This post tells my journey into becoming a Certified Information Systems Security Professional (CISSP), not just the happy flow, also my doubts and struggles. The last couple of months were very tough and demanding of not only myself, but also of my family. Without their support I would not have been able to even start this journey, let alone bring it to the finish. This post is (currently) one of my most elaborate ones, buckle up, it is a read.
What Certification to get?
In January 2023 I decided to try to achieve a certification that would be a serious challenge. And since I want to move forward in the field of information security and preferable in the role of (Information) Security Officer, there is only one certification that holds real value: Certified Information Systems Security Professional, in short this is the certification to achieve.
What are the next steps and most importantly when to do this? Also before committing, it is reasonable to do some investigation into the feasibility of this certification for me. In other words do a feasibility assessment.
According to the COMPTia IT Certification Road Map this certification is one te be classified under the expert category. The expert certification’s listed are the really tough ones.
- And do I feel myself expert enough to even try this?
- Is this certification not a “bridge too far” for me?
- Would I be able to get the “stuff”?
All valid questions to me.
As part of this assessment, I bought a couple of books from Amazon, the cost was not so high and these books would give me the needed insights. After checking out the site of (ISC)2 I found a number of books: (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide & Practice Tests Bundle and also on Amazon I found the CISSP for Dummies A book for dummies, should not be too hard, right? Nice simple book to get the basic understanding of the topics required. Wrong, seriously wrong. This certification is not to be underestimated. It is a lot, a serious lot of ground to cover.
Doubts Are Rising
The bloody dummies book is over 550 pages! That is really a lot to grasp and understand, and if the dummies is over 500 pages, what would the Official Study Guide be? Some real doubt are rising….
- Is this really something for me?
- Would I be able to even achieve this?
- Is it not simple too much for me?
- Am I not “smart” enough?
- This is something for the really ‘smart’ people, not for someone like me?
If one is not careful a down-ward spiral of thoughts/questions to failure is looming close by.
After reading a couple of chapters in the dummies and official study guide, a realization came, I do understand the different topics, I have experience in these so called domains! I even think to understand what is needed. So the decision was made to achieve this certification. Off-course after some serious talks to my better half, the missus. Without her support this adventure would be been not possible.
When to achieve this goal?
Now the question remains when to do this, for me a bootcamp approach works best, not really a lot to choose from. But ok, not a problem. In the Netherlands there is one that is certified for CISSP, Firebrand and since I want to know the prices of this course, I had to have a interesting call. The price was a serious investment, and considering that our savings already to a hit with the purchase of a car. Initially I decided to postpone this bootcamp to later this year or early next year. First priority is finding a assignment in my desired roles. After talking with multiple recruiters and others and since I had the time to invest in a training we found the means to fund this bootcamp now. Let’s plan this in, end of April 2023, the bootcamp is being given in a nice location in Sint-Michielgestel.
After the week of training some doubts were there again, this exam is going to be hard. Not really one to take lightly, the questions and answers need to be read more then once and very, very careful. It is a really demanding exam. The topics themselves are not that hard, if you have experience in 3 to 4 of the 8 domains. Individually the depth of knowledge per topic is doable, the amount of topics combined make the exam soo bloody hard. I understand the reasoning for the exam in this matter, however there a number of challenges to overcome:
- Think like a (American) manager. Not always as easy as it seems.
- Understand the american lingo, we in Europe are taught British English, really not the same as American English. And English is my second language.
- What would be the desired answer that (ISC)2 would want me to give?
At the end of the week I felt I was ready for the exam, did a trial exam, part of the Official Study Guide. The result was over the minimum of 70%, so let’s do this. I should be fine. (Famous last words! 😏 )
Saturday, 22nd of April I took the exam. And boy was I wrong about being ready. Failed. And failed hard. Of the 8 domain not a single one above proficiency. Seven below and one near proficiency. What happened? I honestly do not know. Most of questions I simply misread or did not understand the question. I completely blacked-out. 😕 I seriously got the feeling that I was in the wrong exam, that I did not have a bootcamp just prior to the exam. The doubts of before were definitely back, and then some.
This type of adaptive examination is one of the toughest types I know. Not being able to go back a question, questions that keep on getting tougher and as far as I understood, in this case not simply scoring 70% in total, no you have to score 70% in each domain. And lastly the bloody timer. That one is for me always one of the biggest struggles. The pressure I perceive with a clock, always make me do stupid mistakes. For me the option to hide and show the clock when I would like, would give me a peace of mind. But alas, not possible.
What to do next?
