Who Should Take the CISSP Exam and How to Pass?

estimated read time = 5 minutes

Introduction and Context

The Certified Information Systems Security Professional (CISSP) is one of the most well known cybersecurity certifications offered to professionals today. It is an independent and vendor neutral certification offered by The International Information System Security Certification Consortium, better known as (ISC)². This certification is highly sought after by many industry professionals and recruiters in talent acquisition, thus it is often listed as a minimum requirement for many jobs ranging from junior to senior levels and management roles in information security.

The (ISC)² recently increased the annual maintenance fees required to maintain their certification with a good-standing membership in the organization. This increase, along with attention due to the the annual cycle, brought some increased scrutiny by several professionals within the Infosec community, many of whom publicly stated their willingness to let their membership and certification lapse at the time of expiration.

These recent issues tie into a historical criticism of the CISSP within the community that appear to question its claimed status as a prestigious certification, particularly by those that are highly experienced and possess advanced technical skillsets.

In this post I will briefly address some of these criticisms and attempt to identify some of those situations where it does make sense for professionals to take the CISSP exam and maintain their membership within (ISC)². The primary focus will then be on my own personal experience in taking the exam and the resources that I believe (and hope) will be helpful for readers who wish to make the attempt to be successful.

Who Should Take the Exam?

The CISSP isn’t for everybody. The registration is expensive. It also requires annual maintenance fees of dubious value. The certification carries a minimum requirement for time-in-field-experience in order to be granted. And despite the claims from (ISC)² and the impressions of recruiters, it really isn’t all that prestigious. Yes, the exam is challenging and requires a degree of study commitment in order to master the material and be successful. But the CISSP simply isn’t rigorous enough to truly denote the cert holders as industry elites. Some highly skilled and technical practitioners may even scoff at those claiming the CISSP certification. There are a lot of ways in which taking this exam and retaining the certification just doesn’t make practical sense.

That being said, there are several positive outcomes that may be associated with the certification that suggest it is in fact definitely worthwhile to take the exam and earn the achievement. As with many things, the value of the CISSP is all relative and will depend on an individual’s particular circumstances and goals. Let’s take a look at who the CISSP makes sense for and who it doesn’t.

You Should Consider Taking the CISSP if:

• You have at least 5 years of Experience in the field.
• You are likely to seek a new job in the near-term.
• You are likely to seek a salary negotiation at your current job.
• You want to enhance your resume.
• You have managerial aspirations.
• Your job is related to Risk Assessment and/or Governance.

If you are mid-level in experience, job seeking, and looking to either level up your career with a new organization or simply advance beyond your current role, then taking the CISSP is highly recommended. If you also have a desire to move into management roles at some point and continue your career as a people leader, you are also ideally suited to take this exam. What the CISSP lacks in technical rigor, it more than makes up for in areas of Risk Management and Policy Governance that could really pay off in the future for those following these types of career paths. But the real value of the CISSP certification is in beefing up a lacking resume, getting past hiring filters, and landing an interview for a new role. As I noted above, this cert is highly sought after by recruiters and many job postings will include it as a minimum requirement. In this sense, the CISSP is a good level-setter and indicator of a base level of knowledge. If you were to perform a job search in pretty much any metropolitan area, it is likely that a significant number of cybersecurity positions require that the applicant be CISSP-certified.

I tried to find a few examples of quantifiable metrics to back-up my claims, and here is what I found. Pretty much as expected, the CISSP is the most in-demand certification on the job market.

A 2017 analysis from Rutgers University found that the CISSP had a commanding lead over other certs, with the CISSP by far representing the most requested cert in job postings.

Another data set gathered from JobsEQ “real time intelligence” shows the dominance of the CISSP in job advertisements.

Ok, just one more. The data from the study below was from an analysis by Andrew Aken, PhD. The data was scraped from over 4.6 million job ads collected since 2007. If you are thinking the CISSP was on top, you would be right.

Ok, enough of that — I don’t want to beat a dead horse. I hope this just serves to illustrate my point that if you are in the job market, it will likely pay off to take the CISSP exam.

You Probably Shouldn’t Take the CISSP if:

• You have less than 5 years experience
• You already have “Senior” or “Manager” in your title
• You are unlikely to seek a new role in the near term
• Your role is highly technical

The CISSP is not intended for junior levels: “Candidates must have a minimum of five years cumulative paid work experience in two or more of the eight domains of the CISSP CBK.” This can be reduced to 4 years with a degree, but you should only take the exam if you meet these requirements. The one caveat to this suggestion is if your employer is willing to pay for it, then it could arguably make sense to take the exam now and get it out of the way. Lacking the desired experience the exam taker is designated as an “Associate of (ISC)²” until the experience requirements are fulfilled.

