What a CISSP boot camp is like | Cyber Work Hacks

Infosec and the Cyber Work Hacks podcast are here to help you prepare for and pass the CISSP exam from ISC2. For today’s hack, we’re talking boot camps. If you’ve been preparing for the Certified Information Systems Security Professional (CISSP) study guide for six months or more, you might learn better in a concentrated, focused environment with expert instruction. 

And that expert is Infosec boot camp instructor Steve Spearman, who has helped hundreds of learners prepare for and pass their CISSP. Steve will walk you through what the Infosec 7-day CISSP boot camp is like, which can make the difference between passing on the first try and the headache and heartache of having to re-sit the exam. 

0:00 - What is a CISSP boot camp?
1:37 - A boot camp versus university cybersecurity education
2:47 - What is a cybersecurity boot camp schedule like? 
6:54 - Cybersecurity boot camp communication 
9:50 - Cybersecurity boot camp homework
12:13 - Taking a cybersecurity certification exam
15:44 - Is a cybersecurity boot camp right for me? 
17:36 - Outro

 

Chris Sienko: 

All right. Infosec and the Cyber Work Hacks podcast are here to help you prepare for and pass the CISSP exam from ISC2. So for today's hack, we're talking boot camps. If you've been preparing for the Certified Information Systems Security Professional, or CISSP, study guide, for six months or more, you might learn better from a concentrated, focused environment with expert instruction. And that expert instruction comes from Infosec boot camp instructor, Steve Spearman, who has helped hundreds of learners prepare for and pass their CISSP. Steve will walk you through what the Infosec seven-day CISSP boot camp is like, which can make the difference between passing on the first try and the headache and heartache of having to re-sit the exam. You don't have to do it alone, but to learn more, you do have to keep it here for another Cyber Work Hack. Hello, welcome to a new episode of Cyber Work Hacks. The purpose of this spinoff of our popular Cyber Work podcast is to take a single fundamental question and give you a quick, clear and actionable solution, or give you new insights into how to utilize Infosec products and training to achieve your work and career goals. So my guest today, Steve Spearman, is an Infosec instructor. But he's not just an instructor; he is our boot camp instructor for ISC2's career-changing certification, the Certified Information Systems Security Professional, or CISSP. So for today's Cyber Work Hack, we're going to do something that people have been asking for: we're going to take you on a guided tour of what it's like to take a certification boot camp. So I'm really excited about this, and I hope you are too. Thanks for joining me today, Steve.

Steve Spearman: 

Oh, it's a pleasure, Chris, always.

Chris Sienko: 

All right, well, thank you. So, Steve, just to get everyone on the same page, can you briefly explain some of the differences in boot camp training for a certification exam versus, say, an academic class or self-study?

Steve Spearman: 

Intensity. It's like it is it is drinking from a fire hose for five and a half, six days. Basically, yeah, the CISSP. We do do five day boot camp, but typically six days, and I can talk a little bit about how those end up being put. It's, you know you can. There are different ways to skin a cat, you know you could do, you know, an hour to two hours of study over a three month period. Or you could do a boot camp and it's there. You know both of them can work for a lot of people. The boot camp is going to be the most effective way to do it because you can get in, get it done, get out and pass the exam, you know.

Chris Sienko: 

So yeah, yeah, the difference between taking a polar plunge and like dipping your toe in a frozen lake, you know, for five minutes a day for six months straight, is that one is one is infinitely desirable to the other because you're going to just going to do it. You're going to be done with it. So so I want to talk about this. So we were talking five and a half to six days of a boot camp. I want to get a sense of what the schedule is like for these days. Like what? How much of each day is spent on different domains or knowledge areas of the exam. Can you kind of give us a day to day break?

Steve Spearman: 

So there are eight. There are eight domains in the in the boot camp or, I'm sorry, in the certification. It's a six day. My actual boot camp it's sort of instructor specific, but my boot camp it tends to end around noon on Friday and it starts early on Sunday. So it's, you could say, six day, six day boot camp, and the first part of Sunday is spent just kind of gearing up like we make introductions, we, we, I do things about how do we make the most of the week, that kind of stuff. Then we get into domain one. We get partially done with domain one. On Sunday we finish that up on domain on. We finish up domain one, which is the most heavily weighted you know part of the of the exam domain. Then on day two we do security engineering. That's when we get into cryptography and digital certificates and digital signatures and all that kind of stuff. This is not a technical exam. It's worth, you know people need to understand that. But it is really really important you understand certain technical concepts and and it's it's interesting, I actually don't have a technical background. It's very, very common for you know 60, 70% of the people in a boot camp that actually have more technical experience than I do, but I really enjoy teaching that more technical aspect. So security engineering, and the next domain which we cover on Tuesday is tele, is network and telecommunications. Those are the two most technical domains and then so when we finish up by end of day on Tuesday, we finish telecom, and then there are four domains left and we cover two on Wednesday and two on Thursday. We finish up all the content on Thursday. So just just to break it down. So that means Wednesday we cover on. In the morning, we cover the the gosh, I'm risk Authentic access controls, okay, and then in the afternoon Sorry, brain fart there yeah, yeah, we cover access controls on Wednesday morning. 
We cover security assessment on Wednesday afternoon and then we do security operations and software on Thursday. By end of day, Thursday, we're done with all the content and then on Friday we do what I call review. So we basically go through some of the concepts, we'll review different mnemonics, things like that. You know it's an intense week, there's no question about it.

