CISSP exam tips and tricks: Avoiding common mistakes

Chris Sienko: 0:00

Good news. Infosec and Cyberwork Hacks are here to help you pass the CISSP exam. This is part one of a two-part Cyberwork Hack in which Infosec's CISSP bootcamp instructor, steve Spearman, gives you his top tips and tricks for taking the CISSP exam. In part one here we'll be talking about what makes the CISSP such a difficult exam, common mistakes people make while taking the exam and what to do if, heaven forbid, you don't pass on the first try. You don't need to do this alone, but you do need to listen to Steve's amazing suggestions in this part one of this week's Cyberwork Hack. Hello and welcome to a new episode of Cyberwork Hacks. Purpose of this spin-off of our popular Cyberwork podcast is to take a single fundamental question and give you a quick, clear and actionable solution or a new insight in how to use Infosec products and training to achieve your work and career goals. So my guest today, steve Spearman, is an Infosec instructor and, among his many areas of expertise, he is our bootcamp instructor for one of the most requested and most desired certs in the industry, that's ISC2's Certified Information Systems Security Professional, or the CISSP certification as we all know it. So for today's Cyberwork Hack, steve has some tips and tricks to help you pace yourself and strategize taking your test day with the CISSP. So thanks for joining me today, steve. It's a pleasure, chris. So, steve, we know that the CISSP is pretty officially known as one of the most challenging exams in cybersecurity and among even the most talented security professionals. We know I know, more than a few of them have failed the exam once or more, and there's no shame in that. This is a biggie. So, to start off, I want to ask you what it is that makes the CISSP such a challenging exam to take and such a challenging certification to get.

Steve Spearman: 1:52

It is a very difficult exam. There's no question In class I say this for many of you will be the most difficult exam you will ever take in your life. It's very difficult. The reason is kind of interesting, so it covers a lot of topics. There are hundreds and hundreds and hundreds of specific topics. There are some people that have indexed that and I don't know the exact number, but maybe it's even thousand. It depends on how you define a topic, but it's like it is. A lot of people say it's a mile wide and an inch deep. It doesn't go deeply into any topics, but it covers a huge volume of topics. So, you have to be familiar with a lot of different, a lot of content, and one of the most common questions I get asked during a boot camp is we'll be covering some topic in the slide deck and they'll say could this be on the exam? And my answer is if you're looking at it on the screen. I don't say it snarkily, but it's like it could be on the exam. If it's in this PowerPoint deck, it's definitely in the Everything's in play. And the company knowledge and, yes, it could be on the exam. So, yeah, so it's just a lot of material. The other thing I would say is tricky. It is the questions are kind of tricky, like you have to really dig into, kind of understanding, what they're trying to get from you as the test taker. With exams, and I think most certs are known to have what are called distractors. These are questions, these are answers to questions that look good like oh wow, but they're actually not, they're wrong, and I think the CISSP is possibly the trickiest exam out there. I don't mean that in any way to imply kind of any sort of ethical failure. It's like it's just, the questions are very particular and even occasionally peculiar. So yeah, it's, and so you have to understand how to break down. Questions is what it is, the one of the critical skills.

Chris Sienko: 4:14

Yeah, and in their defense, I mean, this is the certification that basically says to the industry like I am, I am at least somewhat knowledgeable in every conceivable thing that you could possibly need before in the realm of cybersecurity, whether it's cryptography or physical building security or anything. So you know, you almost have to be kind of a very sort of like a Wikipedia of cybersecurity or a reference library of cybersecurity.

Steve Spearman: 4:41

Like, if I can't have every man, I can get it.

Chris Sienko: 4:43

Yeah, exactly yeah. If I don't have it in my brain this I have all the prompts. I need to sort of get to all the things so. So, based on feedback you've received from people who have taken your boot camps, what are some of the most common mistakes people make with the CISSP, either leading up to the exam or on the day of the exam?

