Me vs. The CISSP — A Battle Story
Late winter clung to the delicate afternoon air, pulled away gently by the sun that shone bright. I cast my gaze upward, surveying the heavens for any clues as to my fate. No luck. The sky hides my fortune.
Fine by me. I will forge my own destiny on this day. I lower my gaze and continue on.
Steady.
This day, which may seem to be but any other day, was far, far away from any other day, for this was the day that I had chosen for battle. This was the day I had been training for, been steeling myself for, been steadily readying myself for, knowing the fight that lay ahead. This day was that day, the day for victory.
I continue towards the battlefield, eyes front, stalwart, unyielding. Sweat teases down my brow and along my back, either from the rising intensity building within my soul or from the heavy sweatshirt I was wearing. Who knows.
Steady.
“Focus,” I tell myself, eyes narrowing. “Focus.”
As I approach, closer and closer, I am already waging war with the beasts that lay within. Each quickening pulse brings a stab of fear, a prick of doubt, a seeming torrent of piercing anxiety. My mind parries each ambush of distractions as my body drives me closer, knowing that my wits are occupied. I tighten my grip on the wheel and guide my chariot forward. Forward to where I will taste my triumph.
Steady.
The fortress begins to grow out of the horizon. I can see it probing my soul, taunting me to encroach upon its hallowed ground, to dare and try to succeed. I meet its stare, in, like, a really cool way.
“You won’t scare me. Not today,” I whisper into the ether, moving closer. The building seems unfazed by my words, growing only more colossal with each second.
Steady.
I’m here. As soon as I cross the threshold, I know there’s no going back.
My hands, somewhat clammy, betray the forest of nerves I hide within. I grip my car door. My brain, electrified in nervous thought, cries out for reassurance. My heart, though resolute, pounds through my chest. Training has prepared me to face this moment, and I was ready to fell the beast, to slay the foe, to emerge as victor.
Courage lies not in the absence of fear, but in spite of fear. I take one long, steadying breath, open my door, and march into the fray.
Ready.
Why I’m Writing This
Don’t worry, this whole post won’t be written like that! Even though it did feel like a battle, and, yes, even though I did wear a sweatshirt that was way too warm for the day, I felt really prepared come exam time. Now that I’ve passed the exam on my first try, I wanted to take some time to organize my thoughts, hopefully in a way that others find useful.
The CISSP is world-renowned as a security certification, so there is no shortage of websites, trainings, books, and YouTube videos. However, information about how to jump into studying and best prepare yourself is scattered and I know I had to take a long time just to develop a strategy for how to approach this beast.
Overall, my goal is to share my approach for preparing for the CISSP exam. I didn’t take any expensive trainings, I simply studied hard on my own time and drew upon my experiences in IT and security (experience I gained since changing careers back in 2016).
Here’s what I’ll cover:
Bracing for Battle: My Studying Journey — my approach, how I had a plan(-ish), my struggles
Weapons of Wit: My Study Resources — breakdown of what was helpful and everything I used
Battlefield Brawl: My Exam Experience — the testing center, how I felt going in, my feelings during the test, etc.
Post-Clash Clarity: Tips, Takeaways and Advice — the lessons learned post-exam; mostly me pretending that I know how to relay wisdom effectively
I’ll assume that you are already aware of the CISSP exam and what it entails. If you’re not familiar with the exam, I’d encourage you to start with the official ISC2 site and branch out from there.
And, okay, maybe I’ll pepper in a dose or two of dramatism just for the hell of it because it’s fun to write. Those sections will be marked with the giant capital letter thingy at the start of the paragraph, with dividers in the text, in case you’d prefer to skip. I’ll only be slightly offended.
Bracing for Battle: My Studying Journey

No certification undertaking is a small commitment because every commitment in this realm involves resources and sacrifice. Putting aside the cost of study materials and exam fees, the biggest commitment you make is always that of your time. With time being your most finite resource at any given moment on any given day, how you choose to devote your time is important.
“Well, Nathan, why did you take the CISSP?,” you may wonder.
