Becoming a CISSP, Part I: E-Day

Introduction

My previous post was intended to be a no-nonsense walkthrough of how I prepared for and ultimately passed the CISSP. I wanted to document how I felt then, and this is my attempt to capture that experience as well as I can describe it.

The Night Before…

It started snowing the night before my CISSP exam. After work, I replaced my windshield wiper blades and topped off my gas tank. To save time, I laid out my clothes for the following day and set my alarm for 6 AM. I was leaving nothing to chance and wanted no distractions.

At around 8:30 PM, I took an over-the-counter sleep aid and watched a CISSP Practice Question video. I answered the questions until my eyelids told me it was time to pass out.

Exam Day

I awoke at about 5:11 AM on Wednesday. I couldn’t get back to sleep, so I got up. While I got ready, I listened to a review video on cryptography and then drank my coffee while watching a review of Domain 4.

At 6:35 AM, I set out for the testing center. It was dark out, and snow further impaired visibility. Thankfully, the water on the roads wasn’t quite cold enough to freeze, but I took my time anyway, much to the annoyance of drivers behind me.

I arrived at the test center at 7:05 AM, parked my car, and spent another 15 minutes finishing my review. At this point, I was as prepared as I was ever going to get; no point putting it off any longer! I got out and made my way inside.

The testing center was on the 7th floor, and I was the first inside. I took a number, was handed some paperwork to read, and waited while others filed in. I was instructed to turn off my phone, so I had nothing to do but read notices posted on the walls while I waited to be processed.

After my two forms of identification were verified, palm vein scans were taken of both hands, and I was escorted to the testing area. I was briefed again on the rules, provided ear plugs and a dry-erase board, and seated in a cubicle.

I re-read the (ISC)2 NDA, accepted, and began the test.

The first question appeared on the screen. I studied the text, looking for clues as to what it was asking, and after one reading, I was stumped! I had no idea what they were on about… So I read the question again, slowly… no good!

I read through the answers, hoping for some insight. After what must have been 5 or 6 minutes, I clicked on what I thought was the best answer based on the scenario and clicked “Next”…

About 50 minutes in, the corner of the screen indicated that I’d only answered 35 questions (~1.5 minutes per question). Each question was just as confusing and difficult as the last one, indicating that I was either doing very well or poorly. In either case, I needed to pick up the pace.

At about an hour and a half in, I was up to question 70, averaging about 45 seconds per question. I was beginning to get the hang of the format, and neither hurried nor took my time – I focused only on what was in front of me, answered carefully, and then moved on to the next question.

For the next 35 minutes, my entire reality collapsed into the particular question in front of me. The question I’d just answered no longer existed, nor did the next question. My attention was focused solely on the fuzzy monitor, with no attention paid to anything outside its bezel. Before I knew it, I’d reached the dreaded Question 125.

About the Computerized Adaptive Test (CAT)

When I sat for the exam in December of 2023, it was done via their Computerized Adaptive Test (CAT) format. The way (ISC)2 explains this is as follows:

CISSP CAT is a variable-length computerized adaptive examination. Each candidate will be presented with a minimum of 125 items and a maximum of 175 items. To receive a pass or fail result, a candidate must answer a minimum of 75 operational, or scored, items and may not answer more than 125 operational items. Each exam will contain 50 pre-test, or unscored items, as part of the minimum length examination. Pre-test items are items being evaluated for inclusion in future exams. A candidate will not be able to distinguish between operational and pre-test items; consequently, a candidate should consider each item carefully and provide the best possible response based on the information presented.

The CISSP exam has eight weighted domains, as mentioned in the exam outline. As an adaptive exam, exam items adjust to the candidate to allow for demonstration of a minimal level of mastery of concepts within each domain.

Candidates who pass the exam at 125 items have mastered enough concepts throughout all domains to prove proficiency. Candidates who do not pass the exam at 125 items have not shown the proficiency required throughout enough domains to achieve the minimal passing score. Candidates who exceed 125 items could be proficient in some domains, however, the presentation of additional items allows the candidate the opportunity to continue to prove proficiency in other domains so that they may achieve the minimal passing score.

