Buckle Up for CISSP!

Following on from my last blog – this year I have decided (and been actively encouraged by my boss!) to get some certs tucked away and so for the past 3 years – it has been a target of mine to achieve CISSP, the ISC2 flagship credential for information security.

In order to make the dream happen and to ensure that I didn’t put it off any longer – Kiely (the boss) enrolled me on one of our residential, accelerated learning courses at Wyboston Lakes.  Speed to competency and speed to certification is the aim.

Before I share my thoughts with you – full transparency in the fact that I work for Firebrand Training as head of the cybersecurity curriculum and I regularly train on cybersecurity and cyber crime courses.  So, you may think that I will have a bias towards the company (which of course I do).  But the aim of this post is to give you a ‘warts and all’ guide to my thoughts on what it takes to do CISSP at Firebrand and prepare you before you decide to ‘buckle up’ and head into a classroom.

You can probably apply a lot of this to any of our accelerated learning courses.

The first question you need to ask before embarking on CISSP is do you need it? 

There is a huge difference between ‘need’ and ‘want’.  If it is needed to do your job or advance your career – that’s great.  If you want it just in case or because it looks like something that you might need – go back and do your homework.  Although in fairness, I took it more out of ‘want’ than ‘need’ but I will circle back on this.

The reason why I say this is because there are lots of alternative paths to success with a whole host of security courses and vendors who all make a big impact on careers and the job market.  CISSP is aimed at security managers and professionals with at least 5 years of proven experience in at least 2 of the 8 domains and this alone – is a big ask.  You can still achieve ‘associate’ status by taking the exam but it might be worth considering taking smaller steps within your chosen skill set and requirements.

So, my first tip is – think carefully about what your objectives are or those required by your organisation.  Do you need to acquire knowledge and skills in other areas first – and do you need to go straight in at the deep end with CISSP in the first place? 

Oddly enough, meeting the needs of the business and achieving their objectives is a key concept within the CISSP course.

My next tip is – be prepared.  If you are going to do it the Firebrand way, make sure that you have your courseware activated and set up.  I must admit, I didn’t read all of the book before I went on my course.  As (without sounding too lofty), I knew a lot of it and certainly a lot of the technical domains.  So, I concentrated only on the bits I knew I would be ropey on (in my case Software, Application Security and some of the risk management concepts). 

Pre-reading leads to pre-learning and in my opinion, this is a dangerous game.  I have experience of being an instructor on a course when delegates have read the book before attendance and got the wrong end of the stick on something. They have then found it very difficult to re-learn something.  In one case a student actually argued with me that I was wrong despite me physically showing them how it all worked in a demonstration.  Their response was “but the book says….” despite them actually seeing the reality of the situation.

Concentrate on the bits that you don’t know.  There is no point reading stuff that you are already good at but keep an open mind in class.  The other point here is that ISC2 have a different approach and angle from some other vendors and courses that I have experience of, so you just have to suck it up in some aspects and adopt a different approach.  Life’s rich tapestry and all that.

The Firebrand residential course experience is amazing.  And if it isn’t amazing for you – please feel free to get in touch with me to let me know why not.  From Sunday evening at 1800 (yes that’s when kick off is) to the following Saturday lunchtime/early afternoon you will be totally immersed in training. 

It takes a couple of days to get into the routine but you will.

Another tip!  Be prepared at home.  Make sure that you have sorted your personal life out before you travel to Wyboston.  Do your weekly jobs.  In my case, I chopped enough logs for the wood burner for a week, put the bins out, tidied my office, cleaned the garage and sorted out the fish tank!  Obviously, it is important to keep in touch with your family and friends over the week but it’s great when you don’t have to worry about anything and know that they will survive without you for a week. Alarmingly, my wife survives well without me!?  She may actually state that she is better off when I am away but that’s another story!

The plus points with residential learning are that you will be well fed and watered, the accommodation is clean and comfortable, the staff care about you and will support you every step of the way and if a problem occurs, it is dealt with immediately with no fuss or bother.  You will also meet some incredible people on your course from all walks of life and industry sectors and quite often from different parts of the world.

