Real Life: Earning the CISSP

"It seems like almost every week, you hear about a Fortune 500 company or government department having a breach of sensitive information," explains Louie DiNicola, who expects to complete his undergraduate degree in computer information systems next spring and already has a position lined up working in IT assurance. "I want to be able to help companies avoid that and maximize their potential by helping them identify problems in IT policy and implementation."

DiNicola has an edge outside of the certifications with his college degree. Companies will often ignore a potential candidate, regardless of experience and qualifications, if he hasn't earned a degree. "It does not matter if the person can walk on water," according to Hunter. "If they do not have a degree, they won't be considered" for some positions.

DiNicola knows that a degree and certifications, coupled with experience, make for a powerful mix. "I realize that as an entry-level graduate, the certification might be better suited as a long-term goal," he explains. DiNicola has already begun plans to pursue the CISA credential and the CISSP certification after that.

The CISSP credential goes far beyond measuring one's book knowledge. First, the candidate must be endorsed by an ISC2-certified professional confirming that the candidate meets the experience requirements. Also, the candidate must pledge to adhere to a code of ethics. Finally, to maintain certification, the CISSP must constantly engage in security activities, such as ongoing education and participating in security speaking opportunities.

But it all starts with the exam, and there are many ways to prepare for it. For me, self study was the best way to go. You have to be disciplined and self-motivated to forego structured courses, but self study can provide more flexibility while saving costs. Note that bypassing the class route doesn't mean that you have to go it alone. I found valuable resources online from CISSP forums such as one at CCCure.org and free online workshops such as those offered by the University of Fairfax.

Passing the CISSP and other certification exam tips

The following tips helped me pass the CISSP exam, the most difficult certification exam I have ever taken. As learning methods vary, so should your approach to preparing for any certification exam.

My first action was to register for the exam to allow for two months of preparation. While this may seem obvious, registering for the exam a certain period in advance helps to focus on the goal. Without a deadline, it can be difficult to achieve that goal, since the propensity to procrastinate is great.

My next step was to purchase a review book with practice questions and exams. I opted to purchase ISC2's CISSP review book, which came with a CD of practice exams. Of course, there are other study guides with practice exams available. The point is to have a good resource to prepare with. Multiple books can help especially in locking down difficult concepts by approaching them from different angles.

You should take a practice exam before beginning to study because it can point out subject-matter strengths and weaknesses. Predictably, I was strongest in the two domains for which I met the required experience and quite weak in some others. This helped me prioritize my studying.

Plan to study until one week before the exam and spend the last week reviewing material at a leisurely pace. A light review the night before the exam is fine, but do not cram. If the test is given in a location that requires significant travel, plan on arriving the night before, particularly for an early morning exam. I relaxed the night prior to the exam, because I knew I would need all my faculties the next day.

The CISSP test consists of 250 multiple-choice questions that must be completed in six hours. That equates to less than one and a half minutes per question. There are various strategies for attacking such exams; mine was to be well rested and answer every question in the exam in four hours, then review the rest of the time. If time becomes a factor toward the end of the exam, answers will be rushed, so pacing is important.

After I left the exam, confident that I had a 50-50 chance of passing, I began crafting my retest strategy. Since I had just spent so much time over two months preparing for this exam, I planned to register to retake the exam the moment I found out I failed, because I didn't want to lose the freshness of the knowledge. Fortunately, I didn't have to activate that plan, but I was ready to.