Ready to get the inside scoop on the latest happenings of our podcast? This episode is teeming with personal anecdotes, exciting plans, and important updates tailored just for our loyal listeners. From unraveling our recent endeavors to sharing our firsthand experiences with the daunting CISSP exam, we leave no stone unturned. Buckle up as we also reveal the thought process behind our decision to take the exam twice.
Ever wondered about the significance of investing in oneself, even within a flourishing organization? Here's your chance to gain some insights! We delve into the crux of this subject, drawing examples from the rampant 'poaching' in tech meccas like Chicago, Seattle, California, and New York. Get a sneak peek into what we have in store for Defcon, and make sure to stick around till the end for an exclusive reveal about our soon-to-be-launched security unfiltered stickers. This episode promises to be a potpourri of insights, anecdotes, and updates that you wouldn't want to miss!
Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
How's it going, everyone? This is another Security Unfiltered mentorship episode. So you know it's been a while. It's been, it feels like a month probably since I last posted my last mentorship episode for you guys, you know, and my life has just been crazy, to be completely honest with you. You know how my schedule works: I pre-record, you know, a lot of the interviews, the vast majority of the interviews, and I have them, you know, backlogged and ready to go. So every Monday that episode is already set, determined and everything like that. The mentorship episode is typically last minute. It's typically, like you know, Tuesday, Wednesday sort of thing. Sometimes it's even been like Wednesday at 11pm, you know, when I'm getting it out, but you know I've just been exhausted lately, right. So I've been doing a lot of different things. My uncle in Florida recently passed away and so I needed to take some time to be with my family down there and, you know, do a celebration of life party for him. I was really close with him and so you know it was tough, you know, overall, right, but I also, in part, needed that vacation just with having a newborn baby and you know all the different life changes that are going on in my life. I just needed that time, you know. And with that, you know, it brought some delay. It, you know, definitely had its own challenges and everything like that, right, but the show must go on. So you know, a couple things that I want to talk about today, not necessarily a mentorship episode, more of like an update type thing and talking about what's going on, you know, with me and with the podcast, right. So the podcast is getting more and more sponsors, you know, bigger name sponsors, more to be released and announced coming up in the near future.
So very excited for that, you know, very excited to see the security community actually showing, you know, support for this podcast, right, because the primary purpose of this podcast is to really just help people. You know, at the end of the day, I really just want to help people. If you look at my Patreon, my Patreon is not priced insanely. I've had several comments that they appreciate that the Patreon is priced how it is because you know I'm obviously not getting rich off of it. You know, like that's not my intent. My intent is to provide you great content, bring on great people, hear their story, hear about what they're doing and help you find your way into IT or security in some way, shape or form, right? That's why I have this podcast, that's why I have the format that I do and everything like that. Now, with that, I want to make the Patreon more valuable to people, right? So I want to make it more valuable to the people that are putting up the money and subscribing to the Patreon. So there's a couple of things that I'm going to be adding and this is to the basic, most low-level tier that I have I believe it's called Security Analyst, right. And what we're going to be doing is we're going to be posting the schedule for the episode recordings ahead of time, so probably something for either the weekly schedule or the monthly schedule for who we have coming on the podcast. We will post it live, or I will post it live on the Patreon, so then you can look at it and say, oh, I can squeeze in this hour for this episode to hear this episode live, right? And then there's actually going to be a live audience link that is only for Patrons, only for people that are subscribed to the Patreon and whatnot. That will be posted in the Patreon as well, potentially even in the Discord and whatnot, so that you can tune into those episodes live. You can actually ask questions live, and there's going to be more things coming. 
