled with.
5. It's important to have confidence going into the exam as long as that confidence is the result of following through on a good study program and a strategy for the exam that emphasizes your strengths and helps compensate for your weaknesses.
6. Support from the people around me allowed me to integrate studying into my daily routine so that my time studying could be dedicated and effective.”