Cyber Security Diaries from StationX

How to pass the CISSP on the first attempt | EP 1

Nathan House Season 1 Episode 1

Everything You Need to Know About the CISSP Certification

Join Nathan House, CEO and founder of StationX, and a panel of cybersecurity experts (Yousef Alahmad CISSP, Stuart Williams CISSP & Cristobal Guerrero CISSP) as they delve into the essentials of the Certified Information Systems Security Professional (CISSP) certification. This comprehensive discussion covers why the CISSP is in demand across the cybersecurity industry, effective study methods, the challenges of the exam, and the endorsement process. Panelists share personal experiences and advice for those considering or preparing for this certification, highlighting the importance of understanding management-level thinking. The session also includes a segment addressing viewer questions and insights into StationX resources to support your CISSP journey.

00:00 Introduction to the CISSP Panel
01:28 Technical Difficulties and Initial Discussions
03:41 Polling the Audience on CISSP Exam Plans
05:55 Starting the Panel Discussion
09:35 Panelist Introductions and Backgrounds
11:14 Motivations for Taking the CISSP
20:47 Effective Study Methods and Resources
27:26 Understanding vs. Memorization
37:15 Tackling Challenging Topics and Exam Strategies
39:02 Avoid Memorizing Practice Questions
40:36 Understanding the Exam Format
42:14 Thinking Like a Manager
45:55 Exam Day Experiences
01:05:06 Endorsement Process and Tips
01:07:31 Q&A and Final Thoughts

SHOW NOTES and CISSP RESOURCES
https://www.stationx.net/podcast/how-to-pass-the-cissp-on-the-first-attempt-ep-1/

STATIONX MEMBERSHIP
https://www.stationx.net/join ► Grow your Cyber Security Skills and Advance your Career

#CyberSecurity #AI #Privacy #EthicalHacking #PenTesting #CloudComputing #Programming #Coding #TechCareers #CyberSecurityTraining #DataPrivacy #Infosec #CloudSecurity #DevSecOps #Malware

So this is our CISSP panel. We’re going to be chatting about CISSP. For those that aren’t familiar, the CISSP is a certification that you should be interested in no matter where you are in your career within cyber security, because you will need to think about it at some point. It’s the most in-demand certification. You might want it to get through the door and also for the knowledge that it teaches you.

Are you on a treadmill?

Yes, I am on a treadmill. Or I’m just very fidgety.

Yeah. As I was saying, it’s maybe a little crazy to do it because it requires a lot of multitasking. If I start to stop, it’s because I need to think more.

You’re trying to emulate Flake from Rammstein. The German heavy metal band.

Yes, I’ve been to see them actually live. They do a very good live show.

Good day from Nigeria. I’m not hearing you clearly. Please check your connection.

I’m not sure what I’m supposed to do. It looks fine to me. Is anybody else not hearing me fine?

I’m fine.

Yeah, I hear you fine.

Maybe you need to check your connection. If you come out and go back in, you should be able to hear. Give that a try. Welcome, Charlotte. Hello, Ashley.

So, this is our CISSP panel. We’re going to talk about the CISSP, why you might want to take it, some tips on taking it, and we’ll be starting in a couple of minutes. Can hear you, Ray from Tampa.

CompTIA exam, I mean.

Guys, if you spot any questions, let me know. Because I’m unlikely to see all of them. If you have failed a CompTIA exam a few times before, is it still okay to take them again? Do they have a limit on how many times you can take them?

I don’t think there’s a limit. We’re talking about CISSP here, but I don’t think there’s a limit on how many times you can take them. I’m not sure though.

Actually, we’ve got a poll. Let me see if the poll functionality works. Let’s see… So, I’ve got a CISSP question. When are you thinking of taking your CISSP exam? Less than six months? Less than 12 months? More than 12 months? Can you guys see this poll?

I can see the poll, but it says that hosts or panelists cannot vote.

Can you see the results though?