There's going to be the opportunity for my Patrons to ask a question ahead of time to a certain individual and I'll ask it live on the podcast, maybe at the end, maybe in the beginning, wherever it might be, but it will be asked, and so I think that that's a great way to actually be interacting with the community, interacting with the people that really enjoy the podcast. Right, it's a great method for me to be able to do that. The next thing, at least that happened in my life, right. So I talked about it earlier in the year and I went and tested for my CISSP. Now, I do want to caveat this with a lot of different things, right. So basically everyone knows by now, I had my first kid, right, moved into my first house, got just a million things going on in my life, right. So I just didn't have the time to study for the CISSP like I would have liked to, like I would have expected to or anything like that, right. Like I just simply didn't have the time. I barely had enough time to do any sort of practice questions. I think the most practice questions I did was maybe 150 or 200 practice questions. Now I know people that did thousands of practice questions to prepare for their CISSP. But ISC2 was running a deal at the time where basically, you get two attempts at the cert for a slightly higher price than what one cert attempt is. I think one cert attempt is like $700 or $750 and for two attempts it was like $900, right. So I figure, if I pass it on the first attempt, one, they only charge you for the first attempt. But if I pass it on the first attempt, you know, great, that's fantastic. But if I don't pass it on the first attempt, I want to have at least that retake or that retry available for me, so that it's kind of like a peace of mind type of thing. Right, with these exams, you know, these higher level exams, right, they're really difficult, and so anyone could fail or pass any of these exams on any given day, right, like it could be someone like myself.
That has experience in the field. I have, you know, just about 10 years of experience in security, literally focused on security. Okay, and so I thought that I would have a really good chance at passing the CISSP without studying that much for it and I came very close. They don't tell you the actual number, right, but there were only a few sections that I did poorly on, right. So that kind of tells me that I was probably pretty close, I was probably within striking distance and, honestly, if I was to try it again sooner, I would probably even pass it if I scheduled it sooner, right. But that just tells you, right, that anyone could pass or fail any of these certifications on any given day, right. You can have different circumstances or get a different set of questions or anything like that, right, that are maybe more difficult for you, and especially with a test like the CISSP, where it actually changes itself according to how you're answering the questions and how well you're doing on it, right. So, just giving you an example, the security architecture portion of the exam, I didn't do that great on, right, which is a little bit shocking to me, but it was a lot of policy and standards and things like that, right, things that you don't look at unless you're taking the exam or you work in an environment where you're required to know those things, and so I did fairly poorly on those parts of the exam. And the thing is, is that this exam, when it sees that you're getting those questions wrong, it will keep asking you those questions within that domain. So you getting five questions wrong on a domain previously may have not killed you, but now it will kill you because they keep on asking more and more questions. It's like, oh, you're weak in this area, we're going to prod you in that weak area until you fail this exam because you have to have this overall score that we're expecting, right. Now, you can call it unfair, you could call it whatever it might be.
It is a little bit frustrating, I will be honest, because the CCSP wasn't like that. It was just a bunch of test questions across all different domains. They were super hard questions and you knew what you were getting yourself into, right. But the CISSP, you couldn't even go back on questions. You couldn't flag questions for review, which for me, being a test taker, or at least not being the greatest test taker, right, I greatly need that mark for review and that ability to go back, because you know what? I don't want to waste 20 minutes on a question that I am not 100% certain on, right. I want to be able to give my initial answer, flag it for review and at the end of the test go back through and answer it again. The reason why I want to do that is because there may be other questions that kind of add clarifying details around a topic that you wouldn't have thought of if you were just faced with that one question, and you can't think through everything right then because you have the pressure of the test, you are under the clock, right. Potentially even, you know, that you just got the last question wrong and so it kind of just builds up in your head, right. So that's the most frustrating part to me with the CISSP. Honestly, it's not the material, it's not the studying even. It's the mark for review and the lack of ability to go back, which is really frustrating, because in the CCSP that was not the case. You couldn't mark for review, you could go back. You can review at the end of the exam before you submit it and everything like that. Again, at the end of this CISSP attempt it was just submit. There was no option to review anything or any second guesses or anything like that. It was literally submit, you're done, go get your score, which is frustrating for me because this is a high level exam. I feel like that doesn't make it unfair, that doesn't turn it into a situation where people that shouldn't have passed are passing.
