I wanted to share an experience about the CISSP exam I’d recently taken, and I'd like to receive exam beneficial feedback. In short, I had failed. In the last 6 weeks, I had clocked over 216 hours of concentrated study. Here’s what I had accomplished:
1) Read the entire CBK 4th edition cover to cover
2) Memorized all the questions and answers in the CBK (why the right are right and why the wrong are wrong)
3) Watched an entire CISSP video training series on Safaribooksonline… twice
4) Memorized all of the practice questions in the video series (why the right are right and why the wrong are wrong)
5) Read the Shon Harris book
6) Memorized the Shon Harris book “Quick Tips” portion of each domain
7) Memorized all the questions and answers in that book (why the right are right and why the wrong are wrong)
In effect, between these three resources, the facts, and I use that word specifically, were all in 100% alignment. In fact, in my last week, I basically reread through all the material in skim fashion and learned nearly nothing new. In my mind, I was 110% confident and ready for the exam (I counted over 500+ test questions memorized from multiple sources!).
The exam.
I’m going to be as literal as possible, and try my best not to exaggerate my anecdotal figures. Within the first 10 - 15 questions, I already knew there was no way I felt like I was going to pass if the question format kept going the way it was. It was as though the exam came from a completely different set of material. At the 150th question, I concluded that all that I’d studied was about 80% irrelevant. I’d say 70% or more of the questions were “What is the BEST…,” “What is the MOST likely…,” and “What is the MOST important…” In effect, all the FACTS I’d learned, studied, and committed to memory were completely useless with regard to passing the exam.
Erroneous terms which are not even in the CBK were used in questions. THIS IS UNFAIR TEST PRACTICE. The test felt nothing like what a CISSP exam is supposed to be. In fact, if I had luckily passed the exam, I’d feel slightly undignified in that there's an entire bank of CISSP information in my head that was never even used. I would have been shocked if I did pass, given the questions. I would have thought, "How did I pass this thing anyway? Sheer luck? My knowledge on CISSP was barely touched..."
This is the part that really killed me; fact-based questions. Cold hard facts that you read in the book, that I filled my notebook with, never appeared on the test. Questions that I should have gotten 100% right because the answers are binary (either is or isn’t correct) were nowhere to be seen. The way I felt was that this test was not fact-based, it was subjective-opinion based. When I read questions that were almost fact based, there were answers I was expecting to see, and was ready to select. They oddly didn't appear, and I was sitting there with my arms crossed and head tilted to the side wondering, "What on earth are they expecting me to answer? The answer is "X" and it's not on the list!!!"
THIS TEST IS DESIGNED TO FAIL YOU.
Even if I had the CBK to reference on the test, it would have done me no good. The questions and answers to the test were not reference worthy. The mark of a good test is that the questions have to have a correct answer that is attributable to official study material. PERIOD. Otherwise, you're just making things up, and the test is whether or not I can read someone's mind and see the world as they do. That's just wrong.
I don’t know what to feel at this point. I felt so confident, and I was completely shot down, and down $700 with not a thing to show for it. I feel scammed. The sad thing, is that I love IT and cyber security. I’ve been doing it in my career over 15 years. Truthfully, when I started the CBK study, I’d say a solid 60-70% of the material in the book I already knew just from doing it as my job. There was no reason I should have failed this. This cert wasn’t supposed to help me really improve my career as much as it was supposed to validate all that I’d already done.
This is not my first professional grade certification! I am TOGAF 9, PMP, and CompTIA Security + certified. CISSP is the worst test I've ever taken in my life!
Frankly, I don’t even know how to study for this test anymore. How does one study for questions like “BEST, MOST likely, MOST important thing to do…”? I want APPROVED material that contains the answer to EVERY possible question that test has for me. If I cannot trace back a test question to a direct answer in a book, then the question needs to be thrown out. Period. You're testing my knowledge on facts written in a book. ISC2 does not have the right to just take someone's money for a certification that is suggested to represent the knowledge found in their CBK and totally rick-roll you into a test with questions that have nothing to do with the CBK official test material. If you have ANY advice to give me, I’d be happy to take it. I still want this cert.