For me, the Black Hat USA 2023 conference last year was my inflection point. Throughout 2023 I had been searching for a personal development goal and had thought about the CISSP a bit here and there. But, being at Black Hat, surrounded by multitudes of dedicated professionals and exciting tech, I decided to jump in and commit myself once and for all. If I was going to excel at this whole security deal, I shouldn’t wait for anyone to create the opportunity for me. I wanted to set a goal and see it through.
I’m fortunate enough to work for a company that is supportive but not prescriptive when it comes to personal development, which I treasure. I chose the CISSP to kind of kick my butt a little bit and to re-energize my study habits in general.
I’m of the feeling that everyone should be able to explain exactly why they are pursuing a specific effort, especially for certifications. I’ve learned, through personal experience and that of friends and coworkers, most people get certifications for the following reasons:
Make a case for promotion — Certifications, in the correct work setting, can help people make their case for career advancement
Make a case for that next job — positions they are applying for or will apply for
It’s required (in federal government and military scenarios, for example)
Personal development — Certifications may not be required, but they use them to upskill and as a means of continuous learning
I will always support people who choose to get certified in whatever way, however I will also always tell people to ask themselves, (1) “Is this certification absolutely required for my current position, or the position that I want?,” (2) “Does this certification align with my goals? Will it put me on track for success or distract from what I really want?”, and (3) “Is this certification going to be the best use of my time, energy, and money?”
Spend your time, energy, and money wisely! Most people that I know are not blessed with endless wealth (myself included [insert crying face here]), and, money aside, most people I know have families and partners that they help provide for. You should consider the impact that your studying commitment and your spending on materials will have on your finances, your mental health, and your relationships. There will always be an impact, even if that impact is as small as robbing you of your free time. Taking time to consider these factors will leave you better prepared for when unforeseen stressors pop out at you at the least opportune time.
On the whole, my study journey lasted about six months in total, though most of that time I was not studying seriously. Only the last two months were heavily focused and disciplined, where I was studying each day. Here’s a breakdown of my study process in those two months.
If my study time was a deep dish pizza, I’d say it felt like 7 out of 8 slices were devoted to highlighting the entire OSG. And I do mean the entire thing! This was possibly the most mind numbing experience of my life, yet it turned out to be a great way for me to work through the study material.
To take breaks from highlighting, I started pouring flashcards into Quizlet. No kidding, I’m pretty sure I created thousands of them when all was said and done. Quizlet has been my study buddy ever since getting my CompTIA A+ years ago, so it’s my go-to when there’s a need to study. I’d flip through flashcards on my laptop and almost every night in bed on my phone. Did I use all the flashcards I created? Definitely not. They were still very helpful to have at the ready.
This process of reading and skimming over flashcards and material I’d read previously lasted for about 1–1/2 months. Then, for the final two weeks, I focused on drilling practice exams and study questions. I would do one LearnZApp practice exam each day, review any missed questions, and began working through the domain-specific questions (in the book of official practice exams) for the domains where I struggled. I’d always prioritize domains where the LearnZApp indicated areas of weakness. I never got below 70% on any practice exams or chunks of domain-specific questions, did better on some exams, and barely passed on at least one. This helped build my confidence that my study plan was working and I was going to be ready come exam time.
Treating my CISSP studying like practicing piano really helped reframe things for me
When you practice piano, you always have the “not fun” things that are fundamental for any pianist and a part of your daily routine. For example, major/minor scales aren’t exactly the sexiest thing you can play for your friends at parties, but they’re crucial for skills development. Finger exercises, scales, and arpeggios, among others, are just something that you know you have to do, that you should do, in order to build up your skills holistically.
Studying frequently felt like a punishment, let’s be real. Sometimes I felt like I was really into the material, sure, but more often than not it was like when you’re a kid and your Mom forces you to eat your vegetables. You don’t want to do it even if you know it’s good for you. Since my Mom wasn’t here to make me eat my CISSP vegetables, I shifted my approach to studying from thinking about it simply as reading to the more involved mindset of practicing. Flashcards were my new piano scales and reading study guides was like me learning a piano piece for the first time. Slow, intentional, methodical practice, chunking out material, and supplementing with other sources when needed, all with the goal of absorbing the material and making it stick.
