I Passed the CISSP Exam!

“…The people who pass are those that simply start and keep going. They have grit and determination. They show up. Then there is everyone else. They don’t.” – Nathan House, CEO, StationX

Preface

On December 27th, 2023, I passed the CISSP exam on my first attempt at question 125 at roughly 2 hours and 5 minutes in. This post is to share how I managed it, what helped me, and what didn’t.

About the CISSP Exam

At the time of writing, the English language CISSP exam is only offered in CAT (Computerized Adaptive Testing) format and is between 125 and 175 [multiple choice] questions in length.

For those who are taking the exam on or after April 15, 2024, be aware of the following changes:

  • Domain 1’s weight increases 1%, and Domain 8’s weight decreases 1%
  • The total number of questions will be reduced from 125-175 to 100-150
  • The time limit will be reduced from 4 hours to 3 hours

Preparation Strategy

Beginning in August, I committed to spending 5-7 hours a week on CISSP study, which included books (physical and digital), video courses, and practice questions.

Courses and videos:

  • Derek Fisher’s Ultimate Cybersecurity Course & CISSP Exam Prep (StationX, August-October 2023)
  • Thor Pedersen’s CISSP Video Bootcamp series (StationX, October-December 2023)
  • Peter Zerger’s CISSP Exam Cram (YouTube, December 2023)

Derek Fisher’s course is a good introduction to the CISSP material but doesn’t go into much detail. I object to the use of the word “ultimate” in the title because this implies that it’s the final word when it should really be the first.

Thor Pedersen’s course goes into much more detail and includes other goodies such as external links, downloadable study notes, and practice quizzes for each domain.

Peter Zerger’s CISSP Exam Cram was the best of both worlds, concise and complete.

Books:

  • The Official (ISC)2 CISSP CBK Reference 6th Edition
  • (ISC)2 CISSP Official Study Guide (both 8th and 9th editions)
  • All-In-One CISSP Exam Guide 8th Edition
  • How to Think Like a Manager for the CISSP Exam

I didn’t read any of these books cover-to-cover. Instead, I used them as reference material and for their practice questions.

Practice Questions:

  • End-of-domain course quizzes
  • Peter Zerger’s CISSP practice test
  • CISSP Official Practice Tests
  • TotalTester CISSP practice exams (came with All-In-One CISSP Exam Guide)
  • WannaPractice CISSP practice exams
  • Boson CISSP practice exams

Altogether, I completed about 3,000 practice questions. This helped me develop my time management, question analysis, and answer evaluation skills. It also helped me to identify which areas I was weakest in so I could focus my study efforts.

In the last week leading up to my test date, I was averaging 80-84% on my complete practice exams across multiple sources.

Additional Activities:

  • I actively participated in an online study group hosted on StationX. I’d post a summary of my weekly progress, screenshots of quiz/test results, and articulate my intentions for the following week. This helped to keep me on track and accountable.
  • I explained the CISSP concepts I was learning to friends and family members. Thor Pedersen is a big advocate of this, and I can attest that if you can’t teach it, you don’t really understand it.
  • I invented mnemonics to memorize concepts I was struggling with but was unlikely to ever use in my day-to-day work.
  • I researched topics from sources that were not CISSP-specific/centric (e.g., cryptographic systems, networking concepts, security models, etc.). The CBK doesn’t always go into detail, so having additional sources of information helped to contextualize what I was learning.

Afterthoughts

In a conversation with Nathan House, CEO of StationX, shortly after passing the exam, he said to me:

“I knew you would pass. If not the first time then the next. Because I see it all the time. The people who pass are those that simply start and keep going. They have grit and determination. They show up. Then there is everyone else. They don’t.”

I think there’s a lot of truth to that. Passing the CISSP exam has been a professional goal of mine for years, and I wasn’t entirely sure I could do it until I did. It’s also important to understand who it’s for and what it’s supposed to represent.

This is not an entry-level certification, despite many job postings that would allude to the contrary. It’s intended for experienced professionals with 5 years of experience (or 4 years of experience and a four-year degree or one of a handful of certifications).

That’s not to say that you couldn’t study hard and pass it with little to no preparation or experience; some have, but why would you want to? What would this prove other than to suggest that you’re a good test taker? Waiting until I had the requisite experience, desire, and incentives made the process all the more worthwhile to me.

