ISCMAC802
Newcomer I

CISSP Exam Failure Feb 2018

Just come out of my CISSP exam and found I had failed for a second time.

 

I have studied using multiple sources.

 

One Week Training Course.

ISC2 Official Guide

ISC2 Official Practice Tests

11th Hour 

Cybrary

 

Does anyone else find the wording of questions ambiguous? The questions never appear to be constructed in the most articulate manner. They certainly do not follow the same style as the practice test questions in the official guide.

 

Additionally our test centre was evacuated mid exam so that didn't help the focus. 

 

Any guidance would be great as I have another 90 days until resit.

 

Thanks

 

Mac

47 Replies
ebirtel
Viewer II

One thing I have noticed in many IT exams is that there are three different areas:

1. Study World

2. Exam World

3. Real World

These are three different areas and all three are mostly unrelated when compared to each other.

 

I have taken the CISSP twice now. The first time was the original exam pre-December 2017. Went well, I thought. I knew most of the answers and felt really good at the end. Failed. Took the exam a second time post-December 2017. Felt even better and thought the questions were going even better than the first exam. The exam at this point is adaptive and at question 100 the exam stopped. All of the answers I chose leading up to that point felt right. Failed. Now, I am going for a third try in the next month or so.

 

Study for your tastes and style. Use your combined habits, along with what you can find online and in books. This will always be different from the Exam and Real-world scenarios. You will NOT find any Study or Real-world questions even close to the Exam questions.

 

What I have used to study - 

 

ISC2 Official CISSP Exam Outline

ISC2 Official Study Guide 7th Edition

ISC2 Official Practice Tests Latest Edition

11th Hour CISSP 3rd Edition Study Guide

CISSP Summary 2017

FedVTE

 

Sylvia589
Newcomer I

This exam is a con and it is a shame as I always respected those who are CISSP certified. All the official books are a con. Don't buy them and don't pay 600 pounds for this exam.

It does not test your knowledge; it just cons you to take your money.

I took the exam and not 1 question from any of their official books came out, and the questions were at least 80% trick questions, so it is like playing the lottery if you take this exam.

I don't know how the exam was a few years ago but this one is 100 questions and a complete con. I feel I just got absolutely cheated after spending more than 600 pounds for the exam and more than £100 on their official books as well as the official one with over 1200 sample test questions.

I certainly will not be pursuing this certificate again and I want my money back.

Those who designed this exam have no clue how to set exams and test someone's knowledge.

rslade
Influencer II

> Sylvia589 (Viewer) posted a new reply in Certifications on 12-18-2018 05:07 AM

> This exam is a con and it is a shame as I always respected those who are CISSP
> certified. All the official books are a con.

Hmmmm ...

While I can understand your frustration, I've also just published a column on
"fighting" the exam in the ISSA Journal ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Count no day lost in which you waited your turn, took only your
share and sought advantage over no one. - Robert Brault
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II


@Sylvia589 wrote:
> I took the exam and not 1 question from any of their official books came out and the questions were at least 80% trick questions so it is like playing the lottery if you take this exam.

This is not an exam that tests rote memory. It's an exam that tests your understanding, your experience and judgment, your critical thinking ability. No, you won't see any practice questions "word for word" on the exam.

> Those who designed this exam have no clue how to set exams and test someone's knowledge.

I'm afraid that this exam is written by people who know how to set exams. I'm afraid that you have simply never encountered an exam of this type before. Check out https://community.isc2.org/t5/Career/CISSP-Failed-Exam-11-2018/m-p/16254/highlight/true#M1623


j_M007
Community Champion

@Sylvia589 wrote:
> I took the exam and not 1 question from any of their official books came out and the questions were at least 80% trick questions so it is like playing the lottery if you take this exam.

It's an exam that tests your understanding, your experience and judgment, your critical thinking ability. No, you won't see any practice questions "word for word" on the exam.

> Those who designed this exam have no clue how to set exams and test someone's knowledge.

I'm afraid that this exam is written by people who know how to set exams. I'm afraid that you have simply never encountered an exam of this type before. Check out https://community.isc2.org/t5/Career/CISSP-Failed-Exam-11-2018/m-p/16254/highlight/true#M1623


Failure is only failure until it becomes success. I never read much Shon Harris, but I suspect even she would have counselled her students to have lived a few years in IT and the 'real world' of late nights and early (real early!) mornings of trying to keep the lights on of all kinds of crufty old cr@p.

 

I am (sort of) relieved that not everyone is finding the exam a cakewalk. Having said that, and having written it and thankfully passed it, I might suggest that whoever wants to write it (and PASS IT!) should treat it and those who have designed it, and those who have written it, and those who will write it and pass or fail, with some courtesy and respect.

