Updated: Feb 6, 2022
Author David Lee
Pursuing cybersecurity as a career is a daunting mountain to climb. The job market is highly competitive and riding a wave of popularity with job seekers; yet even entry-level listings demand that applicants' résumés be lined with years of tech experience and the most popular industry credentials.
One of the most desirable credentials in cybersecurity is the CISSP certification. I recently passed the CISSP exam on my second attempt. My journey to this place in my career has not been easy; in fact it has required a complete shifting of my life focus for the past few years.
This article delves into what the CISSP is, who should be going for it, how I went about preparing, and what resources I found most helpful.
Certified Information Systems Security Professional (CISSP) is a vendor-neutral certification from ISC2. It is aimed at experienced security practitioners moving into leadership roles, and it covers the principles and concepts behind launching and running an information security management program. CISSP has the broadest appeal of any cybersecurity certification and steep industry demand: CyberSeek lists it among the requested certifications for virtually every security role.
You might be wondering who should pursue CISSP certification. I recommend anyone building a strong security résumé (regardless of niche trajectory) pursue the CISSP because of how much security recruiters value it. However, the CISSP is not designed for beginners (in fact, without enough years of relevant experience you cannot be officially endorsed; more on this later). Certain domains were too difficult for me on my first exam attempt. If you don't have any security certifications or experience, I strongly advise taking CompTIA Security+ first to solidify foundational concepts. Another CompTIA certification that ramps you up to CISSP is CASP+, which has a similar policy and management focus.
While the aforementioned credentials are fantastic on a security resume, I suggest not pursuing industry certifications in a vacuum; this kind of knowledge is best pursued while employed full time in security or a related field such as IT or software development. While certifications are desirable credentials, they are often sought after in tandem with years of relevant experience.
The CISSP has been a goal of mine since I first started steering my IT career toward cybersecurity back in 2019. In Fall 2019 I made a first attempt after using audiobooks and videos to prime myself on the concepts. I failed. It was heartbreaking (a devastating blow to my self-esteem AND my bank account), but when I analyzed my performance I recognized that the software development security and testing domain was foreign to me at the time.
That quickly changed after I spent over a year training students at Code Fellows and picked up experience with GitHub and software development in Python. While teaching and developing security curriculum, it became apparent that in modern cybersecurity even beginners cannot afford to overlook application security (AppSec). I ended up weaving a substantial amount of AppSec into the program and internalized some secure software development principles in the process.
By day I am a Security Engineer, a role that exposes me daily to much of the subject matter the CISSP spans. This gave me an upper hand in how much internalized knowledge I could draw on while being bombarded with such a broad range of questions.
Without industry experience you will have a tougher time internalizing the broad swath of knowledge needed to be exam-ready, but passing the CISSP is still achievable with the right mix of determination and study time. As with many certifications, you will hear astonishing stories of aspiring security professionals passing the CISSP and receiving a job offer shortly thereafter because of it. Be aware, though, that until you meet ISC2's experience requirement (five years of cumulative paid work in two or more CISSP domains, or four years with the one-year waiver for a relevant degree or approved credential) you only qualify as an Associate of ISC2 and are not an endorsed CISSP holder.
Here are the resources I used to prepare for the CISSP. Budget not only for the exam voucher but for the study materials as well; most of the materials below are not free. Expect to spend in the ballpark of $900 for a single-attempt voucher plus essential study materials such as the study guide and the Boson question bank.
CISSP exam voucher pricing is high compared to others like CompTIA and AWS, clocking in at a wallet-crunching $749 per attempt. Another major consideration is how far out your local test centers are booked. I had to book mine several months out from my voucher purchase date.
If you need to reschedule, understand that you must do so at least 24 hours before your exam time; a no-show forfeits the voucher. There is also a rescheduling fee.