My best advice to anyone considering taking CISSP is to ensure that you have as much time as you feel you need; think of it as a marathon rather than a sprint. For me, this was about four and a half months. As you work your way through the process, test your knowledge often and focus your time on the areas where you’re weakest.

Above all, try to learn, retain, and apply something new every day.

Microsoft CSAT Survey II: Someone Listened!

It’s not often that something changes for the better, but I’m always pleased when it does!

Once again, I’ve found myself tasked with attaining Microsoft Gold level partnership for my employer. For those who have never had the pleasure, the process consists of attaining a combination of competencies (associated certified professionals, tested products etc.), customer references and the dreaded CSAT (Customer Satisfaction) survey.

In the past, the CSAT consisted of 30 questions, many of which applied to Microsoft product resale, which isn’t applicable to many would-be partners. While questions could be added (though I can’t imagine why anyone would want to), none could be removed.

Since then (about April of 2013 or so), the survey was reduced to only 5 questions that actually pertain to customer satisfaction – imagine that!

It’s hard enough asking for a customer’s time to fill out a survey, but if I must, I’d prefer it be short and to the point. I believe this iteration of the CSAT does just that.

So why the change? Did someone at Microsoft read my 2009 rant on the subject and act accordingly? Doubtful, but it’s a nice thought anyway :). Regardless, I’m happy it did, and hope this trend continues!

Blogging with Purpose

When I decided to create this blog, I did so with the express purpose of helping others (and myself) find answers that were difficult for me to come by. Either the information I wanted was scattered across several websites, buried deep in some forum, or worse still, phrased in an unclear or misleading way.

On very rare occasions, I’ve somehow managed to solve the problem and be the first (to the best of my knowledge) to publish it! In my role, the emphasis is on proven technologies, so it isn’t often that I encounter an issue so obscure that no one else has bothered to write about it.

Even after I’ve decided what to write about, I then spend hours, sometimes days, editing my article for spelling, grammar, readability and clarity. Not every article I write makes the cut, and I’ve got about a half dozen of these sitting in my queue that might never see the light of day.

As one might expect from this focus and model, I don’t publish many articles. I rationalize this by inferring that perhaps (content) quality is more important than quantity. But then how does an author define “quality”?

That depends on the purpose of the blog. Some blogs are written to entertain, some for profit, others to inform while others still are a collection of seemingly random thoughts and ideas the author wanted to capture.

Does a Blog need an excuse?

For instance, suppose you’re an eccentric Welsh change management consultant named ‘Rich’ with a blog whose URL suggests that it’s all about the intricacies of bovine partner-dance.

You could write about everything from social media, to technology, to a badger you met on the way to the bathroom wearing a tiny badger-towel with “New Forest 1994” written on it (surprisingly, I’m not making this up – although you’d think I were, given that that cheeky Brit has since taken down the post it referred to)…

Whose Blog is it anyway?

Can we blog for the sake of writing? Why not!

Does every blog post have to contribute something useful to humanity? Certainly not. As Andy Leonard implies, one shouldn’t worry about what to write – time and practice will solve that for you – only that you write at all; taking that first step.

So next time your Saudi-American friend’s eyebrow raises and suggests in an ever-so-slightly mocking tone, “You should blog about that…” Smile back and say, “Yes Yousef, I think I will!”

Disclaimer: No talking badgers, Welshmen or change management consultants were harmed in the writing of this post.

P.S. Rich, Stu and Adam – thanks for helping me retain my sanity and sense of humor in a time and place where both were hard to come by.

Chess is a Great Teacher: Life Lessons from Chess Grandmaster Henrik Danielsen

Note 10/30/2018: This post refers to a series of over 100 internet blitz games recorded and published by Henrik Danielsen. While his channel was lost due to his email account being hacked, I elected to republish the original post for posterity.

I discovered Mr. Danielsen’s work on his YouTube channel. His self-styled variant of the Bird’s Opening called the “Polar Bear System” is very interesting to watch, but perhaps more interesting for me was his live-game commentary.

So what does Chess have to do with IT Management? More than you might think! Understanding how components work together, making the most of strengths and weaknesses, planning ahead, perseverance in the face of adversity, execution and timing are all critical in the IT field, but also happen to be central themes in Chess!

In the process of watching his games, I collected little snippets of wisdom he imparts along the way. Amazingly, he does this while playing Live opponents in Blitz games (3 minute timer)!

