Top 10 CISSP Surprises

Introduction

One of my favorite YouTubers is Emergency Awesome, Charlie Schneider, who breaks down Star Wars, Game of Thrones, and other stories, recapping their top 10 surprises.

Today I'll apply that same format to my 12 week study journey with the CISSP exam, which sometimes felt like being in Game of Thrones. If you read through to the end:

  1. You’ll see the any Given Sunday pep talk from Al Pacino, as it relates to my number one CISSP surprise moment,

  2. You’ll get some insights on what to expect in your study journey, to help maximize your odds of passing on exam day

  3. You’ll get some encouragement to persevere through the difficult study process. People sharing their stories on YouTube and Reddit helped me get through this thing, and I want to amplify that experience for others.

So grab some popcorn and let’s start at the bottom of the list, with my 10th biggest surprise.

#10 Lockpicking Lawyer cuts through physical locks like butter, with wrenches and commercially available tools

Destination Certification suggests checking out the Lockpicking Lawyer on YouTube if you still think physical locks are a preventative control, so I went to the channel and watched him trivially bypass a variety of strong-looking locks. It’s very eyebrow-raising and alarming, and a good case study on the need for layered defences.

#9 The Official Study Guide has a mobile app!

After hundreds of questions spent squinting and scrolling in my phone's browser, I learned that this friction could have been avoided by downloading the Wiley Efficient Learning mobile app. It was too late for me, a week before my exam, but hopefully not too late for you.

#8 I kept getting the financial questions wrong, and I’m an accountant!

This sliver of the material that was financial, things like Average Loss Expectancy, was supposed to be my strong area. But I kept making careless mistakes and eating humble pie. If you’re struggling with this topic, you’re not alone: put in enough reps, read each question carefully, and you’ll get it straightened out.

#7 There was a lot I studied that I didn’t see in the exam

But that’s the nature of multiple-choice exams, and I guess it shouldn’t be a surprise. It’s how they do it with certs, college and university degrees. While flawed, multiple-choice tests are useful for cost, efficiency and effectiveness reasons because:

  • They can boil exam time down to 4 hours (mine took 2 and a bit)

  • And they make the grading more objective, standardized, reliable and measurable, which matters for scale

Of course it’s not as good at demonstrating creativity and problem-solving, which you can express better in an essay or by building something.

But keep in mind Harvard’s advice that the research is clear: education is only 10% of career growth, with the bigger elements being relationships at 20% and experiences at 70%. My other videos talk your ear off on that.

#6 The hardest topics for me

  • Kerberos

  • OAuth vs OpenID vs OpenID Connect

  • Subnetting

  • Object Oriented Programming

  • Multithreading vs multitasking

I had to do a lot of lather, rinse, repeat for these: watch a lecture, read, get practice questions wrong, make notes, repeat. I list the resources I found most helpful here:

#5 SimplyCyberCon keynote: "Multiple-choice certifications need to be destroyed with fire"!

Quite the hot take from John Strand! Here’s a recap of key points:

  • The industry perpetuates a problematic culture of elitism and exclusivity

  • There is a general distrust of higher education's effectiveness in preparing cyber professionals

  • The high cost of professional cybersecurity training creates barriers to entry

  • Multiple-choice certs don't necessarily reflect real-world skills or abilities, as we just discussed

  • Free or low-cost cyber ranges and practical skill assessments can be more valuable than traditional certs.

  • The industry needs to shift from an elitist mindset to a more inclusive and supportive culture.

Then John offers some balancing perspective on what multiple-choice certifications are good at, quote:

“To make sure that somebody understands the vocabulary of the industry is where I'll give the CISSP a slight pass. I look at the CISSP as: this is the binding language and terminology that we use. There's some value in that when we're all sitting around having a conversation”.

I’d add to that perspective that:

  • Education is only 10% of a Career Development Plan

  • Some certs are more practitioner-focused, using case studies rather than rote memorization of the terminology, which is table stakes for a case study discussion

  • CISSP was a good fit for my 70-20-10 career development plan and it might also be for yours.

#4 Candidates passing, failing, sometimes singing or crying on the CISSP subreddit

I’ve mentioned in a prior video that this Reddit community was my most valuable resource. Stories shared by participants there optimized my balance of being scared and hungry, while offering advice on the best training approaches.

#3 Thor Pedersen teaches me that OSG questions are in the easy/mid category, and students should expect to do 5,000 practice questions

When he said this in a Udemy boot camp, it made me realize that my currently planned study hours were insufficient, way too LOW.

I haven’t crunched the numbers yet on how many questions I did. But it was in Thor’s ballpark of 5,000, and if you want a more precise answer, let me know in a comment.

#2 Database polyinstantiation

This impressive-sounding computer science term means to straight-up lie and deceive! What?! That’s super different and eyebrow-raising for accountants with a fraud-fighting, transparency-first background, but I get it for protecting confidentiality. What a fascinating field. It requires integrative thinking; for more on that topic, check out the Canadian Roger Martin.
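Polyinstantiation in practice, as an added example that is not from the original post: a constructed sqlite3 sketch of a multilevel-secure table. It shows the inference channel a plain primary key opens (a "duplicate key" error tells a low-cleared user that a classified row exists) and how keying on (cargo_id, classification) instead lets a cover row sit beside the real one, so each clearance level gets a consistent answer and no error. Table names, values and clearance levels are assumptions.

```python
import sqlite3

# Assumed clearance levels for the example (not from the post).
UNCLASSIFIED, SECRET, TOP_SECRET = 0, 1, 2


def build_db() -> sqlite3.Connection:
    """Constructed sample database with one classified shipment."""
    conn = sqlite3.connect(":memory:")
    # Naive table: cargo_id alone is the key. A low-cleared user who inserts a
    # cargo_id that already exists at a higher level hits a constraint error,
    # which confirms the classified row exists (an inference channel).
    conn.execute("CREATE TABLE naive(cargo_id TEXT PRIMARY KEY, "
                 "classification INTEGER, destination TEXT)")
    # Polyinstantiated table: the key is (cargo_id, classification), so the
    # same cargo_id can hold a different "fact" at each level.
    conn.execute("CREATE TABLE poly(cargo_id TEXT, classification INTEGER, "
                 "destination TEXT, PRIMARY KEY(cargo_id, classification))")
    for table in ("naive", "poly"):
        conn.execute(f"INSERT INTO {table} VALUES (?, ?, ?)",
                     ("C-1001", TOP_SECRET, "Site Alpha"))
    return conn


def naive_insert(conn, cargo_id, level, destination) -> bool:
    """Returns False on key conflict; that failure itself leaks the secret row."""
    try:
        conn.execute("INSERT INTO naive VALUES (?, ?, ?)", (cargo_id, level, destination))
        return True
    except sqlite3.IntegrityError:
        return False


def poly_insert(conn, cargo_id, level, destination) -> bool:
    """Succeeds even when a higher-level row shares cargo_id: no leak."""
    conn.execute("INSERT INTO poly VALUES (?, ?, ?)", (cargo_id, level, destination))
    return True


def poly_view(conn, clearance) -> dict:
    """Per cargo_id, return the row at the highest level the reader is cleared for."""
    rows = conn.execute(
        """SELECT cargo_id, destination FROM poly AS p
           WHERE classification = (SELECT MAX(classification) FROM poly
                                   WHERE cargo_id = p.cargo_id
                                     AND classification <= ?)""",
        (clearance,)).fetchall()
    return dict(rows)
```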

#1 It got a bit ugly for me around question 76

I was getting tired and I felt jolts of self-doubt. What if I don’t pass? How many more study hours and exam attempts is it going to take? How much is it going to cost? This is hard.

In that moment I needed Al Pacino’s “One inch at a time” football pep talk from Any Given Sunday.

“We’re in hell right now, gentlemen. Believe me. And we can stay here… or we can fight our way back, into the light. We can climb out of hell, one inch at a time”.

And I remembered reading that advice in the CISSP subreddit. When you feel flooded, take a beat, and just focus on the immediate question. Then the next one, then the next one, then the next one.

This exam, just like football and just like life, is a game of inches.

Thanks for reading and good luck getting after it!