I wound up being sick in bed the two weeks leading up to the scheduled exam so my study time went out the window. However I have been teaching security concepts for the past twelve years which apparently helped me to pass the exam. In fact, some of my past students encouraged me to take the exam based on the information I passed out in class.
I had the new CAT exam which is a methodology that has been used and discarded in the past by both Microsoft and CompTIA as an unsuitable testing format so I expect ISC will discover the same in the coming future.
The hardest part of the exam for me was trying to figure out the questions. I think my high school English teacher would have shot herself to read the disjointed grammar in use.
The questions Yoda I think better could ask.
The Army said "Hey you, you look smart, come take this test." I sat down in the chair and the Army said "Number 1 is C, they are always C. Remember, when in doubt, C your way out." So I answered C for all of them and passed.
At the time I was in an information security unit with the Army Reserves. They had slots open for a 2-week boot camp. I asked if I could go since I have a security background, they approved it and I went. After two weeks of death by PowerPoint, I took the test and passed.
I was happy that I passed this time around since it was my second attempt. I attended the trainingcamp.com CISSP week-long boot camp a few months prior. It was too much information, too fast for me to process in time for the exam.
Luckily the new CAT version of the test lets you know immediately if you have provisionally passed or not. The test can max out at 150 questions for three hours I believe. I completed mine in 70 minutes with 100 questions. Very difficult test and the CAT format was really good at addressing my strengths and weaknesses. I was surprised at question 100 when the test just stopped and told me I was done. Didn't find out I passed until I was escorted by the proctor back to the front desk where they then gave me the provisional pass paperwork.
So I guess I am one of the old fogeys around here. I took and passed mine back in 2009. Paper-based. 6 hours 250 questions. Then you had to wait for the email telling you of a pass or fail. I think that was back when ISC2 really liked torturing people, LOL.
I took Security+ and Network+ and passed both in preparation. Then I took a whole year of studying and then went to a boot camp. I was scoring around 40% when I first started preparing, made it to about 60% before the bootcamp and the last day of bootcamp I was scoring in the 70-80% range on the practice tests.
I took my exam a little differently. I started from the back of the book, at question 250 and went backwards on it. My reasoning was this: I would be able to tell at a quick glance how many questions I had left when they announced how much time was remaining. We got an hourly countdown in our exam session (1 hour has passed, you have 5 hours remaining, etc). I wanted to be able to know exactly how many questions I had left when they made their announcement, without having to do any math. When I got to a multiple-question problem (i.e. The following applies to questions 61-65) I wrote those question numbers in my exam book so I could go back and do them later. I was glad I did it this way because when I got to questions 1-7 (or 7 through 1 in my case) I swear that the questions were from outer space. Something like "If there is dust on the planet Mars, what color would the inner lining of the spaceman's spacesuit be?" (not an actual exam question by the way. But that is how they felt!) I don't know if I was just tired or what, but those first 7 questions were like another language to me. But at that point I only had 7 questions left plus a few scenario-based ones so I didn't panic.
I finished the test in 3 hours. I am a fast reader. Waiting for the email was like looking for a ship returning in the 1600's. I waited and waited. Constantly refreshing the email client. Then one day it came. At 10:30 in the morning. I had a new dilemma to face. Do I open it now and if I failed have to live with the feeling of failure the rest of the work day? Do I wait until the end of the day and then I would be able to go home either way?
Aww, who am I kidding? I went ahead and opened the email. No clues were immediately available. The standard ISC2 stuff. Slowly I scrolled the email down, using the arrow keys instead of doing it quickly with the mouse scroller. Looking for that glorious sign of my fate.....
And then I saw it.
Congratulations! I leapt out of my chair. I accidentally kicked the trash can over in my jumping for joy. Luckily I was in a very small office all by myself so no one could see my silly dance I did. A couple of fist pumps in the air and then I went back and read the rest of the email. Since they didn't provide the score when you pass, I can only, logically, assume I got a perfect score of 1000. First person to ever ace the test. Who can prove me wrong, right? I fell somewhere in the range of just barely passing to completely acing it so why not just assume I aced it?
Ahh the good ole days.....
Well that was almost a decade ago. Now the new people know right away their fate. I don't know who has it better....
Took mine in Summer 2015 - in my time and at my expense. I've been working in operational IT for long enough to know how to change the ribbon in a lineprinter without getting my fingers black and how many reels of 9-track tape I can stack on my forearms and still be able to open a door, and I've been doing security-related stuff since the working life of a password really was predicated on how long it would take to brute-force the hash. I just never bothered with formal qualifications except when they were mandated by the job.