I’m no wizard of discipline! Not in the slightest. Yet, the discipline I do have propelled me to get some studying done on the tough days. There will be days where you’ve had a long day at work. There will be days where things at home distract you, both good and bad. There will be days where studying is the last thing you want to do and you might even feel like you truly can’t study.
A piece of advice I heard from a professional bodybuilder, of all people:
“Remember the Five P’s: Proper Practice Prevents Poor Performance.”
It’s not “perfect” practice — not at all. Get perfection out of your head and forget about it. Remember that while your goal is to learn as much as you can, chasing perfection isn’t what will earn you your CISSP, but that 70% mark (that’s common for most certifications). All you need to do is demonstrate 70% proficiency on the exam. While I passed at 125 questions, my passing score is exactly the same as someone who passed at 175 questions. What’s cool is that it doesn’t matter! If you pass, you never even see your grade anyhow. Any two CISSPs will be the same because no one knows their actual score.
My advice is to go into your studies with the mindset that you’re practicing, not simply reading. Establish a routine of building the fundamentals and the discipline will build over time. Then, when motivation falters (because it will — motivation is not permanent) you’ll have your discipline to fall back on.
If you’re like me and the word “studying” can give you the willies, check out this free Coursera course, Learning How to Learn.
Weapons of Wit: My Study Resources

I remember what it felt like to receive that first CISSP study guide in the mail. I’d used the McGraw Hill “all-in-one” training guides in the past, so I went ahead and ordered the CISSP All-in-one, too. When I received it and realized how monstrous of a book it was, that’s when it finally hit me just how much knowledge I’d be expected to know when I sat for the exam. It was intimidating, if I’m honest.
In hindsight, it wasn’t so much the sheer amount of material to be covered alone, but the combination of that plus a fear of the unknown type of deal. I was diving into a certification effort that was wholly new and looking to learn while also earning a credential that carries a lot of weight.
To help address that fear of the unknown, I Googled like I had never Googled before:
I looked up the official CISSP site on ISC2, pulled down copies of the objectives, read about the Computerized Adaptive Testing (CAT) system, and everything else they offered about the exam and what the exam covered.
I dove into Reddit. Reddit can be a wild place, but it has a vibrant CISSP subreddit, r/cissp, where tons of Redditors have shared their stories of success and failure. Not every post is created equal here and the advice from post to post may conflict, but some of them were tremendously helpful. I can’t stress enough how helpful this subreddit was to my preparations (and encourage you to exercise due diligence whenever accepting a stranger’s advice regarding study practices). Active members within the subreddit are very supportive of one another.
Using different sources, including Amazon/book site reviews, I settled on study resources that I thought would help (full list below).
Speaking of study resources, I bought that McGraw Hill All-in-one shortly after Black Hat. After I started reading that CISSP All-in-one book, though, I quickly began to wonder about my study strategy.
“I should start with the official study guide, if anything,” I thought to myself.
I decided to buy the official CISSP study guide and the official practice exams (<$50 USD at the time). I’d focus on the Official Study Guide (OSG) and use that as my study Bible, my source of truth. Any conflicting information anywhere else would be disregarded and I’d always default to the OSG. For practice exams, I would rely on the official practice exams book to gauge the style and difficulty level of questions I may encounter come exam time. Anything else would supplement those sources of truth. Thus began the steady purchasing of materials throughout the fall of 2023.