If you are already a seasoned professional at the senior level or above, then the CISSP may not make a lot of sense. This is counter-intuitive to the typical justification for obtaining the cert, its target audience, and its literal raison d’être. However, in my experience this has been largely true and the cert does not benefit its target market as much as those in the groups outlined above. The CISSP is intended for senior management, but it has dubious benefits for the intended population. Established pros will usually already have high salaries, possess the knowledge, and have bona fides in other areas that more than make up for holding this certification. So the CISSP isn’t great for Juniors or Seniors, but there is a sweet spot of Mid-career pros who will find the most benefits.

The above is particularly true if you are a practitioner in a more technical role such as Digital Forensics and Incident Response (DFIR) or penetration testing/red teaming. If you goals will likely take you down these types of career paths, then the various Global Information Assurance Certifications (GIAC) or the ones offered by Offensive Security such as the OSCP will serve you better.

How to Pass the Exam

Ok, so if you are still with me, that likely means you are in the former group and are eager to learn a little more about how to approach the exam in order to be successful. Your mileage may vary (YMMV), and I don’t make any claims to any absolute efficiency of my strategies, all I know is that the following was my experience in preparing for and taking the exam. With the following sections, I simply want to share what I learned in the hope that they may help someone else out who is considering taking on the challenge, or help reassure those currently in the trenches and actively preparing for the exam. I will present a mixture of what I felt worked and what did not.

Resources

There is a bewildering array of study materials, approaches, and media types that are available to those who are preparing to take the exam. Here, I will briefly try to cut through the expansive options within the cert education industry to identify the most helpful and effective resources — from my experience. Everyone’s learning style, budget, and access will be different, so please keep in mind that these are opinions and feel free to take them with the proverbial grain of salt. What worked for me, may not for you…and vice versa.

CISSP Bootcamp

This is where I started with my study efforts. The bootcamp I attended was one week-long, instructor-led, and in-person on my employer’s campus. This bootcamp was almost a complete waste of time. It was really just a week of death by PowerPoint. The presentations were simple copy/pastes straight out of the “course textbook”. The instructor basically recited that material out loud without providing much insight or actionable test-taking strategies.

I could have saved myself a whole lot of time and my organization a whole lot of money by skipping this training and just reading the book. However, the primary benefit from the bootcamp was that I got a free exam registration in exchange for being trapped in that dreary classroom all week. This is one area that may be highly personalized based on learning style, because I believe some of my colleagues found the bootcamp helpful.

Books | Study Guides

Certified Information Systems Security Professional (CISSP): Fourth Edition | Choice, Logical Operations | cost = $264.40

This was the first book I accessed as it was provided along with the bootcamp I attended. I honestly didn’t read this in entirety, as it was mostly read aloud to me, so I just skimmed a few sections that were identified as my weak areas. This book was OK, I guess, but there are better options available. If you are like me and it gets provided as part of a training course, this could be sufficient as a resource to get you by, but I would not spend any money on it. The high cost noted above does include some additional digital resources.

(ISC)2 CISSP: Certified Information Systems Security Professional Official Study Guide, Eighth Edition by Mike Chapple, James M. Stewart and Darril Gibson | Sybex | cost = $34.69

This book from Sybex is the official study guide sanctioned by (ISC)² and includes extensive information from all of the CISSP CBK domains. This book literally includes all of the information you need to pass the test and nothing you don’t. If you were to only use one resource for your studies, this is the one. I read this book twice, cover to cover. The first time I took a very casual approach and breezed through it like I was reading a novel. I didn’t linger on my weak sections or areas that didn’t make sense. I would read while sitting on the couch and hanging with friends/family, and I didn’t try to actively commit much to memory — this read-through was simply intended for absorption. I then read it a second time, at a much slower place while taking notes and ensuring I revisited any domains or sections where I was not 100% solid. My only criticism of this book and/or word of caution is that the sample questions are very simple and do not accurately reflect what you will encounter on the actual exam. You can pick this as a stand-alone or as a bundle with practice questions.

