1. Don’t sweat the details
It’s easy to get caught up in details, especially memorizing facts. While the CISSP does have detailed answers that depend on you knowing facts, it’s much more important to understand concepts. Don’t get me wrong, you have to put in the effort required to memorize terms and concepts, but you can’t rely on this alone to pass the exam.
We all know that many of the questions are difficult. You will either immediately know the answer or you won’t. When you don’t know the answer you have to count on your understanding of the concept to help you pick the most likely answer based on the intent of the question.
2. Studying for the CISSP is like learning to subnet
Remember when you learned to subnet? At first it seemed like voodoo black magic that produced answers no one could explain. That’s because you need to apply multiple concepts at the same time in order to subnet. As you learn to subnet, you first learn one of the concepts. This creates the strange sensation of learning something, yet not getting any closer to understanding it. After you learn all of the basic concepts, you suddenly have an “aha” moment and understand the entire process. The CISSP is the same way.
3. Learning is not incremental
This need to coordinate competing concepts creates a situation where your study plan starts off slow and speeds up as you progress. At first, this is frustrating because you question your ability to comprehend the information. You are comprehending things just fine; you just can’t put these competing concepts into perspective until you have a firm understanding of all the topics.
Think of it this way. You may only get 10% of the answers correct after you’ve studied 25% of the material. Likewise, you will get 90% of the answers correct after you’ve studied 75% of the material.
4. Think like a manager
Management is ultimately responsible for security. As such, a CISSP candidate should either be acting as management, or advising management on correct decisions. This point can’t be emphasized enough. The exam is based on the point of view of management. Often when you see multiple answers that seem correct, you should choose the one that a manager should choose. Choose the one with the highest level of perspective within the organization.
5. Don’t count on a boot camp to pass the exam
The CISSP exam is an inch deep and a mile wide, meaning you don’t have to be an expert on anything, but you need a basic understanding of lots of things. You may have to answer a question about the history of cryptology then make a sharp mental left turn to answer a question about the type of fire extinguisher used to put out electrical fires.
Boot camps are great for saturating you with information about a particular technology or function. But their format makes it cumbersome to cover a lot of separate topics in a classroom setting. Inevitably the class will spend more time than necessary on a topic that one or two students have questions about. Also, the sheer volume of information needed to pass the CISSP just can’t be communicated to the average person during the course of a single training session unless you combine it with a self-paced study plan, or knowledge gained from previous experience.
This doesn’t mean that a boot camp isn’t helpful, or that you shouldn’t use them. It means that you shouldn’t count on them as your sole mechanism for study.
Image courtesy woodleywonderworks