topic Re: Failed CISSP, Where do I go from here? in Exam Preparation

Failed CISSP, Where do I go from here?

atk — Fri, 31 Aug 2018 00:46:37 GMT

So...after 4 months of solid study (at least 2-3 hours / day), reading multiple books cover to cover, subscribed to 2 practice exam sites (Boson & Cccure - where I consistently was at 80-90%, at 200-400 questions daily), attended a week-long bootcamp and availed myself of more resources than I can fit in this post, I finally took the test. And failed after taking 150 questions - from what I understand, that means I was not too far away from passing. I was a little dismayed that many of the questions didn't even sound familiar to me, and I've been working in the field for years!

Don't get me wrong, I'm very disappointed in my test result, but I know my failure wasn't due to unpreparedness. I've come to the conclusion that perhaps I've been focusing on the wrong things / resources - and I'm humbly asking the CISSP community for advice and guidance. I am not afraid of hard work and study, and MORE than willing to do that. I don't want the answers handed to me, or just to skate by. I just need to know where to find the right content to study. I know about the "management mindset" - and as a cybersecurity manager, I believe I've developed them, but how do I learn the ISC2 way?

At this point, I'm wondering if I should even try this again. I'm pretty down about the whole thing and just read a long post by an ISC2 member saying that people who fail probably aren't good enough to be CISSPs to begin with. As a woman in cybersecurity, I have been faced with the "you don't measure up" for my entire career. It's very easy to believe that.

Anyone care to point me in the right direction? One of my biggest frustrations was that there was no way I could gauge whether I had enough knowledge to take the test - there was no "take this practice exam and if you get at least X%, you're ready". Maybe there is such a thing and I haven't found it?

Thank you all in advance for your help.

Re: Failed CISSP, Where do I go from here?

Jaesimpson — Fri, 31 Aug 2018 00:37:38 GMT

Are you using the ISC2 book and test prep? Was the boot camp ISC2 endorsed, there is only like 1 provider I think its training camp? I too studied and prepped for a month using the Shon Harris book. I scored a 658 then a 695. Then I went back using the ISC2 book and test prep material and took the week-long book camp via Training camp, and the third test I passed right at the 100 question mark.

Re: Failed CISSP, Where do I go from here?

atk — Fri, 31 Aug 2018 00:57:25 GMT

Jae - thank you so much for responding. I really appreciate it. Congrats on passing your CISSP! As for your questions...

This is what I used:

1. Sybex ISC2 Official Study Guide

2. 11th Hour CISSP - Eric Conrad

3. Infosec Institute 1-week boot camp (didn't help as much as I had hoped it would...)

4. Read bits of Shon Harris' book, CISSP for Dummies, 11th hour CISSP and as much info as I could find on the internet

5. Lecture on Cybrary

6. Boson practice tests (was getting nearly 90% consistently on all tests - about 300 questions a day, sometimes more)

7. CCcure practice tests (was getting about 85% consistently on all tests - about 200 questions a day, sometimes more)

8. YouTube videos

Which Test Prep materials did you use? I am not familiar with that - and that could have come in handy by explaining to me how ISC2 reached their answers. Do you mean the Sybex practice exams? If that's the case, I just bought it an hour after returning home from my failed test.

After speaking with some other folks, it seems that maybe - just maybe - having been eliminated at 150 questions meant I was somewhat close to passing. I didn't fail any domains. I was below proficiency in 4 of them, near proficiency in 3 and above proficiency in 1.

I'm willing to put in the time and effort to complete this goal, but it's hard to make a change in thinking or mindset if you don't have an idea of what you need to change your mindset TO.

Re: Failed CISSP, Where do I go from here?

Early_Adopter — Fri, 31 Aug 2018 01:38:15 GMT

Sorry to hear that, and Chin up.

I actually think the ‘management mindset’ is a little misleading as most of it seems to be to me down to elimination, logic and reduction. The minute some advice sounds mystic to me I tend to try to avoid it, or if lots of people it trust the judgment of say it’s right i’ll to reduce it to an axiom - if you think about it we do this a lot in the world as the tech works but no one can really understand it all.