Steve Spearman: 5:04

Well, leading up to the exam, it's just not preparing, not not being prepared. You know not, you know so. So that's you know. Hopefully, if they're my boot camp, that problem hopefully is going to go away, especially if they're taking my advice during the boot camp. But on the day of, I think, first of all, just not being rested is a common, you know, and it makes a huge difference. This is a taxing test by about question 90, you're like, you're so spent, like you know, and 90 out of what 150 or something, is it? or so the minimum it's right now, until April 15th, it's 125 minimum, 175 maximum, wow, so, and you know, so it's like you know, you have to really double down, get rest, you know, you know, be well rested and, and you know, be hydrated, all that sort of stuff like, so that you can, you know, perform at your maximum, you know, and also, the day I just don't be stressed get there early, all that sort of stuff. So the thing is, in actually taking the exam, the, I think the, the, the, the number one piece of advice and possibly the number one failure that people Will have is not taking their time. You have plenty of Time. Oh, so, if you, if you have, if you, if you, if you finish at 125 questions, which is sort of like acing the exam, you know you've got on one minute and 15 seconds per question, and if you go all the way to 175 Questions and then you've got about 85 seconds per question, you have time. And people Like me I'm actually quite an impatient test taker and you know I think you're time, you have time. I have been doing this. I've had hundreds and hundreds and hundreds of students. I guess it's probably well over a thousand students now and go through my CIS is P bootcamp and I've never had a student run out of time that that has told me they ran out of time. Right, I've. You know, you, you have to get to 125, but if you get to 125 you're gonna have a scored exam and and and you know it's never happened, it's so you've got Tom. That's really my main kind of point of emphasis is take your time. Yeah, if you being being rushed or in a hurry or impatient, it's gonna hurt you.

Chris Sienko: 7:43

Yeah, it's a marathon, not a sprint. You really have to you. You got to resist that temptation to go Blasting out of the front gate and and say, oh, I'm doing great, or whatever, because then you're just gonna burn yourself out.

Steve Spearman: 7:54

Yes, it's a marathon exactly, absolutely so.

Chris Sienko: 7:57

Can you walk us through some of your personal tips and tricks for taking the CIS P? I know that you mentioned some mnemonics before and things like that, but what are some things they should be watching out for on the exam? Or If you can give any advice regarding pacing or prioritizing certain problems when taking the test, that would be great.

Steve Spearman: 8:13

Yeah. So remember, with this exam you cannot review and answer questions later. In fact, is it cat, a computer adaptive test? But how you answer the question, this you know question, is going to determine what question you get next. Nobody takes the same exam. That used to be true for the linear exam but not for the computer adaptive test, and you know. So again, the most important advice I really do think is take your time. The second thing is that I'd say the second most important piece of advice is Eliminating wrong answers first. Yep, so you're confronted with four questions, I mean four answers to a question and you, and in 80% of them you can say well, it's not a and it's not d. It's like so, learning to, kind of you know, learning to you know, and you have to. I know, for me personally, taking this exam and in other certifications, you have to make your brain do it. You know it's like I don't know what it is about the brain, but we'd like to see this block of four answers and we'd like to process them together and what we're saying is like eliminate any wrong answers first. So when I'm teaching a bootcamp, I say I'm training your brain this week and what I'm training your brain to do. I can't give you all the content. Even with a week of a thousand slide, deck, powerpoint and all, I can't give you all the content. You're going to have to dig into that even more beyond bootcamp. What I can teach you is how to take the exam, and we're going to be practicing these principles. So I tell people, even if it seems kind of easy, just get in the habit of eliminating wrong answers first. So that's so, take your time, eliminate wrong answers first. Then there's some just general kind of things I like to let people be aware of. Taking this One is that I have this joke I tell people you are going to think you're failing the exam. 90% of people are thinking I'm failing this exam. It's just, this is an exam, more so than I think other certification. It gets in your head. So I tell people during my bootcamp I say you guys, you're going to be in question 60, 80, 90,. You think I'm failing this exam. And here's what I want you to do Just remember this face. I want you to remember this face right here and see how I'm smiling. See how I'm smiling. The point is you're not failing the exam. The exam is getting into your head. Don't let it get into your head. It's, you're doing fine. Almost everybody that goes through this bootcamp passes the exam. Don't let it get into your head. It's like Steve Allen, another instructor, says it does not give you warm and fuzzies. That's just the way this exam is. So just remember. You're going to say I'm failing and then you're saying, oh wait, steve said I would say that no, I'm not failing, I'm doing fine, and then just keep plugging away and doing your best. So yeah, yeah.

Chris Sienko: 11:26

Again, going back to marathon things. They say that so much of it is the mental game, like you don't believe you can do it and then, but your body still could do it. It's just you shut your brain down before you shut your legs down. So I think that's really good advice. So I want to talk to the 9%, or whatever, who would rather not think about these things right now. What is your advice if you finish the exam and find out you didn't pass? Like what's your next step? To pick yourself back up and start climbing them out in the second time.