That's not the situation that it was creating, having those different little things with the mark for review and the ability to go back because, look, these questions are so difficult that, literally, if you get it wrong on your initial guess, the likelihood of you getting it right when you revisit it is very small. It's very small. It shouldn't matter at all for you to go back and review. Which, that was the most frustrating part for me, along with the ISC2 package that I got for these two attempts: I had to take the attempts within certain dates. I think the first attempt had to be, like, I want to say, June 15th or something like that, or maybe it was at the end of May, I don't know. At this point I can't remember. I have a new baby and my memory is just shot from certain months. The second attempt is August 15th, which is the week after DEF CON. It's two days after I come back from DEF CON. It's going to be interesting. I'm actually studying right now. I am putting in the time, I'm taking the notes, I'm reviewing different course materials and whatnot. Once I pass the exam, I will put everything down, potentially into a blog post, or maybe I just turn it into a podcast episode where I talk about the different resources that I encountered, what the positives and the negatives are of those different resources, what worked best for me, what made the difference the second time around. Hopefully I pass it the second time because my goal, like I told everyone back in January, was to get the CISSP. I have to recertify for the AWS Security Specialty cert, which is going to be extremely hard. Then I also want to get the AWS Solutions Architect Associate cert which, in all honesty, if I get the AWS Security Specialty cert again, which I already have, it's still active technically, it just expires in September. If I get that cert, I should be able to easily take and pass the Solutions Architect Associate level AWS certification.
I have a million things going on. It's difficult and if I fail it the second time around, I'm pushing out other things in the year that I need to get done for the second half of the year for my own personal development, my own development within my career and everything like that. I do practice what I preach when I say you should be working harder on yourself than you are on your day job. The reason why I say that is because your day job, that company, could get rid of you at the drop of a hat. I was working for a company this last year, right when the market started to turn, and you know we were always told in security, you're never going to be laid off here, because it's really hard to staff you guys to begin with, and so why would we lay you off? First round of layoffs come, a security person that I would consider to be one of the smartest security people in the company was laid off right off the bat. Right, he was only there for maybe six months at the time, which really sucked, but it was actually easy for him to get the job, the next job that he had. You know, I think he even, like, took a month off just to kind of chill and then, you know, got back on the hunt and whatnot. The next month, more security people were laid off. You know, and yes, it is easier for us to get jobs than most other industries. You know, because there's some stat where literally 100% of security professionals that have experience in security are employed at all times. What that means is that we're literally laid off and within four weeks we typically find a job. The reason why four weeks is critical is because that's when they start, you know, kind of re-running the numbers for the month to see unemployment numbers and things like that. They don't run it on a weekly or biweekly basis and typically people have, or they should have, you know, a month or more of leeway and savings to be able to make it, right.
But you know it's still frustrating, right, and so for you to invest so much time into a company to make them more successful, to make, you know, one or 10 people more millions of dollars, right, to make them more secure, and things like that, for you to do that and not invest in yourself is a terrible idea. You know, because I saw firsthand the people that invested in themselves along the way literally had job offers the day that they were laid off. I mean literally. I'm not even, I can't even, you know, make that stuff up. Like they were already in the process, talking to the hiring manager, talking to HR, literally the day that they were laid off. And the reason being is that people in the industry, especially if you're in a tech hub like Chicago, Seattle, California, New York, you know, any of those places, these other companies, they know where you work. They're looking at LinkedIn profiles, they're following you. They probably know your boss or your CISO and so they're waiting for you to leave, to get laid off, to, you know, talk to the right person, whatever it might be, for them to actually, you know, poach you and get you from that job. You know, previously in my career, I worked for a credit bureau and I won't name it, but this credit bureau worked right down the street from CME in Chicago, the Chicago Mercantile Exchange, and this place would always, just constantly, poach people from our security team. It seemed to be like, and I did actually talk to people, you know, later on, years later, right, about this, and they literally said they literally have a profile on everyone that worked at this credit bureau, on the security team, you know. So they did their research, they did their due diligence, they knew how much people were making at this company and whatnot, and so they would, you know, actively, like, already have things prepared for them to make that process even easier.
