A journey into hell. My CISSP experience

I was always the type of person who had the attitude of “I don’t need a piece of paper to get a job, I have the skills, experience, and have probably studied more cert materials than anyone I know”.

This remained my attitude… until a little thing called the Global Financial Crisis came to town.
The recession hit hard. Friends were losing their jobs, and businesses were falling like dominoes, only to be gobbled up by hungry organisations higher up in the food chain. The company I worked for was also crumbling. The people who weren’t abandoning the sinking ship of their own accord soon found themselves swimming. The company went under.

So this is when I started looking for a new job. Traditionally I’ve worn many hats of different flavours throughout my career, from System Admin through to Network Engineer. At each step I involved myself in Information Security, being more of the ‘security guy’ than anyone else, but without having that on my business card.

Having no industry certifications in Information Security didn’t seem like a big issue to me. The attitude of “I know what I’m doing, and I love security” was all I thought I needed to land me a sweet job in the industry. But I soon found out that this was about as far from the truth as you could get.

I had studied for plenty of certifications in the past: Cisco, Microsoft, Linux, CEH and the other EC-Council offshoots (gag), and even the SANS courses. But I never took that extra step to get certified. Why? Because I thought I didn’t need to. I usually land jobs by who I am, not what paper I have.

I started applying for jobs online. I wanted to steer away from networks as I feel I have accomplished all I want in that area. The same is true for Microsoft. I’ve had my fair share of System Administration. It was time to find something I love and am passionate about. Information Security.

Of the 20 or so jobs I applied for, I didn’t even get a response back. (This is from the recruiting agencies who post the online adverts.) I knew the competition for work was tough right now, but not even getting a call back left me demotivated.

Next, I started applying for network security roles. Again, no replies ever appeared in my lonely inbox. I felt this was comical, as I’ve been building networks and managing security devices in organisations since I was 19, but alas, I didn’t get any call backs.

Then a few weeks later, still tirelessly spamming out my resume to recruiters in what felt like a mass phishing campaign, I started to get a slow trickle of recruiters calling me up, asking me for more information regarding the jobs I had applied for. “So, you have your CCNP right? No!? Not even a CCNA!?” *click*.

Trying to explain to the nice recruiters that I’ve got more experience than a CCNA or CCNP implies got me nowhere.

“Man… if only I got some certs” I would mumble, kicking myself into a semi-depressional state.

Then one day I struck gold. It wasn’t the gold nugget I was searching for, but in the circumstances, it was gold nonetheless. Like the lucky wildebeest crossing the Nile without becoming breakfast, the fortunate salmon running the gauntlet upriver without becoming lunch, and the athletic sperm that breaks to the front of the pack, I had beaten the thousands of other IT drones in Sydney looking for work, and landed a job as a trusty network engineer.

I was grateful for that, but it was the first time in my professional life I was doing something I didn’t love. I felt my brain weakening and getting dumber by the day. I always try to strive towards an end goal, and being a network engineer didn’t have the end goal I was playing for.

With that… I decided it was time to hustle. I had to do something to get into the Security Industry as it wasn’t just going to find me. I’ve been hanging around with nefarious hacker types since I was a kid, and have been one of them numerous times. But this didn’t mean squat in my situation.

I began researching Information Security certifications. I needed something that I could put after my name, and something to brandish in front of a recruiter to at least get a job interview.

I looked into Certified Ethical Hacker. But having hung around the hacking scene for long enough, I knew this was more of a joke than anything, and the idea of having ‘Ethical Hacker’ on my resume could be counter-productive (in my opinion, it sounds retarded). If you strive to have ‘CEH’ next to your name, then you probably don’t have many aspirations in the field (unless you got the cert for free). The more advanced certifications that EC-Council offers after the CEH looked pretty decent at the time. They didn’t look all that hard, and I was sure I could pass them with a few weeks of cramming, but this particular vendor makes it extremely difficult to get any certification without starting with the CEH at entry level. Just like Cisco, the money-making pyramid scheme turned me off.

After reading some forums, I stumbled onto the ISC(2) website and researched what the CISSP was all about. It said you required 5 years’ relevant industry security experience in at least 2 of the following 10 domains.

1. Access Control
2. Application Development Security
3. Business Continuity and Disaster Recovery Planning
4. Cryptography
5. Information Security Governance and Risk Management
6. Legal, Regulations, Investigations and Compliance
7. Operations Security
8. Physical (Environmental) Security
9. Security Architecture and Design
10. Telecommunications and Network Security

These are also the domains you get tested on. I skimmed over these, and at first glance I knew I was eligible (due to my network security and server work).