I can vote.

What we’ve got at the moment for the results is a split between wanting to do it in less than six months and less than 12 months. Most people want to do it within the year. And then there’s 31% looking to do it after 12 months. That surprises me that so many people are wanting to do it in such a short period of time. The CISSP is the most popular certification in our polls. But when we look at the courses people take on StationX, it’s way down. It seems people aspire to take it but don’t always follow through.

Alright, let’s kick off. It’s one minute past now. Welcome to our CISSP panel discussion and how to pass your CISSP exam. I’m Nathan House, the CEO and founder of StationX. Today we’ll cover a variety of topics to enhance your understanding of the CISSP, whether it might be beneficial for you to study it, some study methods, tips and tricks, and even post-exam considerations.

The CISSP is an essential certification for almost anybody in cyber security to at least consider, whether you’re starting out or more advanced. Simply because of the demand for it in the job market. It’s something you’re likely going to need to consider at some point.

Let me just give a brief intro to what the CISSP is. Certified Information Systems Security Professional (CISSP), offered by ISC². These are the domains within it, ranging from risk management to software development security. Joining me today are Yousef, Cristobal, and Stuart, all CISSP holders who have taken the latest exam, so they know exactly what to expect.

First, thank you to Yousef, Cristobal, and Stuart for being here today. Let’s kick off with Stuart. Why did you choose to take the CISSP?

Thanks, Nathan. Hello everyone. My name is Stuart. I’ve been in IT for about 25 years. I took the CISSP because IT security is becoming more of a focus. I thought about taking the CISSP five years ago but was intimidated. However, taking it this year was one of the best decisions I’ve made. I’m here to help others get it too.

Yousef, what made you take the CISSP?

Like Stuart, I’ve been in IT for a long time. Security has always been integral to what I do. I started thinking about the CISSP around 2019 but didn’t feel ready. Recently, I moved into a cyber security role, and as part of that role, I needed to get my CISSP. The financial incentive also helped!

Cristobal, what about you?

Thank you. Hi everyone. I have 30 years of IT experience. Six months ago, I decided to take the CISSP seriously. It was a challenge because English is not my first language. I studied for six to eight hours a day for five months. The exam was hard, but I passed. If I can do it, others can too.

Amazing. So, who do we think the CISSP is intended for?

We’ve got 35% of people saying that they are going to take it in the next six months. How serious is that, and how does that relate to the CISSP Associates and the full CISSP?

I guess I can jump in there. We’ve gotten a lot of questions about the experience associated with the CISSP. The first thing you need to know is that you only need five years of cumulative experience across three of the eight domains. Most IT folks won’t have a hard time hitting that experience limit. The other thing is that even if you don’t have the requisite experience, you can still sit for the exam. You just won’t get the CISSP certification; instead, you’ll get an Associate of ISC². Then, you’ll have a predetermined amount of time to acquire the experience needed to become a fully-fledged CISSP. Still, that’s a very big accomplishment if you can manage it.

Exactly. I think I’ve got a diagram here which might illustrate that. Let me just show that. The point is that you can sit for it and become an Associate, as long as you pass, but you won’t become a full CISSP unless you have the five years of verified work experience. For some people, if they’re new, the CISSP might be too far ahead. There will be preliminary things to do to prepare before sitting the exam. What would you guys say to people coming in new and saying, “I want to do the CISSP”?

I’d like to add to that. There are qualifications that can reduce the experience requirement, so you may only need four years of experience instead of five. I’ll post a link to the list of those qualifications in the chat.

There’s also an interesting question about whether someone new to cyber security should take the SSCP before the CISSP. This is something we were going to discuss later. If you’re new, I would suggest starting with the CC (Certified in Cyber Security), which is a foundational certificate, and then consider the SSCP. The CC gives you a good understanding of how ISC² asks questions. I did the CC first, then SSCP, and it helped me understand the structure of the CISSP exam.