I treat questions these kind of ‘multi-guess’ exams as exercises in knowledge, reading and comprehension first and then if I’m not able to be 90% sure of my answer I switch to a more expensive in time method of coming up with rationales for the possible option after eliminating obvious wrong answers. The CAT test means you need to have better pacing as you can’t identify these questions at the end anymore.

This seems to work for me as I’ve taken a load of them over the years and not failed one yet(though I have an opportunity to do so in the near future as I just sat the CIPT beta and there was some stuff I really wasn’t so sure of, they get the results back in a few weeks or so.)

Prep wise I read for 40 mins, rest(mind blank)for ten mins and summarise the things I know and don’t know from memory And look they up via different sources than the one I just read. In addition to this approach I’d see two different things you might try:

1. Get a ‘study buddy’ or two and sync up and cover everything with them in regular sync ups - you have a shared goal then and levearage on a lot of our ‘chase the mammoth, push the mammoth over the cliff, everyone eats mammoth’ group dynamic. Shared experience with peers, is probably the best thing you can do here;

2. Find a CISSP in the forum and ask them to mentor you. Recent exam passer is best, and you could talk it out to some extent and ask their thoughts on scenarios.

The whole you don’t measure up as a woman in cybersecurity is I think ridiculous, and by your doing all of the questions as you pointed out you were probably close to a pass. It is very possible that any preening CISSP with a boys > girls mindset would do well to dwell on the fact exams are random and could have stood a chance of failing the questions you got on the day, with CAT if you get a number wrong at the start you are in recovery mode(IMHO it’s harder as you don’t get to review questions that will jog your memory).

Re: Failed CISSP, Where do I go from here?

atk — Fri, 31 Aug 2018 09:37:42 GMT

Thank you for your kind reply...so much of what you said really made sense to me. I am getting some good advice by reading responses on this board. I'm already adding to my study repertoire - and may actually take another CISSP class at my local community college to supplement what I might not have gotten before. Mind you - in addition to the significant chunk of cash I've already invested in this process, all tests / resources / classes are my responsibility, so I have to be judicious about the financial burden I can bear.

In retrospect, I believe I approached the test thinking like a cyber SME, and not a manager - I mean, when's the last time my CIO logged onto a SIEM to monitor the company's network or configured a firewall? Certainly not as a CIO!

I agree, the "good ol' boy" culture in cybersecurity is kind of ridiculous - but it is very real and somewhat ubiquitous in my geographic area, independent of industry or company. There are reports that women make up 11% of all cybersecurity professionals, and even fewer women are seen in cyber leadership (https://womenscyberjutsu.org/?). My years of experience backs that claim up. I can't count all the times I was dismissed as the "IT secretary", or treated like I was something less than my male counterparts, even if I had double their experience or knowledge. Nothing like waiting for the client to arrive, and when they do, they look at you and say, "Oh. When are the technical staff going to show?"

Truth is, one of my main motivations for taking the CISSP is to encourage my IT security colleagues to treat me as a respected counterpart, and perhaps help me take on more leadership roles.

Re: Failed CISSP, Where do I go from here?

Early_Adopter — Fri, 31 Aug 2018 10:42:06 GMT

No worriies/hope it helps.

On the dispositions of roles in IT/Cyber security I’ve read a fair bit up on it and I do get the barriers and I don’t think it differs a huge amount where I’m based (Asia) , however, I don’t think we’ll fix that here. IMHO(and I’m aware I’m massively simplifying) the whole mess started because one sex happens to be biased to being bigger and stronger than the other over many years. I realise this is not apples to apples as survey to survey goes, but it is at least interesting if you consider IT/InfoSec as a subset of STEM:

https://www.theatlantic.com/science/archive/2018/02/the-more-gender-equality-the-fewer-women-in-stem/553592/

If your colleagues are dismissive of you based on sex, I’d say that they might not be the best colleagues to have, you can at least get CISSP and move on.

