I have been reached out to quite a few times almost 2-3 times a day since I passed the CCSP exam to give help to people that want to take this cert. The CCSP was extremely difficult in my opinion. However, I haven’t taken any other ISC2 exam yet but I do plan to take the CISSP exam this year which I will blog about my study process, how I create study guides, the resources I use and the results. Pass of fail I will document it here all the way until I pass the test.
I want to give a background of my own experience before taking this exam. I started my career in IT on the helpdesk of a few companies straight out of college in 2014. I had some helpdesk experience in college and so it was an easy transition for me into the working world. I never expected to stay in IT and I felt help desk was very boring and so I felt the help desk was a good segway into a career that would keep me more engaged and excited. At one of my helpdesk positions I met someone that introduced me to cyber security and suggested I pick up a Security+ book and see what I thought. I did just that and from that day on I chased getting into cyber security. It took me almost 3 years from that point on to get my first dedicated cyber security role but once I got into the field I found it to be very challenging, rewarding and there was always something to learn which I need to keep my mind busy. I have touched a wide array of security technology from SIEM’s, EDR’s, Web Proxies and more. I eventually developed an expertise in privileged access management with IAM as an overall focus (I did this on the job as I went not in a degree program.) During those three years of trying to get into security I also got a master’s degree in cyber security which helped me land my first dedicated cyber security role. Cyber security is my passion, its what I do and its what keeps me going. I love the challenges and the fact that I always have something else to learn and master in this field. If it wasn’t for this field, I am not sure what else I would be doing, even when I have hard days at the office, I still absolutely love what I am doing.
For the CCSP I used the CCSP CBK by Adam Gordon. I purchased this book a full year before I took the exam since the book is quite long I wanted to ensure that I could read the entire book front to back and take notes as I was doing it. I did not read this book every day, there were times when I took a few weeks off from reading then would get back into it. As I would read, I would highlight various points that I felt were important or items that I didn’t fully understand and needed to look them up. I would take note of those items in OneNote and look them up. I would try to allocate anywhere from 1-3 hours a day of straight reading and taking notes. Once I finished the book, I then dove into the CCSP Study Guide and the Study Guide Practice Tests by Ben Malisow. I did the same exact process of highlighting and taking notes. I felt the study guide was a great refresher since I took a few weeks off in-between finishing the CBK and starting the study guide. I finished the study guide in maybe a week of reading 1-3 hours a day. After this I started taking practice exams from the Study Guide books and the CBK. Two weeks before I was scheduled to take the CCSP for my first attempt I took a bootcamp from Training Camp. The bootcamp cost $3500 which gave you the study materials and an exam attempt. The bootcamp was great, I felt it engrained various bits of information into me that I needed to know and made me aware of others that I should know as well. The bootcamp was difficult to get through because you must spend anywhere from 8-12 hours a day in your office focusing on this material and taking notes while trying to understand and relate these ideas to the real world. The instructor helped with this immensely, helped us learn and remember these items in terms of modern-day situations you may encounter. I studied off and on the week leading up to the exam, I felt I had a great handle on the material, I seemed to be doing okay on practice tests, I would normally score anywhere from a 70-78% on these practice exams.
I get into the exam, extremely nervous but still could recall all the material I was working on and right from question 1 I felt I was taking a different exam. I was very confused as to how I could study so much and not understand these questions. I understood some of them but the way the wording was for these questions was completely off compared to the practice exams I had encountered. I immediately knew that if I passed it would be because I got the minimum score and if I fail it would likely be close as well. I took the test exactly how everyone tells you to take it. Read the question and all the answers, take a few seconds, and re-read the whole thing again. If you do not know the answer by now or are confused, flag the question, and move on. Consistently I felt the answer to these questions could go either way, it always came down to two or three answers that I could argue either way in my head. At the end of the test I ended up failing. I felt like I had failed myself that I did not do enough but, in all honesty, I am not the best test taker, not even close to being good. There was something about this test where the wording felt completely off from what I was used to with the other practice tests I studied and even how the books were. It seemed very odd to me and I didn’t understand it because going into the test I felt very prepared and all the practice tests I took reinforced that in my head. As soon as I got home from taking the test I immediately starting taking down notes from what I could remember were the questions I had the most issues with. Encryption, Architecture styles, API security, Application security. From the test results it seemed like I only really knew 50% of what I really should have known. I took note of not just the topics I had issues with but the exact kind of question I was asked and the information I was being asked about. I did my best to write down as much as I possibly could and to tell you the truth, I wish I could provide an example to give you a better picture of that but I am 6 months removed from passing and I couldn’t if I tried and if I had the info I don’t think ISC2 would have happy with me.
