Thoughts on the CISSP

Disclaimer: I’m a member of the SANS Advisory Board. SANS is a competitor certification awarding body to ISC2. None of the examples below are real questions from either exam and shouldn’t be used as revision!

I recently clocked up enough elapsed experience (after deductions for my GSEC) to be eligible for the CISSP, took the exam, passed and, after a wait, was awarded it.

There are a reasonable number of comparisons out there between the GSEC & CISSP but none that I found that look at it after CISSP updated the common body of knowledge in 2015.

Broadly the style of the exams is similar in that they’re both computer-based proctored affairs at Pearson testing centres (CISSP used to be pen & paper!). The GSEC is shorter (180 questions against 250, 5 hours not 6) and also has the benefit of allowing one 15 minute stopped clock break at any point. The biggest difference though is that GSEC is open book, CISSP all has to be memorised: this allows the GSEC to test certain things akin to the real world like “which of these nmap switches would you use for x” (i.e. something you’d either google or use the help pages for). Both exams have scenario type questions: “you’re the security officer for widgets INC, which is the best firewall for a DMZ if you’re worried about DDoSs” and hotspot / drag & drop multiple correct answer types. Both allow questions to be flagged and revisited.

I found the revision for the GSEC adequately prepared me for the content and style of question I faced in the real exam. Mock tests are available, which again were fairly close to the real thing. The CISSP was not so – I read a variety of books (Eric Conrad’s), did the SANS bootcamp course and used the official ISC2 flashcards app, but once in the exam the questions felt wildly different to anything I’d revised for. This isn’t helped by the 25 ‘wildcard’ questions thrown in that don’t count!

I’ve never failed an exam in my life but I honestly found myself at the halfway point thinking I’d failed it. Genuinely that bad. Where I could answer things quickly and confidently I did so; anything I was 90% on I answered but flagged; anything I had no clue on I left blank and flagged. The first pass left me with maybe 50 questions I had to go back and review, although I probably only changed a couple of answers on the second look. An actual advantage was gleaning information from later questions to use in earlier ones.

It’s certainly been said that to pass the CISSP you have to ‘think like a manager’ which I always felt was a bit derogatory but I think it really means to think at a high level, never be afraid to give an answer that refers to outside experts and always prioritise human safety.

The CISSP, like the GSEC, is certainly a mile wide and an inch deep – although I think the GSEC is maybe more like an inch and a half! For both, having experience in the field is certainly a blessing and a curse: you need some outside knowledge but you’re often tempted to add extra information into the questions – “I do change management differently to that at work”.

So which is the better exam? From an experience perspective I’d say the GSEC was the more ‘enjoyable’ and perhaps relevant to the day job. It certainly taught me some new things to take back to the day job too. But the GSEC is not so widely recognised so if you want to pass that automated screening bot on your next job search then maybe the CISSP is the one to go for.