July 27

CISSP Essentials: Why It’s Crucial Beyond IT and My Best Exam Prep Tips


What is the CISSP (for non-IT people)?

Most people in my social circle aren’t involved in information security, nor are they in IT. So when I shared my achievement of passing the CISSP exam, they congratulated me, but I could see in their eyes that they were uncertain about how much of a celebration I deserved. Is this just another IT certification? What makes it so special? Here is a brief explanation of the CISSP for non-IT individuals:

“[…] the CISSP has been recognized as the ‘gold standard’ in cybersecurity, with acknowledgment from governments and accreditation by international bodies, including the International Organization for Standardization (ISO), the U.S. Department of Defense (DoD), and the U.K. National Academic Recognition Information Centre.” (ISC2)

The "gold standard" is not merely a marketing claim by ISC2, the non-profit organization that issues the CISSP: the program also won "the Excellence Award for Best Professional Certification Program at the 2021 SC Awards" (ISC2) and is considered to be as challenging as a master’s degree:

“UK NARIC, the UK’s designated national agency for the recognition and comparison of international qualifications and skills, has found the CISSP Certification comparable to RQF Level 7 Master’s degree standard.” (ISC2)

It is particularly special for me that I passed it in the year when ISC2 celebrates the 30th anniversary of the program!

Despite its high reputation, there are not many people who have achieved this certification yet.

“Launched in 1994, the gold standard certification in cybersecurity is now held by more than 165,000 practitioners globally and remains the most sought-after in the field for cyber leaders.” (ISC2)

In 2018, only 2,029 people held the CISSP certificate in Germany. Unfortunately, there are no current figures.

So, obviously, CISSPs consider themselves something special. This invites some fun and parody, which I personally enjoy a lot! 😂😂😂

I'm a C I Double S P (CISSP Parody)

3 Resources on How to Pass the CISSP

If you are reading this article, you likely already understand the value of the CISSP and are probably looking for resources on how to pass the exam.

There are countless blogs offering tips, and entire books dedicated to strategies for success. Therefore, I won’t attempt to add another article in this category. However, similar to my experiences with CompTIA Sec+ and CompTIA Network+, here are a few key insights I wish I had known before passing the CISSP exam.

Think Like a Manager

Brandon Spencer wrote in his article Don’t Fail The CISSP Exam! Avoid These 3 Common Mistakes:

I see students ignore what they think they already know…and focus on what they don’t.

“I already know this…so all I have to learn is this” is a very common CISSP mindset. This is also a significant cause of failure on the exam.

It’s not that your experience is right or wrong; it’s just that most companies implementing security rarely do it “by the book.” Instead—in the real world—schedules and budgets take precedence, while security and other considerations take a back seat.

(ISC)2 understands this. That’s why they phrase the questions a certain way on the exam. They play on your experience (which may not align with best practices) and also try to invoke your instinct to “fix things,” which is typically not the best approach to applying security.

I completely agree! With my background in software development, I initially overlooked concepts like the software development life cycle.

You must "think like a manager"! Consider what would be "right" to do instead of how things are done in your experience. This was the single most important tip I received from a class with Kelly Handerhan.

She refers to it as "the CISSP mindset": take on the role of a risk advisor, not a technical problem solver. Focus on cost efficiency.

"Security should be baked in, not sprayed on." – Kelly Handerhan

Pareto is the Benchmark

There are many excellent resources available for practicing questions for the exam.

My favorite was the CISSP-CCSP-SSCP ISC2 Official App. While it is not free, it provides an "overall readiness score" based on the number of questions you answered correctly and offers concise explanations for any missed questions.

The magic number for this "readiness score" appears to be 80%. Again, this aligns with the Pareto principle: 80:20.

I scored 78% and still passed.

Additionally, I enjoyed participating in Adam Gordon’s "Q of the D" on X. His questions are challenging, but you always receive a thorough explanation if you answer incorrectly.

The amount of work and knowledge he shares for free is invaluable.

Just Another Book?

The CISSP is "one mile wide and one inch deep," as Adam Gordon puts it. Therefore, you need to be familiar with all topics in the CISSP Common Body of Knowledge (CBK).

Most students seem to read it at least once from front to back.

However, one book that was particularly helpful for last-minute review and preparation is Eleventh Hour CISSP®: Study Guide. I cannot recommend it enough.

The Exam

When I prepared for Sec+ and Net+, I reached a point where I felt confident enough to pass those exams.

For the CISSP, while an "overall readiness score" of 80% might be a benchmark, I must admit that I wouldn’t have registered for the exam without attending an in-person boot camp course from Firebrand.

This course was truly intensive — "drinking from the firehose" for an entire week with little sleep. But it ultimately paid off.

As a non-native English speaker, both I and other students in the class were uncertain whether to take the exam in English or German. I ultimately chose English, despite concerns about unfamiliar vocabulary. It seemed that this was a lesser risk than relying on potentially inaccurate translations that could alter the meaning of questions. Most questions do not require memorized knowledge but present scenarios where multiple answers could be correct. Therefore, it is crucial to read questions carefully and grasp their nuances; I doubt this can be easily translated.

The English test is now a CAT (Computer Adaptive Test), allowing up to three hours to answer at least 100 questions and up to 150 questions total. The computer adjusts question difficulty based on your answers. Consequently, it is no longer possible to determine which domain in the CBK might be more important; you must be knowledgeable about all of them.

For me, it was quite a stressful situation. When I received a message indicating that I should see the facilitator, my first thought was that I had failed. It was a huge relief when he informed me that I had passed. It seems common for 30-40% of students not to pass on their first attempt.

The document does not specify how many points I earned; it simply states that I passed. But in the end, that’s what truly matters.

What’s Next?

Michael asked me on LinkedIn what my next exam will be. I must admit that I don’t know yet.

After passing the exam, I experienced a sort of "post-certification blues." I achieved a goal that was very important to me without knowing what milestone to focus on next.

Now, after some weeks have passed, I’m working toward my next goal. However, I’ll only discuss it when I’m closer or have achieved it.

One very helpful resource for developing a plan is Paul Jerimy’s Security Certification Roadmap.

What is your goal? Which certification do you consider most desirable and why? Please leave a comment here; perhaps you also have suggestions for what I should focus on next!

Sources


Tags

certification, CISSP, learning, online exam, tips