The endorsement process is also something people are concerned about and it can be a bit surprising. But we’ll cover that a little later.

I think one of the key things people are interested in is effective study methods. What did you guys find useful in terms of resources and methods for tackling the material?

The first thing you need to do is set a reasonable expectation for how you’re going to study. I couldn’t study for five or six hours a day like some people. I could probably devote about an hour a day during the week, totaling five hours a week. For me, that worked, and it was something I could stick to. The key is to stick with it no matter what.

For that one hour, make it productive. Don’t just passively listen to a training video in the background—actively take notes, research specific subjects, and use multiple sources if you don’t fully understand something. After finishing the coursework, I moved on to practice exams. The practice exams aren’t like the real test, but they help get you into the ISC² mindset. The real test is about critical thinking and reasoning, not memorization.

I probably took two or three thousand practice questions over the course of two months.

That’s a lot! I did something similar. I couldn’t do five or six hours of study a day either, but I did more than an hour. I used Microsoft Planner to organize my study sessions and keep myself accountable. I went through a few courses to find which instructor I resonated with the most. Once I chose one, I focused on that course and supplemented it with other material.

I also took a lot of practice questions. I used questions from StationX, Boson, and the official practice exams. I found the Boson and StationX questions better than the official ones, which were easier than the actual exam.

You need to think like a manager for this exam. You can’t just memorize everything. It helps to have experience because some questions will cover technical topics, but most of the exam is about process, policy, and thinking at a higher level.

How did you decide what to memorize and what not to? There’s so much material that you can’t memorize it all. How did you approach that?

I didn’t focus on memorization at all. I focused on understanding. When I saw a concept, I wanted to be able to explain it and recognize it. I might not have known all the terms, but the exam gives you contextual clues. It’s not a technical exam, so you don’t need to memorize everything. You need to understand the concepts and apply them from a manager’s perspective.

For me, memorization wasn’t important either. I focused on concepts and connections between domains. I had technical experience with networking, databases, and software, but the management mindset was harder for me. I needed to understand governance, IAM, and security policies. Once I understood how everything was connected, the exam became easier.

There’s a great book called “How to Think Like a Manager for the CISSP Exam” by Luke Ahmed, which was recommended to me. It helped me understand the manager mindset, which is crucial for passing the exam.

Yes, that book is great because it’s concise and focuses on thinking through the types of questions you’ll face. It’s a great complement to the heavier, official study guides.

The key is to get into the mindset of thinking like a manager. You’re not just solving technical problems—you’re making high-level decisions for the organization. That’s what the CISSP exam tests.

So, what do you guys think are the most challenging topics in the CISSP, and how did you approach those both in preparation and during the exam?

I can start with that. One of the strategies I used was eliminating answers that were clearly wrong. Typically, there are at least two options you can eliminate right away. With CISSP, you need to think like a manager, so even if a technical answer is correct, it might not be the best answer from a management perspective.

When it came to studying, I focused more on the domains where I had less experience. For example, I had a lot of experience in identity and access management (IAM) and cryptography, but less experience in the software development lifecycle. So, I focused my study efforts on those weaker areas. Practice questions were essential for me, but I made sure not to repeat the same questions too often. Otherwise, I’d start memorizing the answers, which isn’t useful for the actual exam. The CISSP is not a memorization exam—it makes you think.

How did the rest of you tackle the more challenging questions?

I agree. You have to focus on the questions you got wrong and understand why you got them wrong. You can’t just memorize the questions because you’ll never see the same ones on the actual exam. During the test, I found myself reading through long, complex questions—some were two or three paragraphs long with equally lengthy answer options. It was mentally exhausting, but once I focused on what ISC² wanted to test, I was able to work through it.

The most important thing is to approach the questions from the perspective of a senior security professional, not an engineer or technical specialist. You’re not the one performing the hands-on work; you’re advising the business on high-level decisions. That shift in mindset was crucial.