I wouldn’t say that the CISSP course lends itself to a major networking experience as if you do it properly, you will have very little time to socialise in the bar. At the end of the day it is great to chat over dinner and perhaps the occasional glass at the end of a busy study day.  However, I met some brilliant people and have a few new LinkedIn friends to show for it and will keep in touch with them.

The course is intense.  It is a full day of learning followed by several hours of practice tests and personal study and if required, the instructor is on hand beyond the end of lecture hours and you have access 24/7 to the classroom for study.  I can honestly say that even though there were sections of the domains that I knew reasonably well – the delivery was such that I did not drift off at all during lectures.  That was mostly down to the way the instructor delivered it (very animated and interactive) and my desire to keep on top of the learning.

You will be tired after a couple of days of training.

Another tip.  Don’t burn the midnight oil.  You know when it’s time to stop as your body and mind will tell you.  A couple of my fellow delegates studied beyond midnight a couple of nights and they were pretty rubbish the day after.  So don’t do it.  Know your daily limits of activity and stick to them.  It is important to stay alert and healthy for the week.

Thursday is the crunch time as you are nearing saturation point and for me it was the worst day as it was application security – so I knew I had to be on it.  Luckily it panned out okay and I did okay (not brilliantly) on the revision tests which put my mind at rest somewhat.  The instructor was amazing.

The last learning day of the course (Friday) was an easier subject and we had a couple more hours to revise, read and abuse (not literally) the instructor.  Mentally, it felt like an easy day but you will still be tired.

Another tip!  Use the practice questions as a revision aid to highlight your weak areas.  They bear no resemblance to the real exam and contain content which is not ‘testable’.  Use them as a guide to revision but don’t get hung up on the results and certainly don’t go hell for leather doing practice tests until the early hours.

I used the tool LearnZapp which was recommended to me by the instructor.  It was £15 for the CISSP exam questions for a month’s access and had a huge test bank of questions.  I preferred it to the Sybex questions (which you get included in your Firebrand courseware) as it was a great application for tailoring exam questions and types.  If you are familiar with MeasureUp – it’s a bit like that.  However, other delegates on my course used the Sybex questions and liked them also.

I found (as I always recommend to my students) that doing blocks of 25 questions in study mode and making a note of areas that I got wrong helps.  In between each block of questions, I dug out the bits in the book that I was weak on and spent 10 minutes or so just reading back through the book or my notes to solidify my understanding. 

I worked up until 2030 every day and then stopped.  Quick call home and then settled down for an hour of TV before calling home to say goodnight! It was nice to ‘declutter’ watching crap TV for an hour.

I generally work better in the mornings so I was up for early breakfast (avoiding the temptation to have full English!) and I was in the class an hour before lessons to read or do a couple of quick practice tests before the new learning began.  That worked for me.

Another study tip.  Study on your own and in your own way.  You will soon find a rhythm (like the one I have mentioned above) but I like to do tests and read in quiet.  So that is either the classroom or your hotel room.  Not the restaurant or bar.  If the instructor is doing some extras in the class either go back to your room or sit out in the reception area. 

I never find the ‘study buddy’ approach to learning helps.  Study groups normally result in people being left behind or dangerously assuming the knowledge of the strongest member of the group.  People that work together on the practice tests generally have a shock in the exam when they can no longer rely on the person who was more knowledgeable than them.  The stronger members are also held back by the weaker members when they have to either discuss or explain answers.  It sounds brutal but every delegate of the CISSP course has to learn to set their own agenda and their own objectives and outcomes.

Exam tip.  The very strict NDA and ISC2 rules mean that nobody can tell you about the exam questions.  I have suggested that they are nothing like the practice questions but of course they are based on the subjects and concepts that the practice questions offer.  And that’s the thing about CISSP.  It tests you to think like a manager – conceptually, strategically, non-vendor but with a good understanding of technology and a very good understanding of the principles behind areas such as governance, risk and compliance.