Source: https://www.isc2.org/certifications/cissp/cissp-cat

Note: On April 15, 2024, the number of questions will be lowered from 125-175 to 100-150, and the time allotted will be reduced from four hours to three.

As such, “125” is the magic number; as soon as you click “Next,” you can expect one of three outcomes:

  1. You answered the minimum number of questions to provisionally pass the exam
  2. You answered below proficiency in so many questions that you could not pass, even if you were given another 50 to try to raise your average.
  3. The test continues at question 126 and gives you additional questions until one of the two conditions above is met. It ends at question 175, pass or fail, provided you don’t run out of time beforehand.

Just over two hours in, my test ended at question 125. The screen indicated it was over, so I raised my hand and waited for the test administrator to escort me out of the testing area.

I remember having mixed feelings just then; while I was relieved that it was over, I didn’t yet know if I’d passed or failed. If what I’d read was to be believed, getting lots of hard questions indicated that you were doing well. To me, the test started at an 11/10 difficulty (compared to the 2,500-3,000ish practice questions I’d taken) and never let up!

Once she noticed me, the test administrator quietly escorted me out of the test area. Then I noticed a handful of other people still taking various other exams; I had not previously noticed them, being so engrossed in my own test. She had me sign out with a second palm vein scan and then instructed me to return to the front desk to collect my results.

Three or four other testers were in line in front of me, so I got into the queue and patiently waited my turn. When I reached the front, I presented my ID again, and a few keystrokes later, my test results spat out of the printer. The employee collected a single sheet and presented it to me face down.

I quickly turned it over, and as my eyes scanned across the page, they settled on the word “Congratulations!”

I let out a deep yelp, gave the test administrator a high five, and then returned to my vehicle. Before setting off for home, I notified a friend, my wife, and my manager, then set the page on the passenger seat and made the journey home.

I celebrated with a couple of breakfast burritos (I elected not to eat breakfast that morning) and reached out to a co-worker for endorsement.

To be continued…

I Passed the CISSP Exam!

“…The people who pass are those that simply start and keep going. They have grit and determination. They show up. Then there is everyone else. They don’t.”
– Nathan House, CEO, StationX

Preface

On December 27th, 2023, I passed the Certified Information Systems Security Professional (CISSP) exam on my first attempt at question 125, roughly 2 hours and 5 minutes in. This post is to share how I managed it, what helped me, and what didn’t.

About the CISSP Exam

At the time of writing, the English-language CISSP exam is only offered in CAT (Computerized Adaptive Testing) format and is between 125 and 175 [multiple-choice] questions long.

For those who are taking the exam on or after April 15, 2024, be aware of the following changes:

  • Domain 1’s weight increases by 1%, and Domain 8’s weight decreases by 1%
  • The total number of questions will be reduced from 125-175 to 100-150
  • The time limit will be reduced from 4 hours to 3 hours

Preparation Strategy

Beginning in August, I committed to spending 5-7 hours a week on CISSP study, which included books (physical and digital), video courses, and practice questions.

Courses and videos:

  • Derek Fisher’s Ultimate Cybersecurity Course & CISSP Exam Prep (StationX, August-October 2023)
  • Thor Pedersen’s CISSP Video Bootcamp series (StationX, October-December 2023)
  • Peter Zerger’s CISSP Exam Cram (YouTube, December 2023)

Derek Fisher’s course is a good introduction to the CISSP material but doesn’t go into much detail. I object to using the word “ultimate” in the title because this implies that it’s the final word when it should be the first.

Thor Pedersen’s course goes into much more detail and includes other goodies such as external links, downloadable study notes, and practice quizzes for each domain.

Peter Zerger’s CISSP Exam Cram was the best of both worlds, concise and complete.

Books:

  • The Official (ISC)2 CISSP CBK Reference 6th Edition
  • (ISC)2 CISSP Official Study Guide (both 8th and 9th editions)
  • All-In-One CISSP Exam Guide 8th Edition
  • How to Think Like a Manager for the CISSP Exam

I didn’t read any of these books cover-to-cover. Instead, I used them as reference material and for their practice questions.

