I recently passed the CISSP exam! This post is about my journey to CISSP: why I chose to do it, the study material I used and how I prepared for the exam.
In my university days, I started doing freelance penetration testing and bug bounties, and then joined a company where I did on-site penetration testing for clients. Over the years I realized that penetration testing as a field is getting saturated and shrinking for a number of reasons. For example, the introduction of framework-based applications running on cloud-based architecture means my penetration testing skills are down to running a few tools to check for misconfigurations at best. Those days of ‘or”=’ are over! Now, unless you have 0days you can flaunt around or you are smooth enough in red teaming/social engineering, I don’t see the point of penetration testing anymore. I mean, it will still be around, and companies will still hire penetration testers or vendors for third-party penetration testing assessments, but the charm is not the same for me.
So I transitioned my career from penetration testing to application security. Appsec is about finding and fixing threats/vulnerabilities as early as possible within the SDLC (think of the buzzword “shift-left”), and about working closely with developers to help them design, develop and deploy applications securely.
Having done appsec for about 5 years now, I decided to kick it up a notch and learn about other, broader InfoSec topics, like the policies that define the security posture, the risks to the business, etc. Both penetration testing and application security are very focused on the technical aspects of infosec, but it's all about the business you are trying to protect, and a lot more goes into protecting a business than technical controls. Another aspect that I wanted to explore was security architecture: what goes into the development, design, and review of enterprise security architecture? These factors made me pursue the CISSP certification.
Here is the chronological order of my CISSP journey:
2017 – Bought the CISSP Sybex official study guide, went through the first chapter and lost interest; after a few months I lost the book as well.
2020 – Bought the book again, along with the official practice tests, tried to study, and lost interest. Then COVID happened. Well, truth be told, COVID had nothing to do with me not studying, but it makes a good excuse.
April 2022 – I had been lingering on CISSP for 5 years now, and I finally gave myself an ultimatum: I had to do it in a month. I booked the exam for the 28th of May. I needed good motivation, and now that I had booked the exam, losing the exam fees was motivation enough to study hard. In hindsight, preparing for CISSP in a month was not the best of ideas; it's too much work and not enough time, unless you are like me and thrive under pressure.
28th May 2022 (D-Day) – Woke up at 5:30 AM, took the train and went to London. The exam time was 8:15 AM (again, not the best time choice; I only had 4.5 hours of sleep). As I went through a few initial questions I realized that this was harder than I thought. The beauty of the CISSP exam was that all of the answers looked correct. It makes you doubt your preparation. As I was muddling through the exam, I started pondering the possibility of not passing. The exam is purely logical; I probably had about 5/100 questions that were technical, and all the others were about making your best judgment on a scenario. This was better for me because I suck at remembering detailed technical intricacies. I noticed that as I got closer to the 100th question, the questions started getting a bit easier. In a CAT-style exam this is usually an indication that either you have already shown your competence in all domains or you have already failed and there is no point in asking difficult questions now. After 2 hours and 35 minutes I went through the 100th question. I only had 45 minutes left, and I asked myself: if I had to go through the entire 150 questions, it would be very difficult to get through the next 50 in 45 minutes. At the 100th question the exam stopped. I went out to get my result, half-heartedly opened the letter, and it said CONGRATULATIONS!
Sybex official study guide: That’s the only study book I used, and I didn’t see anything in the exam that I thought was not covered by the book.
Official practice tests: Highly recommended! The questions are logical: you are presented with a scenario and have to select the best option, and the format is the same as what you see in the exam.
Boson exams: Nah, didn’t work for me. The questions are way too technical compared to what you see in the exam; you get a question about the length of a certain type of Cat cable, not something you expect in the real exam. Not recommended.
Wiley Efficient Learning app: Recommended. You load your official study guide and official practice tests into this mobile app, and it was very convenient for me to do practice questions using the app. Attaching a screenshot of what it looks like:
The right study material is important, but what is also important is the way you study: how do you make sure you don’t miss important concepts, and consolidate and build upon what you have already learned? The flowchart below explains how I prepared for the CISSP exam.
So what’s next for me? There are three CISSP concentrations, and the one I'm most interested in is ISSAP. It focuses on the development, design, and review of a secure architecture. As I previously mentioned, my next career move is to switch from application security to enterprise security architecture, and ISSAP would be a good stepping stone to it. In fact, I have already bought the ISSAP CBK book.
Some other materials I used once or twice that I think are worth checking out:
- Kelly Handerhan’s CISSP exam video course
- Luke Ahmed’s “Think Like a manager”
- Why you will pass the CISSP exam