(If you are not a test taker post April 2018, then I don't think I want your opinions or words in this forum as it's probably irrelevant. I want help from someone who has passed it after this date, and the correct material I need to study for the exam. The ISC2 CISSP CBK, Shon Harris book, and the latest Sybex book, which I am reading now, are regurgitating all the information I already know, and KNOW FOR A FACT is not on the test.)
Thank you. I'll be the first to admit it was difficult. But obtaining a solid understanding of the domains is really only part of passing the CAT exam.
Your points are spot on. I've stated them (albeit far less succinctly), and many others have expressed them as well.
My question is not necessarily for you, but for anyone else on this forum. Why does it seem to come as a surprise to "Select the BEST answer for an executive, not an engineer," and "avoid overly technical answers and stick to what is pragmatic," as you put it?
(ISC)2 makes no secret that this is a "leadership and operations" certification; in other words, executive level. I would like to hear from folks with little or no experience in cybersecurity leadership positions who have taken, or are currently preparing to sit for this exam.
Here's what I don't understand:
They receive their certification, but they don't really have the experience, knowledge, skills, or other qualifications to perform as an executive in cybersecurity, or perhaps even in other areas of IT. How many jobs will they get fired from, each diminishing the value of the CISSP in the eyes of hiring managers, before they realize they're not qualified for the corner office?
Perhaps my thinking on these certifications is backwards. I only sat for the exam in 2017, after spending over twenty years working in every domain. Consequently the test wasn't any more of a challenge than my morning meetings with my clients, wherein I get asked many of the same questions day in, and day out. I took the same approach to my CCSP, only sitting for the exam after 8 years working in every domain (of course with much overlap with the CISSP). The same with the PMP, my Lean Six Sigma Blackbelt, my Agile certs and so on.
I look upon the certs as being the last thing you get, as a way of demonstrating that you can do more than pass a test, but you have the years of hands-on experience and mastery of the skills. However all of the posts from people who are new or mid-level yet are taking the CISSP exam (and often struggling with it) tell me that in their view my approach is wrong; I should have sat for this exam twenty years ago.
I've never once blamed a cert for a bad hire. If people only hired because of the cert they need a class in management because they should have interviewed and done at least a preliminary background check. Even with those precautionary steps, I have seen bad hires be made. Certifications to me enhance the candidate, they do not define the candidate.
Why are people surprised by pick the best from 3-4 good choices? Probably because the way a lot of multiple choice tests were previously structured was pick the right answer from 1 correct and 3 incorrect choices. So you had a 25% chance of getting it right and it was sometimes very easy to see the 2-3 incorrect choices, which skewed the percentage of getting it right higher. So technically your odds are still the same at 25%, but it becomes more difficult if your odds remain at 25%.
Also I remember what my boot camp instructor said, "If you are heavy into IT technical work you will struggle with the test. You will fight the test and in your mind defend your choices. That still leads to a failure. Do not fight the test. Seek out the best answers."
I liked the challenge of a tougher test. It shows not only knowledge but the ability to apply knowledge to a certain situation.
I am sorry you did not pass the test. I know that it can be frustrating to work hard and not be able to accomplish your goal. One item that seems to be a focus of your review is that you memorized questions. I think its inappropriate to think you memorize the questions and should pass the test. The test is supposed to be about applying skills and knowing facts.
I passed the test after a week of study. I watched one set of videos, used the Kaplan/Transcender test, the wisdom prep CISSP phone question app, and went through all questions for Kaplan, and the app, as I had free time. I did not use books. That being said, I do have 20 years of experience, a MS in IT Assurance & Security, was a certified CISM, and had just worked through the Comptia Net+, Sec+, CySA+, and CASP+ materials to help my youngest daughter gain entry level non-experienced based certs to start her career.
I did not find the test to be exactly like the practice test, but found the questions to be shorter and more to the point than I anticipated. I think the real challenge to the test is being able to find the best answer applying the ISC2/best practices to the problem. Many sources provide rules to guide this philosophy such as:
1. People Safety First
2. Management buy-in is Critical
3. Everyone is responsible for Security
4. Training is Essential
5. Policy is the Key to (nearly) everything
The test certainly is passable. However, I do believe experience is very useful in negotiating the qualitative assessment slant to the material.