Further investigation led me to the discovery that people claim this is one of the hardest exams they have ever attempted. Some of these people I would call highly experienced and skilled individuals. I also read that this was one of the highest-paying certifications in the field, and a ‘gold standard’ to get you into many different roles. The CISSP sounded like the certification I should attempt… until I saw the $900 price tag stapled to the examination fee. Ouch!

After a few wines with my newly pronounced fiancée, and explaining the situation, she encouraged me to go for it if it was indeed what I wanted to do. “Pay for it with our wedding credit card… I believe you can do it… but if you fail, I will cut off your balls with a rusty steak knife”.

With her warning still ringing in my ears… I logged into the ISC(2) website, credit card in hand (the one we were using to pay for our wedding – smart, I know), and booked in for the exam.

At this point I hadn’t looked too deeply into the actual CISSP material, and I almost fell over when I did. It was way more in-depth than I had assumed from the list of 10 domains.

I searched some forums for pointers on the CISSP exam. It seemed to be very sought after and popular, and intended for high-level managers and government agencies. This was a little intimidating; even worse was reading people’s horror stories of the 6-hour exam, and worse still was the rate at which people seemed to fail (people with more experience than me).

Without letting the thought of failure get me down, I started to look for some study material. In my travels I came across the Australian Information Security Association’s website (http://aisa.org.au/). At this point in time, I had never heard of AISA before, but it sounded like the right type of place to go if I wanted to be an IT Security dude for a profession.

The AISA website said that they were running a free-for-members CISSP study group, once a week, for people studying for the exam. The measly $50 membership fee paid for itself. I signed up and started going to the group. It was more of a refresher for each chapter in the CISSP study books, but it gave you more motivation and focus than just sitting at home and reading the book by yourself.

So my study routine consisted of watching one domain (DVD) a day or two before the CISSP study group and taking notes on the important facts. Then afterwards, going over the content in the group meeting, followed by doing some practice tests at home. Wash, rinse, repeat for the next domain.

Some of the domains were daunting. Cryptography was one. I had to watch those domains at least a few times, and constantly go over my notes to make sure I could remember certain encryption algorithms and how many bits each one used. The same applies to the security models; I had to print out a list of what BLP and Clark-Wilson were, and which rules went with them. (I could always remember the Biba model, thanks Justin.) The software development lifecycle was another tricky one for me as I am not a developer, but after going over the content (or in my case, DVDs) a few times it finally sank in, and I started to realise the whole concept of the CISSP is just logical thinking.

In total, it probably took about 3–4 months of study (probably about 5 hours a week, not including the study groups) and $300 or so in parking fines (for driving into the city to attend the study group). I had a few months before I was scheduled to sit my exam, and I didn’t study much at all during this period. I just went back over my notes and watched the DVDs again 2 weeks prior. (I wish I had given myself more time; I felt really under-prepared when the time finally came.)

The day of the exam came. As this was my first ever attempt at a certification, I didn’t know what to expect. I read the notes which ISC(2) had emailed me: ‘Bring pencils, erasers’ etc. With that advice, I bought 2 pencils and an eraser. I didn’t own a pencil case, so I just put them in my pocket the morning of the exam and made the journey. It also didn’t help that I was running on about 2 hours’ sleep from the night before. That coffee I was drinking the day prior to help me cram was definitely a bad idea.

I arrived at the building in North Sydney at an ungodly hour (ungodly for a Saturday). I saw middle-aged, uber-geeky tech-head types with backpacks migrating towards the entrance. I soon found out that they all had packed lunches, snacks and drinks. “Why didn’t I think of that!?” 6 hours is a long time to go without nutrition. I glanced around, and I would have been the youngest by a country mile. One guy was wearing a Microsoft polo shirt. (I didn’t know if that meant he was smart, or quite the opposite.)

At this point, I was feeling REALLY nervous. I didn’t appear to be in the same league as my fellow exam-takers, and I started to feel intimidated by the competition around me. “What am I doing to myself? There is no way I am ready for this” I kept thinking. And I especially didn’t want to let the fiancée down, considering I could lose my manhood to a rusty steak knife.

The dreaded moment came, and we all got ushered into a room to sit down. After receiving the general instructions, we all opened our exam papers, and began the exam.