Here’s a list of all study resources I obtained (paid resources marked with $):
Cybrary — Kelly Handerhan’s CISSP Course $$ (she is the BEST, I love her explanations)
Destination Certification’s Destination CISSP: A Concise Guide $ (don’t let the name fool you, it’s a large, beautiful textbook; another excellent resource)
Thor Teaches — CISSP by Thor Pedersen $$$ (can buy on his website, or individually through Udemy, I personally did Udemy)
Thor Teaches — ALL CISSP questions by Thor + Boson $$$
Pete Zerger’s CISSP Exam Cram Full Course on YouTube (crazily helpful video)
Kelly Handerhan’s Why you will pass the CISSP on YouTube (to be watched close to exam time)
Wiley — free online study questions and flashcards (simply register following the process in the OSG)
LearnZApp $ (mobile/desktop app)
Luke Ahmed’s How to Think Like a Manager for the CISSP Exam $
Mike Chapple’s LinkedIn Learning CISSP courses $ (this was free, thanks to my library card — you should look to see if your local library offers something similar)
Mike Chapple’s One-time Practice Exam $
Mike Chapple’s CISSP Last Minute Review Guide $
Now, everything above is hundreds of dollars in total. Trust me, I am definitely not rich. For me, the idea is that online reviews are one thing, but I want to see something for myself; dip my toes in the water of each resource and deem it useful or not.
By the way, it’s also important to note that I did not find all of these resources useful. And no, my list above is not a comprehensive list of all the good resources available, either. I’ll share more on that later when I get into the lessons learned.
My pulse, accelerating. My mouth, dry with anxiety. My muscles, tense, galvanized for action. My mind, honed, sharp, and ready. My ears, oddly sweaty from the noise-blocking headphones. The battle is on. No going back now.
Focus.
Thoughts of doubt, lying in wait, leap at my concentration from the shadows. The armor of preparation holds fast. Their attack, hellbent on my derailment, is unceasing, testing my defenses at every turn.
Click. Easy question — I parry the blow. “Nice try, CISSP,” I say with a smirk. Click. Another easy one.
Click. Click, click. Clickclickclickclick. I wiggle my mouse with a hushed, frustrated fury, clicking on emptiness all over the screen as the question before me evades my understanding. My opponent fights valiantly, earning my respect.
The monitor in front of me is my battlefield on this day, my mouse, my sword. Staring ahead I see only a minefield of logical snares, clever traps of comprehension, hidden, ready to strike, waiting for my misstep within its interface. “Not today…”, I tell myself.
Focus.
Each question, a wave of attack. My enemy is deft of hand and keen of strategy. I counter a weak strike yet soon suffer wounds from the next, poisoning my concentration with fear. They are too strong… There’s too many of them. This fight was testing my strength.
Training instilled in me the goal of 125 foes. 125 conquered enemies must fall before I may taste victory, or feel the pangs of defeat. Yet, I knew that up to 175 attacks may be launched before this battle was through.
I tighten my grip on the mouse and repeat the mantra that has seen me through before. I will not be defeated…
Focus!
On the Battlefield: My Exam Experience
I, like many of you, I’m sure, fight back imposter syndrome more often than I may care to admit. And while people talk more openly about their failures than they may have in past decades, the fear of failure is still a powerful force. While studying, I’d be lying if I said I wasn’t worried about failing. That kind of fear is, unfortunately, a thing, but it’s something that many people can empathize with.
The best thing I did to combat those feelings was to practice and prepare. That way, when I walked into Pearson Vue, I would know that I was ready.
My experience at the Pearson Vue testing center was quite pleasant. The facilities were clean, the staff was friendly and professional, and the testing area itself was nice and quiet. If you’ve never been to a Pearson Vue testing center, you should go and simply ask for a brief tour. At worst, they may say, “No,” but at best you will get a chance to see where you will be taking your exam.
On the day of your exam, I’d recommend that you:
Arrive at least 30 minutes early. This allows plenty of time for you to use the restroom, handle the paperwork, and take care of other security measures. This alleviates any stress which could come with being in a rush.
Eat filling, healthy meals and mind your liquids. You are able to take breaks during the four hours of the exam, but you do so at the cost of your total time. The clock will not stop, so mind your caffeine and liquid intake, and, if possible, try to go into the exam fueled with a good meal a reasonable amount of time beforehand.
Pause and take a minute or two to collect your thoughts before going in. You may very well feel nervous and anxious. Taking a second to experience the calming effect of a few deep breaths and introducing some reassuring thoughts into the mix might help you enter the testing center in a healthier mental state for excellence.