I know this is very frustrating, but once you've had a chance to step back from it, perhaps you'll consider trying it again. If you do, maybe consider a course.
Best of luck.
I agree completely with @Syne07,
The five rules that he spelled out are indeed a "philosophy," as he observed, and require a holistic understanding that is gained through years (perhaps decades) of experience. The knowledge is tacit, as much as - if not more than - explicit.
While people have successfully attained this certification with very little - if any - leadership experience, or the ability to make business-centric decisions about risk and security in the enterprise, the "meaning" of the certificate is lost, to some extent.
Its intended application is for people who perform as a CEO, CIO, CISO, CTO, CKO, and other C-suite executives (or a consultant to them, who has previous years of experience in those roles, like me).
However, even though (ISC)2 clearly makes that point about how this certificate stands apart from other certificates with a more hands-on technical focus, most of the people who are struggling with this exam are not yet at that executive level in their careers.
I am curious to hear from them, either here, or by private message, as to why they have chosen to pursue this certification at this point in their career, without the corresponding executive experience; are they expecting that this accreditation will gain them a promotion to the C-suite?
Sorry to hear about your unsuccessful attempt, but approaching the CISSP from a security administrator/advisor is the best advice. There are obviously technical questions, but most are founded by the premise of how to approach the risk and apply the best solution. The CBK is a great reference, but it will do very little, as you mentioned to memorize and solely rely on the questions you may find in the books or other "practice" question tests.
I have begun to study for the exam, and have just about every book for CISSP, but am reading those just to build my base knowledge level of the domains. Besides experience, other resources are vital to supplementing insight towards helping build your knowledge. Memorizing concepts may be helpful for certain questions, but understanding and application is the key, especially for questions that are very wordy.
When I prepared for the HCISPP exam, I read every book available, but then also attended an onsite (4-day) boot camp which I found very helpful (day and evening review session, 11-12 hours of class time per day). We reviewed the entire HCISPP CBK and I knew all the terms, general concepts, etc., especially as I never missed a question in the book. Although on the very last day prior to taking the test, we were provided a self-created practice test, which I totally bombed. Like you, after about the 5th question, I was like "What kinds of questions are these?". These types of questions I had never seen in any book or prior question, but guess what.. it is perhaps the reason why I passed the exam the next day. Without it, I would have bombed, as I would not have been in the right mindset and had a feeling for how to approach the exam.
Don't despair, you can do it! All I can say is that I know of "someone" who has participated in creating test questions for certain exams and the sources for the CISSP exam are jaw-dropping, let alone remembering the concepts from each article or book. The test is created to test those with the general requirements of the certification and not someone who is an expert and knows everything, but one who should have the required knowledge and approach based on the requirements. The questions are not created to trick the test taker or overly challenge with difficult concepts that cannot be referenced, but they are challenging indeed. I wish I could elaborate more, but just like the domains are evenly distributed, to some degree, so are the types of questions in the exam, hence the CAT format from 100-150 questions.
My suggestion would be to sign up to Cybrary for their insider pro membership (they have a discount rate at this time), plus a 7-day trial. Once you watch some of the videos from Kelly, it will help you dramatically. I also recommend subscribing to studynotesandtheory, as they have 10 free practice questions and I bet they will remind you of the test, if not appear more difficult. Give it a try and you may be surprised by the quality of the questions, how they are written and how to approach them. Videos from Larry Greenblatt on youtube are awesome... and once in a while he will offer free bootcamp certificates for a few vacancies. The next bootcamp will be with the Oculus platform and free hardware 🙂 ThorTeaches is another great resource also. I wish I had the one all-be-all source, but there is not one, and short of some experience, which you already have, I feel the right mindset and approach will dramatically help you.
I hope my feedback and suggestions will help you in some way, but never give up, as you can do it! You now know what to expect, so you have to regroup and strategize your next plan of attack. 🙂
I look forward to your "I passed the CISSP!!!" post! Believe in yourself and never tell yourself you cannot!
@Dr_C_Lace wrote:
Thanks for the tips. I did finally pass it though. I retook it 30 days later.
Dr. Christopher Lace, TOGAF 9, PMP, CISSP
Principal Architect - Kaiser Permanente
Well done.