Grueling. That’s the adjective most used by security professionals who have labored through the CISSP certification process. Certified Information Systems Security Professional is a comprehensive, vendor-neutral credential that the global IT security industry recognizes for requiring a “common body of knowledge that ensures security leaders have a deep knowledge and understanding of new threats, technologies, regulations, standards, and practices.”
Severe, demanding, and nerve-wracking are a few other descriptions that come up with regularity when newly-minted CISSPs compare their experiences preparing for the certification. (Ask them to describe the actual six-hour exam process and they’ll share a few other choice words.)
Two NetGain Technologies engineers sat through the CISSP exams in April and added the esteemed credential to their already-impressive alphabet soup of technology and security certifications. I asked Scott Logan and Joey Lee to share some of their experiences from training and studying for the CISSP.
- How did your IT experience, educational background, and prior security certifications factor into your CISSP studies?
Scott: I have been in an engineering role for IT systems for the past 30 years. My focus shifted to security around five years ago as “break-fixing” was becoming more and more of a common occurrence and a burden. Switching focus to a proactive approach was a parallel move with security. Learning how to prevent (as Spock would say) just seemed logical.
Joey: I have had an ever-growing interest in security for quite some time now. My education and degree are in Information Systems Security. I graduated in 2009, before security breaches were a hot topic that garnered front-page headlines. The CISSP and CEH certifications have definitely been highlights in my IT career thus far.
- From your initial decision to sit for CISSP to the actual test, how long was the process of studying and preparation?
Scott: The CISSP covers ten different domains with each domain worthy of its own certification. When I initially scheduled for this exam around December of last year, I committed to video and book review almost nightly. My studies increased the closer I got to the actual class.
Joey: I started heavily focusing and studying for the CISSP around October 2014 in preparation for the exam. Study materials came from a wide variety of sources, in either paperback or hardback flavors, weighing in around 30 pounds.
- After the self-guided study, there’s a CISSP class just prior to the certification exam. How did that work?
Scott: Right. There’s a boot camp that ran 12 hours every day for five days, with two 45-minute breaks for food per day.
Joey: I had been studying for almost half a year before leaving for Chicago. But the real studying didn’t begin until we started Day 1 of our CISSP boot camp. Little did I know what long hours were ahead of us.
Scott: The information flow was continuous and almost too much to take in. So studying every night after class for another three to four hours made sure the information could sink in a little farther. By test day (Saturday) we were all mentally exhausted and nervous about the pending six-hour exam.
- The CISSP class and testing took place in Chicago. Did you get to see much of the Windy City?
Scott: Every night after class, Joey and I would sometimes perform practice tests on the day’s domain topics, or I’d head back to my room and cram study to the point of waking up with books and flash cards lying all around me. We had made plans to see the sights of Chicago during our trip—downtown skyline, a Cubs game—but all we ever saw was the view from our rooms. We both agreed the certification outweighed a night on the town.
- In a nutshell, how did the CISSP exam go? Was it really six hours of testing?
Scott: The exam wasn’t until noon, so Joey and I took the morning to refresh, throwing questions back and forth, flash cards, anything to bring the knowledge from the week to the front of our thought process. The test is grueling. Once the clock starts, that’s it for the next six hours. You have 250 questions to complete in 360 minutes; that’s a little less than one and a half minutes per question. The questions vary across the 10 domains and range from multiple choice to scenario-driven questions and drag-and-drop solutions.
- How long were you kept in suspense over your CISSP exam results?
Scott: When you have completed the test, you raise your hand and within a few minutes discover your fate. I was so happy to receive the news that both Joey and I had successfully completed the studies and qualified for our certifications.
- Did you have mentors, organizational support, or other encouragement and guidance during the CISSP study process?
Joey: Scott was a key player throughout the whole process at CISSP. He helped me remove my “engineer hat” and take a more comprehensive look at things (AKA wearing the “security management hat”). There were also quite a few people from our training class that we studied with. It REALLY helped studying in a group setting.
Scott: The people in the class were very friendly and professional. We all were able to assist each other throughout the course. A lot of knowledge was present and information sharing from real-time experience was especially helpful.
- Why would small businesses (in medical, manufacturing, banking, legal, and other professional industries) value CISSP certification from a technology provider?
Scott: The CISSP is a perennial certification achievement in the security arena. Having a CISSP on staff provides a level of accreditation needed for business security offerings, so that a CISSP will be involved with customers’ security needs. Clients that know security will recognize the value of a CISSP being involved in the solution.
Joey: Security professionals can help guide small businesses in making strategic decisions for protecting Information Systems, company data, and regulatory compliance.
Scott: Having a CISSP involved with the information provided during an audit presents a high level of assurance. FDIC and other audit mediums respect the value of a CISSP’s involvement with a client’s security platform.