Times change, though, and I found myself considering a job change in a world in which long experience and a fund of anecdotes just doesn't cut it. My research led me to (ISC)2 and CISSP in particular - it's more broadly based than many of the other security qualifications (I didn't want to confine myself to auditing, hacking, technical security or ISMS implementation, for instance) and it had a reputation for being hard. Hard for me means worthwhile.
I took a week's leave, parted with some money and headed off to boot camp. No work calls, no emails and no conversation other than with family in the evening or with other course delegates. It was slightly intimidating to see quite a number of (much) younger, brighter and tech-savvy folk in the same room, and the instructor knew the material and things around it like the back of his hand. Six days' hard work followed, with a long exam on the Sunday and the knowledge that I needed 700 marks or better to pass.
Yes - the exam's hard, and if I hadn't spent a week learning about the mindset that's needed for it and how to approach the questions, as well as attacking the gaps in my knowledge, I wouldn't have had a prayer. I did like the idea of seeking the best answer rather than one that seems right, though. Don't get me wrong - a lot of the time the choice felt subjective rather than objective and that was uncomfortable in the extreme. It's also a lot like what we often face in our jobs, though. Information security is seldom cut-and-dried, so we have to be able to demonstrate an ability to deal with risk appetites, business drivers and realpolitik. Those questions test that part of us, exhausting though it is. I made full use of the opportunities to take on fuel and caffeine.
Like most others, I have no idea whether I scraped 700 marks or did rather better, or whether I passed because of my "best" choices or despite them. I remember the wait between signing out and getting the mark back from Pearson, while the exam admin staff wore the kindest, most supportive poker faces I have ever seen, bless them.
One of the most satisfying results I've ever had, pleased for others on the course who also passed, and deeply sorry for those who didn't on that occasion. I'm proud to have earned my place in this organisation.
"I've been working in operational IT for long enough to know how to change the ribbon in a lineprinter without getting my fingers black"
And I assume you know the WD-40 trick?
"how many reels of 9-track tape I can stack on my forearms and still be able to open a door"
For those of us with short arms it was harder ...
"It was slightly intimidating to see quite a number of (much) younger, brighter and tech-savvy folk in the same room"
As the guy standing up at the front (many times), I can tell you it was much easier and more fun to have people like you than people like them. They know every port number ever registered: you know how things actually work, and that's what the exam is based on.
"and the instructor knew the material and things around it like the back of his hand"
And, again, as the guy in that position, let me say that it looks more impressive from your side than from mine. Sure, I had a ready patter to go with the slides (and a lot more, besides), but, when faced with a seminar attended by half a dozen guys with fifteen years (or more) of experience in specialized areas of security, it could be a little daunting, too.
"It's also a lot like what we often face in our jobs, though. Information security is seldom cut-and-dried, so we have to be able to demonstrate an ability to deal with risk appetites, business drivers and realpolitik. Those questions test that part of us, exhausting though it is."
I know I’m going to catch some flak for this story but, here goes:
In 2002 I registered for and eventually sat for the exam. It was a little intimidating checking in, turning in personal belongings, and going into a somewhat crowded conference room in a hotel that was eerily quiet. The mood was close to that of attending a funeral service. Nobody dared make eye contact. Eventually the test began, and we were warned about the rules for taking breaks and about the length of the exam in number of questions and in time. I dove in, expecting to not complete the test in time and racing through as many questions as I could.
I finished. I reached the end. I checked the clock, and I had spent about 100 minutes of my time. I looked around the room and everyone was still buried in their test. Nobody had even taken a break yet. I must have missed something. I went back to the beginning and double checked every answer. I re-erased corrections just to be sure. I was now just over two hours in, and nobody had gotten out of their chair. I sat there quietly. I looked around, and still everyone was buried in their test. I checked my answers a third time. I dutifully made sure that the entire circle was filled all the way up to the line. I swapped pencils and refilled the dots in case the machine didn’t “pick up the lead.” Finally, at two and a half hours someone stood up with their exam and walked to the administrators’ table.
I did the same. When I got to the desk, the proctor told me that only one person could go to the restroom at a time because there weren’t enough escorts. I leaned in, embarrassed, and whispered, “I’m done.” I thought to myself, “I failed this exam. There is no way I passed this thing. I must have screwed something up.” I bought a study guide book. I couldn’t tell you which one, it was almost 20 years ago – Maybe a Sybex guide? I started going through it, getting ready for my retake. Everything I read made perfect sense and I started thinking that maybe I did better than I thought. A few weeks later I was notified I passed.