Practice Questions:

  • End-of-domain course quizzes
  • Peter Zerger’s CISSP practice test
  • CISSP Official Practice Tests
  • TotalTester CISSP practice exams (came with All-In-One CISSP Exam Guide)
  • WannaPractice CISSP practice exams
  • Boson CISSP practice exams

Altogether, I completed about 3,000 practice questions. This helped me develop my time management, question analysis, and answer evaluation skills. It also helped me to identify which areas I was weakest in so I could focus my study efforts.

In the last week leading up to my test date, I averaged 80-84% across multiple sources on my complete practice exams.

Additional Activities:

  • I actively participated in an online study group hosted on StationX. I posted a summary of my weekly progress and screenshots of quiz/test results and articulated my intentions for the following week. This helped me stay on track and accountable.
  • I explained the CISSP concepts I was learning to friends and family members. Thor Pedersen is a big advocate of this, and I can attest that if you can’t teach it, you don’t understand it.
  • I invented mnemonics to memorize concepts I struggled with but was unlikely to ever use in my day-to-day work.
  • I researched topics from sources that were not CISSP-specific/centric (e.g., cryptographic systems, networking concepts, security models, etc.). The CBK doesn’t always provide detailed information, so having additional sources of information helped me contextualize what I was learning.

Afterthoughts

In a conversation with Nathan House, CEO of StationX, shortly after passing the exam, he said to me:

“I knew you would pass. If not the first time then the next. Because I see it all the time. The people who pass are those that simply start and keep going. They have grit and determination. They show up. Then there is everyone else. They don’t.”

There’s a lot of truth to that. Passing the CISSP exam has been a professional goal of mine for years, and I wasn’t entirely sure I could do it until I did. It’s also important to understand who it’s for and what it’s supposed to represent.

This is not an entry-level certification, despite many job postings that would allude to the contrary. It’s intended for experienced professionals with 5 years of experience (or 4 years of experience and a four-year degree or one of a handful of certifications).

That’s not to say that you couldn’t study hard and pass it with little or no hands-on experience; some have, but why would you want to? What would this prove other than to suggest that you’re a good test taker? Waiting until I had the requisite experience, desire, and incentives made the process all the more worthwhile.

My best advice to anyone considering taking the CISSP is to ensure you have as much time as you need. Think of it as a marathon rather than a sprint. For me, this took about four and a half months. As you work your way through the process, test your knowledge often and focus your time on the areas you’re weakest in.

Above all, try to learn, retain, and apply something new every day.

Microsoft CSAT Survey II: Someone Listened!

It’s not often something changes for the better, but I’m always pleased when they do!

Once again, I’ve found myself tasked with attaining Microsoft Gold level partnership for my employer. For those who have never had the pleasure, the process consists of attaining a combination of competencies (associated certified professionals, tested products etc.), customer references and the dreaded CSAT (Customer Satisfaction) survey.

In the past, the CSAT consisted of 30 questions, many of which applied to Microsoft product resale, which isn’t applicable to many would-be partners. While questions could be added (though I can’t imagine why anyone would want to), none could be removed.

Since about April 2013, the survey has been reduced to only 5 questions that actually pertain to customer satisfaction – imagine that!

It’s hard enough asking for a customer’s time to fill out a survey, but if I must, I’d prefer it be short and to the point. I believe this iteration of the CSAT does just that.

So why the change? Did someone at Microsoft read my 2009 rant on the subject and act accordingly? Doubtful, but it’s a nice thought anyway :). Regardless, I’m happy it changed, and hope this trend continues!

Blogging with Purpose

When I decided to create this blog, I did so with the express purpose of helping others (and myself) find answers that were difficult for me to come by. Either the information I wanted was scattered across several websites, buried deep in some forum, or worse still, phrased in an unclear or misleading way.

On very rare occasions, I’ve somehow managed to solve the problem and be the first (to the best of my knowledge) to publish it! In my role, the emphasis is on proven technologies, so it isn’t often that I encounter an issue so obscure that no one else has bothered to write about it.

