JoeB_IG
Newcomer II

Failed the CISSP on the First Try

All concerned, 

 

I post this not looking for pity or guidance, but simply to share my experience with you.  Today, 25 June 2018, I failed the CISSP exam.

 

Background: 

I have only been in the InfoSec space for about 2 years.  I have experience in physical security, incident response, access control, and otherwise arguably enough experience to satisfy the CISSP requirements for certification.  However, I didn't start learning about IT security until early 2016.

 

In August of 2016 I started my MS in Information Security and Assurance.  While the class load wasn't particularly tech-heavy, I can see now that the classes were preparing me for the CISSP... especially those concerning risk management and business continuity practices.

 

So anyway, to the exam.  I arrived at PearsonVue an hour early and they let me start before the scheduled time.  I took nearly 160 (of 180) minutes to complete 150 questions.  By the time I was at question 125, I really figured I had bombed the exam (I have heard that if the exam stops at 100, it means I earned enough points for provisional certification).  With my intent to respect the (ISC)2 code, I can say that none of the questions I had looked anything like the prep questions I had from the (ISC)2 CISSP exam book or from the Shon Harris or 11th Hour books.  Most of the questions were of a technical nature.  I went in "thinking like a manager" but I didn't think like a "manager" who knew a whole lot about technology.

 

My exam did not seem to be "heavy" in any particular domain; but I would say that I wish I had learned more about penetration testing.

 

Admittedly, I scanned my text books rather than actually did a deep-dive into any of them.  I typically studied anywhere from 1-2 hours a day, 4 days a week, for the last 3 months.  Clearly, it just wasn't enough studying married with experience.  I would take practice tests and consistently scored in the 80s... but it was a lot of the same questions over and over again as the question bank was only about 1200 unique entries.

 

My plan is to take a break, focus on some other training opportunities (log analysis, network security, and vulnerability management) and reassess in about six months.  

 

Anyway, not passing doesn't impact my life too much.  I don't need it for my job (not right now, anyways) but it was painful to my pocketbook.

 

My recommendation is if you are new to InfoSec, you should probably study more than 1-2 hours a day for 3 months... and you should probably have a solid understanding of both the technical and managerial aspects of IT.

 

Good luck!

15 Replies
HarryMurdani
Viewer

Don't give up.
Same as you, I also failed my first exam.
But that didn't stop me from going again.
I earned my CISSP on my second exam.
Read and understand the CBK and Official Study Guide.
4d4m
Newcomer III

Don't give up! If something isn't hard it is probably not worth doing anyway, as someone said.

 

I used a load of post-it notes stuck on the wall to help try remember all the "facts", and I wrote a single pictorial slide to cover all topics - the act of making my own content helped me remember stuff. CISSP is very wide, but also quite thin - in other words it covers a lot of topics but not too deeply.

 

Good luck.

 

Adam

Flyslinger2
Community Champion

My only encouragement would be to not wait so long.  You do not want to lose what you worked so hard to remember.  Sadly, over time, we all lose memory, some faster than others.  Don't waste all that hard work you put into it.

 

I'd take a week or two at the most to rest your head from CISSP.  Fill that time with good exercise of your mind, but not CISSP-related stuff: read a good novel, memorize a chess game and play it back, add another dimension to a hobby you have that requires you to conduct research and to think and analyse.  Keep exercising your mind. Just don't exercise it with CISSP data.

 

Once you resume, do not prep the same way you did last time.  Think outside the box.  Cybrary has a great series on CISSP. Listen to what is delivered to you. Maybe find some other presentations on YouTube that could further train you.  Read the CBK end to end several times.

 

I don't get the fascination with all of the quizzes and tests that people use to confirm whether they are ready or not.  I don't care how hard someone tries to emulate the questions that you will see on the test; they aren't close.  I also realized after taking the exam that it's not the data that's important. Of the 4 options they give you, most likely NONE of them are correct.  But it is up to you to critically analyze which one is most closely related to what the real answer should be.  2 of the options are always wrong.  Of the two remaining, if one is completely encapsulated by the other, then that one is also not an option.  I've used this example many times but it bears repeating.  I had a question where 3 of the 4 options had the word "All" in them.  There are no absolutes in CISSP. "All" is an absolute word.  If options have absolutes in them, they are most likely noise. And speaking of noise, if a question has a big paragraph and there is a one- or two-line question underneath it, do not read the paragraph. It is most likely noise trying to distract you.  Just read the question and the options. Then, if you need a little more help, go back and read the paragraph.  Use your gut instinct also. If, after you read the four options, you have an immediate idea as to the correct option and then start doubting yourself, your initial response will probably be correct.

Get back in the saddle and nail that test.  Once you get it, and you will, put the badge on LinkedIn and watch the interest in your experience go through the roof.  I am constantly getting emails and reach-outs on LinkedIn from recruiters.

roboex1
Newcomer I

Thanks for this.  It takes courage to reach out after disappointment.  I hope that you keep at it, and give it another try.  You can do it!!

j_M007
Community Champion

Don't give up. In fact, it shows a lot of courage and guts to persist, MAYBE MORE than for others! You know you have the drive! You know you WILL succeed.

