UPDATE: As I'm going through the official courseware again, I'm finding I need to backtrack my statement about no overlap between course and test. There are a lot of hidden nuggets in both the courseware and the instructor's lectures. As it turns out, there was coverage of IoTs, etc. In fact, there is a very comprehensive treatise on securing IoTs:
NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks
https://csrc.nist.gov/publications/detail/nistir/8228/final
And back to the excellent instructor, Frank S, he mentioned in the first class that one needs to have an understanding of the concepts rather than merely regurgitate definitions.
So I'm listening again to each one of the lectures and taking some notes. I'll start with the 3 or 4 sections I didn't do so well on.
It looks like I failed to pass by two questions. I did a brain dump of all questions I could remember, the possible answers and how I actually answered. Just based on that I could feel confident passing it on the second try.
What tripped me up was a lack of alignment between the official class curriculum and the test. Very little overlap there. I could have not taken the course and done just as well. I was also surprised that you couldn't mark a question and return to it. This is essential in my opinion for a test of this length.
The official curriculum lists about 20 extra sources to read. Well, if you bought each book, you'd have spent about a 1000 dollars and read about 10,000 pages of material. Definitely not realistic or practical for someone studying for the test. This curriculum needs to be revamped or made more practical in nature.
I did not read the CBK (2013) but will get that soon.
I got a free retake and so will be doing that in six weeks.
I'm not sure what the protocol is, but I did notice a few questions on IoTs that were not covered in the official material. Where are you going to find information on securing IoTs or a network of IoTs? That's not something you normally run into in a normal work week. There were a lot of scenario-based questions: based on a condition or occurrence, what would you do?
Well a lot that wasn't covered in the official material. The flash cards are cool but utterly useless for passing the exam. The version 5 booklet is a nice overview but not an accurate reflection of what's on the test.
@terpsfanatic wrote:
The official curriculum lists about 20 extra sources to read. Well, if you bought each book, you'd have spent about a 1000 dollars and read about 10,000 pages of material. Definitely not realistic or practical for someone studying for the test. This curriculum needs to be revamped or made more practical in nature.
I think you will find that throughout all the (ISC)2 exams, there's a lot that you won't find in third-party resources that supposedly cover the CBK. While the additional resources may seem to be a lot, bear in mind that when sitting for the exam, you supposedly have many years of industry experience (e.g., CSSLP is four). The logic being that over time you've come across these resources.
The exams - like any test - have their weaknesses. I've never liked the adaptive test - it's a bit antithetical to real-world problem-solving, especially in security. We often have to go back and forth to piece things together. And as to "scenarios," these often can be biased as the question may have certain assumptions in their mind that never make it onto paper.
At the end of the day, though, our industry is about dealing with imperfection. Sometimes the best answer is stick with your strategy, and just go at it a second time.
Sorry to hear that. Unfortunately, I also failed the CSSLP exam I attended last week. It seems that the ISC2 CBK latest edition (edition 5) alone is not sufficient to pass the exam. I went through the entire book twice and additionally solved all the sample questions with 100% accuracy, and still failed. I also had five days of Bootcamp training with a third-party vendor. Not sure how I prepare for the retake! Really disappointed.
Do you have a few minutes for a quick chat?
Commiserations.
I would look at the exam outline/references (I'm not sure but these might be used by exam writers) and see which are free or have other references pointing towards them.
If the exam told you which domains you needed to improve on, then you might focus there. The fact that you also recalled some of the questions will help; however, remember not to share any specifics on content, but say you didn't do much there. Then you might just go for the public resources - you'll run out of time before money:
Internet of Things (IoT) | NIST
Quite often the questions are presenting imperfect answers and you are supposed to pick the least bad, scenario-based questions need careful parsing, and you should consider the rationale behind your answer to see if it is OK. It's as much comprehension as it is stored knowledge.
If it's moved to Computer Adaptive Testing (CAT), then that IMHO makes it harder, as you won't get a chance to review and have questions trigger your mind on answers you were not sure of.
I've sat CSSP twice (I let it lapse), CCSP and CSSLP, never using CAT (it pays to take your time with this testing mode, as it penalizes fast and loose), and luckily never failed. I find that for questions I don't know for sure, you can usually ID two candidates, and thinking back to concepts can help make a difference on a choice.
For all exams in ISC2, you cannot just memorize all the stuff from the book and take the exam. You always need to change your mindset into a project/product manager's to fix the root cause rather than the situation itself. I had used CISSP and spent years changing myself from technical engineer to managerial thinking. After the change, I could find the way to pass the exam.
I'm neither saying it was a bad test nor an unfair exam; I'm merely saying I was disappointed with the overlap between the official 8-week course and the material on the test. I'm not expecting an instructor to provide a braindump of answers, obviously.
One thing I'm going to do is go back and listen to some of the lectures again because I think he may have touched on some of these topics that were apparently outside the curriculum.
I've passed two AWS exams this year so I am pretty adept at testing. And even in those, you'll get some questions that seemingly want you to think "out of the box."
I do remember the instructor saying that he would buy the official CBK when I asked about other resources. I was thinking I could save some money and reading time.
I don't view this as some tragedy. This is an opportunity to fill in the gaps. I think in several cases I probably didn't think the answers through properly. You usually can eliminate two of the answers right away.
Thanks for that NIST reference. And I'm starting to realize that one of the best references for this exam is a library of NIST documents. I'm finding answers to a lot of my queries there.
The 5th edition seems to be only available in the latest CSSLP course you can take from ISC2. It's a 500-600 page booklet. This is not the same as the CBK (2013), which remains as the latest edition of the CBK.
I got this from the training vendor.