Eleventh Hour CISSP®: Study Guide 3rd Edition | Conrad, Misenar, Feldman | cost = $22.77

This is a great little book that checks in right around 200 pages. It is not in any way comprehensive, but covers the most important information that you are likely to encounter on the exam. This book is an easy read and is intended as “last minute” preparation as you go into take the exam. My exam was scheduled on a Thursday and I read this one on Monday/Tuesday, and it did a great job of reinforcing knowledge at a high level. I highly recommend this book as it helped me a lot, but if you feel you have the material down cold, you can probably get away with skipping it.

CISSP All-in-One Exam Guide, Eighth Edition 8th Edition | Harris, Maymi | cost = $43.13

CISSP Study Guide 3rd Edition | Conrad, Misenar, Feldman | cost =$56.67

I am listing these last two books as honorable mentions, as I did not use them. However, it is my impression that they are fairly well regarded as I see them frequently recommended as good study materials and many exam takers have had success with them. I can’t say if they are better or worse than the Sybex book, so you will need to weigh your options.

Practice Tests

CISSP Official (ISC)2 Practice Tests 2nd Edition | Chapple, Seidl | cost = $17.85

This is a book of practice tests that is the official companion to the official study guide. I think these test banks are worthwhile to get, especially if you pick it up as a bundle with the Sybex study guide. The book includes 4 full practice tests, plus another 2 that are available in the online portal. I felt the tests were helpful in preparation for what material would appear on the test, but again, these questions do no accurately reflect the format and structure of how the questions are actually presented, nor do the reflect the difficulty level. I took each of these once and scored in the low 70’s on my first attempt. By the last couple of runs, I was scoring in the mid 80’s and felt confident with how well prepared I was (although admittedly, also just tired of taking exams).

Boson ExSim-Max for CISSP | cost = $99.00

These question sets are another honorable mention as I did not utilize them, but they are highly recommended by the community. It is my understanding that the style of the questions themselves are closest to what you might actually encounter on the exam, but I cannot confirm this. These sets also come along with in-depth explanations of why certain answers are right or wrong and are reportedly where the primary value of these practice exams are realized. YMMV, so please do your own homework and assessment before dropping nearly a hundred bucks.

Video Courses

Similar to the books above, there are a plethora of available video resources to help you prepare for the exam. I only used two, both of which I though were highly valuable. My two recommended video courses are quite different in both content and time commitment. You can probably do fine without them if you are really strapped for prep time, but I think both of these courses will offer you an edge when sitting for the exam.

Kelly Handerhan’s CISSP course on cybrary.it

This is an in-depth course offered on Cybrary, which can be viewed for free after registration with an email address. The course is extensive, containing eight modules that map to each of the eight CISSP common body of knowledge (CBK) domains. I found this course to be highly informative and helpful in ways that the bootcamp I attended should have been. Kelly Handerhan provides significant insight into how the exam questions may be weighted from each domain and offers advice on what material is most “testable,” offering viewers an opportunity to focus on areas from which they are most likely to receive questions. The presentation is conversational and focuses less on simply presenting the material (although she does that) and more on what to expect from the exam and how to be successful. Fifteen hours is a sizable chunk of time, so I realize this might not be for everybody. I was able to knock this course out fairly easily by watching the videos over lunches for about the two weeks leading up to my exam date. These helped me a lot.

Larry Greenblatt’s CISSP Exam Tips

Larry Greenblatt is a highly regarded CISSP instructor who teaches a variety of programs from pre-recorded bootcamps to interactive/instructor led courses, and private 1 on 1 sessions. These materials are available for a price ranging from $99 to $995 dollars at the Internetwork Defense web portal. However, there are excerpts from some of these courses that outline his overall philosophy for approaching the test and these are posted on Youtube. I will not link to them here, because I do not know if they are authorized by Mr. Greenblatt or Internetwork Defense, but if you search Google or Youtube you should be able to find them.

There is a playlist that includes an introduction and one with more specific exam tips. There are then multiple videos going over some sample practice questions in his “Spock & Kirk” themed teaching style. This approach to the exam essentially guides test takers to analyze questions with both logic and instinct. The best approach is to review each question thinking logically at first (like Spock), and attempt to whittle away the subtly incorrect answers and narrow done to a choice between two remaining.

This leads to thinking with your gut instinct (like Kirk) to ultimately select your final answer from the remaining two questions. I honestly found this to be one of the most helpful strategies in taking the test. Many questions on the CISSP exam have multiple “correct” answers and it is ultimately your job to select the “most correct.” I found that using this initial logical filter and then going with your best guess was really useful. The playlist on Youtube is only about two hours long, and well worth it in my opinion.

