- CPA to Cybersecurity
- Posts
- Top 10 CISSP Surprises
Top 10 CISSP Surprises
Table of Contents
Introduction
One of my favorite Youtubers is Emergency Awesome, Charlie Scheider, who breaks down Star Wars, Game of Thrones, and other stories, recapping their top 10 surprises.
Today I'll apply that same format to my 12 week study journey with the CISSP exam, which sometimes felt like being in Game of Thrones. If you read through to the end:
You’ll see the any Given Sunday pep talk from Al Pacino, as it relates to my number one CISSP surprise moment,
You’ll get some insights on what to expect in your study journey, to help maximize your odds of passing on exam day
You’ll get some encouragement to persevere through the difficult study process. People sharing their stories on YouTube and Reddit helped me get through this thing, and I want to amplify that experience for others.
So grab some popcorn and let’s start at the bottom of the list, with my 10th biggest surprise.
#10: Lockpicking Lawyer cuts through physical locks like butter, with wrenches and commercially available tools
After reading in Destination Certification to check out the Lockpicking Lawyer on YouTube if you still think that physical locks are a preventative control, I went to the channel to watch him trivially bypass a variety of strong looking locks. It’s very eyebrow raising and alarming. A good case study on the need for layered defences.
#9 The Official Study Guide has a mobile app!
After hundreds of questions squinting and scrolling in my phone's browser, I learned that this friction could have been avoided by downloading the Wiley Efficient Learning mobile app. It was too late for me a week before my exam - but hopefully not too late for you.
#8 I kept getting the financial questions wrong, and I’m an accountant!
This sliver of the material that was financial, things like Average Loss Expectancy, was supposed to my strong area. But I kept making careless mistakes and eating humble pie. If you’re struggling with this topic, you’re not alone, just put in enough reps, remember to read the question carefully and you’ll get it straightened out.
#7 There was a lot I studied that I didn’t see in the exam
But that’s the nature of multiple choice exams and I guess shouldn’t be a surprise. It’s how they do it with certs, college and university degrees. While flawed, multiple choice tests are useful for cost, efficiency and effectiveness reasons because:
They can boil down exam time to 4 hours - mine took 2 and a bit
And they make the grading more objective, standardized, reliable and measurable - for scale
Of course it’s not as good demonstrate creativity and problem-solving, that you can express better in an essay or by building something.
But keep in mind Harvard’s advice that the research is clear: education is only 10% of career growth, with the bigger elements being relationships 20% and experiences 70. My other videos talk your ear off on that.
#6 The hardest topics for me
Kerberos
OAuth vs Open ID vs Open ID Connect
Subnetting
Object Oriented Programming
Multi Threading vs multi tasking
I had to do lots of lot of lather, rinse repeat repeat for these: watch a lecture, read, get practice questions wrong, make notes, repeat. I list the resources I found most helpful here:
#5 SimplyCyberCon keynote: "Multiple-choice certifications need to be destroyed with fire"!
Quite the hot take from John Strand! Here’s a recap of key points:
The industry perpetuates a problematic culture of elitism and exclusivity
There is a general distrust of higher education's effectiveness in preparing cyber professionals
The high cost of professional cybersecurity training creates barriers to entry
Multiple-choice certs don't necessarily reflect real-world skills or abilities - like we just talked about that
Free or low-cost cyber ranges and practical skill assessments, can be more valuable than traditional certs.
The industry needs to shift from an elitist mindset to a more inclusive and supportive culture.
Then John provides some balancing perspective, that multiple choice certifications are good at quote
“To make sure that somebody understands the vocabulary of the industry is where I'll give the CISSP a slight pass. I look at the CISSP as: this is the binding language and terminology that we use. There's some value in that when we're all sitting around having a conversation”.
I’d add to that perspective that:
Education is only 10% of a Career Development Plan
Some certs are more practitioner focused with case studies as opposed to rote memorizing the terminology that is table stakes for a case study discussion
CISSP was a good fit for my 70-20-10 career development plan and it might also be for yours.
#4 Candidates passing, failing, sometimes singing or crying on the CISSP subreddit
I’ve mentioned in a prior video that This reddit community was my most valuable resource. Stories shared by participants there optimizing my balance of being scared and hungry, while offering advice on the best training approaches.
#3 Thor Peterson teaches me that OSG questions are in the easy/mid category, and students should expect to do 5,000 practice questions
When he said this in a Udemy boot camp it made me realize that my currently planned study hours were insufficiently LOW.
I haven’t crunched the numbers yet on how many questions I did. But it was in Thor’s ballpark of 5,000 and if you want a more precise answer, let me know in a comment.
#2 Database polyinstantiation
This impressive sounding computer science term to to straight up lie and deceive! What?! That’s super different and eyebrow raising for accountants with fraud fighting with transparency backgrounds, but I get it for protecting confidentiality. What a fascinating field. It requires integrative thinking, for more on that topic, check out Canadian: Roger Martin.
#1 It got a bit ugly for me around question 76
I was getting a tired, I felt jolts of self doubt. What if I don’t pass? How many more study hours and exam attempts is it going to take? How much is it going to cost? This is hard.
In that moment I needed Al Pachino’s “One inch at a time” football pep talk from Any Given Sunday.
“We’re in hell right now, gentlemen. Believe me. And we can stay here… or we can fight our way back, into the light. We can climb out of hell, one inch at a time”.
And I remembered reading that advice in the CISSP subreddit. When you feel flooded, take a beat, and just focus on the immediate question. Then the next one, then the next one, then the next one.
This exam, just like football and just like life, is a game of inches.
Thanks for reading and good luck getting after it!