For the test itself, they had a pair of these gigantic, noise-blocking headphones that were like an unexpected gift from the heavens. Even though everyone else there seemed to be very polite, making almost no noise, having those headphones on brought me back to my happy place. I’m always wearing headphones at home so it made me feel comfortable, just like when I was studying.
The room itself was comfortable — not too warm, not too cold. There was also a nice hum from the air system, like the brown noise that’s popular for meditation/focus (check it out and see if you like that kind of sound).
I didn’t take a bathroom or snack break, but, had I done so, I knew that the bathroom was close by. This was because I went to the bathroom immediately beforehand (mind that liquid intake on test day!) to wash my hands, take a breath, and psych myself up in the mirror.
Again, remember that you are able to take breaks during the exam but those breaks will count against your time. The 4-hour timer will not stop. There’s nothing wrong at all with taking breaks as needed, just be aware of the time remaining!
Of course, if you have any questions or concerns about time and/or breaks going into the exam, be sure to ask the staff. The staff at my location were extremely polite and answered any question I had right away.
Post-Clash Clarity: Tips, Takeaways, and Advice

First, I want to mention something that I think is important: I can only speak to my own experience. This is also true for anyone else whose advice you may read regarding the CISSP exam. Know that there are many resources out there that make hefty promises, or lob catchy titles meant to drive traffic to their site. I mean, some people even have fully fledged business enterprises out of helping people train, which is, of course, completely fine. However, you don’t have to take an expensive training course, and you don’t have to use any particular training material. Just know that your precious dollars are the object of many an entity’s eye, so be judicious in whose advice you follow (including from me!). Sermon complete. Moving on.
As you take the exam, you will know right away whether or not certain training materials helped prepare you sufficiently. For me, some materials soared while others floundered.
In an attempt to help you save some dough, here’s my list of resources that I would consider absolutely essential to your exam prep:
(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide & Practice Tests Bundle: Just get the bundle! Besides, you should purchase both the OSG and the official practice tests. The OSG is always your source of truth.
LearnZApp: This app is endorsed as the official training app for the CISSP and it’s worth every penny. It’s not perfect. For instance, the UI isn’t my favorite at all, and block text is often presented with little space or separation. While there is duplication of training questions between the app and the official practice exams, there are thousands of questions available. The included practice exams, which are 125 questions each, are an excellent way of gauging your preparation!
Pete Zerger’s CISSP Exam Cram Full Course on YouTube: First, it’s free (woot, woot!). Pete provides almost eight hours of content. What I love about this video is that he focuses on the important stuff without dwelling on unnecessary details. He covers important points for every domain topic. I couldn’t recommend this video enough.
Cybrary — Kelly Handerhan’s CISSP Course: A monthly Cybrary subscription can be a little pricey, but it’s worth it to experience Kelly’s course. While Pete Zerger covers only the essentials, Kelly dives deep into each topic, explaining everything clearly and thoroughly. Throughout her course, she reinforces how you should approach different topics and helps build what some refer to as “the CISSP mindset.” After her CISSP courses, I’m a huge Kelly Handerhan fan. She’s a wonderful teacher.
Kelly Handerhan’s Why you will pass the CISSP on YouTube: Continuing on the Handerhan fan train, this is only something you should watch the day of your exam or perhaps the day before. Assuming that you have studied sufficiently for the exam, Kelly provides assurance that you will pass the exam, walking through a few key points in this short, 10-minute video. This was surprisingly helpful!
Now, here’s the set of resources that I found helpful as supplemental but not quite as helpful:
Wiley — free online study questions and flashcards: Within the OSG, they give you instructions on how to register for access to free online study questions and flashcards provided by Wiley. The coverage wasn’t comprehensive, yet the content, including the practice questions, was helpful. This is another free resource that should be taken advantage of.
Luke Ahmed’s How to Think Like a Manager for the CISSP Exam: You’ll likely see many mentions of this book throughout different posts on the Internet, as did I, which is why I bought it. I only skimmed through the book and read the first couple of pages. The book dives deep into example questions to explain, in detail, how to approach CISSP questions and to “think like a manager”. For the money, I think it’s a bit expensive for how small of a book you get.