 

If you pass, you have yourself to blame. If you fail, you have yourself to congratulate. Be a big boy or girl and take some responsibility.

j_M007
Community Champion

@cissptaker -- I am sorry you failed it. The language is ambiguous, and it is meant to prove understanding of the content. 

 

If one can see through the murk and provide the best answer, then the candidate shows she or he can handle the challenges.

 

The challenges of this exam are minor in comparison to the challenges a professional must face. Moreover, part of the exam in my mind is how the candidate handles the stress of not achieving success at first blush.

 

I have admiration for those who have failed and then commit to succeeding. Finding a way. 

 

I am sure there is a way to overcome the challenges; I know many people for whom English is not a first language and they pass. I know many who fluently speak English, and they flunk. To me, this means it must be more than language fluency.

 

Good luck on the path and keep chipping away!

CyberLead
Contributor I

@Sylvia589,

 

Before writing off the CISSP program as a con, kindly consider this:

 

  • A cybersecurity incident has crippled an organization, damaging its information systems, its reputation, the morale of its personnel, and its financial health.
  • The previous CIO is gone, along with the CISO and other IT executives. The auditors have delivered a slamming report, and you’ve been brought in from the outside to clean-up the mess, rebuild the IT Department – both technology and staff – all while working under an externally imposed deadline, with a mandate to save money, not spend it, due to the phenomenal costs the company has already incurred.
  • Your first few days on the job reveal the problems to be systemic, and not just with security. Portfolio, program, project, process, procedural, personnel, supply chain, asset, financial, and change management are train wrecks, occurring in silos that don’t communicate with each other.
  • Your name came up as part of the candidate search. The keyword “CISSP” put your resume at the top of the list. None of the other C-suite executives know what that means, and know little about IT in general, much less security, but the audit report recommended that the new CIO hold the CISSP accreditation.

Why?

 

The eight domains that are tested in the CISSP exam cover the areas that are pain points in this—and many other—organizations. You need not be a subject matter expert in all eight (although, I’ve found it helps tremendously). You should know enough about each to delegate as needed, and know whether the technical people that report to you are truly competent, simply appear competent, or worse.

 

How would a certifying body test for this?

 

There will undoubtedly be some either/or binary questions, “Does a given technical concept provide both integrity and confidentiality? True or false.” However, those point to purely technical knowledge, and do not query you on your ability to decide what is the “best” approach to a given situation. Questions that test for this may be in a multiple choice format, and the majority of the choices may “answer the mail” from a purely technical standpoint, but only one choice is practical from a business, legal, financial, or human resource standpoint. Even the most experienced technologist may know little or nothing about their business from the viewpoint of those departments and thus fail to answer correctly.

 

An underlying precept that sets a CISSP apart from his or her peers is that they are more than competent engineers, more than team leads, more than project managers. Yes, they have “been there, and done that,” but nowadays the CISSP accreditation is supposed to tell an organization that you are qualified to serve as a trusted advisor to the company’s President, the CEO, and the Board of Directors. They are called upon to demonstrate technically competent leadership, not management or administration, and they can parachute into a disaster on day one and hit the ground running. From there, they can develop an architecture and strategies to minimize risk, inculcate a culture of security, and save money doing so. That is what the certification is intended to show, and candidates preparing for it must realize what they're signing up for; what organizations will expect from people with those initials next to their name.

 

@Ben_Malisow, an (ISC)2 instructor exhorts his students to avoid buying “a $10 lock for a $5 bike.” If you ask the security person which is the “best” lock, they may point to the one offering the most security, even if it costs $10. If you ask the business person, they’ll want to consider the cost – and do so from a risk management perspective. It’s unlikely that they’ll want to spend $10 to protect a $5 asset. We call this “wearing the CEO hat” and I exhort my clients and students to do it.

 

I see many posts from people who are attempting this test while still learning the fundamentals.

 

That is a mistake, and may be the cause of many of the frustrations expressed here.

 

This exam does test knowledge of certain undisputed facts, and those can be studied for. However factual knowledge alone does not make a good leader. The ability to think on your feet, process dozens of incoming and conflicting pieces of information, and quickly decide (with a large measure of self-confidence) that your decision is the “best” one, or does the “most” to appropriately respond to the incident, is the hallmark of leadership and grace under fire.

 

Those qualities are difficult to test for in a written exam, and practice tests face the same limitation, which is why I caution strongly against most of them.

 

In my previous careers in the military and law enforcement written exams were part of comprehensive testing, with role-playing, physical testing, and on-the-job training, among other things. That is probably a better approach, but isn’t available through (ISC)2, so if you haven’t got the material down cold you’ll need a mentor or coach who knows how to get you there, unless you’re autodidactic and possess enough self-awareness to know what you don’t know.

