I post this not looking for pity or guidance, but simply to share my experience with you. Today, 25 June 2018, I failed the CISSP exam.
I have only been in the InfoSec space for about 2 years. I have experience in physical security, incident response, access control, and otherwise arguably enough experience to satisfy the CISSP requirements for certification. However, I didn't start learning about IT security until early 2016.
In August of 2016 I started my MS in Information Security and Assurance. While the class load wasn't particularly tech-heavy, I can see now that the classes were preparing me for the CISSP... especially those concerning risk management and business continuity practices.
So anyway, to the exam. I arrived at PearsonVue an hour early and they let me start before the scheduled time. I took nearly 160 (of 180) minutes to complete 150 questions. By the time I was at question 125, I really figured I had bombed the exam (I have heard if the exam stops at 100, it means I earned enough points for provisional certification). With my intent to respect the (ISC)2 code, I can say that none of the questions I had looked anything like the prep questions I had from the (ISC)2 CISSP exam book or from the Shon Harris or 11th Hour books. Most of the questions were of a technical nature. I went in "thinking like a manager" but I didn't think like a "manager" that knew a whole lot about technology.
My exam did not seem to be "heavy" in any particular domain; but I would say that I wish I had learned more about penetration testing.
Admittedly, I scanned my textbooks rather than actually doing a deep dive into any of them. I typically studied anywhere from 1-2 hours a day, 4 days a week, for the last 3 months. Clearly, it just wasn't enough studying married with experience. I would take practice tests and consistently scored in the 80s... but it was a lot of the same questions over and over again, as the question bank was only about 1200 unique entries.
My plan is to take a break, focus on some other training opportunities (log analysis, network security, and vulnerability management) and reassess in about six months.
Anyway, not passing doesn't impact my life too much. I don't need it for my job (not right now, anyways) but it was painful to my pocketbook.
My recommendation is if you are new to InfoSec, you should probably study more than 1-2 hours a day for 3 months... and you should probably have a solid understanding of both the technical and managerial aspects of IT.
Don't give up! If something isn't hard, it is probably not worth doing anyway, as someone said.
I used a load of post-it notes stuck on the wall to help me try to remember all the "facts", and I wrote a single pictorial slide to cover all topics - the act of making my own content helped me remember stuff. CISSP is very wide, but also quite thin - in other words, it covers a lot of topics but not too deeply.
My only encouragement would be to not wait so long. You do not want to lose what you worked so hard to remember. Sadly, over time, we all lose memory. Some faster than others. Don't waste all that hard work you put into it.
I'd take a week or two at the most to rest your head from CISSP. Fill that time with good exercise of your mind, but not CISSP-related stuff: read a good novel, memorize a chess game and play it back, add another dimension to a hobby you have that requires you to conduct research and to think and analyse. Keep exercising your mind. Just don't exercise it with CISSP data.
Once you resume, do not prep the same way you did last time. Think outside the box. Cybrary has a great series on CISSP. Listen to what is delivered to you. Maybe find some other presentations on YouTube that could further train you. Read the CBK end to end several times.
I don't get the fascination with all of the quizzes and tests that people use to confirm whether they are ready or not. I don't care how hard someone tries to emulate the questions that you will see on the test; they aren't close. I also realized after taking the exam that it's not the data that's important. Of the 4 options they give you, most likely NONE of them are correct. But it is up to you to critically analyze the one that is most closely related to what the real answer should be. 2 of the options are always wrong. Of the two remaining, if one is completely encapsulated by the other, then that one is also not an option.

I've used this example many times, but it bears repeating. I had a question where 3 of the 4 options had the word "All" in them. There are no absolutes in CISSP. "All" is an absolute word. If options have absolutes in them, they are most likely noise. And speaking of noise, if a question has a big paragraph and there is a one- or two-line question underneath it, do not read the paragraph. It is most likely noise trying to distract you. Just read the question and the options. Then, if you need a little more help, go back and read the paragraph.

Use your gut instinct also. After you read the four options and you have an immediate idea as to the correct option and then start doubting yourself, your initial response will probably be correct.
Get back in the saddle and nail that test. Once you get it, and you will, put the badge on LinkedIn and watch the interest in your experience go through the roof. I am constantly getting emails and reach-outs on LinkedIn from recruiters.
Thanks for this. It takes courage to reach out after disappointment. I hope that you keep at it, and give it another try. You can do it!!