Flash Cards

I didn’t use any flashcards because I don’t have the patience for creating them. However, there are a few mobile apps that have some flashcard-like questions that some people use and find success with. I have heard mixed reviews from most of these, so I wouldn’t recommend spending any resources here, unless this fits your individual study style and/or you think you need the extra help. I am simply mentioning these here for general awareness. Since I didn’t use any of these materials, I won’t link to anything specific here, because I don’t want to lead anyone astray.

Online communities

This is less of a tangible resource and more of just a final recommendation of where else to check for some useful information to help you be successful. I’m sure there are a ton of great communities on your favorite social media platforms, but my recommendation is:

Reddit and r/cissp

I found a lot of helpful leads here, including most of the recommended resources included above. I only used Reddit here in my approach, but there may be some Slack channels or Discord group that might be useful too.

Exam Approach

Once you are armed with these formidable resources and the requisite knowledge they impart, it is time to sit for the exam. The good news is that if you have studied effectively, you should be well-positioned to succeed. However, the bad news is that possessing this knowledge of the CISSP CBK material is only a part of the battle when sitting the exam. The other part is knowing how to approach the questions in order to select the correct answers. This is not as easy as it sounds. On many questions you will encounter questions where multiple answers are correct or even all of them are correct in some way. In these cases, your job will be to select the “most correct” answer in the context of the question. Below are a few of my final recommendations to help you accomplish this.

• Relax, slow down, and read the questions carefully. The correct answer can very often be found in the question. This may seem intuitively obvious, but my meaning is that it is critical to understand what the question is asking. There will often be a certain keyword or turn of phrase that should ring some bells and lead you to the desired answer.
• Utilize the Spock/Kirk methodology as stated above. I will stress this again here as this approach was very helpful for me. This tactic is especially useful on the questions where all of the answers seem correct.
• Think like a manager, not an engineer. Don’t try to simply fix things yourself. When sitting this exam, you need to be in the mindset of someone in leadership with budgetary responsibility who must balance the speed, effectiveness, impact, and cost of a solution or implementation.

Conclusion

I hope these suggestions will help others who are unsure about whether they should take the CISSP exam, and how to beat the test once they decide to go for it. Holding this certification is highly sought after by many recruiters and hiring managers, so it certainly can behoove anyone wanting to level-up to achieve this accomplishment. As I mentioned before, everything is relative, so I urge candidates to take into consideration their own circumstances, before following all my suggestions. I hope these tips can simply be used as a guide and combined with individual learning styles for the greatest effect. .

I will close with one final piece of advice as you prepare for success. Be sure to find balance with your studies and ensure you still make quality time to relax and spend time with loved ones. Also, please take a day or two to relax and clear your head in the immediate run-up to exam day. A long walk in the park or hike in the woods will serve you far better than trying to frantically cram material at the last minute. Be confident, believe in yourself, and then go out and crush the exam!

References

[1] https://www.isc2.org/Certifications/CISSP
[2] https://community.isc2.org/t5/ISC-Updates/Important-Member-Update-AMF-Changes/ba-p/18161
[3] https://www.isc2.org/Certifications/CISSP/experience-requirements#
[4] https://mbs.rutgers.edu/articles/update-cybersecurity-jobs-demand
[5] http://www.chmuraecon.com/blog/2017/september/21/what-are-the-hottest-it-certifications/
[6] https://www.em360tech.com/business_agility/featured/andrew-aken-ph-d/
[7] https://www.isc2.org/Certifications/CISSP/experience-requirements#
[8] https://store.logicaloperations.com/certified-information-systems-security-professional-cissp-fourth-edition.html
[9] https://www.amazon.com/Certified-Information-Security-Professional-Official/dp/1119475937/ref=sr_1_2?s=books&ie=UTF8&qid=1529444389&sr=1-2&keywords=CISSP%3A+Certified+Information+Systems+Security+Professional+Study+Guide+%28Sybex%29https://www.amazon.com/Eleventh-Hour-CISSP%C2%AE-Study-Guide/dp/0128112484
[10] https://www.amazon.com/CISSP-All-One-Guide-Eighth/dp/1260142655/ref=dp_ob_title_bk
[11] https://www.amazon.com/CISSP-Study-Guide-Third-Conrad/dp/0128024372
[12] https://www.amazon.com/CISSP-Official-ISC-Practice-Tests/dp/1119475929/ref=pd_lpo_sbs_14_t_1?_encoding=UTF8&psc=1&refRID=D361N67RTY8VPK12J0ZW
[13] http://www.boson.com/practice-exam/cissp-isc2-practice-exam