So...after 4 months of solid study (at least 2-3 hours / day), reading multiple books cover to cover, subscribed to 2 practice exam sites (Boson & Cccure - where I consistently was at 80-90%, at 200-400 questions daily), attended a week-long bootcamp and availed myself of more resources than I can fit in this post, I finally took the test. And failed after taking 150 questions - from what I understand, that means I was not too far away from passing. I was a little dismayed that many of the questions didn't even sound familiar to me, and I've been working in the field for years!
You are doing the right thing by stepping back to assess what happened, and what you should do next. One tip I have for you is to make sure you recognize that not passing a professional competency exam is not the same as failing an academic exam. We have all been conditioned by the academic world and tend to react emotionally to not passing a professional exam with depression like we might have gotten after failing a school exam.
Repeating for emphasis, not passing a professional competency exam is NOT the same as failing a school exam. Keep that in mind, and look at how physicians, lawyers, and accountants approach their medical board, bar, and CPA exams. They know that the pass rate on those exams ranges from under 50% to 90%.
See my blog post, Pass Rates for Professional Exams for more detailed discussion and links to detailed exam pass rates in accounting, law, and medicine.
Side note: @rslade pointed you to the writings of Ross Anderson. He is right. I read Security Engineering cover to cover, in both first and second editions, and continue to recommend it for CISSP prep study. The entire book is free online, but I recommend a dead tree copy for annotation and study.
Once more for emphasis:
Not passing a professional competency is a setback, but is not a failure!
Agree with your points. Thanks for the recommendation on the Security Engineering book - that's a weak area for me.
Also your comment about the professional exams - I took the CPA years ago (and passed). But at the time the JD exam had a very high pass rate, and I learned they had a VERY high (95+) % of people taking a review course - thus the pass rate. While the CPA exam had about 50% of the folks taking a review course.
Thanks for the post.
In retrospect, I believe I approached the test thinking like a cyber SME, and not a manager
Notably, this is in direct opposition to your topic-starting post and, I suspect, exactly what is needed. There is much wisdom in questioning assumptions when solving a problem.
Do keep in mind that being "a manager" (e.g. coordinating the activities of other people) is not the same thing as "management mindset", which is more about thinking holistically. A few examples:
I was/am a bit embarrassed about failing, as that is not something that happens often with me. So glad that I did; not only have I gotten to interact with some wonderful folks, but gotten some great advice and encouragement.
Failure is a better teacher than success. We have a 20-year old reminder on our fridge that everyone fails. The important part is how one moves on. It does seem that you have gotten yourself back on the path towards success.
Also, thanks for sharing your story. It reminded me that failing the CISSP exam can be significant enough to invoke the grief process. I had been getting frustrated at others who's response was to blame the training materials or to declare the test unfair. I now realize that they are simply in the "anger" stage of grief and that our response should focus more on compassion than on adjusting their opinion.
Such great responses, and really helping me to think about how to approach my next phase of study and testing. I am humbled at how many people have jumped into this post to help a veritable stranger, sharing your experiences and advice. Believe me, I have read everyone's post multiple times in order to digest it and see how I can incorporate what was said here into my next phase of study.
I agree with the "grief" feeling, although I the only person I'm angry with is myself. I don't blame the test, or the study materials or ISC2 or anyone else. I have come to the understanding that although I might know the material backwards and forwards, it's how I have applied the material to real-life situations that was the issue. I've gotten quite a bit of feedback - online & offline - that stated because I answered 150 questions means I was on the cusp of passing, which makes me feel like I wasn't a *total* failure <<grin>>. My takeaway is that I just have to focus on thinking like an exec and not as a SME, and I should be in a better place to succeed.
I know I've said this before, but I am so grateful for all of you jumping in to help and share what you know. I'm very impressed with the ISC2 community and their willingness to help others in the cybersecurity field - I am looking forward to joining your ranks and paying it forward as well!
Hope everyone (in the US) is having a fun, safe and relaxing Labor Day weekend!
A key phase I tell the girls that I coach in basketball, volleyball, and softball is this: "It's not how hard you fall that counts, it's how well you bounce after the fall." As another famous person once said "Brick walls are not in our paths to stop us, they are put there to see how badly we want our goal." You pick yourself up, keep studying and go take the test again. I know it can be discouraging but you have to reassess why you failed. If you are like most tech savvy people, you probably fought the test, trying to prove in your mind why your answer was right instead of looking for the best answer. The CISSP can be word dependent, which means this: You have to pay particular attention to what each question is asking you, independent of other questions.
1) The key benefit of implementing cloud solutions is A), B), C), D).
2) A key benefit for cloud implementation in small businesses is A), B), C), D).
The 2 questions ask different things. If you use the same answer for both you are likely to get one of them wrong.
Look at each question. What is each question asking you? Then forget it for the next one.
As far as women in cybersecurity, you can't let a few bad apples stop you from your goal. Maybe you are in a whole stinking orchard of bad apples, don't let the stench deter you. The cyber world, well the whole world as a whole, benefits from people with different opinions and life experiences. One of the experiences that helped me learn how to deal with people came from working with a mentally retarded man. He didn't want to listen to any advice on how to do his work because so many people had set him up for failure and then laughed at him. By working with him and treating him with respect and dignity I slowly earned his trust and helped him become more productive. Management could have fired him and got a more productive worker but they didn't. I taught him to become more productive. Even though he couldn't do 100 parts a night like most capable people could, he could do 20-30 and on a good night 50!. I think he was the most upset to see me leave when I got promoted.
So bloom where you are planted. If your orchard stinks too bad, keep bettering yourself and then uproot yourself and find a new orchard.
Sorry for the late response I didn't realize this didn't send when I originally wrote it. Hopefully it provides you a pick me up when you may need it.