This is a solid video series for dipping your toe into the CISSP subject matter. Take notes and synchronize them with your study guide readings. Kelly does a great job breaking down what the test is all about and priming you for the managerial perspective the questions demand. This was the first study material I used, and I don't regret it.
CISSP Master Class by Sagar Bansal on YouTube
I can't find this on YouTube anymore, but it was quite good. It looks like Sagar is rolling his content into freeCodeCamp's offerings, so it may have moved there.
This was my main study guide, but I never read it cover to cover. Rather, I skimmed the areas where I felt weak, as identified by my performance on practice questions. If you're new to security, though, I'd advise taking it slow and reading the book cover to cover.
Clocking in at a whopping $99, this is not the cheapest study resource, but it was by far the most important one for going into the exam confident in the subject matter. The Boson practice questions are generally regarded as the best-aligned to what you'll face on the exam.
Not a huge fan of the narration but good practice questions.
Good enough narration, and useful knowledge for certain domains of the exam, particularly access controls and compliance. This resource reinforced many concepts that I did not engage with regularly on the job.
How to Prepare
Decide early on whether you're going for Associate of ISC2 or the full CISSP endorsement, since that determines whether you already meet the experience requirement, and plan accordingly before you register for the exam. As with any other certification exam, schedule the exam up front and hold yourself accountable to being prepared by that deadline.
Next, take some practice questions early on to get a feel for which domains are going to be your nemesis, and study those the hardest. For me it was software development security, since I came from a traditional IT background. Keep testing yourself with practice questions, and read the answer explanations in Boson carefully to absorb the rationale for why one answer is the best. The audiobooks are especially helpful if you're multitasking; I listened to them while working out or running to move the knowledge into durable memory rather than keeping it in "crunch mode."
When exam day comes around, get adequate rest the night before and prepare for the worst. It's better to be surprised by a positive outcome than to take a morale hit that makes you stop pursuing it. Again, this is the most popular cybersecurity certification. Prepare for the worst and use the result to get stronger for your next run. If you're having trouble staying motivated, find an accountability partner who is striving for the same cert and use that as fuel to keep studying.
As with most exams, your test center will likely provide you with blank paper or an erasable board to write on. If you need to brain-dump some rote memorization, write it down right away, before answering the first question.
Good multiple-choice test-taking habits will help a great deal here. If you don't feel confident in an answer, eliminate the obviously incorrect options first. A 50/50 guess is not the worst outcome if you're unfamiliar with the concept.
The CISSP is a computer-adaptive test: the questions you get are chosen based on how you have performed so far. For example, if you are scoring poorly on software development questions, expect the exam to adjust accordingly and keep probing that area as you progress.
Ultimately, you only know what you know. Don’t burn precious time on a single question, but do read carefully and always try to give the best possible answer.
This is a lengthy test. Spend your energy wisely and don't get discouraged when the occasional question stumps you or plants doubt. Think of it as a distance run with hills, not a sprint.
What’s Next for Me
For the CISSP, I completed the endorsement process, which took a few weeks. At this stage of my career, the on-the-job experience I am gaining is by far the most valuable thing for developing a marketable skillset in cybersecurity. Aside from that, I am currently working toward AWS-specific certifications such as Solutions Architect.
Overall I am doing things that I find interesting, having already been a Business Analyst, IT Manager, Cybersecurity Instructor, and now Security Engineer. Putting myself in unfamiliar situations and technical domains is how I stay motivated to keep on learning, so that’s really the name of the game for me these days.
By no means was the CISSP required for my day-to-day work, but it was a career benchmark I set for myself two years ago, and I am pleasantly surprised to have passed it this year. I hope this writeup helps you build a strategy for becoming a CISSP yourself one day.
For me, earning the coveted CISSP validates all the hard work I've put into specializing in cybersecurity. If you have questions, feel free to bug me on LinkedIn. Good luck on your security career journey!
About the Author: David Lee. A security engineer by day, David is passionate about shaping the future of cyber skills training as well as building innovative security automation.