Thank you. I'll be the first to admit it was difficult. But obtaining a solid understanding of the domains is really only part of passing the CAT exam.
Your points are spot on. I've stated them (albeit far less succinctly), and many others have expressed them as well.
My question is not necessarily for you, but for anyone else on this forum. Why does it seem to come as a surprise to hear "Select the BEST answer for an executive, not an engineer," and "avoid overly technical answers and stick to what is pragmatic," as you put it?
(ISC)2 makes no secret that this is a "leadership and operations" certification; in other words, executive level. I would like to hear from folks with little or no experience in cybersecurity leadership positions who have taken, or are currently preparing to sit for this exam.
Here's what I don't understand:
They receive their certification, but they don't really have the experience, knowledge, skills, or other qualifications to perform as an executive in cybersecurity, or perhaps even in other areas of IT. How many jobs will they get fired from, each diminishing the value of the CISSP in the eyes of hiring managers, before they realize they're not qualified for the corner office?
Perhaps my thinking on these certifications is backwards. I only sat for the exam in 2017, after spending over twenty years working in every domain. Consequently the test wasn't any more of a challenge than my morning meetings with my clients, wherein I get asked many of the same questions day in, and day out. I took the same approach to my CCSP, only sitting for the exam after 8 years working in every domain (of course with much overlap with the CISSP). The same with the PMP, my Lean Six Sigma Blackbelt, my Agile certs and so on.
I look upon the certs as being the last thing you get, as a way of demonstrating that you can do more than pass a test, but you have the years of hands-on experience and mastery of the skills. However all of the posts from people who are new or mid-level yet are taking the CISSP exam (and often struggling with it) tell me that in their view my approach is wrong; I should have sat for this exam twenty years ago.
I've never once blamed a cert for a bad hire. If people only hired because of the cert they need a class in management because they should have interviewed and done at least a preliminary background check. Even with those precautionary steps, I have seen bad hires be made. Certifications to me enhance the candidate, they do not define the candidate.
Why are people surprised by pick the best from 3-4 good choices? Probably because the way a lot of multiple-choice tests were previously structured was pick the right answer from 1 correct and 3 incorrect choices. So you had a 25% chance of getting it right, and it was sometimes very easy to see the 2-3 incorrect choices, which skewed the percentage of getting it right higher. So technically your odds are still the same at 25%, but it becomes more difficult if your odds remain at 25%.
Also I remember what my boot camp instructor said, "If you are heavy into IT technical work you will struggle with the test. You will fight the test and in your mind defend your choices. That still leads to a failure. Do not fight the test. Seek out the best answers."
I liked the challenge of a tougher test. It shows not only knowledge but the ability to apply knowledge to a certain situation.
I am sorry you did not pass the test. I know that it can be frustrating to work hard and not be able to accomplish your goal. One item that seems to be a focus of your review is that you memorized questions. I think it's inappropriate to think you can memorize the questions and should pass the test. The test is supposed to be about applying skills and knowing facts.
I passed the test after a week of study. I watched one set of videos, used the Kaplan/Transcender test and the Wisdom Prep CISSP phone question app, and went through all questions for Kaplan and the app as I had free time. I did not use books. That being said, I do have 20 years of experience, an MS in IT Assurance & Security, was a certified CISM, and had just worked through the CompTIA Net+, Sec+, CySA+, and CASP+ materials to help my youngest daughter gain entry-level, non-experience-based certs to start her career.
I did not find the test to be exactly like the practice test, but found the questions to be shorter and more to the point than I anticipated. I think the real challenge of the test is being able to find the best answer by applying the ISC2/best practices to the problem. Many sources provide rules to guide this philosophy, such as:
1. People Safety First
2. Management buy-in is Critical
3. Everyone is responsible for Security
4. Training is Essential
5. Policy is the Key to (nearly) everything
The test certainly is passable. However, I do believe experience is very useful in negotiating the qualitative assessment slant to the material.
I know this is very frustrating, but once you've had a chance to step back from it, perhaps you'll consider trying it again. If you do, maybe consider a course.