Also, remember that if a question involves human safety, that’s always the highest priority for CISSP. It’s another indicator of how to think like a manager. The questions are designed to test policy and organizational security, not just technical knowledge. That’s where some engineers struggle because they approach it too technically.

On the topic of difficult questions, I want to add something about time management. How did you deal with questions that were taking too long? Did you skip them or try to work through them?

For me, if I didn’t know the answer right away, I would eliminate the obvious wrong choices and make an educated guess. You can’t afford to spend too much time on any one question. If you do, you’ll run out of time and end up rushing through the rest. The CISSP exam is adaptive, so if you’re consistently getting tough questions, it means you’re doing well. But that can also be mentally taxing, so it’s important to manage your time and not get stuck on a single question.

Exactly. Spending too much time on one question can break your momentum, so it’s best to make an educated guess and move on. You’ll have plenty of other questions to make up for it.

How about the experience on exam day itself? What was it like for each of you?

For me, the exam day experience was stressful, but I made sure to prepare for the environment as much as the content. I arrived early, had to lock away my phone, and was given noise-canceling headphones, which helped a lot. I didn’t look around or get distracted. I focused entirely on the screen and each question in front of me. The first 30-40 questions took me longer than I expected, but after that, I found my rhythm and sped up.

I finished with 125 questions, which was the minimum number needed to pass. It’s a computerized adaptive test, so it adjusts the difficulty based on how you’re answering. If you’re getting tougher questions, you’re on the right track. When I finished, I had to wait for them to print my provisional pass result, and it was a huge relief.

For me, it was a bit different. I had a tough time focusing at first. I was really nervous, and the noise in the testing room distracted me. I could hear other people clicking on their keyboards, and even with the noise-canceling headphones, I could hear my heartbeat! It was a rough start, and for the first 50 questions, I thought I had failed. But eventually, I relaxed and started getting into the flow of the test. I ended up finishing with only 15 seconds left on the clock, but I managed to answer all 155 questions.

That sounds intense! I took the exam in a private room with earplugs, which helped me block out distractions. My strategy was to stay focused on the present question and not worry about the previous ones. You can’t go back and change your answers, so there’s no point in dwelling on them. I found that helped me stay calm and keep moving forward.

What advice do you have for people approaching the exam in terms of pacing themselves and managing stress?

I think it’s important to know yourself and your study habits. If you’re the kind of person who gets distracted easily, you might need to take a few breaks. But keep in mind that the exam clock doesn’t stop, so use your time wisely. Don’t be afraid to take a quick break to regroup if you need to, but make sure it’s brief so you don’t lose too much time.

Another tip is to focus on eliminating wrong answers. If you’re stuck, don’t spend too much time agonizing over one question. Narrow it down, make your best guess, and move on. You’ll have plenty of other questions to get right.

Did you find that taking practice exams was helpful for pacing and understanding the structure of the exam?

Absolutely. Practice exams are crucial, but you need to remember that no practice exam is going to perfectly replicate the actual test. The real CISSP exam questions are much more nuanced and require critical thinking. However, practice exams help you get used to the format and can teach you to think in the way ISC² expects you to.

I recommend using a variety of practice exams. Don’t just stick to one source, because you don’t want to memorize specific answers. I used practice questions from different providers like Boson and StationX. I also used official practice tests, but I found them a bit easier compared to the actual exam.

The key is to use the practice exams not for memorization, but for understanding the concepts and getting into the habit of thinking like a senior security professional. After each practice test, review the questions you got wrong and understand why the correct answers are right. That’s where the real learning happens.

When it came to practice questions, I took thousands of them. I would do a set of 100 questions, review my answers, and then focus on the areas where I struggled. But as was said earlier, avoid doing the same set of questions over and over because you’ll start to memorize them, which won’t help on the actual test.

What about pre-exam certifications? Do you think taking something like the SSCP or CC is a good idea before tackling the CISSP?