Destination Certification’s Destination CISSP: A Concise Guide: The OSG is the OSG — you get lots of dry, informative content. But, literally every official study guide is like that. The Destination Certification team delivers a gorgeous textbook (in full color, no less!) that is an amazing bang-for-your-buck buy. I’d still recommend having the OSG as your primary focus as this book dives into additional details that aren’t found in the OSG.
Mike Chapple’s One-time Practice Exam: What’s nice about this exam is it doesn’t allow you to go back to previous questions, just like how the CISSP exam will be. That made me nervous and seems to make a lot of others nervous, too, so this one-time exam was a good practice. I recommend taking this exam a couple of days prior to your actual exam date.
As a quick note, I know that I listed the CISSP All-in-One Exam Guide, Ninth Edition in my resources list earlier, but I never really gave it a fair shake. Soon after I started reading this I had a lightning strike of realization about how I should probably start with the OSG first. I never got back to this book, deciding to use Destination Certification’s book as my secondary study guide. I didn’t see any issues with the All-in-One and it was well written at a fair price point.
There were a few things I paid for that were somewhat disappointing. The list below represents a few hundred dollars that I should have spent elsewhere:
Thor Teaches — CISSP by Thor Pedersen: Now, you’ll see that others have found a lot of value from Thor’s material as he’s well known in the CISSP prep world. But, for me, after listening to several hours of his courses, I came to the realization that the content was simply not effective; too expensive for what you get. His real world experience allows him to speak intelligently on most topics, but after all those hours of watching/listening I noticed that there were added levels of detail that didn’t seem applicable, so I switched to Mike Chapple’s online course. Preview Thor’s material and decide for yourself!
Thor Teaches — ALL CISSP questions by Thor + Boson: So while Thor’s training courses just weren’t for me, I will say that the practice questions are not a great value. Yes, they will reinforce important topics across the eight domains. Yes, they will be challenging (even some of his “medium” questions) and make you think. However, both the Boson questions and his own were nowhere close to the quality and type of questions presented in the OSG and official practice exams (toss LearnZApp in there, too). You pay a lot of money for access to these questions that ask you about technical details you won’t really need to know for the CISSP. The way the questions are designed is also not helpful for practicing the finding of an answer given a particular scenario. Again, try them yourself and come to your own conclusion.
Perhaps the biggest tip that I can give you is to not be discouraged when motivation is low or life throws a wrench into your study plan. I rescheduled twice (yup, that was $50 per reschedule) because I knew I wouldn’t be prepared. Whatever you’re feeling in any given moment where times are tough, whether you’re unsure of yourself, you’re questioning your abilities, or you feel as if you just don’t have the energy, my advice is to do something on those difficult days. Skim the OSG, close your eyes and listen to a video course, flip through flash cards on your phone and drill terms in your head, just do something. I guarantee that you will wake up the next day knowing that you went out of your way to keep up your study grind, and you’ll feel all the better for it.
My second tip would be to accept, not deny, feelings of nervousness or anxiety. Imposter syndrome is a thing. Feelings of inadequacy may creep up as a natural part of your humanity. Totally understandable anxiety about preparing for the exam and taking the exam may pounce at you constantly. This is normal! Soldier forth while accepting that such feelings don’t make you weak, they are just a part of life.
There ain’t no shame in the having feelings game!
Allowing yourself to feel those feelings in an honest way will help erase the baggage that can accompany them. I, for one, was insanely nervous sitting for the exam. I likely burned 1,000 calories just bouncing my legs up and down in that exam chair and lost about five pounds of sweat through my hands alone. You’re not alone and anyone else who’s readied themselves for something like this, CISSP or not, can relate.
So, this turned out to be about 3–1/2 miles longer than I originally intended. If you’re studying for your CISSP, first of all — awesome! I sincerely hope that you’ll find this content helpful to you in some way.
Best wishes to all of you and here’s to an exciting 2024. Cheers!