In the interest of adhering to the ISC(2) code of ethics, I am unable to speak of the exam or its contents. But on a personal level, I was surprised how easy it was to begin with. I was breezing through questions. A guy in front of me dropped his paper on the ground by mistake, and I noticed he had only filled in half as many answers as I had. I was feeling confident at this point. Then bam… I ran into one of those ‘tricky’ questions you always hear about, not knowing the ‘best answer’ (as opposed to the right answer). I started to worry as I was wasting time scratching my head, so I marked it with my pencil and continued on. Then the next question was similar, and the next one, and the one after that.

I started to get frustrated and lost my cool (because I am usually a very cool guy, you know). During my loss of cool, I realised I had to go to the bathroom, but as you can only go one at a time, there were already 5 guys waiting to go before me. To make it worse, the guy next to me started chewing on some sort of snack, and proceeded to spill his water bottle onto the ground next to me.

“I need to clear my head” I was saying to myself in frustration. Finally my time came to visit the bathroom. I had a drink of warm tap water and washed my face. “Just what the doctor ordered”.

I re-entered the exam and decided to skip over all of the trickier questions that I didn’t know at first glance and continued on. I finally got to a patch where the questions appeared easy to me, and I felt like I was going great. It didn’t last for long and I got stuck again. This would have been a few hours into the exam (plus an additional 2 hours from when I arrived).

At this point my stomach was twisting up with hunger pains, I was thirsty, my eyes were stinging and my head felt like it had been hit with a sack of potatoes and dunked into a bowl of glue (weird sensation, trust me). The lighting in the room seemed to be getting darker and blurrier. I was getting purple splotches dancing around my vision. My back was aching from sitting in the one spot for hours on end, and my body hurt from lack of sleep. At one point when I glanced up to look at the clock, I thought I saw a leprechaun dash across the front of the room riding on the back of an albino goanna.

This was starting to get tough. My head was playing games with me. I would come across a question and it would remind me of a previous question which I now realised I had got wrong. So I was jumping around the pages trying to find that one question before I forgot. I started to second-guess myself and the answers I was putting down. Some questions seemed so easy that I assumed they were a trick (“It’s a trap!” memes were popping into my head). I’d re-read the question a few times and keep changing my mind. “In what context are you asking?!” I felt like screaming at the paper.

I looked up at the clock (no leprechaun this time, just a creepy proctor staring straight at me), and I was doing well for time. I was about 4 hours in and I had ‘finished’. But I still had to go back and mark all of the answers onto the answer sheet, and revisit about 50 questions I was unsure of. This was a killer… of the 50 questions I was unsure of, 2 of the answers could be right, but for whatever reason it was a struggle to figure out which one. My mind was fried; hours seemed to be going like minutes and minutes seemed like hours. This was when people started walking out and handing in their sheets.

This stressed me out a little. I took another hour to put all of my answers in, and to go over my exam one more time and MAKE SURE I was happy with what I’d selected. Numerous times I felt myself wanting to change answers, but figured that my first instinct was probably the right one.

I finally handed in my exam with one hour to go on the clock. There were probably about 10 people left in the room (out of 30-odd).

One of the proctors (the creepy staring guy) gave me an ISC(2) pencil as a ‘souvenir’ (I didn’t dare smell it). It was like being tortured in prison and then being given the cork I’d been biting down on as a gift. “Thanks mate…” I politely said, covering my arse on the way out the door.

On the way out, I bumped into another guy in the hallway. He looked tired and stressed. The little remaining hair on his shiny head was frayed and looked as if he’d been pulling on it. “Let’s never do that again!” I joked. “That’s the plan,” he grumbled. And with that, I made my way to the nearest pub and sank a well-deserved cold beer.

It took 6 weeks… to the day. 6 long and gruelling weeks to get the email with my results. Every single day and night I was re-thinking the exam in my head, and knew I had got things wrong. I was doubting myself big time. I couldn’t even remember most of the exam… if you asked me what some of the questions were, I couldn’t tell you – the whole experience has now become a blur. The only things I remember are the premise of a few really hard questions, which I went over in my head for 6 weeks.

On that fateful Saturday morning… 6 weeks to the day, my fiancée opened up Gmail on my PC. I was accidentally still logged in from the night before (heh… security?).

“YOUR RESULTS ARE HERE!!!” she screamed, running out to the lounge. “OPEN IT, OPEN IT!!!” (I checked to see what she was holding behind her back… yep… a steak knife)

I couldn’t open it straight away. I was sure I had failed. I looked at the screen… Subject = “CISSP Examination Results”. I stared at it for a few minutes, paced back and forth, but couldn’t do it. I went and got a beer from the fridge and sat on the balcony… thinking about the possibility of having failed as I sipped it… but then thinking to myself… ‘what if I passed!?’. Without thinking a minute longer I got up and went over to the computer, took a breath and clicked on the email.