I am not going to lie to you and say that I was confident going into it because, I reckon there is a fine line between confident and complacent and the CISSP exam will bite you if you are complacent.

Make sure that you get a good night’s sleep or as best as you can.  Here is what I did.

Woke up at the normal time and went through my normal routine.  You have to pack your bags and check out by 1100 at Wyboston – so you don’t have to rush.  The exam registration starts at 0700 and you have to be in the exam at 0900, so again there is no major rush. You can leave your bags in your car or securely with the hotel or Firebrand Operations.

I got up and had breakfast nice and early.  Again, not too heavy and not rushed.  Then I went over to the training centre and registered.  If it is your first time with ISC2 this can take a good 5 minutes or so as you have to have your palms scanned, photo taken and ID checked for the records.

I set myself the time of 0830 to go in, which gave me an hour to myself.  I read through my notes and the key areas that I was weak on throughout the week.  I did not start cramming in practice tests as that is like running to the start line of a marathon!

I went for a walk for 10-15 minutes and got some fresh air and thought about the seagulls and rabbits.  None of this came up in the CISSP exam (I don’t think that is part of the NDA).

I checked in with the Operations staff on the front desk (in my case it was Kate) who took me into the exam room and settled me in.  A couple of deep breaths, signed the NDA on screen and hit start test…..

I did my questions in blocks of 10.  After each block, I took a deep breath, had a ‘blink break’ from concentrating on the screen and mentally calculated how well that 10 had gone.  A couple of dodgy answers perhaps but the rest were okay.  A couple were ‘easy’, the rest were just okay.  And so it continued, block after block.

You slowly start to get into the pattern and this calms you down.

At question 50, I needed a toilet break and that came at a good time as I could see that question 50 was going to be a beast.  So rather than try and concentrate with a full bladder – I took a natural break!  All under the rules of engagement with the Operations team.

It didn’t make question 50 any easier but it meant I could focus on the answers rather than anything else.

The exam is adaptive – which kind of works in your favour but I found that the last 10-15 questions I had were brutal.  The majority I could get down to a 50/50 but then it was a toss up between the two. Luckily I still had the words of wisdom from the great Firebrand Operations guru ‘Paul’ ringing in my ears saying “go with your gut” and that’s what I did.

Paul gives you a great exam overview and pep talk during the course and has about 150 years of experience of putting delegates into the exam process. (Not sure that figure is correct but it is a lot!)

I had 101 questions in total before it thought about it and then ended the test.  This is generally a good sign or a really bad sign!  So no indication of pass or fail at this point! All I could think of was Room 101 or Dalmatians for some strange reason!

The delay between doing the exit poll, exiting the test and receiving a print out at the reception desk seemed like an eternity.  But it was worth the wait.  Congratulations and Pass is all you want to hear.  And for the majority of my course – those were the great words that they did hear.

To be honest, even if I had failed the final exam – I would have had a positive experience on this course.  I learned stuff.  I solidified stuff that I thought I already knew and I rounded off knowledge areas that will help me in my current role. And like any training course – it opened my eyes to a whole heap of areas to develop further and apply in the real world. It’s all about the impact!

So even though I didn’t need CISSP, the fact that I now have it has certainly put a spring in my step and added to my ‘street cred’ in the world of cyber and information security.  I am now thinking that it was less of a want and more of a need in my case. I am very grateful for the opportunity and overjoyed with the way that Firebrand do this.

I am waiting to get the certification ratified by the good people of ISC2 and when that comes through, I will definitely be putting the letters after my name.  That’s how much it means.

Firebrand Training is the home of accelerated, vendor certification.  My experience, even though it was on my home turf, was amazing and the results (which were by no means a certainty) speak for themselves.

The experience will stay with me for some time and, as an instructor, it has also allowed me to experience what it is like as a student – which is invaluable.

I hope that some of the tips here work for you.  I am always available for advice and guidance – especially around the subject of what course might be a good fit for you. 

CISSP has its place but there are plenty of alternatives that would do the trick.

I have a couple of other learning adventures lined up for this year and I will keep you posted on how that all pans out.

Learn long and prosper!