Definitely. Taking the CC or SSCP first can help you get used to the structure of ISC² exams. I took the SSCP before attempting the CISSP, and I think it made a big difference. It helped me understand the types of questions ISC² asks and gave me confidence in the exam format.

The SSCP is a bit easier, and while it covers similar topics, it’s not as in-depth. It’s a good stepping stone if you’re new to cyber security or if you don’t have the full five years of experience yet. The CC (Certified in Cyber Security) is also great as a foundational course. If you’re nervous about the CISSP, these earlier certifications can give you a solid base to build on.

What’s the endorsement process like after you pass? I’ve heard some people find that part challenging.

Once you pass the CISSP exam, you need to get endorsed by someone who is already a CISSP. That person will review your experience and verify that it matches the requirements of the certification. The endorsement process involves documenting your experience in each of the eight CISSP domains. If you don’t know anyone who can endorse you, ISC² can endorse you themselves, but that process can take longer.

It helps to have your experience clearly mapped out in advance. Break it down by domain and explain how your work aligns with those areas. Once you submit your endorsement application, ISC² will review it, and if everything checks out, you’ll be fully certified. If you’ve already completed the five years of experience, you’ll become a CISSP; if not, you’ll be listed as an Associate of ISC² until you gain the required experience.

How long does the endorsement process take?

It varies, but it usually takes about five to six weeks. Even if the person endorsing you does it right away, ISC² can take some time to process the application. There’s no need to panic if you don’t hear back immediately—just be patient. In rare cases, they might audit your application, but that’s pretty uncommon.

Do you have any advice for people in the final stages of preparing for the exam?

One thing I’d recommend is reviewing the materials you’ve used throughout your study. Don’t try to learn new concepts a few days before the exam. Instead, focus on reinforcing what you already know. Go over your notes, take a few more practice exams, and make sure you understand the reasoning behind the questions you missed.

On exam day, make sure you’re well-rested. Arrive early, stay calm, and manage your time carefully during the test. If you feel stuck, take a deep breath, eliminate the wrong answers, and make your best guess. Trust the preparation you’ve done and focus on each question as it comes.

Are there any specific resources you recommend for those studying for the CISSP?

There are a lot of great resources out there, and it really depends on your learning style. I personally recommend using a mix of books, video courses, and practice exams. Some people like to use the official CISSP study guide, while others prefer shorter, more concise guides like “How to Think Like a Manager for the CISSP Exam” by Luke Ahmed.

For practice exams, I found Boson and StationX to be the most helpful. StationX also has an active CISSP focus group and mastermind group, which can be incredibly useful for staying motivated and getting answers to specific questions.

If you’re part of StationX, we have workshops and study groups dedicated to CISSP prep. Joining a study group can really help keep you on track and give you access to other people’s experiences. The StationX focus group has been instrumental in helping many people prepare for the exam.

How about continuing education? Once you pass, how do you maintain your certification?

Once you pass the CISSP, it’s valid for three years. To maintain it, you need to earn Continuing Professional Education (CPE) credits—120 CPEs over the three-year period. This breaks down to about 40 CPEs per year. You can earn CPEs by attending webinars, completing training courses, or even teaching. You just need to submit proof of your activities, like certificates of completion, and ISC² will update your CPE record.

If you stay organized and regularly participate in webinars or take courses, you won’t have to retake the exam. It’s important to keep up with your CPEs because if you don’t, you’ll have to retake the CISSP exam to keep your certification.

That’s a great point. It’s also worth noting that if you have multiple ISC² certifications, you can use the same CPEs across all of them. So, you won’t need to earn separate CPEs for each certification, which is really helpful.

One final question: What’s your advice for someone who’s just starting to prepare for the CISSP?

Start with a plan. The CISSP is a big exam, and it covers a lot of material, so you need to break it down into manageable chunks. Use a study guide or course to structure your preparation, and make sure to set aside dedicated time each day or week to study.