CISSP is assuredly tractable, isn’t in my view really anything helped by the old boys man of action management gut feel or even female intuition at that... it’s just a comprehension test, and as long as you prep well and take a statistical approach on the things you don’t know you will be able to pass. Approaching as an Operator, or an analyst isn’t the best option as these roles tend not to allow to much ambiguity it’s an exploit, incursion through RAT, account compromise and you can see it in the logs - however if you acheive the mystical ‘flow state’ at work try to think to how you fill in the gaps when you don’t have a complete picture - I tend to sit back and try to infer - and that might be as good as it will get, but it’s probably good enough “least bad” is quoted a lot.

Frankly I don’t think the money really matters a whole lot for prep(official text books are OK, al in one is good, and as a supporting anecdote Its not wrong say that the late great Shon Harris is the Spiritual Mother of all CISSPs). So please hold fire and get some more opinions before you spend any more money, I think with the right help you could get through it for the cost of the exam(books are consumer durables after all).

I know of quite a few female CISSPs At my employer and a load of them are based in the US so I’m pretty sure I could ask a couple to have a chat with you if you like(ping me offline and i’ll ask someone in the same timezone). All we do is cybersecurity and from where, I stand they are very good at it(plus I’m pretty sure we do have a group of interested people for this kind of thing.)

Re: Failed CISSP, Where do I go from here?

Flyslinger2 — Fri, 31 Aug 2018 13:20:55 GMT

I took the InfoSec boot camp. My first instructor was very frustrating. I did not connect with him at all. He pounded us with example questions for 90 minutes at the end of each day. This is after heavy doses of reading and quizzes that were assigned prior to the start of each day.

I failed my first crack at the exam. I knew what my issue was. I was so focused on the questions that I got wrong in class that I completely failed to get my head wrapped around the bigger picture.

I went back to InfoSec to claim my guarantee pass offer and audited the class again with a different instructor. The second instructor rocked! Not once did he hammer us with example questions. He taught us the major components of each domain and prepped us for the larger picture which is exactly how a CISSP should think.

Took the exam again and it was 100 questions in 120 minutes. Pass! I firmly believe the second instructors methodology was all the difference in the world. This same instructor is well thought about on other CISSP message boards also.

PM me if you want to discuss the instructor in greater detail.

Re: Failed CISSP, Where do I go from here?

mtcook — Fri, 31 Aug 2018 13:37:47 GMT

Great advice! Focus on the content and make it a learning experience. Use side research if the material you're using doesn't explain it satisfactorily. While some people dismiss the idea of Certifications, the process of studying for them never fails to teach me new things, which I greatly appreciate.

The chin up is also good advice. Try and work on a positive, "I can do it" attitude. Good luck!

Re: Failed CISSP, Where do I go from here?

atk — Fri, 31 Aug 2018 14:18:44 GMT

Flyslinger - holy Toledo...you're right. I did focus so much on the questions and details that I forgot to approach the test with the manager's mindset. If nothing else, the CISSP journey has helped me learn that much.

So grateful for all the advice and encouragement here. My supervisor (a CISO and CISSP as well) said the same thing - that this is only an event on the journey, and not a statement on my worth to the team or my abilities as a cyber professional.

I was hesitant to come onto this board and post. I was/am a bit embarrassed about failing, as that is not something that happens often with me. So glad that I did; not only have I gotten to interact with some wonderful folks, but gotten some great advice and encouragement.

Thank you all.

Re: Failed CISSP, Where do I go from here?

rslade — Fri, 31 Aug 2018 17:33:21 GMT

> atk (Viewer) posted a new topic in Certifications on 08-30-2018 06:52 PM in the

> I've come to the conclusion that perhaps I've been
> focusing on the wrong things / resources - and I'm humbly asking the CISSP
> community for advice and guidance. I am not afraid of hard work and study, and
> MORE than willing to do that. I don't want the answers handed to me, or just to
> skate by. I just need to know where to find the right content to study.

Do a search on "anderson" and read those topics. (You'll find out.)