After the drive home, in a slightly depressed state of mind, mostly angry (😠) with myself. I clearly was not prepared enough. At home and after having some serious talks with the missus we decided to try again. Worst thing that could happen is the loss of money. Failure does not mean that no longer can come home, it does not mean that I would loose my employment. However, easier said then done, the pressure (I put there myself) to achieve is there. The cost of it all is still a hefty sum. Nevertheless the opportunity is there, do not waste it.
Initially I was planning to do the course remotely and be there for the last day and exam and I should be ready then. This is the approach one of the other candidates took, however the candidate did not pass the second time. And considering the amount of disruptions and distractions I would have to be subject to, if I would be attempting to follow a course of this magnitude like this remotely. No, that approach does not work for me. The only viable solution is doing the bootcamp again on location.
Thanks to the Firebrand “Pass first time or train again for free” guarantee I only had to pay for another exam voucher and the accommodation, I booked for the next course week that would fit and when I would be allowed to attempt the exam again. After the first failure I had to wait at least 30 days before my next attempt. I believe if I would fail again, I would have to wait at least 60 days before attempting again. That is some incentive to do the work and pass.
Better be prepared this time. Way better! Shortly after the 22nd of April 2023 we went away for a short holiday to Madeira, Portugal. A nice, very nice island in the Atlantic and with some very nice weather. Took some preparation books with me. The week helped me putting it all in perspective. I already learned a lot from the first week. And even the second attempt I would be scoring better then before, for sure. On the airport in the very early morning of departure I did an assessment quiz of 40 questions, while queueing for Starbucks, scored around 80%. So some of the “stuff” did stuck. Not all is lost. I hope.
Preparation for the second attempt
Back home, I realized that I made a calculation error. I was under the impression of having three weeks to prepare, then the bootcamp and exam. Gives me enough time to plan the reading of the complete course. Wrong, I had two weeks of prep, not three. Damn this is going to be tough. I wanted to read the complete coursebook again from front to back. In the preparation for the first attempt I had already a 3-month subscription of the one and only certified iOS app to help study and practice questions. My days in the weeks 19 and 20 were fully focussed on reading the chapters and doing a shit load of questions..
What for me worked was answering questions on all 8 domains every moment I had; riding the tram into Amsterdam, waiting for the Chinese food to be ready to take home, being at birthday celebrations, watching the TV. Every day I spend on CISSP. I would have to drive to Sint Michielgestel on Sunday, 21st of May. Saturday, 20th of May I had read all chapters and had a overall readiness score of around 70% in the application. So everything was in the “green” Did another quick assessment exam of 40 questions and scored 82%. I did realize along the way that it is starting to “click” in my head, there were a number of questions from which I could deduce the correct answer, even the reasoning for the answers made sense.
Nice! Very nice! Becoming more and more confidant that I am ready for another week of CISSP training…
Course Week 2
Arriving on Sunday was two-fold, on the one hand I was pissed that I had to be there again and at the same time glad to be given this opportunity to do the course again. Anyway I am here let’s make the best out of it. The biggest benefit is that I know what to expect. That is already helpful.
Since I know that the WiFi reception has room for “improvement” and that I know that the ethernet-jack in the room is live, this is something I can improve myself.
I do still have a nice fanless PC with a i3 and 6 ethernet ports. Why not setup OPNSense and create my own WiFi network in the room, this way I would have a better FaceTime experience. And it is a nice exercise in some routing and switching. Configuring the router and access-point, pretty simple. even added AdGuard Home to be running on the router.
So even away from home, less ad’s and stuff. Additional wish; since I have a working WireGuard VPN to home that allows all traffic to breakout at home, why not see if I can create a S2S tunnel that also sends all traffic from the road LAN, via home, to the internet. Preferable using WireGuard. Any way that is how I spend my nights doing something different from CISSP to keep some sanity.
Not a bad setup, nice views and quite secure in my connectivity online. Sadly I did not get the breakout via the S2S working. Probably had to do something the routing and NAT. Ah, well, the S2S works. Next trip it will be a matter of tweaking the configs in both OPNSense routers to get it to work. It should, in theory, work. When I have the setup working I will write a blog post about it.
The group was a very nice group of people. Made some nice contacts and the collaboration was also very nice in the group. We had similar interests and backgrounds, that made the situation even more pleasant. The amount of topics stayed the same, a huge lot to cover in a very short amount of time. Anyway since this was my third time I hearing/reading explanations of the topics, the power of repeating is setting in. Also being taught the course by a different instructor also helped a lot. It is all about how the message is being brought across.
