So...after 4 months of solid study (at least 2-3 hours / day), reading multiple books cover to cover, subscribed to 2 practice exam sites (Boson & Cccure - where I consistently was at 80-90%, at 200-400 questions daily), attended a week-long bootcamp and availed myself of more resources than I can fit in this post, I finally took the test. And failed after taking 150 questions - from what I understand, that means I was not too far away from passing. I was a little dismayed that many of the questions didn't even sound familiar to me, and I've been working in the field for years!
Don't get me wrong, I'm very disappointed in my test result, but I know my failure wasn't due to unpreparedness. I've come to the conclusion that perhaps I've been focusing on the wrong things / resources - and I'm humbly asking the CISSP community for advice and guidance. I am not afraid of hard work and study, and MORE than willing to do that. I don't want the answers handed to me, or just to skate by. I just need to know where to find the right content to study. I know about the "management mindset" - and as a cybersecurity manager, I believe I've developed them, but how do I learn the ISC2 way?
At this point, I'm wondering if I should even try this again. I'm pretty down about the whole thing and just read a long post by an ISC2 member saying that people who fail probably aren't good enough to be CISSPs to begin with. As a woman in cybersecurity, I have been faced with the "you don't measure up" for my entire career. It's very easy to believe that.
Anyone care to point me in the right direction? One of my biggest frustrations was that there was no way I could gauge whether I had enough knowledge to take the test - there was no "take this practice exam and if you get at least X%, you're ready". Maybe there is such a thing and I haven't found it?
Thank you all in advance for your help.
Are you using the ISC2 book and test prep? Was the boot camp ISC2 endorsed? There is only like 1 provider, I think it's Training Camp. I too studied and prepped for a month using the Shon Harris book. I scored a 658 then a 695. Then I went back using the ISC2 book and test prep material and took the week-long boot camp via Training Camp, and the third test I passed right at the 100 question mark.
Jae - thank you so much for responding. I really appreciate it. Congrats on passing your CISSP! As for your questions...
This is what I used:
1. Sybex ISC2 Official Study Guide
2. 11th Hour CISSP - Eric Conrad
3. Infosec Institute 1-week boot camp (didn't help as much as I had hoped it would...)
4. Read bits of Shon Harris' book, CISSP for Dummies, 11th hour CISSP and as much info as I could find on the internet
5. Lecture on Cybrary
6. Boson practice tests (was getting nearly 90% consistently on all tests - about 300 questions a day, sometimes more)
7. CCcure practice tests (was getting about 85% consistently on all tests - about 200 questions a day, sometimes more)
8. YouTube videos
Which Test Prep materials did you use? I am not familiar with that - and that could have come in handy by explaining to me how ISC2 reached their answers. Do you mean the Sybex practice exams? If that's the case, I just bought it an hour after returning home from my failed test.
After speaking with some other folks, it seems that maybe - just maybe - having been eliminated at 150 questions meant I was somewhat close to passing. I didn't fail any domains. I was below proficiency in 4 of them, near proficiency in 3 and above proficiency in 1.
I'm willing to put in the time and effort to complete this goal, but it's hard to make a change in thinking or mindset if you don't have an idea of what you need to change your mindset TO.
Sorry to hear that, and Chin up.
I actually think the ‘management mindset’ is a little misleading as most of it seems to me to come down to elimination, logic and reduction. The minute some advice sounds mystic to me I tend to try to avoid it, or if lots of people I trust the judgment of say it’s right I’ll try to reduce it to an axiom - if you think about it we do this a lot in the world, as the tech works but no one can really understand it all.
I treat questions in these kinds of ‘multi-guess’ exams as exercises in knowledge, reading and comprehension first, and then if I’m not able to be 90% sure of my answer I switch to a more time-expensive method of coming up with rationales for the possible options after eliminating obviously wrong answers. The CAT test means you need to have better pacing as you can’t identify these questions at the end anymore.
This seems to work for me as I’ve taken a load of them over the years and not failed one yet (though I have an opportunity to do so in the near future as I just sat the CIPT beta and there was some stuff I really wasn’t so sure of; they get the results back in a few weeks or so).
Prep wise I read for 40 mins, rest (mind blank) for ten mins, summarise the things I know and don’t know from memory and look them up via different sources than the one I just read. In addition to this approach I’d see two different things you might try:
1. Get a ‘study buddy’ or two and sync up and cover everything with them in regular sync ups - you have a shared goal then and leverage on a lot of our ‘chase the mammoth, push the mammoth over the cliff, everyone eats mammoth’ group dynamic. Shared experience with peers is probably the best thing you can do here;
2. Find a CISSP in the forum and ask them to mentor you. Recent exam passer is best, and you could talk it out to some extent and ask their thoughts on scenarios.