Now, I had read on forums previously that when people got their results, the email either said a big CONGRATULATIONS at the top, or if not, contained a body of text telling them their score and what they needed to improve on.

I opened the email… and DID NOT see CONGRATULATIONS! I saw a whole page of small text. My heart sank for a moment, a tear almost dripping from my eye. I began to read the email. Then in small letters towards the start I saw ‘Congratulations, this is to notify you that you have passed the CISSP examination!’.

I heard a high-pitched yelp emitted from somewhere. On closer examination I think it was from me. I was too stoked to say anything. A tear welled in my eye. I looked up at the fiancée… “I passed…” I muttered. She dropped the steak knife and gave me a hug. Celebrations were had by all. The hard work had paid off.

I might sound lame for this in-depth, bleeding-heart post about my CISSP achievement. But at the time it meant a lot to me, being the first exam I had ever attempted, coming at an unfortunate time, and being one of the hardest things I could have chosen to do. I was trying to get this damn piece of paper so I could finally wave it at recruiters and land myself a job I actually enjoy. So it was a momentous personal victory.


If you are considering doing the CISSP, I recommend the book from Shon Harris below. It is the best book for studying for the CISSP exam, in my opinion.

If you don’t like reading and prefer multimedia to help you study (like myself), this is the best boxset of DVDs. I actually used these.

I have written a new blog post following up from this post. 12 months after passing: Was the CISSP worth it?

13 thoughts on “A journey into hell. My CISSP experience”

  1. Great post Matt :)

    I had similar experiences during my CISSP examination. I would highly recommend anyone taking the test to take along some food and water – the biggest part of the battle is keeping your sanity during those 6 hours.

    Glad you passed! Keep up the good work.

    Phill

  2. This post was funny but at the same time scary…
    I am planning to take the CISSP certification sometime soon and I have gone through the CBT Nuggets videos but stopped halfway because I had to study for my last undergrad exam….
    anyway I have taken your tips into consideration and will prepare really well..
    I will also need guidance in the security world so sure will be in touch

  3. I really enjoyed reading your blog entry on your “journey into hell”. I’ve been going through some very similar experiences in the last few years and am now considering studying for the CISSP as well. I recently completed a program in Computer & Digital Forensics Investigation, but have no certifications (or as I call it, alphabet soup) after my name (although I do have degrees and plenty of experience). I recently attended a forensics conference here in the states and one of the presentations was on the CISSP and has whetted my appetite — but alas, I am still very pensive over the whole thing. I do congratulate you on your success.

  4. I’ve been a CISSP since 2005 and I enjoyed your story. I packed a full lunch and brought a bottle of water. I took 5 hours and 45 minutes to complete with a pass on the first try.

    One of my friends was taking the exam and he was right in front of me. I could tell he was hurting. No lunch, no breakfast [this guy smokes cigs for breakfast and lunch] and was very fidgety and agitated. To this day, he has yet to pass. He’s studied more than anyone I know and I figured it comes down to test-taking skills to marry with your real skills.

    I wish you luck in your future career in InfoSec.

  5. Great story,

    I love the depiction that you have done and the many tips you have shared. I have been maintaining a portal specifically to help CISSP in becoming for 12 years.

    You can see a nice tutorial on how to become a CISSP at:

    http://www.cccure.org/article1477.html

    It talks about every step from a to z.

    I also have a very complete quiz engine to practice at:

    https://www.freepracticetests.org/

    You can get over 400 questions for free. More are available for $39.99 for a 6 months subscription.

    Best regards

    Clement

  6. I passed my exam in Jan 2006; it took me 2.5 hours. I was certain I had failed though at the time (a common feeling). The only training I did was to attend a training camp. I can actually say that was the limit of my preparation. I didn’t read or watch anything else, but my instructor was awesome. I had Larry Greenblatt, and combined with my experience that was enough. Fast forward a few years and I have actually been teaching CISSP. I can vouch for Clement’s site. There are good study aids, the aide-mémoire and what not. Also, if you can do the hardest set of questions on the loosely related setting you will be well off. I will say this though, DO NOT try to memorize the practice questions. Those questions are not on the exam; the concepts are. So if you know why the answer was right on the practice test, you will do fine on the real exam.

  7. I was in the middle of reading your adventure, shaking my head in agreement that it was so similar to how I felt when I was taking the test… midway through reading this ‘the email arrived’… I passed too! I am sad though, I had no leprechauns entertaining me in the process :(