Chris Sienko: 

We also right.

Steve Spearman: 

Yeah, these are full days. It takes about 48 hours. It's about 48 hours long. We spend we spend a lot of time doing questions in class. Okay, you know, several hours worth during the week, like where we just do at least an hour every day and in even more probably most days, and so it's kind of it just breaks it off. I've had a lot of feedback saying they really enjoy the question parts of that. It's it kind of helps build sort of the the group dynamic. So, and that's an important component, the main thing that's sacrificed when we do a five-day boot camp Monday through Friday the Friday's full day, but is it? We don't spend as much time on questions and I think that that's. You know that that's a bit of a loss. I'm not saying those aren't effective boot camps, but I think there's a read in there. Our default is a six-day CISSP boot camp. There's just a lot, a lot to cover.

Chris Sienko: 

Absolutely. Now I want to talk about the communication in these boot camps. I know, pre-COVID, we mostly thought of boot camp classes as something where everyone flew to a single site and barricaded themselves in a hotel room, conference center with a mountain of pastries and coffee and sweated it out together. But these days, obviously, boot camps are, and have to be more flexible, with remote learning and remote entry and so forth. I'm wondering how classes managed to retain this type of communication during the class, because it sounds like you do have a lot of back and forth with the class. Like what is? What is that like in terms of these days?

Steve Spearman: 

Well, one of the things there's no question that you know, I like to say one of my mantras in life is everything's a trade-off, right. So there are some real benefits to remote learning, to remote boot camps, and there are some things that are hard for some people, which is why we still do a significant number of live. I do a significant number of live on-site boot camps as well, but the thing is, though, there is an inherent kind of structured communication capability built into Zoom, which is the primary platform we use to deliver these, for example, chat. So chat, you know you just, you know that's you putting a chat message. I am, I try to keep a close eye on the chat box. People ask questions. They'll make comments. It's kind of interesting, you know, in any boot camp you have a. You have a range of different kinds of personalities, from the, from the highly gregarious outgoing people sometimes I have to. You know it's like. You know they can take over, and that's a classroom management skill, you know. And then you have the person. It's sitting in the back of the room and they're just watching everything. They're probably the smartest person in the room, you know it's like. So, with something like an online class. I feel like that. It gives you an opportunity to to sort of just take your strengths, kind of you know, and take. That's true with on-site classes as well. But I think the biggest trade-off, negative trade-off, is just many, many, many people tell me they can't watch it. They can't look at a computer screen for eight hours, you know, or more a day, and they prefer the on-site. We offer both and we actually do hybrid classes where I'm doing live training and there's a remote component to that as well. So, which you know, I think it's interesting. It's like you know it's, you know whether you have it managing. It's challenging for the instructor, but but we do them. We get good reviews for those. So you know it's, you know it's possible.

Chris Sienko: 

Definitely works. Yeah, so I want to. I read the syllabus, you know, on our website, and I see, I see that evenings are often earmarked for individual or group study in order to make sure you're retaining everything. What are are these? These are obviously optional, but what are these? After class learning sessions like, do you take part in these?

Steve Spearman: 

Well, I don't do them as an instructor that is instructor specific and I used to do them and I don't do them now for an interesting reason. I at least I think it's interesting. It's that I think it is important that people spend time on their own doing homework. Yeah, you know, it's tempting. Here's the problem with group study. I'm a big fan of group study and that's why we do questions as a class, you know. But people need to to go, they need to dig into questions. You know the, the, the different ISC2 questions that we use, exam, sample exam questions, and in a group dynamic you have one person who's really on top of it and they're answering all those questions and the person who's sitting right next. Yeah, this certain person sitting right next to them thinks they got it, but they didn't. They just heard the other person. So, yeah, I just found it's most effective use of time to send people off. I do, you know, if you know there are venues for doing group study, and I don't. I'm not saying don't do it, but I think it's important people spend time on their own. Some instructors do it and I. You know that's good, it's just, but I, I, we tend to finish our boot camp, you know, around between 4:30 and five in whatever time zone it's going to finish, and then I say, okay, you got a couple hours of homework to do.

Chris Sienko: 

Yeah, I was going to say it. Regardless, you're definitely not saying don't study in the. You're saying you got to keep your head in the, in the, in the, in the content for the whole time. You can't take your head away from the fire hose?

