Attending a CISSP certification bootcamp should be the final step in your preparation for taking and passing this highly sought-after and often required cybersecurity certification exam. How should you prepare for the bootcamp itself?
I teach about three CISSP bootcamps a month. A bootcamp is a full-time, eight-hour-per-day, five- or six-day exam cram experience. It is drinking from the firehose. The goal of most bootcamps is to provide intensive and extensive instruction covering the information you will need for the CISSP exam. It should also provide the insights, tips, and skills required to actually take and pass the test.
Many people come to the bootcamp expecting it to be the complete solution to preparing for the CISSP exam. For some professionals with a lot of cybersecurity experience and other security certifications such as Security+, CySA+, CASP+, or CISM, it very well could be. But the majority of students need more preparation than they can get in a 40-hour bootcamp. So what should you do to prepare for the bootcamp experience?
The CISSP exam has been characterized as “a mile wide and a foot deep.” This means you must know something about just about every conceivable cybersecurity topic, without necessarily going deep on any one of them. This is a “managerial level” exam, NOT a technical exam. (ISC)2 has targeted this exam toward current cybersecurity managers and toward cybersecurity technical staff who aspire to management. People who do well on this exam usually have over 10 years of Information Technology experience and 5 years of cybersecurity experience. It is important to have a background in computer and network fundamentals as well.
If you have less experience than this, the CISSP will be difficult for you. (ISC)2 expects you to be a cybersecurity professional with at least 5 years of experience in two or more of the 8 Domains. If you have a four-year college degree (or another approved credential), one year is waived and you will only need 4 years of experience. You can sit the exam before you have the experience and hold the Associate of (ISC)2 designation while you earn it, but if you do not have the experience, my recommendation is to pursue other IT and security certs first, such as the A+, Net+, Sec+, and CySA+, and get the time in role you need to build some real-world experience.
But many HR, IT, and cybersecurity departments want all their staff to have this certification, so waiting and learning the old-fashioned way, through experience, may not be possible. Just accept that you will have to work at this exam longer and harder than others with more experience.
Take a look at the exam topics in the CISSP exam outline (the course syllabus). This 16-page PDF lists all the topics you will need to know. Look through this list and be brutally honest with yourself. How many of these topics are you familiar with, and at what level? These are the topics you will be tested on. The computer adaptive test (CAT) algorithm is designed to measure your proficiency across the 8 domains and the hundreds of individual subjects and concepts within them. You must demonstrate an adequate level of proficiency across all of the domains to pass. The test algorithm is designed to identify weaknesses and will probe them during the exam. Many people struggle with cryptography, secure software development, business continuity planning, and security frameworks. Definitely focus extra effort on these topics if they are weak areas for you.
Get yourself a good practice exam and take an assessment test to see how you score and where you have room for improvement. I like the Boson Exam Sim, and the practice test that is included with the Sybex CISSP 8th edition book, provided by Wiley on the Efficient Learning platform. If you bought the Sybex book, instructions for accessing the free practice exam are on the last page of the book, just before the back cover. You will need 700 out of 1000 points to pass the real exam. Where are you now?
If you register for a bootcamp, the supplied book is often the (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 8th Edition, by Mike Chapple, James Michael Stewart, and Darril Gibson. Another good text is the Official (ISC)² CISSP CBK Reference, Fifth Edition. Read one of these textbooks prior to your bootcamp. You might need a few weeks of dedicated study, about 4 hours a day, combined with practice testing. Your goal is to complete the book before the bootcamp. If your bootcamp is scheduled for next week, you will have to plan to attend the 8-hour bootcamp and then put in another 4 hours of reading and testing per evening. It will be far less physically and mentally demanding to get the reading out of the way before the bootcamp.
In my own case, I studied for about 4 months, reading and testing, before taking my bootcamp. I had a generous employer at the time that needed a CISSP on staff to meet a compliance requirement, and I was the nominee. I was able to use two to four hours of my work day just studying. You will probably need to study on your own time, so make appropriate plans.
Once you have registered for the bootcamp of your choice, familiarize yourself with the provider's Learning Management System (LMS) or training platform. Make sure your computer meets the technical requirements. In these days of COVID-19, most training is happening online through a platform like Zoom. Test everything technical (audio, video, network connection, and your LMS login) before the first day of class.
Then engage in whatever preparatory exercises the provider offers. There should be a pre-bootcamp assessment test. There may also be study materials and even videos you can preview.
Dedicate time to the bootcamp experience. Remove yourself completely from whatever day-to-day activities your job requires. Treat this like an expensive vacation to France or Bermuda, no interruptions! The cost of a bootcamp is pretty comparable to that vacation, except without all the fun. Isolate yourself from work and family demands as much as possible. No email, except maybe at the lunch break.
Show up on time every day, or even early. Some instructors have open time for questions prior to the official start of class. Stay focused. Take notes. Ask questions about material you don’t completely understand. Do the required homework. Work practice questions every evening. You want to keep testing until you are consistently scoring 90 percent or better.
Form a study group on Slack or by email with your classmates, and sign up for the CISSP subreddit at https://www.reddit.com/r/cissp
None of the practice exams I have used really provide questions in the format you will see on the exam. Use them anyway; working through them in study mode in your test engine is a great way to learn the material. Practicing with exam questions also helps prepare your mind for the exam experience, just as running 5Ks can help train you for a marathon.
The questions are usually based on a scenario description, followed by a related question and four possible answers. The scenario and question ask you to think and analyze like a manager, not a technician. The “best” answer, or the one you thought they were looking for, may not be one of the options, but you still need to choose from the options given. Go back and re-read the scenario and question, find the answer that best applies, and make a managerial decision.
I often get questions about how soon to take the test. If you have used the bootcamp experience correctly, the best time to test is right away, within a few days or a week after class ends. Information you picked up in the bootcamp starts to leak away as soon as class is over. If you did the recommended pre-study, you are now as ready as you will ever be. Take it. Especially if your bootcamp offers any sort of pass guarantee that includes a second chance to test, take the first exam as soon as you can. If you fail the first time, you will have to wait 30 days to test again, and that should give you plenty of time to study and review. Plus you have the advantage of having seen the exam. The second set of exam questions will be different, but the format and experience will be the same. The examination results page you get from (ISC)2 after a failed attempt will show you the domains that need improvement.
For those of you heading into the exam, good luck. During the exam it is NORMAL to feel that you are failing. All I can say is stay focused, stay positive, and carry on. Everyone feels this way, and most pass the exam anyway. For information on the exam itself, see my previous post, Comments on the CISSP Computer Adaptive Exam. This is mostly a compilation of comments by students who have taken and passed the exam. Also check out the excellent Reddit post by Zarius, My personal CISSP Journey and recommended study material, and maybe Larry Greenblatt’s video on taking the exam.
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com