True. The best approach I find is to condense all 3 sources into your own hand-written notes, then check that they're in agreement. If there are discrepancies, look into that further and correct your notes. Then simply put the books away. You deliberately limit the notes you take in length, so a 1000-page Shon Harris warrants only 30-40 pages of notes, if you are me. Similar approach with Hal Tipton's dull official text etc. At the end of day 5 or 6 you're ready, but unsure, so go over your notes several times. Take the practice tests until you overshoot in every CBK and you're ready. Then, if you've any sense, you'll have the exam booked to take almost immediately. That's just exam technique, nothing special about it.
And it's essentially organising your own boot camp and doing it on the cheap, but it works if you can get the space on your own, away from family/friends, for a week. If it works for you, actually go camping or use a shack in the woods with no distractions. I used an 8 by 8 room, my study.
And I'd do that because recruiters think CISSP is an entry ticket and don't read or understand resumes. You're simply avoiding the reject pile. The jobs market is broken. You do not need a CISSP to be in a security department or run one, in my view. And asking for it at minimum entry level just attracts paper tigers. They may work out, but that depends on whether they've the humility to really learn their tradecraft from the bottom up. So good exam results != great job performance, even with the 5 years' experience in some cases. I'd hire for can-do attitude over paper any day of the week.
After having passed CISSP on the first attempt, my approach is exactly what you described in the later part of your post. I am now learning through Hack The Box and VulnHub images. I am not good at this, but at every opportunity I am learning new stuff. This really complements my work experience and my understanding of the subject. Appreciate your detailed post!
My CISSP Journey
I cleared CISSP after about 7 months of preparation. In hindsight, 7 months is a very long time. You should finish in 3-4 months, or else desperation creeps in as you start getting bored of the topics and, very soon, with life itself. :-)
The exam is 150 questions to be solved in 3 hours. Since this is a CAT exam, there is no going back on a question and reviewing it. Once answered/submitted, you have no choice of correcting it. The exam takes decisions on the basis of how well or badly you are performing. 100 questions is the first checkpoint. If you are performing really well or really badly, you will be given a decision at 100 questions. If the 101st question comes up, it could mean that you are a borderline case and the computer from this point is just giving you more opportunities to pass, all the way up to 150 questions. So, if the exam has not ended at 100, don't lose heart; it can end at 103 as well.
Out of 100 questions, 25 are unmarked questions, i.e. you will not be marked on those 25 questions, but you will have no knowledge of which of them are unmarked. Hence, you've got to keep answering every question as if your life depends on it.
I selected 3 books to prepare: Shon Harris (All-in-One Exam Guide), Mike Chapple (Sybex official), Official CBK (Adam Gordon). I had no idea which was good, so I went from one book to another week after week. I learnt that Shon Harris was the best book, because it fired the eagerness to learn more about the topic, not just for CISSP but a "Oh wow!! So, that's the way this works" kind of interest.
Subsequently, over that period, I read Shon 4 times, Sybex 2 times, Official CBK 1 time. All in all, I practiced with about 400 questions, here and there from all 3 books. That's it. I did not watch videos or audios etc., though I tried a couple of them like Kelly, Sari Greene, some sections of Udemy courses etc. I just thought they were all very superficial and just not anywhere close to the Shon Harris book. However, some of them that are available on YouTube, like Luke Ahmed and Thor, are good for a one-time watch. I watched about 3 videos each of Luke and Thor. Maybe I should have listened to their videos more, but they don't have much for free (and I did not want to pay, the exam and the books having cost me so much already).
I have a problem. I start with panic and then steady down in due course. This was not going to help in this exam (or in any exam for that matter). So I did not have a great strategy in preparing, but I prepared an exam strategy that worked very well for me. The first thing is that you need to know yourself. As I mentioned, I was very prone to panic, so I decided to fight that.
I decided that I would not look at the clock for the first 20 questions and would take as much time as required to answer them. By that time I should have settled into the exam pattern, and that should handle the panic part. From the 21st question, I assumed that I would be able to work faster and aimed for 100 questions in 2 hours (I finished at 1 hr 53 mins). If the questions went beyond 100, I still had good time for the rest. This plan worked in handling my panic very well. Though I could not stick to the plan completely, all in all, I balanced myself.
I did not listen to any of the "Consider this as a management exam and think like a risk manager only" part and just stuck to "Select what is best for the question". Honestly, you don't get the time to put yourself into the risk manager's shoes, eliminate 2 wrong answers and then introspect. Sometimes, all answers look right. I also got a lot of technical questions, even CIDR and IP address type questions.
Hence, I don't think there is an expert out there who can authoritatively give you an exam-cracking strategy. Honestly, you should just read well, understand the concepts, attempt practice questions and have a strategy to handle yourself in the exam. There are a lot of people misleading out there. This exam is not as tough as people make it out to be, and that's the first thing that came to my mind after 40 questions.
The next fact is that there are actually questions that are outside all the CISSP materials available in the market. Even the official CBK. I have no idea why that is the case, but thinking positively, maybe ISC2 really wants you to know your stuff inside out.
Another important thing that comes to my mind. DON'T WASTE YOUR MONEY on all the online tutorials and Udemy, Boson, Sagar Bansal's video kind of junk. They are very substandard, have hardly any resemblance to the way the exam is and will give you knowledge nowhere close to what the books can give you. In fact, these will only tell you what you have read in the books in a much more substandard manner. That many a time will only confuse you. You have to understand that this is a money-churning industry now and all kinds of quacks spring up. They cannot help you. Period. Yes, you may come under the illusion that all this knowledge is helping you somehow to prepare, but if you just sit back and think, all of them are mostly only drawing from the books and then presenting it in the weirdest manner possible just to make you feel that they are presenting something different. Believe only in the books, practice and experience.
I cleared CISSP in 100 questions at 1 hr 53 mins on the clock. Everyone can do it. Just follow the right knowledge sources.
My personal opinion about the exam:
Having studied and cleared this exam, I can authoritatively say that CISSP is really not worth it for people with real passion for cyber security. It can get you onto the interviewing table and then onto the job as well, but that is the incompetence of the interviewers. This is primarily for GRC professionals who generally act like armchair critics. If you are really passionate and want to get your hands dirty, do something like Cisco, Offensive Security or SANS (very costly though) kind of certifications. Even playing around with VulnHub or Hack The Box is a zillion times better than any of the ISC2 or ISACA courses. They are just using the opportunities created by clueless interviewers who don't know how to assess candidates and think it's an easy job to screen candidates with these certifications. I have at least a couple of senior people in my organisation with CISSP who spew dirt when they talk. Questions like "What is CVE?" and "What is patch and vulnerability management?" are very common from these guys.
But having said this, I will again say: read SHON HARRIS, multiple times if possible. It's a great book to obtain knowledge, and then, if you are passionate, go ahead and do the real certs that I mentioned (that people made of steel do) and prove your worth.