I wanted to share an experience about the CISSP exam I’d recently taken, and I'd like to receive beneficial exam feedback. In short, I had failed. In the last 6 weeks, I had clocked over 216 hours of concentrated study. Here’s what I had accomplished:
1) Read the entire CBK 4th edition cover to cover
2) Memorized all the questions and answers in the CBK (why the right are right and why the wrong are wrong)
3) Watched an entire CISSP video training series on Safaribooksonline… twice
4) Memorized all of the practice questions in the video series (why the right are right and why the wrong are wrong)
5) Read the Shon Harris book
6) Memorized the Shon Harris book “Quick Tips” portion of each domain
7) Memorized all the questions and answers in that book (why the right are right and why the wrong are wrong)
In effect, between these three resources, the facts, and I use that word specifically, were all in 100% alignment. In fact, in my last week, I basically reread all the material in skim fashion and learned nearly nothing new. In my mind, I was 110% confident and ready for the exam (I counted 500+ test questions memorized from multiple sources!).
I’m going to be as literal as possible, and try my best not to exaggerate my anecdotal figures. Within the first 10 - 15 questions, I already knew there was no way I felt like I was going to pass if the question format kept going the way it was. It was as though the exam came from a completely different set of material. At the 150th question, I concluded that all that I’d studied was about 80% irrelevant. I’d say 70% or more of the questions were “What is the BEST…,” “What is the MOST likely…,” and “What is the MOST important…” In effect, all the FACTS I’d learned, studied, and committed to memory were completely useless with regard to passing the exam.
Erroneous terms which are not even in the CBK were used in questions. THIS IS UNFAIR TEST PRACTICE. The test felt nothing like what a CISSP exam is supposed to be. In fact, if I had luckily passed the exam, I’d feel slightly undignified in that there's an entire bank of CISSP information in my head that was never even used. I would have been shocked if I did pass, given the questions. I would have thought, "How did I pass this thing anyway? Sheer luck? My knowledge on CISSP was barely touched..."
This is the part that really killed me: fact-based questions. Cold hard facts that you read in the book, that I filled my notebook with, never appeared on the test. Questions that I should have gotten 100% right because the answers are binary (either is or isn’t correct) were nowhere to be seen. The way I felt was that this test was not fact-based, it was subjective-opinion based. When I read questions that were almost fact based, there were answers I was expecting to see, and was ready to select. They oddly didn't appear, and I was sitting there with my arms crossed and head tilted to the side wondering, "What on earth are they expecting me to answer? The answer is "X" and it's not on the list!!!"
THIS TEST IS DESIGNED TO FAIL YOU.
Even if I had the CBK to reference on the test, it would have done me no good. The questions and answers to the test were not reference worthy. The mark of a good test is that the questions have to have a correct answer that is attributable to official study material. PERIOD. Otherwise, you're just making things up, and the test is whether or not I can read someone's mind and see the world as they do. That's just wrong.
I don’t know what to feel at this point. I felt so confident, and I was completely shot down, and down $700 with not a thing to show for it. I feel scammed. The sad thing is that I love IT and cyber security. I’ve been doing it in my career for over 15 years. Truthfully, when I started the CBK study, I’d say a solid 60-70% of the material in the book I already knew just from doing it as my job. There was no reason I should have failed this. This cert wasn’t supposed to help me really improve my career as much as it was supposed to validate all that I’d already done.
This is not my first professional grade certification! I am TOGAF 9, PMP, and CompTIA Security+ certified. CISSP is the worst test I've ever taken in my life!
Frankly, I don’t even know how to study for this test anymore. How does one study for questions like “BEST, MOST likely, MOST important thing to do…”? I want APPROVED material that contains the answer to EVERY possible question that test has for me. If I cannot trace back a test question to a direct answer in a book, then the question needs to be thrown out. Period. You're testing my knowledge on facts written in a book. ISC2 does not have the right to just take someone's money for a certification that is suggested to represent the knowledge found in their CBK and totally rick-roll you into a test with questions that have nothing to do with the CBK official test material. If you have ANY advice to give me, I’d be happy to take it. I still want this cert.
(If you are not a test taker post April 2018, then I don't think I want your opinions or words in this forum as it's probably irrelevant. I want help from someone who has passed it after this date, and the correct material I need to study for the exam. The ISC2 CISSP CBK, Shon Harris book, and the latest Sybex book, which I am reading now, are regurgitating all the information I already know, and KNOW FOR A FACT is not on the test.)
Firstly, it's ok to be frustrated. Your post is similar to my OP. However, just don't give up. I posted the following after I'd passed:
"After taking the exam a second time, I almost got the impression that failing it once just to see how the exam is presented is part of studying for the exam. It sounds demented, but I don't know how else to put it. The way the questions are presented is like no other exam prep book presents test questions. You must:
1) select the BEST answer for an executive, not an engineer
2) avoid overly technical answers and stick to what is pragmatic
3) be an expert with the CBK concepts regarding CIA; whether it's in the test or not, it just makes you an expert
Never give up."