 

I was sure I had flunked the exam too; somehow, however, I hadn't. I was confused as !"/$% too by the questions. I had a moment of panic as well by the thought that this in no way looks like anything I have been studying!

 

I think that the questions and answers, all of the materials, etc. are great, IFF you realize that the exam is there to test your thinking about topics and about what is the TRUTHIEST answer. The question to ask at crunch time is "What is the best option here?"

 

You have the benefit of experience now, so study three times longer; delve into your weakest areas; read as much as you can from the NIST special publications series (just summarize and get the core ideas.)

 

Understanding the CBK is the key to success, so whatever you study must be regarded in that light.

 

What worked for me fantastically was DRILLING EVERY DAY with as many exercise questions as you can find!! Look for them in books, look for them in forums, look for them wherever INFOSEC people discuss this art and science. Find as many as you can and mix them up; ask colleagues to make questions for you.

 

Whatever you read or study, relate it to the CBK taxonomy.

 

Best success to you and everyone.

rslade
Influencer II


@JoeB_IG wrote:

I have only been in the InfoSec space for about 2 years.  I have experience in physical security, incidence response, access control, and otherwise arguably enough experience to satisfy the CISSP requirements for certification.

Yeah, two years is maybe a little shy, even with some formal education.  That's kind of why full certification requires five years.  (And, as I often told my seminars, not just one year five times over.)

 

Physical security, incident response, and access control do give you some breadth, but, as you noted later, it might be a bit thin on management, as well as some of the technical areas like crypto and telecom.

 


@JoeB_IG wrote:

In August of 2016 I started my MS in Information Security and Assurance.  While the class load wasn't particularly tech-heavy, I can see now that the classes were preparing me for the CISSP... especially those concerning risk management and business continuity practices.

A lot of the formal infosec programs are now modelled after the CBK.

 


@JoeB_IG wrote:

With my intent to respect the (ISC)2 code, I can say that none of the questions I had looked anything like the prep questions I had from the (ISC)2 CISSP exam book or from the Shon Harris or 11th Hour books.

Having reviewed an awful lot of the study guides, I've got to say that I cannot recommend any of the sets of sample questions.  The (many) sample sets that I've seen all seem to try to reach the proper level of difficulty by concentrating on minutiae and trivia, rather than dealing with the real synthesis, analysis, and critical thinking realms of Bloom's taxonomy.

 


@JoeB_IG wrote:

My exam did not seem to be "heavy" in any particular domain; but I would say that I wish I had learned more about penetration testing.


I know someone else said to try and pin your study to the CBK structure, but I wouldn't worry about that too much.  The CBK divisions are to aid you in managing your study and, if they don't, don't worry too much about them.

 

I'd echo the advice to take some time off and get some perspective back.  Don't worry too much about what you feel you don't know right now.  (I remember, when I took my exam, I got fixated on RADIUS, and figured if I didn't know absolutely everything about it I'd fail.  Of course, on my exam, there wasn't a single question about RADIUS ...)

 


@JoeB_IG wrote:

Admittedly, I scanned my text books rather than actually did a deep-dive into any of them.

Yeah, scanning is not going to do it for you.  Give it time.  Give it concentration.  Get a copy of "Security Engineering," by Ross Anderson (or just read the free online version) and read it thoroughly.

 


@JoeB_IG wrote:

My recommendation is if you are new to InfoSec, you should probably study more than 1-2 hours a day for 3 months... and you should probably have a solid understanding of both the technical and managerial aspects of IT.

See if you can find a group of people in your area, and set up a study group, meeting every week or two.  Dive deep while you meet, and have some time between sessions to think about specific topics, and, if possible, apply them.

 


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
j_M007
Community Champion

Excellent comments, rslade. The test isn't a cake walk, nor is it meant to be -- that is a GOOD THING. If you're merely a techie, you need to be aware of the many other facets of infosec, from application development security to legal frameworks to asset protection -- there are many ways and means an infosec professional needs to be aware of.

The exam is merely a first step; the challenge is to keep learning and to keep the cert in good standing.
unixgeek21
Newcomer III

I couldn't possibly add any more tips or advice to the replies in this topic, as everything said here is so true... the only thing I can say is please never, ever give up.  Rest if you must, but please keep on going...

 

If you're subscribed to the subreddit r/cissp, there's one handle named CryozenicZero whose posts I've all read, and I admired the tenacity and courage shown in taking the exam and making it only on the 3rd try.   The persistence and dedication are so evident in the quest/journey... truly remarkable!

green20151
Newcomer III

1. Don't get discouraged.

2. When I took the CISSP exam, I already had the CEH and another cert (I think the ISACA CISM).  I found the CISM helped me prepare for the CISSP, but I knew it would be hard.

3. I took a CISSP prep class from a provider that lets you audit the class afterward if you desire.  So I took the class once in a whole-week format, but I did not feel ready, and then again in a weekend format (auditing).  Believe it or not, I went through a very similar experience with the CEH.  A good instructor can make a big difference.  In both of these classes, I had the same provider (Secure Ninja in Alexandria, VA, near DC) but different instructors.  They were all good, but I think in the first iteration of the class there was just a lot of material to absorb.

4. For someone who is only a few years into this, you are doing great.  Best of luck to you!