How I Passed the CISSP in 2021
Updated: Feb 6, 2022
Author David Lee
Pursuing cybersecurity as a career is a daunting mountain to climb. This highly competitive job market is riding a wave of popularity with job seekers; however, even the most entry-level job listings demand that applicants’ resumes be lined with years of tech experience along with the most popular industry credentials.
One of the most desirable credentials in cybersecurity is the CISSP certification. I recently passed the CISSP exam on my second attempt. My journey to this place in my career has not been easy; in fact it has required a complete shifting of my life focus for the past few years.
This article delves into what the CISSP is, who should be going for it, how I went about preparing, and what resources I found most helpful.
Certified Information Systems Security Professional (CISSP) is a vendor-neutral certification from ISC2. The emphasis of this certification is around preparing an experienced security operator for the challenges involved in transitioning into a leadership role, including principles and concepts for launching an information security management program for a client company. CISSP carries the broadest appeal amongst cybersecurity certifications; there is a steep industry demand for it. Cyber Seek lists CISSP in virtually every security role.
You might be wondering who should pursue CISSP certification. I recommend anyone building an optimal security resume (regardless of niche trajectory) pursue the CISSP due to its desirability to security recruiters. However, the design of the CISSP is not geared for beginners (in fact, if you don’t have enough years of relevant experience, you can’t get officially endorsed; I’ll discuss this later). Certain subject matter domains were too difficult for me in my first exam attempt. If you don’t have any security certifications or experience, I strongly advise taking CompTIA Security+ first in order to solidify foundational concepts. Another CompTIA certification that will ramp you up to CISSP is the CASP+, which has a similar policy/managerial focus.
While the aforementioned credentials are fantastic on a security resume, I suggest not pursuing industry certifications in a vacuum; this kind of knowledge is best pursued while employed full time in security or a related field such as IT or software development. While certifications are desirable credentials, they are often sought after in tandem with years of relevant experience.
The CISSP has been a goal of mine since I first started specializing my IT career towards cybersecurity back in 2019. In Fall 2019 I made a first attempt after using audiobooks and videos to get me primed for some of the concepts. I failed. It was heartbreaking (a devastating blow to my self-esteem AND my bank account), but upon analysis of my performance I recognized that the domain of secure software development and testing was foreign to me at the time.
That quickly changed, however, after I spent over a year training students at Code Fellows and picked up some experience with GitHub and software development in Python. During my time both teaching and developing security curriculum, it became apparent that in modern cybersecurity even beginners cannot afford to overlook the significance of application security (AppSec). I ended up weaving a substantial amount of AppSec into the program and was able to internalize some secure software development principles in the process.
By day I am a Security Engineer, a role that exposes me to much of the subject matter spanned in CISSP on a daily basis. This gave me an upper hand in terms of how much internalized knowledge I could tap into while being bombarded by such a broad range of questions.
Without industry experience, you will have a tougher time internalizing the broad swath of knowledge needed to be exam-ready, but passing the CISSP is still achievable with the right mix of determination and study time. As with many certifications, you will hear astonishing stories of aspiring security professionals passing CISSP and receiving a job offer shortly thereafter because of it. However, be aware that you will only qualify as an Associate of ISC2, and will not be considered an endorsed CISSP holder by ISC2, until you have worked full time in a security role for the number of years ISC2 requires.
Here are the resources I used to prepare for the CISSP. Get ready to budget not only for the voucher, but for the study materials as well. Most of the below materials are not free. You’ll need to spend in the ballpark of $900 for a single attempt voucher along with essential study materials like the study guide and Boson question bank.
CISSP exam voucher pricing is high compared to others like CompTIA and AWS, clocking in at a wallet-crunching $749 per attempt. Another major consideration is how far booked out your area test centers are. I had to book mine for several months out from my voucher purchase date.
If you need to reschedule, make sure you understand that you’ll need to do so at least 24 hours before your exam time; otherwise you’ll forfeit the voucher if you no-show. There’s also a rescheduling fee.
This is a solid video series for dipping your toe into CISSP subject matter. Take notes and synchronize them with your study guide readings. Kelly does a great job breaking down what the test is all about and priming your perspective for the managerial nature of the test questions. This was the first study material I used, and I don’t regret it.
CISSP Master Class by Sagar Bansal on YouTube
I can’t find this on YouTube anymore, but it was quite good. It looks like Sagar is rolling his content into FreeCodeCamp’s offerings; it may have moved there.
(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide & Practice Tests Bundle
This was my main study guide, but I never read through it cover to cover. Rather, I skimmed the areas where I felt weak, as identified by my performance on practice questions. If you’re new to security, though, I’d advise taking it slow and soaking up the knowledge in the book cover to cover.
Clocking in at a whopping $99, this is not the cheapest study resource, but it was by far the most important one for going into the exam feeling confident in the subject matter. The Boson practice questions are generally regarded as the best-aligned to what you’ll face in the exam.
CISSP Exam Audio Study Guide! Practice Questions Edition!: Ultimate CISSP Test Prep Review Book! Covers All CISSP Body of Knowledge By Seth Castro
Not a huge fan of the narration but good practice questions.
Essential CISSP Exam Guide: Updated for the 2018 CISSP Body of Knowledge By Phil Martin
Good enough narration, and useful knowledge for certain domains of the exam, particularly around access controls and compliance. This resource reinforced many of the concepts that I did not engage with regularly on the job.
How to Prepare
Decide early on whether you’re going for Associate of ISC2 or the actual CISSP endorsement, then apply accordingly before you register for the exam. Like any other certification exam, schedule the exam up front and hold yourself accountable to being prepared by that deadline.
Next, take some practice questions early on to get a feel for which domains are going to be your nemesis heading into this, and study those the hardest. For me it was the software development security category, since I came from a traditional IT background. Keep testing yourself with practice questions and make sure to read the solution justifications carefully in Boson to soak up the rationale for which answer is indeed the best. The audiobooks are especially helpful if you’re multitasking. I would listen to them while working out or running to try and internalize the knowledge into my more durable memory instead of keeping it in “crunch mode.”