The whole ‘you don’t measure up as a woman in cybersecurity’ thing is, I think, ridiculous, and by your doing all of the questions as you pointed out you were probably close to a pass. It is very possible that any preening CISSP with a boys > girls mindset would do well to dwell on the fact that exams are random and they could have stood a chance of failing the questions you got on the day; with CAT if you get a number wrong at the start you are in recovery mode (IMHO it’s harder as you don’t get to review questions that will jog your memory).
Thank you for your kind reply...so much of what you said really made sense to me. I am getting some good advice by reading responses on this board. I'm already adding to my study repertoire - and may actually take another CISSP class at my local community college to supplement what I might not have gotten before. Mind you - in addition to the significant chunk of cash I've already invested in this process, all tests / resources / classes are my responsibility, so I have to be judicious about the financial burden I can bear.
In retrospect, I believe I approached the test thinking like a cyber SME, and not a manager - I mean, when's the last time my CIO logged onto a SIEM to monitor the company's network or configured a firewall? Certainly not as a CIO!
I agree, the "good ol' boy" culture in cybersecurity is kind of ridiculous - but it is very real and somewhat ubiquitous in my geographic area, independent of industry or company. There are reports that women make up 11% of all cybersecurity professionals, and even fewer women are seen in cyber leadership (https://womenscyberjutsu.org/?). My years of experience back that claim up. I can't count all the times I was dismissed as the "IT secretary", or treated like I was something less than my male counterparts, even if I had double their experience or knowledge. Nothing like waiting for the client to arrive, and when they do, they look at you and say, "Oh. When are the technical staff going to show?"
Truth is, one of my main motivations for taking the CISSP is to encourage my IT security colleagues to treat me as a respected counterpart, and perhaps help me take on more leadership roles.
No worries/hope it helps.
On the dispositions of roles in IT/Cyber security I’ve read up a fair bit on it and I do get the barriers, and I don’t think it differs a huge amount where I’m based (Asia); however, I don’t think we’ll fix that here. IMHO (and I’m aware I’m massively simplifying) the whole mess started because one sex happens to be biased to being bigger and stronger than the other over many years. I realise this is not apples to apples as survey to survey goes, but it is at least interesting if you consider IT/InfoSec as a subset of STEM:
If your colleagues are dismissive of you based on sex, I’d say that they might not be the best colleagues to have, you can at least get CISSP and move on.
CISSP is assuredly tractable, and isn’t in my view really helped by the old boys’ man-of-action management gut feel, or even female intuition at that... it’s just a comprehension test, and as long as you prep well and take a statistical approach on the things you don’t know you will be able to pass. Approaching it as an operator or an analyst isn’t the best option, as these roles tend not to allow too much ambiguity: it’s an exploit, an incursion through a RAT, an account compromise, and you can see it in the logs. However, if you achieve the mystical ‘flow state’ at work, try to think about how you fill in the gaps when you don’t have a complete picture - I tend to sit back and try to infer - and that might be as good as it will get, but it’s probably good enough; “least bad” is quoted a lot.
Frankly I don’t think the money really matters a whole lot for prep (official text books are OK, All-in-One is good, and as a supporting anecdote it’s not wrong to say that the late great Shon Harris is the Spiritual Mother of all CISSPs). So please hold fire and get some more opinions before you spend any more money; I think with the right help you could get through it for the cost of the exam (books are consumer durables after all).
I know of quite a few female CISSPs at my employer and a load of them are based in the US, so I’m pretty sure I could ask a couple to have a chat with you if you like (ping me offline and I’ll ask someone in the same timezone). All we do is cybersecurity and from where I stand they are very good at it (plus I’m pretty sure we do have a group of interested people for this kind of thing).
I took the InfoSec boot camp. My first instructor was very frustrating. I did not connect with him at all. He pounded us with example questions for 90 minutes at the end of each day. This is after heavy doses of reading and quizzes that were assigned prior to the start of each day.
I failed my first crack at the exam. I knew what my issue was. I was so focused on the questions that I got wrong in class that I completely failed to get my head wrapped around the bigger picture.
I went back to InfoSec to claim my guarantee pass offer and audited the class again with a different instructor. The second instructor rocked! Not once did he hammer us with example questions. He taught us the major components of each domain and prepped us for the larger picture which is exactly how a CISSP should think.
Took the exam again and it was 100 questions in 120 minutes. Pass! I firmly believe the second instructor's methodology was all the difference in the world. This same instructor is well thought of on other CISSP message boards also.
PM me if you want to discuss the instructor in greater detail.
Great advice! Focus on the content and make it a learning experience. Use side research if the material you're using doesn't explain it satisfactorily. While some people dismiss the idea of Certifications, the process of studying for them never fails to teach me new things, which I greatly appreciate.
The chin up is also good advice. Try and work on a positive, "I can do it" attitude. Good luck!