Join a study group or find a community to keep you motivated. StationX has been a great resource for a lot of people because of the focus groups, study groups, and the fast-track program. It’s easy to get overwhelmed, but if you stay consistent and follow your plan, you’ll get there.

Also, remember that you don’t need to memorize everything. Focus on understanding the concepts and how they apply to the real world. The CISSP is about critical thinking, not rote memorization. Practice with exam questions, review your mistakes, and keep pushing forward.

To add to that, consistency is key. I’ve seen people who try to cram right before the exam, and it rarely works out well. You need to give yourself enough time to go over everything, review the concepts, and take multiple practice tests. And if you can, do a mock exam in real exam conditions so you can practice time management and get used to the pressure.

When it comes to the actual exam, it’s a mental game. You’ll feel like you don’t know some of the answers, but that’s normal. Focus on each question individually, eliminate the wrong answers, and make your best choice. Don’t get hung up on one question—just keep moving forward. You might find that the answer to a later question gives you a clue for something earlier.

What about dealing with burnout during study? How do you keep going without feeling overwhelmed?

That’s a really good question. I think it’s all about pacing. If you’re studying for hours every day without a break, you’re going to burn out. You need to schedule breaks and give yourself time to recharge. One thing I did was schedule my weekends off from studying. That gave me time to decompress and come back to it on Monday feeling refreshed.

I also broke my study time into chunks. I’d do one hour of focused study and then take a short break. You can’t maintain high levels of focus for hours on end, so it’s important to break things up.

Don’t be afraid to change things up either. If you’re tired of reading, switch to a video course. If you’re sick of videos, take a practice exam. Keeping things varied can help prevent burnout. And don’t forget to celebrate small victories—if you finish a domain, reward yourself. Those little wins help keep you motivated.

Exactly. Cyber security is a marathon, not a sprint. It’s easy to feel like you’re not making progress, especially with something as comprehensive as the CISSP, but trust that you are. Take breaks, keep the end goal in mind, and you’ll get there.

So, we’ve discussed the importance of mindset, study strategies, and tackling difficult questions. I think one last point to touch on is the job market and how the CISSP can help boost your career. How have you seen the CISSP impact your career?

For me, getting the CISSP opened up a lot of doors. It’s such a respected certification that it’s often a requirement for higher-level roles in security. Once I had it, I was able to move into more strategic, senior positions. The knowledge I gained from the CISSP also gave me the confidence to take on more responsibility and lead security initiatives within my organization.

It definitely boosted my career. Before I had the CISSP, I was working in more technical, hands-on roles. But after passing the exam, I was able to transition into more managerial roles. It’s given me the ability to oversee projects from a security management perspective, which has been a game-changer for my career. The CISSP not only gives you the credentials but also the skills to think strategically about security.

I agree. It’s a certification that employers recognize and trust. When recruiters or hiring managers see CISSP on your resume, they know that you have a broad understanding of security at a high level. For me, having the CISSP has helped me stand out from other candidates and has given me the leverage to negotiate higher salaries.

It’s also given me more confidence in my day-to-day work. The CISSP covers so many aspects of security, and now I feel much more equipped to handle complex security challenges.

To wrap things up, I’d say that if you’re serious about a career in cyber security, especially if you want to move into more senior or managerial roles, the CISSP is worth it. It’s challenging, but with the right preparation and mindset, it’s achievable. And once you have it, it can really help elevate your career to the next level.

That’s a great way to sum it up. The CISSP is not just about passing an exam—it’s about gaining the knowledge and mindset to approach security from a leadership perspective. It’s a valuable investment in your career.

So, I think we’ll wrap up the session here. If you’re looking for more support, whether it’s in the form of study groups, resources, or just general guidance, StationX has plenty of opportunities to help you along the way.

Thank you to everyone who joined us today and to the panel for sharing your insights and experiences. Best of luck to everyone preparing for their CISSP, and we hope to see you in the StationX community.

Take care, everyone, and good luck with your studies!

Thanks, everyone.