Also http://victoria.tc.ca/int-grps/books/techrev/mnbksccd.htm

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
The Auditors avoided death by never going so far as to get a
life. They strove to be as indistinguishable as hydrogen atoms,
and with none of the latter's joie de vivre.
- `Thief of Time,' Terry Pratchett
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade

Re: Failed CISSP, Where do I go from here?

CraginS — Fri, 31 Aug 2018 18:43:38 GMT

@atk wrote:
So...after 4 months of solid study (at least 2-3 hours / day), reading multiple books cover to cover, subscribed to 2 practice exam sites (Boson & Cccure - where I consistently was at 80-90%, at 200-400 questions daily), attended a week-long bootcamp and availed myself of more resources than I can fit in this post, I finally took the test. And failed after taking 150 questions - from what I understand, that means I was not too far away from passing. I was a little dismayed that many of the questions didn't even sound familiar to me, and I've been working in the field for years!

Andrea,

You are doing the right thing by stepping back to assess what happened, and what you should do next. One tip I have for you is to make sure you recognize that not passing a professional competency exam is not the same as failing an academic exam. We have all been conditioned by the academic world and tend to react emotionally to not passing a professional exam with depression like we might have gotten after failing a school exam.

Repeating for emphasis, not passing a professional competency exam is NOT the same as failing a school exam. Keep that in mind, and look at how physicians, lawyers, and accountants approach their medical board, bar, and CPA exams. They know that the pass rate on those exams ranges from under 50% to 90%.

See my blog post, Pass Rates for Professional Exams for more detailed discussion and links to detailed exam pass rates in accounting, law, and medicine.

Side note: @rslade pointed you to the writings of Ross Anderson. He is right. I read Security Engineering cover to cover, in both first and second editions, and continue to recommend it for CISSP prep study. The entire book is free online, but I recommend a dead tree copy for annotation and study.

Once more for emphasis:

Not passing a professional competency is a setback, but is not a failure!

Good luck,

Craig

Re: Failed CISSP, Where do I go from here?

miketcook — Fri, 31 Aug 2018 19:25:06 GMT

Craigin:

Agree with your points. Thanks for the recommendation on the Security Engineering book - that's a weak area for me.

Also your comment about the professional exams - I took the CPA years ago (and passed). But at the time the JD exam had a very high pass rate, and I learned they had a VERY high (95+) % of people taking a review course - thus the pass rate. While the CPA exam had about 50% of the folks taking a review course.

Thanks for the post.

Mike

Re: Failed CISSP, Where do I go from here?

denbesten — Fri, 31 Aug 2018 19:53:52 GMT

@atk wrote:

In retrospect, I believe I approached the test thinking like a cyber SME, and not a manager

Notably, this is in direct opposition to your topic-starting post and, I suspect, exactly what is needed. There is much wisdom in questioning assumptions when solving a problem.

Do keep in mind that being "a manager" (e.g. coordinating the activities of other people) is not the same thing as "management mindset", which is more about thinking holistically. A few examples:

It may be necessary to continue running in a compromised state so that the a shipping deadline can be met.
At an accident, EMS treats the victims. Management mindset is on safely reopening the road.
A technician focuses on problem resolution ("what caused it to break and how do I repair it?"). Management mindset focuses on impact mitigation ("how bad is it and how can we get back to production?").

I was/am a bit embarrassed about failing, as that is not something that happens often with me. So glad that I did; not only have I gotten to interact with some wonderful folks, but gotten some great advice and encouragement.

Failure is a better teacher than success. We have a 20-year old reminder on our fridge that everyone fails. The important part is how one moves on. It does seem that you have gotten yourself back on the path towards success.

Also, thanks for sharing your story. It reminded me that failing the CISSP exam can be significant enough to invoke the grief process. I had been getting frustrated at others who's response was to blame the training materials or to declare the test unfair. I now realize that they are simply in the "anger" stage of grief and that our response should focus more on compassion than on adjusting their opinion.