Even after I’ve decided what to write about, I then spend hours, sometimes days, editing my article for spelling, grammar, readability and clarity. Not every article I write makes the cut, and I’ve got about a half dozen of these sitting in my queue that might never see the light of day.

As one might expect from this focus and model, I don’t publish many articles. I rationalize this by telling myself that perhaps (content) quality is more important than quantity. But then how does an author define “quality”?

That depends on the purpose of the blog. Some blogs are written to entertain, some for profit, others to inform while others still are a collection of seemingly random thoughts and ideas the author wanted to capture.

Does a Blog need an excuse?

For instance, suppose you’re an eccentric Welsh change management consultant named ‘Rich’ with a blog whose URL suggests that it’s all about the intricacies of bovine partner-dance.

You could write about everything from social media, to technology, to a badger you met on the way to the bathroom wearing a tiny badger-towel with “New Forest 1994” written on it (surprisingly, I’m not making this up – although you’d think I were, given that that cheeky Brit has since taken down the post it referred to)…

Whose Blog is it anyway?

Can we blog for the sake of writing? Why not!

Does every blog post have to contribute something useful to humanity? Certainly not. As Andy Leonard suggests, one shouldn’t worry about what to write – time and practice will solve that for you – only that you write at all; taking that first step.

So next time your Saudi-American friend’s eyebrow raises and suggests in an ever-so-slightly mocking tone, “You should blog about that…” Smile back and say, “Yes Yousef, I think I will!”

Disclaimer: No talking badgers, Welshmen or change management consultants were harmed in the writing of this post.

P.S. Rich, Stu and Adam – thanks for helping me retain my sanity and sense of humor in a time and place where both were hard to come by.

Chess is a Great Teacher: Life Lessons from Chess Grandmaster Henrik Danielsen

Note 10/30/2018: This post refers to a series of over 100 internet blitz games recorded and published by Henrik Danielsen. While his channel was lost due to his email account being hacked, I elected to republish the original post for posterity.

I discovered Mr. Danielsen’s work on his YouTube channel. His self-styled variant of the Bird’s Opening called the “Polar Bear System” is very interesting to watch, but perhaps more interesting for me was his live-game commentary.

So what does Chess have to do with IT Management? More than you might think! Understanding how components work together, making the most of strengths and weaknesses, planning ahead, perseverance in the face of adversity, execution and timing are all critical in the IT field, but also happen to be central themes in Chess!

In the process of watching his games, I collected little snippets of wisdom he imparts along the way. Amazingly, he does this while playing live opponents in blitz games (3-minute timer)!

Here are some of my favorites:

“Every young child is elastic, so keep your position elastic!”  (Live Blitz #106)

Are you keeping an open mind when it comes to evaluating new technologies? Is your production network capable of scaling to meet the demands of future growth, even if it grows faster than you originally anticipated? The most important thing to remember about change is that it’s going to happen, with or without you; either learn to adapt or be left behind!


“If you know where you’re going, you can get there very fast.” (Paraphrased in many of his Live Blitz games)

No matter what you do to prevent them, problems will occur. Knowing your way around your management tools and network is the key to solving issues quickly!


“Everything has its own Rhythm…try to use the Rhythms that are successful.” (Live Blitz #51)

To me, this speaks to the importance of forming good habits, whether it’s maintaining a healthy work/life balance, continual professional growth and learning, or proactively managing your infrastructure (checking backups, testing fail-over capability, keeping up with documentation, etc.).


“..It’s like you have to keep the pillow in front of his face and not let him breathe.” (Hunting with the Polar Bear #2)

This one’s a bit sadistic, but a touch humorous as well, so I just had to throw it in :). The point he’s trying to get across is that you can’t let up when you’ve got your objective on the run!


“…remember our thoughts and our feelings are creating our reality, so you better think big, and you better be positive about your life.” (Live Blitz #81-82)

Set realistic stretch goals, determine what steps you’ll need to take to achieve them, then set a timeline for completion. Most importantly, stay positive!