... has anybody found anything I could study that was even close to being on the test? ...
See the CISSP questions thread. Although none of the questions are on the exam (that would be an NDA violation), they do match the spirit, and the follow-up discussion offers great insight into how to approach the exam.
My background: I've been working in this industry close to 40 years. I'm a former ArpaNet Engineer.
If you don't know what the ArpaNet is/was or who my former employer was (BBN, Bolt Beranek and Newman), you shouldn't be in this industry.
As someone on the older side of the age spectrum myself, here's an analogy that might work. Imagine an excellent mechanic well versed in the muscle-car era being asked to certify on modern vehicles. My response to a lot of the stuff I deal with today vs. 20 or 30 years ago is that it is crap - not technology - much like that imaginary mechanic might shake his or her head at all the electronics and junk packed under a hood today. Then once I get past my curmudgeonly response, I find some value in what I initially dismissed, but also realize that the new stuff isn't all that different, just old concepts repackaged with new or re-used acronyms (how many different definitions of MAC can we get?).
The test stopped at 101 questions. It mostly asked, “What is the BEST…,” “What is the MOST likely…,” and “What is the MOST important…”; that question format never appeared in any of the practice questions we did in class.
I think the test has always had that wording. There seems to be a consistent complaint about the quality of the questions. My sense is (ISC)2 is discovering some growing pains. As certification bodies go, I think the (ISC)2 has done a better job than most, but to be blunt, certification is a great concept, but something very hard to implement and maintain. What (ISC)2 did ahead of others was the CPE and experience requirement. I think to be more genuine, it would be good to see it do more to qualify experience (maybe an apprenticeship model) because let's face it, security is not a multiple-choice exercise. But to shorten my comment, I think the (ISC)2 faces the challenge of having enough questions. Especially for an adaptive test, you need a lot of questions. I think it is still working on building this massive database of good questions, but you have to fight through the poorly or incorrectly worded ones.
I hold numerous certs in other IT areas, in fact too many to list, the last one being Security+.
There's a difference between IT and infosec, and even then there is a difference between infosec management (something the CISSP applies to) and an infosec technician/administrator. Sure there is a lot of overlap, and ideally, there would be no such thing as security certification - I mean shouldn't security be part of everything and not this sort of separate concept? I digress; what I'm most curious about is what are the most useful certs or the best-done ones you have come across? I struggle with that, especially at hiring time. The biggest challenge is finding people who can genuinely do the job. The certs don't seem to prove that (to be honest). You have a lot of people who get the cert but have no experience. On the flip side you have some great folks out there who have no certification at all.
As I tell my students, "think like a manager!" and relate everything back to the CIA triad. How does _____ affect the C, the I, and/or the A?
Dr. Warren Mack, CISSP
I could not express my sentiments any better than you did. I took the CISSP in the old format 2 years ago and failed. Sat for the exam again last week and failed miserably AGAIN. Like you and many others, I spent hours studying, felt confident I knew the material as presented in the ISC2 study material, spent the $700 again, got about 10-15 questions in and knew there was no chance I was going to pass. I agree that this test is designed to fail you. Not one question had "key" words that resembled the study materials or practice questions. I have several other industry certifications as well and they actually test you on the material you study. I don't know how to "study" for this absurd test either. It is a complete waste of time doing "practice" exams. If the actual test was like the practice exams, then I would actually pass. The real test is from left field. I am beyond frustrated at this point. I have been through several books, practice tests, etc. Like you and many others, I have several years' experience in Cyber. At this point, I feel like I would be better off taking the test and just guessing at the "BEST" answer. I think it's sheer luck if you pass. Why present such detailed material in the study material if you are not going to be tested on it? It's a total money making scam, not to mention wasted hours of my life that I cannot get back.
I had the exact same experience. I am wondering now if the system is set up so that each time I try, the test remembers and gets even harder because I failed the first 3. I am not sure I should go for a 4th just to waste $700.00. I was passing Boson and Sybex with 80 or higher. I had taken it twice and thought this time I got this.....then the same experience. Nothing I studied was on the exam, so now I have no idea whether I should continue...Advice? ISC2 has taken nearly 5K of my money and this exam ON 3RD TRY WAS RIDICULOUS...
A few of my friends that are Defense contractors believe that the certifications are a scam to take people's money because the tests are so unrelated...feedback on that?
I am in the same boat.....do I or don't I.... how to if I do, and the waiting 6 months and study just to encounter even more ambiguous test questions that were never even discussed in any material....ISC2 needs their own help for those that fail more than 2x. Certain vendors they have contracted to are in no way helpful ... the exam is so unrelated... is there hope?