Re: Failed CISSP, Where do I go from here?

atk — Sun, 02 Sep 2018 14:50:23 GMT

Such great responses, and really helping me to think about how to approach my next phase of study and testing. I am humbled at how many people have jumped into this post to help a veritable stranger, sharing your experiences and advice. Believe me, I have read everyone's post multiple times in order to digest it and see how I can incorporate what was said here into my next phase of study.

I agree with the "grief" feeling, although I the only person I'm angry with is myself. I don't blame the test, or the study materials or ISC2 or anyone else. I have come to the understanding that although I might know the material backwards and forwards, it's how I have applied the material to real-life situations that was the issue. I've gotten quite a bit of feedback - online & offline - that stated because I answered 150 questions means I was on the cusp of passing, which makes me feel like I wasn't a *total* failure <<grin>>. My takeaway is that I just have to focus on thinking like an exec and not as a SME, and I should be in a better place to succeed.

I know I've said this before, but I am so grateful for all of you jumping in to help and share what you know. I'm very impressed with the ISC2 community and their willingness to help others in the cybersecurity field - I am looking forward to joining your ranks and paying it forward as well!

Hope everyone (in the US) is having a fun, safe and relaxing Labor Day weekend!

Re: Failed CISSP, Where do I go from here?

CISOScott — Wed, 21 Nov 2018 12:57:19 GMT

A key phase I tell the girls that I coach in basketball, volleyball, and softball is this: "It's not how hard you fall that counts, it's how well you bounce after the fall." As another famous person once said "Brick walls are not in our paths to stop us, they are put there to see how badly we want our goal." You pick yourself up, keep studying and go take the test again. I know it can be discouraging but you have to reassess why you failed. If you are like most tech savvy people, you probably fought the test, trying to prove in your mind why your answer was right instead of looking for the best answer. The CISSP can be word dependent, which means this: You have to pay particular attention to what each question is asking you, independent of other questions.

1) The key benefit of implementing cloud solutions is A), B), C), D).

2) A key benefit for cloud implementation in small businesses is A), B), C), D).

The 2 questions ask different things. If you use the same answer for both you are likely to get one of them wrong.

Look at each question. What is each question asking you? Then forget it for the next one.

As far as women in cybersecurity, you can't let a few bad apples stop you from your goal. Maybe you are in a whole stinking orchard of bad apples, don't let the stench deter you. The cyber world, well the whole world as a whole, benefits from people with different opinions and life experiences. One of the experiences that helped me learn how to deal with people came from working with a mentally retarded man. He didn't want to listen to any advice on how to do his work because so many people had set him up for failure and then laughed at him. By working with him and treating him with respect and dignity I slowly earned his trust and helped him become more productive. Management could have fired him and got a more productive worker but they didn't. I taught him to become more productive. Even though he couldn't do 100 parts a night like most capable people could, he could do 20-30 and on a good night 50!. I think he was the most upset to see me leave when I got promoted.

So bloom where you are planted. If your orchard stinks too bad, keep bettering yourself and then uproot yourself and find a new orchard.

Sorry for the late response I didn't realize this didn't send when I originally wrote it. Hopefully it provides you a pick me up when you may need it.

Re: Failed CISSP, Where do I go from here?

jrtisevich — Tue, 12 Mar 2019 20:46:26 GMT

Hello -

I'd be very interested in finding out the name of the instructor for CISSP that you used for InfoSec for your CISSP exam. You can PM me at jrtisevich@yahoo.com

Thank you!

John

Re: Failed CISSP, Where do I go from here?

s_carter — Thu, 06 Jun 2019 11:35:06 GMT

I would love to find out more about the instructor.

Re: Failed CISSP, Where do I go from here?

clavezza — Mon, 22 Jul 2019 23:20:37 GMT

Hi Flyslinger2,

Can you provide the information for the Boot Camp that you took.

Took exam today and did not pass it.

Sincerely

Christopher

Re: Failed CISSP, Where do I go from here?

tellsplatte — Fri, 08 Nov 2019 17:45:42 GMT

atk, did you pass the CISSP yet? If not, do it one more time after doing Greenblatt's videos from https://internetworkdefense.com/our-cissp-prep-programs/