Friday, January 17, 2025

CISSP Journey + Tips

At the time of this blog post, a search for "CISSP" on ZipRecruiter yields 693 results for remote positions. It almost needs no introduction - if you've worked in the information security space for any amount of time, you've probably heard of the cert. Recent professional circumstances have made pursuing the CISSP a worthwhile endeavor for me, so I thought I'd share some things that helped me obtain it with about 3 weeks of preparation. (Disclaimer: this may not be one-size-fits-all advice.)

Some quick background: I've worked in infosec for nearly 7 years, the majority of which has been in penetration testing, both as a consultant and as an internal security researcher. I have about a year of experience working as a SOC analyst for a fairly large MSSP. In addition, I have an OSCP, which I obtained in 2016, and a (now expired) GXPN that I earned in 2020. My actual work experience, beyond a shadow of a doubt, is where I picked up the vast majority of my knowledge relevant to the exam. If I were starting from scratch, it would have been a much more time-consuming study process.

I am not an expert in all 8 domains - and I would venture to say that the majority of CISSP holders are similar in that regard. But total expertise is not a prerequisite to pass. I've found the "mile-wide, inch-deep" allegations to be absolutely true. That said, the CISSP isn't a non-technical exam, and its technical aspects cannot be ignored. As such, when looking for good, compact technical study material, I happened across Pete Zerger's exam cram on YouTube. This is an amazing resource - and for the material that was mostly new to me, I watched it on repeat until I was nearly finishing his sentences. He'll also opine on whether or not something is likely to come up on the exam, and I recommend giving extra attention to those parts. There's also the official ISC2 study guide, which I did not personally use, but I've read good things. If I were preparing for longer than 3 weeks, I probably would have used it.

For practice exams, there are two that I can wholeheartedly recommend. The first is LearnZapp. You can quiz yourself on each domain separately (which is both good and bad, considering the questions on the CISSP are multi-domain), allowing you to allocate your study time more effectively. If you get a question wrong, try to understand why, and if you can't, do some research on your own. The questions themselves are far more technical than what you see on the exam, so it's not necessarily going to put you in the exam mindset, which is where Quantum Exams comes into the equation. QE's practice questions are brutally hard, but exceptionally useful. On my final practice exam, I scored a 53/100 and was content (this score is within the standard deviation for folks who've passed). What makes this practice exam useful is that it forces you to slow down, read, and interpret the questions - and it doesn't shy away from the multi-domain aspect of the real thing. I can't say for sure, but I doubt I'd have passed the CISSP on my first attempt if I hadn't used QE.

The exam itself is essentially what I expected (mostly thanks to QE). Be prepared for questions that may seem subjective, like "what is the BEST option" or "what is the MOST cost effective solution". The important thing to remember is that it's a multiple choice exam, so don't be afraid to employ relevant strategies. For me, elimination was the key. It was usually easy to eliminate two wrong answers (though picking from the remaining two often felt like a coin flip). I'll be honest, though - I wasn't feeling good about my chances midway through. With 80 minutes left, I clicked submit on question 100 and when the exam ended, I thought I failed, but was pleasantly surprised when I was handed the piece of paper that said "congratulations".

A few final notes: don't rely solely on practice exams to provide the necessary foundation to pass, don't really worry about "thinking like a manager" (just answer the question), don't just practice the areas you're already strong at, and get good sleep the night before the exam.