Best of luck.
I agree completely with @Syne07,
The five rules that he spelled out are indeed a "philosophy," as he observed, and require a holistic understanding that is gained through years (perhaps decades) of experience. The knowledge is tacit, as much as - if not more than - explicit.
While people have successfully attained this certification with very little - if any - leadership experience, or the ability to make business-centric decisions about risk and security in the enterprise, the "meaning" of the certificate is lost, to some extent.
Its intended application is for people who perform as a CEO, CIO, CISO, CTO, CKO, and other C-suite executives (or a consultant to them, who has previous years of experience in those roles, like me).
However, even though (ISC)2 clearly makes that point about how this certificate stands apart from other certificates with a more hands-on technical focus, most of the people who are struggling with this exam are not yet at that executive level in their careers.
I am curious to hear from them, either here, or by private message, as to why they have chosen to pursue this certification at this point in their career, without the corresponding executive experience; are they expecting that this accreditation will gain them a promotion to the C-suite?
Sorry to hear about your unsuccessful attempt, but approaching the CISSP from a security administrator/advisor perspective is the best advice. There are obviously technical questions, but most are founded on the premise of how to approach the risk and apply the best solution. The CBK is a great reference, but it will do very little, as you mentioned, to memorize and solely rely on the questions you may find in the books or other "practice" question tests.
I have begun to study for the exam, and have just about every book for CISSP, but am reading those just to build my base knowledge level of the domains. Besides experience, other resources are vital to supplementing insight towards helping build your knowledge. Memorizing concepts may be helpful for certain questions, but understanding and application is the key, especially for questions that are very wordy.
When I prepared for the HCISPP exam, I read every book available, but then also attended an onsite (4-day) boot camp which I found very helpful (day and evening review sessions, 11-12 hours of class time per day). We reviewed the entire HCISPP CBK and I knew all the terms, general concepts, etc., especially as I never missed a question in the book. Although on the very last day prior to taking the test, we were provided a self-created practice test, which I totally bombed. Like you, after about the 5th question, I was like "What kinds of questions are these?". These types of questions I had never seen in any book or prior question, but guess what.. it is perhaps the reason why I passed the exam the next day. Without it, I would have bombed, as I would not have been in the right mindset and had a feeling for how to approach the exam.
Don't despair, you can do it! All I can say is that I know of "someone" who has participated in creating test questions for certain exams, and the sources for the CISSP exam are jaw-dropping, let alone remembering the concepts from each article or book. The test is created to test those with the general requirements of the certification and not someone who is an expert and knows everything, but one who should have the required knowledge and approach based on the requirements. The questions are not created to trick the test taker or overly challenge with difficult concepts that cannot be referenced, but they are challenging indeed. I wish I could elaborate more, but just like the domains are evenly distributed, to some degree, so are the types of questions in the exam, hence the CAT format from 100-150 questions.
My suggestion would be to sign up to Cybrary for their Insider Pro membership (they have a discount rate at this time), plus a 7-day trial. Once you watch some of the videos from Kelly, it will help you dramatically. I also recommend subscribing to studynotesandtheory, as they have 10 free practice questions and I bet they will remind you of the test, if not appear more difficult. Give it a try and you may be surprised by the quality of the questions, how they are written and how to approach them. Videos from Larry Greenblatt on YouTube are awesome... and once in a while he will offer free bootcamp certificates for a few vacancies. The next bootcamp will be with the Oculus platform and free hardware. ThorTeaches is another great resource also. I wish I had the one be-all-end-all source, but there is not one, and short of some experience, which you already have, I feel the right mindset and approach will dramatically help you.
I hope my feedback and suggestions will help you in some way, but never give up, as you can do it! You now know what to expect, so you have to regroup and strategize your next plan of attack.
I look forward to your "I passed the CISSP!!!" post! Believe in yourself and never tell yourself you cannot!
Thanks for the tips. I did finally pass it though. I retook it 30 days later.
Dr. Christopher Lace, TOGAF 9, PMP, CISSP
Principal Architect - Kaiser Permanente