Steve Spearman: 11:57

So the thing is it does happen. It's not common, fortunately for me as instructor and for InfoSec as a company, but it does happen. So I've had people. The good news with what I do is the vast majority of messages I get from clients, from students, are yeah, I passed the exam, and so that makes my job really satisfying. But occasionally it happens. I even say this during the boot camp I said your value as a professional, as a person, is not tied to how you doing this exam. It's like and just remind yourself of that right, it's like you know you have, you are you're, you know you're a capable person. There may be a lot of reasons you know, some of which might be out of your control. I just you just got to let it go. And I actually think it's important for even first time test takers to kind of have a little bit of mentalities like I've done my preparation, I'm doing the best, I'm going to do the best I can and that's all you can do, right. So then I tell people is like if you, if it's an important goal for you to pass this exam, go ahead and schedule it 30 to 40 days out from now. Take the results from your sorry you didn't pass sheets that you got at. It was given to the proctor at Pearson View. Focus on the domains you're weakest at. And then and again I have a way that I have a recommendation that I call the readiness assessment that I use to help people know and it's like really gauge yourself from that. That readiness assessment, which is I want students to get 75% or higher on ISC2 slash Wiley questions. So these are the questions in the official practice test, I mean in the official study guide in the official practice test 75% or higher, and it needs to be questions you've never seen before. So you need access to a fresh bank of questions. If you see, if you miss a question today and you ask the same, you're gonna get it tomorrow. It's not a good assessment, in other words. And then use that to guide your readiness. Go ahead and schedule your exam, don't? You don't wanna pass it a second time. You don't wanna fail it a second time. You can't take it for 90 days if you do that. And then use that to kind of guide your preparation and then just believe you're gonna do, you're gonna do better next time and that I've had many people come through my boot camp, that for sitting in my boot camp. They had failed it before, in some cases more than once, who went on to pass it as a result, and I think it's taking the combination of advice and other things that really make a difference.

Chris Sienko: 14:43

So All right. Well so for those who did pass their exams, congratulations. We're imagining the best possible scenario right now. Do you have any advice for sort of keeping what you've learned fresh in your head and applicable for your job? I'm not talking necessarily like CPEs, but just ways to apply your newly learned skills on your job.

Steve Spearman: 15:02

I mean the thing is, I think people want to take they're for everybody, even for those that have 20 years experience information security. There's always new things, ideas that you can take away. So I would consider it. Use it as an opportunity to understand, like, what direction I wanna take my career. I've been exposed to some new ideas. Maybe I wanna focus on something different. And then, of course, just I think that subscribing to and to different information security newsletters I'm a big fan of Krebs on security is one of. He's a long form journalist in information security. Brian Krebs is amazing In different resources like that the CISA. Subscribe to CISA's alerts, different things like that. That can help you sort of stay fresh. And then, of course, the CPEs are important. You need it to maintain your credentials anyway.

Chris Sienko: 16:02

So yeah, all right. Well, I asked this in another Hacks episode, but I'm gonna wrap up by asking it again here what's your best piece of advice for exam day?

Steve Spearman: 16:13

For exam day is be rested, be rested. So.

Chris Sienko: 16:18

Yeah, yeah, and you mentioned before, you get a whiteboard right, You're able to like yeah, you have a, you're giving a whiteboard.

Steve Spearman: 16:25

you can take any mnemonics that you've memorized, put them on there, get it out of your brain and you know it helps reduce stress and things like that. Love that.

Chris Sienko: 16:35

All right well, steve Spearman, thank you for taking a bit of worry out of the processing of the CISSP. I appreciate it.

Steve Spearman: 16:41

Yeah, it's my pleasure, thank you.

Chris Sienko: 16:43

And to all of you. Thank you for watching this episode. If you enjoyed this video and felt it helped you, I hope you'll please share it with colleagues, forums or other people on your social media accounts and definitely subscribe to our podcast feed and YouTube page. You can just type in CyberWork InfoSec on YouTube or just type it into your podcast catcher of choice. Guarantee, we'll be there. So there's plenty more to come, and if you have any other topics you want us to cover, just drop them in the comments below. We do read them and we do appreciate them. So until next time, have a great day and happy learning.