Last Updated on November 26, 2015 by Dave Farquhar
As my crazy week wound down, I had a number of visitors, including someone who’s been on the fence about taking the CISSP. She wanted some advice. The (ISC)² Code of Ethics says to give generously of such things when asked, so we talked for about 30 minutes.
I’m sure I’ve written most of this before, but I’ll write it again. Going to a class won’t be enough on its own. Reading a book won’t be enough on its own. Nothing on its own will. If you can pass the test just by doing one thing, chances are you would have passed it regardless.
After taking the test, most of us milled around in the hotel lobby for a while, because right after that rite of passage, you feel like a zombie. Several of the guys milling around attended a boot camp, then took the test. One of them told me he was lost on half the questions on the test. Half.
Now, doing the math, there’s still a chance he passed. 25 of the questions aren’t graded. You should be able to get 20-25% of the questions right just by guessing. If he aced the 125 questions he was sure about and guessed right 25% of the time on the rest, 66% is within reach. Passing is 70%. A good test-taker should be able to guess correctly nearly 50% of the time.
I was lost on 10 percent of the questions. In the couple of weeks before taking the test, whenever I faced a set of questions I’d never seen before, I always missed somewhere between 10 and 20 percent of them, even if I was confident that I was right. I’ll never see my test score, but I’d be surprised if I answered any more than 90% of the graded questions properly. And if I scored 70%, which is the minimum for passing, I wouldn’t be surprised in the least.
I had until April 30 to pass the test. I scheduled the test in late January, hoping I would find out the results sometime in February. Then, if necessary, I could take the test again in March and hopefully have the results by April 30.
I would do things differently if I were doing it over again. First, rather than taking a job that requires a CISSP, I would get the CISSP, then apply for a job that needs one. I had my reasons for doing things the way I did. But if I had a time machine and could go back a year or two or three and tell myself something, here’s what I would tell myself.
1. Buy and read the big green CISSP CBK. It’s a rite of passage in itself. Then keep the book as a reference.
2. Fill in the gaps with another book. CISSP for Dummies is a much better book than it sounds like, and I’m not just saying that because I’ve met the author. I found it helpful before I met him, but when I met him, I shook his hand and thanked him for helping me pass the test. His goal, he told me, was to be concise. He can say that a parking lot should be well lit, or he can show a picture of a well-lit parking lot. Doing both just wastes space.
If there’s something you don’t understand in one book, read what the other book has to say on the same topic.
3. Take lots of practice tests. The CCCure web site’s questions are closer to the real thing than anything else I’ve seen, and I’m not the only CISSP who thinks that. It costs $40, but I think it’s worth it. It helped me, and my only regret is that I didn’t rely on it more heavily.
Now, since several people have asked me this question, I’ll address it. There are a lot of “braindump” CISSP questions out there. The CISSP questions get retired quickly enough that you won’t see any of those “actual” questions on the test. Out of curiosity, after I got my test results, I got my hands on a couple of collections of those questions and looked them over. I’d be willing to testify under oath, under penalty of perjury, that I didn’t see a single one of those questions on my test. I think they came from boot camps, from retired CCCure questions, and from books. A large subset of those questions has been circulating around my employer for years and years, but never as the real thing.
Those questions are useful, but not a fair representation of what you’ll see on the test. There were questions in the collection about the OSI model, and about various attacks, like what a Smurf attack is. But here’s a question very, very similar to one I saw on my test (and not in that illicit collection):
At what layer of the OSI model does a Smurf attack occur?
I probably missed the question, because the real question asked about an obscure attack I’d never heard of before. In all honesty, if I got the question right, it’s because I misunderstood it.
Here’s the thing. Most real CISSP questions require you to know several things in order to answer them correctly. The question above is really asking you which protocol the Smurf attack uses, and which OSI layer that protocol lives at. Some questions on the test will require you to break the question down into four or five subquestions to answer them correctly.
So that’s what you do. You break the question down, note what you know, and reach a conclusion. If you’re missing some pieces, come back to it later. One or more subsequent questions may jog your memory.
I answered 300 questions per day for two months. I learned a lot of material that way, and it built up my endurance. Taking the real test was still hard, but not as hard.
4. Take a class if you can. Some things are better explained in lecture than in a book. I was fortunate enough to be able to take an online class from CERT (a joint venture between Carnegie Mellon and the U.S. government). The Bell-LaPadula model never made sense to me until I saw the CERT lecture on it.
5. Take the SSCP test as a warm-up. SSCP is (ISC)²’s answer to the CompTIA Security+. It’s half as long as the CISSP and only covers 70% of the material that the CISSP covers. Since the same organization produces both tests, it will give you a better feel for how (ISC)² writes questions. If you fail the SSCP, it doesn’t matter much, because the SSCP wasn’t what you wanted anyway, and you weren’t going to pass the CISSP either, so you’re out less money.
If you pass the SSCP along the way, then you have one more credential. It’s a totally redundant credential, but some people will be impressed with it.
I haven’t answered the question of how long it takes. It varies, of course. I read the big green book in 2010, re-read some chapters in mid-late 2011, took the CERT class in November 2011, started taking my 300-question-a-day regimen in December 2011, and took the test in late January 2012. I probably studied the equivalent of four months. I know people who spent less time on it, but I really didn’t want to have to take it a second time. I think four consecutive months is a reasonable pace but wouldn’t blame someone who stretched it out to six months. I know someone who did it in a month, but that’s why he’s one of my heroes.
Then again, he told me that he really knows his stuff because he’s taught dozens of CISSP classes. I don’t think 30 days is long enough to learn and retain all of that material, so I took longer. I think it made a difference. As I read the news accounts of LinkedIn getting hacked, I understand what they did wrong before I even get to the paragraph with the specifics. And I know what I would do if I were on the team tasked with fixing the problem. So I’d say I retained quite a bit.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.