 

I’m fortunate enough to have come to terms with the vastness of my ignorance a long time ago, so I’m self-taught, and it took me more than 20 years to get where I am. That timeline would be fine if it weren’t for the drastic global workforce shortage, so when one of my staff approaches me about becoming a CISSP, I run them through a thinking exercise that I noted in a different post.

 

If the CISSP is still the most appropriate certification for them, I start bringing them to my client meetings, so they can see the depth and breadth of questions and concerns I’m expected to answer and address (without preparation) at 6 or 7 AM every morning.

 

I also begin “walk-around” testing. For example, we’re walking past a wiring closet and I tell them that we smell smoke, and say “talk me through how you’ll respond.”

 

On another walk, I’ll ask them – in rapid fire – to give definitions of “due diligence”, “personally identifiable information (PII),” the difference between RAID 10 and RAID 15, how the annual rate of occurrence is calculated, describe the components of COBIT, and why we salt hashes. You may never see questions like this on the test, but I can ask the person I’m coaching these questions all day long, as my clients ask them of me. My environment is a bit unforgiving. Today I was asked about MPLS and firewall configurations, CMMI, SQL injections, Disaster Recovery plans, hypervisors, and legal liabilities.

 

Sitting in a roomful of people and saying to a client, “I’m sorry, I need to research that and get back to you,” is not an acceptable response, any more than the surgeon who says “Oops!” in the middle of a procedure.

 

Accordingly, I have a higher bar than (ISC)2; I won’t invest my limited time in a person if they haven’t paid their dues by working in every domain, not just two of them. That’s because you might master the test, but you won’t last very long as a CISO, CTO, CIO, or consultant like me if you’re only truly competent in 25% of IT.

 

On walks, over coffee, and at lunch each day, I’ll drill, drill, drill. This can go on for several months. When they can answer my questions correctly, calmly and understandably, time and again, they’ll realize that they have the knowledge—and the confidence—to become a CISSP, if they so choose.


Lloyd Diernisse

ISC2 Authorized Instructor and Learning Tree International Certified Instructor
Lean Six Sigma Black Belt | CISSP-ISSMP | CCSP | CGRC | PMP | TBM | CSM | CMMI-A | ITIL-Fv3
Lamont29
Community Champion

For the most part, I give you kudos except on your second to last sentence where you are insisting that you have a higher bar than (ISC)2, and candidates would have to master more than 25% of the domains for you to consider them competent. Over the years after retirement from the military, I can't tell you how many jobs I happily said NO to where at the interview, it was made clear to me that my job would be filling three or more positions, but I'd only get paid for one of them. While I am all for working hard, I'd like the salary to reflect all of that.

IT is the 'easy' part of all of the domains. Then there's GRC which many security professionals write off. I see that the federal agencies are splitting IT and IS/IA which is very appropriate in my opinion, and I say that even though I don't like it. Now as a consultant, I am paid quite well to satisfy a particular need of a client - when I am done, I go home. I think that's fair. Far more fair than the quagmire of my regular job where on the most part, I have to do EVERYTHING! But I cannot complain about that either, because when you carry the prestige of the CISSP designation, much is expected of you.

--
Lamont Robertson
CISSP, CISM, CISA, MCSE
Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
CyberLead
Contributor I

@Lamont29,

 

Thank you for the kudos, and your explanation about where you disagree with the last part of my post. You made a very good point, which I can relate to, when you shared that "I can't tell you how many jobs I happily said NO to where at the interview it was made clear to me that my job would be filling three or more positions, but I'd only get paid for one of them. While I am all for working hard, I'd like the salary to reflect all of that."

 

I did not do a good job of communicating my thoughts when I expressed my belief that candidates should demonstrate experience in more than 25% of the eight domains to serve competently under the accreditation of a CISSP.

 

You noted that in your role as a consultant you fill a particular need for your client. My world is quite the opposite, more in keeping with your other statement, “…because when you carry the prestige of the CISSP designation, much is expected of you.”

 

In my consultancy, I’m only filling one role, not two or three, but to serve organizations that need to build—or rebuild—what information they handle, and how they handle it, I must have skill in all of the other roles.

 

Accordingly, I sit for a given exam only after I’ve spent a few years working in a given arena.  I hold over two dozen, and I keep my skills current in each.  When the time comes to look for new business I present the most applicable certs to the client.

 

I look at a person with the CISSP as holding the highest level of cybersecurity accreditation and thus meeting one important qualification to serve as a CIO, CTO, CISO or other role in the C-suite. As a consultant, I serve as a trusted advisor to everyone sitting in that boardroom, not just the technologists, who sometimes only hold a narrow focus and range of experience.  As I mentor people who strive to attain the CISSP, I do so with the idea that they will eventually sit there in my place.