Here are some of my favorites:

“Every young child is elastic, so keep your position elastic!”  (Live Blitz #106)

Are you keeping an open mind when it comes to evaluating new technologies? Is your production network capable of scaling to meet the demands of future growth, even if it grows quicker than what you’d originally anticipated? The most important thing to remember about change is that it’s going to happen, with or without you; either learn to adapt or be left behind!

“If you know where you’re going, you can get there very fast.” (Paraphrased in many of his Live Blitz games)

No matter what you do to prevent them, problems will occur. Knowing your way around your management tools and network is the key to solving issues quickly!

“Everything has its own Rhythm…try to use the Rhythms that are successful.” (Live Blitz #51)

To me, this speaks to the importance of forming good habits, whether it’s maintaining a healthy work/life balance, continual professional growth and learning, or proactively managing your infrastructure (checking backups, testing fail-over capability, keeping up with documentation, etc.).

“…It’s like you have to keep the pillow in front of his face and not let him breathe.” (Hunting with the Polar Bear #2)

This one’s a bit sadistic, but a touch humorous as well, so I just had to throw it in :). The point he’s trying to get across is that you can’t let up when you’ve got your objective on the run!

“…remember our thoughts and our feelings are creating our reality, so you better think big, and you better be positive about your life.” (Live Blitz #81-82)

Set realistic stretch goals, determine what steps you’ll need to take to achieve them, then set a timeline for completion. Most importantly, stay positive!

Honesty in Sales

One of the most effective ways for me to evaluate vendors is to speak directly with a representative. This saves a lot of time and effort spent picking through the fluff to get to the meat of what you’re after.

When I approach a sales person, whether it be over the phone or in person, I get right down to the point, explain what I’m looking for and declare my budget. Generally, we’ll know within 5-10 minutes whether or not we’re wasting each other’s time.

Today, I placed such a call, intending to reach a representative I’d previously worked with on an unrelated project. The rep was no longer with the organization, but I decided to press on with the next available person. Our conversation went something like this:

I opened by explaining my requirements and budget to the sales rep, whom we’ll call “Don”. Don explained that he had both on-premise and SaaS offerings. I expressed interest in the latter and asked what pricing was like. Instead of responding appropriately, he continued to pitch me the on-premise solution. I asked again how much his solution cost. He dodged the question again, this time going into more detail about the application’s features. I asked him a third time, and he finally confessed that the cost was 4 times greater than what I’d already defined to him as my budget, but he wasn’t finished.

Support and training were extra, and another feature I had listed in my requirements, which he had previously claimed was a ‘standard’ feature, was actually available only at an additional cost. After all of the ancillary fees, the total solution came to just over 5 times my stated budget.

At that point, I was ready to end the call, but decided to entertain the SaaS offering. I was equally disappointed there, the cost still being well above my constraints. I explained to him that my budget was neither negotiable nor arbitrary, so he played the quality card.

While his product was good, he could not identify any direct competitors (of which there were many), nor could he articulate what was so unique about his product that it warranted a premium price tag. I let him go at that point and moved on, but invited him to talk to his superior and see if he could come back with an offer that met our requirements.

Within an hour, I had a quote from him that was equally insulting – the price had not changed, and he even went so far as to say (in not so many words) that we weren’t big enough to bother with, and that he was puzzled about how we came up with such a low budget for this project. He even went so far as to imply that our constraints weren’t realistic, or that we hadn’t done our homework.

Two calls later, I found a solution that offered all of the functionality Don’s product did, but at 1/3 of our budgeted cost per user. It included:

  • Free support
  • No multi-year contract
  • Setup in minutes instead of months.

It was clear to me based on Don’s attitude and pricing that SMBs were not one of their target markets, and that’s okay. A Mercedes is not for everyone! Whether the car can park itself or make julienne fries, these features mean little to a person who just wants to get from point A to point B and can’t spend an extra $35K to get there.

While Don didn’t have anything that could help me today, his behavior guaranteed that I would never do business with his firm again, either in this or any other organization later down the road. I can only wonder how much this kind of carelessness costs organizations every year in damaged reputations and missed opportunities. I replied to his email with a lengthy explanation of why we weren’t going to do business, in the hope that he might learn from the experience. I hope he does.

What kind of experiences has everyone else had with dodgy vendors?