How a GRC consultant passed the CISSP exam in six weeks
Ask any IT security professional which certification they would consider to be the “gold standard” in terms of prestige, credibility, or difficulty, and almost invariably they will answer: the CISSP.
If an organization is seeking some peace regarding information security, governance, and risk, they will hire someone who has obtained this certification. It signals that the holder has experience, knowledge, and a strong command of the eight domains covered in the exam, related to information security, risk management, and asset protection from a management point of view.
As a Director of Governance, Risk, and Compliance advisory at Infoedge, I know I can apply my CISSP knowledge to deliver value for our clients.
It’s rumored the CISSP examp pass rate is about 20%. I scheduled my exam for the spring of 2024, and I have set aside precisely six weeks to prepare for it. Here’s what I did in anticipation of the exam.
Baseline your knowledge
It may seem trite, but take an Udemy or Coursera class. Or, if you have the time and discipline, read the entire Body of Knowledge textbook. Even if you’re an expert on Asset Security, this ensures you’re comprehensive and close knowledge gaps because very few individuals are experts in all the domains covered by the CISSP exam.
YouTube is your friend
There is a wealth of very credible material online, especially on YouTube. Augment your baseline with material such as Destination Cert’s Mind Map Series and Pete Zerger’s 8-hour-long exam cram video. Review this to take note of weaknesses, fill in knowledge gaps and expand on your comfort areas.
Get in the mindset
Exam-taking is a skill that can be learned. Knowing the exam is half the battle, but it’s important to understand the types of questions you can expect and have a tactic for each. Andrew Ramadahl’s “50 CISSP” questions and Kelly Handerhahn’s “Why you will pass the CISSP” are solid mindset tools to align your thought process to how the ISC2 likes to challenge test takers.
Practice, practice, practice
After four weeks of vacuuming up as much material as possible, I set aside the final two weeks for test-taking tactics. As someone who used to compete in Judo and similar sports, it’s important to “peak” at the right time just like an athlete. It’s not just about good test-taking tactics, but also exam “stamina” so you can be prepared to sit from between 1.5 hours to 4 hours. Practice tests also expose weaknesses, so you can go back and drill some more or apply different memorization and mnemonic techniques.
The exam experience
The CISSP is a computerized adaptive test, which adapts to your performance. While it’s impossible to know if you’re doing well or not, I would recommend test takers not focus on that since some questions are even experimental and are simply not counted. Instead, focus on being disciplined on eliminating bad answers and managing your time well (around 1 minute 30 seconds is the general recommended average per question).
Consistency is king. From my experience the first 50-60 questions were a mix of difficult and relatively easy questions. But as time progressed, the questions became incrementally harder and harder until I hit the hardest question at two hours which happened to be 136. When I selected the answer and pressed submit, there was a pause of what felt like several minutes.
Suddenly the exam stopped. I was expecting the full 175 questions and four hours, so when I walked up to the proctor, and I received a single white sheet of paper that said “Congratulations,” I was truly elated.
Reflection
While my exam experience as a consultant with a focus on GRC is somewhat unique, this background was most definitely an asset. The exam challenges test takers to think like a senior executive rather than a network engineer or sysadmin. This is the key to answering questions correctly for this exam – making decisions from the standpoint of an executive.
Overall, while the CISSP is a tremendous accomplishment, it is by no means a substitute for skills, knowledge and experience. Still, it signals a very high standard of professionalism. In fact the actual process of studying for the exam is just as invaluable in itself. In my case, it made me a more comprehensive professional by providing context on areas such as physical security and encryption techniques.
While I would certainly not recommend giving yourself six weeks, the process of internalizing the knowledge from all 8 security domains and the implicit time pressure helped add a great deal of breadth to my existing knowledge and validated the depth of my experience. Furthermore, I know I will be able to directly apply the overall experience directly towards helping clients and organizations at Infoedge and beyond.
Fill out the form to get your guide: