Certification Series: CISSP in 2012

Mike wants to do cool security stuff

Picture it, federal contracting, twenty eleven.

Mike is a senior consultant at a consulting company that was bought by a military contractor who is trying to get into the cyber security space. Mike takes full advantage.

This post is part 2 of a 5-part series on Mike’s certification history.

  1. A+ in the ’90s
  2. CISSP in 2012
  3. PMP in 2014
  4. CKA in 2021
  5. CKS in the future

These are not meant to be instructive or helpful in any way in terms of achieving the certifications. They’re simply an account of my deciding to become certified and how I got it done.

For the record, I haven’t tried other certifications.

Collecting the knowledge to be tested

The years between my A+ certification success and the CISSP certification attempt were years of extreme personal and career growth full of opportunities and learning. I had been a News Systems Specialist, an IT Administrator for a financial company, an IT consultant, a programming consultant, and a manager of programming consultants.

All of these roles had a little bit of security peppered into them at various times.

  • During the News Systems Specialist time, I was traveling the country configuring a news production system on NT 4 and 2000 Servers which had some basic connectivity and security configurations.
  • During the financial services company role, Sarbanes-Oxley passed and I had to understand it and implement controls to meet compliance with little external support, since it was just after the financial crisis and hiring wasn’t going to happen.
  • As a general IT consultant, I helped some organizations meet PCI compliance and supported some larger firms that had significant risk mitigation controls.
  • The current employer was a military contractor, so CISSP was a labor category keyword, and they were happy to boot camp and certify as many folks as they could.

Even though for many of those years most of my time was spent fixing PC LOAD LETTER, the security interactions were sufficient to meet the requirement to sit for the exam.

The aforementioned boot camp covered all the content areas though the only domain knowledge I learned was some of the cryptographic algorithm stuff.

CISSP Exam Guide

Boring but helpful reference book with good diagrams and tables

Testing strategy

For the test-taking strategy, the boot camp had a lot of suggestions. The content of the exam is so arbitrary that the book and course focus on the (ISC)² way and drill in a bunch of rote memorizations. This is where the “very correct” and “nearly correct” lines came down to complete guesses, since both were technically true enough and neither was actually technically truer than the other, but (ISC)² says it’s “b” so it’s “b”.

Flashbacks to school

The format was also pencils on Scantron in a big conference room at a hotel in Maryland outside DC, so it was a bit more school-feeling than either the A+ or PMP when I took those (at computer testing centers). Since it was 4 hours in a chair writing, the pencil, snack, and restroom situations were covered and probably overdone a bit.

The book also had practice exams in the back which I was able to just barely pass by the end of the course. I downloaded some additional practice tests and took those prior to test day and performed okay.

Test day

Like most of my testing experience, I read a question, know the answer or don’t, answer, and then do the next one. My memory works pretty well and the boot camp was pretty recent so I didn’t have trouble answering everything relatively quickly.

With just about half the exam time passed, I turned in the paper with a 70% confidence that I had passed. No need for a bathroom break or snack or 6 spare pencils.

I Passed!

Took a few weeks for grading to come back since like 400 of us took the test at the same time.

Follow-on activities

The CISSP was the first time I realized that belonging to a professional organization required annual fees and continuing education credits. Over the years these annual fees were paid for by whoever my current employer was.

The continuing education credits were easy to get when I worked as a Security professional for a financial institution but were tougher to come by as a DevOps consultant.

The next certification I received was the PMP.