Steve Spearman: 

Yes, no, I tell it. No, I say you need to. I even make the point that it's not just merely doing questions, but you have to really understand why the questions Like if you get it right or get it wrong. You need to understand why you got it right or wrong. So it takes you could just knock out a bunch of questions the homework questions, which is 80 per night, 80 questions per night, and you know you could be done in 40 minutes, but you're not doing your homework. Then you've got to go in and dig into why you got it right. Did you get it right because you were lucky or did you really understand the question? If you got it wrong, you got to dig in and say okay, did I, do I understand the explanation?

Chris Sienko: 

So now let's talk about exam day. What's it like when you're ready to take the exam? Do people go right into taking the exam from the boot camp, or do they give their brains a few days to cool down? Or is that, is that a worry, that if you do that, it kind of all tumbles back out again?

Steve Spearman: 

Here's my recommendation, with caveats. I recommend that people don't examine, don't schedule their exam, immediately following bootcamp. And here's one Now. It's like it's a rule of thumb, because you have people that come into the class that have been preparing for months and they're ready. They come into my bootcamp. My bootcamp is kind of like just the seal, like they're. Yeah, it's like a reinforcement to make sure that you, it's a reinforcement. They've been prepared. You know, I had somebody in my, my class, you know, several A few months ago. She was so prepared by the end I joked, I said we're going to have some bracelets made WWLD. What would Lauren do Like? Because she was so prepared, like you know. But at the end of the day, it's like, you know, yeah, varying things. The third week following the ending of the bootcamp seems to be a good target. It allows people you know, your average learner to kind of know they're prepared. One of the things that I do during my bootcamp is I give them what I say here's when to know you're ready for the exam. It's what I call the readiness assessment. And so they can monitor their results coming out of bootcamp. And you know, and I recommend that by the end of the bootcamp I want them to have scheduled their bootcamp sometime, two to three weeks after the exam, two to three weeks after the bootcamp, and then if, according to this readiness test, if they're not ready, you know, two days before they need to push, they need to. You know I'd rather them, you know I'd rather than you know, pass. And so it's like you know. That's why I tell them here's how to know when you're ready. So yeah, now the other thing too is the day of. 
I don't know if you want me to comment like on the day of, but the day of it's like get there 30 minutes ahead of time, take you know, you know, review a few of the mnemonics, things like that, and then sit down and take the exam and then you're giving a given, a whiteboard during the exam is. Go ahead and just write out your, your, some of the mnemonics and things like that to you know. Get it out of your head if you can.

Chris Sienko: 

Yeah, now do you find out how you did that same day, like when you submit your test, do you get the results right, then you don't get it in the workstation.

Steve Spearman: 

That's one difference between the CISSP and the citizen. The system tells you in the workstation congratulations, you passed you. The exam ends and then you go to the proctor and they give you a piece of a piece of paper and it says either you provisionally passed or we're sorry but you didn't. If you provisionally passed, it doesn't tell you how you did on the domains. You have to pass all the domains. If you fail it, it says how you did on each domain, either above proficiency that means you passed near proficiency, close or below proficiency, which those are the domains you need to focus on.

Chris Sienko: 

Well, that's good, I know. I know a couple other exams give you absolutely nothing in terms of you know other than pass or fail. So it's good to know that at least you can. You can get a sense of what you need to sort of strengthen for next time. So I can wrap up here for listeners considering taking a bootcamp for certification exam study Steve, what advice or evidence can you give to listeners who are wondering if this is their best option? Like you, pretty well laid it out. But let's just kind of wrap that up a little bit.

Steve Spearman: 

I mean, the key thing is that we know. So here's an interesting thing we don't know the pass rate. The ISC2 doesn't publish it. It's something I wish they did publish, but they don't. If you Google Google like pass rate you get a pass rate as low as 20%, as high as like 70%. I would imagine that between 60 and 70 is correct, is probably correct, but what's? This is what we know. We know what our pass rate is. We monitor it closely at Infosec and it's over 90%, A little bit over. It's not way over 90%, but it's 90% plus. So here we're talking about assuming I'm correct that it's probably the pass rate is between 65% to 70%. That's a significant boost in pass rates. So if you want to know the best cheat for passing the CISSP, your best cheat is to take a bootcamp. It's just statistically, we know it's the best way to prepare. I monitor different forums of people that do self-preparation and study and there are many, many of them that pass, but there are a lot of them that don't. So it's your best way to have a go in with a high degree of confidence that you'll pass the exam.

Chris Sienko: 

All right. Well, Steve Spearman, thanks for this entertaining step-by-step tour through your CISSP bootcamp. I hope it gets a bunch of new people in there.

Steve Spearman: 

Thank you very much, it was a pleasure.

Chris Sienko: 

And thank you all for watching this episode of Cyber Work Hacks. If you enjoyed this video and felt it helped you, please share it with your colleagues, forums or on your social media accounts. That really helps us out a lot, and definitely please subscribe to our podcast feed. You can get it on any of the places you get podcasts, or go to YouTube and type in Cyber Work Infosec and you will be well on your way. We've got plenty more hacks to come, including several more CISSP's with Steve Spearman, so if you have any other topics you want us to cover, drop them in the comments below. Until then, happy learning. See you then. Thank you.