After writing it all down I reached out to my instructor from the bootcamp and asked for guidance on the areas I struggled in. He gave me some guidance of things I should know for those sections and I took note of those items. I effectively created a new study guide for myself since my old one did not work. After a week to just decompress from everything I started forcing myself to dive back in and get this material down. The first thing I did was review the notes from the domains I failed and did average on and as I was reading the notes and reviewing the chapters if there was anything that I know for sure I was asked about on the exam I wrote it in my study guide, bolded it and highlighted it with yellow. For my notes I have a color/bolding code where various colors mean different things to me. To other people it looks like a colorful document that makes no sense but to me yellow means I need to know this, bold and yellow means I saw it with certainty and I didn’t do good on it. Bold and green means and saw it with certainty and I did good on this topic, but I need to ensure I still know it. There are others but those are just examples. Once I reviewed all the sections in question and I had all of the notes ready I then went back and reviewed the sections I did well on and applied the same principle to those as well. This entire process took maybe 6 weeks to get completely through (keep in mind once you fail you must wait 12 weeks to retake the exam). At this point I started involving practice tests but I refused to use the CBK or study guide practice tests since I used them before and I felt it didn’t help that much (the reason will be discussed later on).
When I started looking for practice tests I started to run into issues where I didn’t really know where to turn for quality practice tests that weren’t extremely expensive but the site also didn’t look like it was created by someone that would steal my credit card info. I settled on a set of practice questions that I felt were the game changer for me. The questions were similar to what I experienced on the test and at the time the practice questions were only $10 on Udemy. Here is the link: https://www.udemy.com/course/ccsp-2019-cloud-security-practice-tests-300-qs/. This link is great but it also only offers 3 tests at 300 Questions total. You need more to get comfortable with this material and the style of questions you will encounter. I remembered back to when I was in the bootcamp they said there was an early release of the new CBK book with a few practice tests in it on their online service that only allows you to view it online. I didn’t think anything of it since I figured how different could the questions be? What I did not know was that by the time I would take the exam a new version of that exam had just been released; the new unreleased book was not out at that time. So, I ended up taking an exam that had questions that were worded completely differently from the book I had used to study. I ended up using the practice tests in the online CBK book and the Udemy practice questions found at the link above.
The final four to five weeks leading up to the exam I did practice tests at least once a night and based on the results of those practice tests I would adjust my study guide. Things that I did very well on got moved to the right since I felt I was greatly confident in those topics, but it was information I still needed to know for the exam. Items on the left were items that I need more knowledge on, things that I was struggling with. Things like API security, differences between REST and SOAP, the pros and cons of each, where they are used and why, encryption is a big topic that you must know as well that I struggled with until I studied this way. The Udemy questions I felt were extremely helpful not only for the wording but when you got something wrong there was a clear explanation as to why you were wrong and why the correct answer is correct. I used this process to refine my study guide to get this information down into manageable chunks of information that I can easily consume and understand for this test. I was worried by study guide was getting too large as I am sure most people get as well but in the end it was still extremely useful to have the study guide how I had it for me because I understand how my brain learns and this is just simply how it learns best. For the last 1.5 weeks leading up to the exam I did practice tests 3 times a day at a minimum. If there was an area I felt I was struggling with I would get other resources to help, I would google things on the topics I outlined above, watch videos, absolutely anything to get my understanding up to a level that I was confident in. The week of the exam I started reading the CSA Security Guidance v4 document. I was told this document would be helpful, but I didn’t really have the time due to everything else I have going on. I wish I started reading this document the week before since it is 150 pages and by now, I was tired of reading. I powered through though and adjusted a few areas of my study guide accordingly. The day of the exam I ensured I got at least 8 hours of sleep the night before, had breakfast which I never normally do, had coffee and reviewed my study guide for an hour. After that hour was up, I took a practice test. I got an 80% on the practice test. Some will critique me and say I should have had more variety and sure I absolutely should have but I couldn’t find great, reliable, valid resources outside of what I used so I did my best to rotate the 5 or 6 that I had in a way that I wouldn’t be able to memorize the test and cheat myself from learning that way. After taking the practice test once and scoring an 80% I gave myself a break for 45 mins then repeated. At this point it was probably 1 or 2pm and my exam was at 4pm so I started getting ready to go. I did not touch any study materials from then on and took the exam in that state. When taking the exam, the questions felt remarkably familiar to what I was used to with Udemy and the more up to date CBK that I used. I was very confident in every single answer I gave and ended up passing the test. The sense of relief was overwhelming, it was awesome and what a relief to finally be done with just one of many more I plan on taking. When I got back home, I wrote a reddit post on the CCSP subreddit where I didn’t go into as much detail as I did here but is still valuable content I feel. Please comment on the LinkedIn post with any questions for now until I figure out how to add comments on this site.
Thank you very much for reading, I hope to have another post out in the next few days discussing how to get started in cyber security and the value of certifications.