Right, they would pretty much let this credit bureau do the vetting for them with these people, make sure that they were technically sound and then, when these people were ready, this other company, CME, would poach them away. Right, and I had a good, I have a good friend of mine that used to work there and he told me literally, you know, you could get a little bit too drunk and stumble into their lobby and that security guard knows your name, knows what you look like, and he's going to offer you a coffee, he's going to offer you a nice warm blanket, they're going to bring you upstairs, they're going to talk to you about different roles and whatnot, and sign you on right then and there, right. Now, that isn't the case for every single person, you know. Yes, there was probably a little bit of exaggeration there, you know, because they want you in a clear mind and whatnot, right. But it is not out of the question that a company would do something like that, where they would actively, you know, go after someone and poach them from another company that they know is a good security team, right, that, you know, can make a difference at their company. And I actually, you know, later on in my career, I applied there and the process was extremely easy, extremely quick. The only reason why I didn't go with them is because I had an offer from somewhere else and it wouldn't be fair for me to, you know, now let them know that and things like that, right? Because I don't like, I don't like playing companies off of each other. I feel like that's a dirty game, a dirty thing to do. This is even coming from someone that, you know, tells you to invest more in yourself than you do at a company. But, with all of that said, right, you should always be investing in yourself. You should always, you know, have goals every single year that specifically pertain to you bettering yourself in your career and your personal life and your relationships, everything like that.
You know your career is one facet of your goals. That's really only maybe 15 to 20% of your goals, right? There's other areas of your life that you should have goals for. Now, with that, we have DEF CON coming up in a couple of weeks, which I'm actually really excited for. I haven't been to DEF CON in a couple of years. I think the last time I went to DEF CON might have been 2019. I'm pretty sure it was 2019, and that is way too long. I cannot wait to go back. So, for the people that are going to DEF CON, if you want to grab drinks, I'm always open, right? The other thing is, you either need to message me or you need to find me in Vegas and I'll be more than happy to have a drink with you. All right, if you do find me, and this is while supplies last, I do have a bunch of stickers with me that will be going up, potentially at some point in time, on Patreon or Marketplace or something like that, for other people to purchase and whatnot. But if you find me at DEF CON, I'll give it to you for free. These stickers, there's a Security Unfiltered sticker. They're a good, solid size. After probably 10 rounds of figuring out different stickers, the material, the quality, the logo, the size, the vendor that would provide them and everything like that, I worked it out. It literally took me probably eight months to work through this, which sounds like an absurd amount of time, but if I'm going to put something out on the market for anyone to buy, even spend a dollar on, I want to make sure that it's good quality, that it's something that I expect that people will enjoy when they hold it, when they put it on something; they will know, hey, that's a good sticker, that's a solid sticker. Right, I put stickers on my desktop and you can tell the difference between them. Right now, I'll most likely be wearing a Security Unfiltered shirt that's a few steps away from actually being available to everyone else. I'm still testing out different material and shirt styles and things like that.
Right. For DEF CON, I should have a couple different styles and shirt material and all that sort of thing. I'm testing it out with the mentality of this could be a shirt that someone could wear all day long. No issues, they're comfortable in it, it feels great, they can wash it and it doesn't shrink two sizes or anything like that. Right. With that, guys, that's everything that's been going on. That's all the changes that are coming to the Patreon and the podcast and whatnot. Much more to come in regards to the sponsors and more interesting guests. I'm bringing on more and more interesting people that are having fantastic conversations about their journey into security. Hopefully those conversations are helping. With that, thanks, guys. I appreciate you listening. Have a good one.