The complete week I kept doing additional questions on the different topics. Still some mistakes but way less then before my first attempt. On Wednesday evening four of us did together around 50 question from the Study Book Practice Tests. A very helpful evening. Most of these questions I had correct, so very comforting to experience. Also there are some security models on confidentially and integrity explained in the course that I simply did not get. The instructor came with a matrix explanation that really hit home. Now I did get it and answered thank to this matrix these questions correctly. The first two days moved slowly. The exam is far away. Wednesday the speed came back and before you know it, it is friday. Last day before the exam. Deliberately did I take my rest on Thursday and Friday evening. From the first week I still had a trial exam of 100 questions. Friday afternoon we are “ready” around 15:00, first some relaxation followed by the doing the trial exam, end result: 85%, so just 15 questions wrong. I should be ready. I have done everything that I could possible do. And as the saying goes: I did my best. Trying to get a goods night rest.
Exam Attempt 2
Although I went to bed early the night before the exam, I was still up around 05:30… Better pack and bring already some stuff to the car. Nothing else to do. Exam start around 08:45. Stress levels are rising, and doubts as well. Any way let’s focus. And do another quick assessment quiz. Again 85%, so should be ready. Still troubling feelings of stress and uneasiness. Lots of 😟 and 😰
During the exam I took deliberate breaks, first around question 80, just the need to be outside the exam room. In the first attempt, the exam stopped at question 125. It was done. This time at question 125 the longest 15 seconds of my life took place. Scrolling indicator came and stayed for way longer then I would have liked, stress levels again through the roof. I tried to regain my calm and continued to question 132, now I had to really step out. I have to have a bit of fresh air and some other stuff to read. Some thoughts that went through my head: “This is really tough, and really important not to slack now. Get your focus back, time is not an issue. I still have over 1.5 hours to complete the remaining 43 questions.” Back into the room and tried to focus. Suddenly question 175, this is it, the last question and no turning back. Either I spent another exam voucher with no success or I passed. Nothing more to it. And like my wife told me, if it is not enough, it should show enough progression to pass in a third attempt.
The moment I received the congratulations, it was such a relieve. 😌 I had to keep quiet. I could not stop 😀! Others were still in the exam. Outside some other were waiting. So happy that I have passed this exam. It is one of the toughest exams I ever took.
Last steps in becoming a CISSP
In order to become a CISSP, there are a couple of steps in the procedure:
- Pass the exam
- Get an endorsement of an existing CISSP
- The endorsement is vetted by (ISC)2 and thus approved
- Pay the yearly fee
On Sunday, 28th, I already received the email providing me to move the next step. I have found a CISSP willing to endorse me, so that was the easy part. Now it is a matter of filling in a form, listing my work experiences of the last 10 to 12 years. Next is the steps 3 and 4. The step 3 took some time. The waiting game was there, something I find to be very hard to endure. The endorsement was completed on the 30th of May. In the confirmation email I received it was mentioned that it could take up to 4 to 6 weeks before. And if I had not heard back after 6 weeks, get into contact with (ISC)2.
For me the wait on confirmation was quite nerve-racking, to me it seems to be without end. Doubts are rising:
- Did I fill the form in correctly?
- Is there some other hickup?
- Are they waiting for some response?
Upcoming Tuesday it would have been the 4th week of 6. Any way, yesterday we went sailing on the “Markermeer” with my in-laws, Son had a day off school, weather very nice. And being able to just go out and spend the day on the water sailing, is richness in it self. Yesterday evening around 20:00 I received the conformation, the endorsement is approved! The last step is easily done, just pay up!
The certification is a fact, I have achieved the goal I set in January 2023, it was tough, it really took some serious effort. This certification is not something to do on a rainy Friday afternoon. It really takes dedication and lots of effort to get there.
For me the following sources worked best:
- (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide & Practice Tests Bundle
- Official CISSP CBK Reference
- Doing the course twice, the amount of material is too much (in my opinion) to handle in one week. Another two days might be more feasible. This is due to the fact that the course is in American English, there are differences between this and the Britisch orientated English being taught in school.
- Limit yourself to a fixed number of sources. Stay as close as possible to the (ISC)2 approved sources.
- Try to relax in the process. The topics and material is already tough enough.
Being able to tell everyone I am CISSP, that I am member of an exclusive group that have a high standard and a code of ethics to commit to is something I am happy to announce. Thanks to the endless support of my family, the opportunities given to me, the hard work I had to put in, the end result is something to be very proud of, which I am.