Prepare for a deep-dive into the exhilarating world of Defcon, where the brilliant and the curious unite. This year was a spectacular display of innovative minds, intriguing events, and diverse vendors, making it potentially the best one yet. Disregard the media's fear-mongering about Defcon's purported dangers; if you're not attending, there's no need for panic or to switch off your Wi-Fi or Bluetooth.
You'll find solace in my personal journey through the tumultuous path of preparing for the CISSP exam. I unravel the complexities of finding the right resources and speak of my experience with Ben Malisow's practice platform, a treasure compared to the meandering paths of Udemy courses. As I share my last-minute strategy leading up to my second CISSP attempt, you might just find the inspiration you need for your certification journey.
Finally, we'll explore the importance of giving back to the Defcon community and the power of creating a personal brand. Don't let feelings of inadequacy hold you back; authenticity is the key to standing out in a sea of faces. Stay tuned as we discuss the surprising rarity of imposters and introduce a series of swift mentorship episodes. Get ready for a rollercoaster of insights, advice, and inspiring stories as we delve into the fascinating world of tech and personal development.
Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
How's it going everyone? So this is another Security Unfiltered mentorship episode. So I want to do a bit of a catch up. So you know, last week slash weekend was DEF CON in Las Vegas, which was, I mean, it was fantastic. You know, I think it was probably the best DEF CON that we've had in a long time, maybe ever. That's like actually the consensus that is going around. It's not just me saying it, it's a whole lot of people. It seems like everyone in the community who's anyone really, you know, showed up this year. You know, I saw a lot of the people that I've had on the podcast and, to be completely honest with you, I just didn't have the time to stop and talk with them and whatnot, like I would have liked to. So, you know, if you've been on the podcast before and you were at DEF CON, I apologize for not, you know, stopping by and saying hello and whatnot, but literally my days were completely jam-packed with meetings, introductions, happy hours, dinners, lunches, all the above, which is pretty typical for someone, I guess, in the field. You know, every vendor in security knows where all the security professionals are going, and so all the vendors kind of go to Black Hat. In the first day or two of DEF CON, the Black Hat vendors are still typically in town and they will, you know, invite you to their parties, to lunches, to dinners, drinks, all of the above. You know, some of them have events off the Strip and, you know, things like that, which is really awesome. That's, like I guess, one of the perks, right, that you don't really think about or hear about that much when you're getting into this field, is, you know, the vendors actually spend a decent amount of money on you most of the time. But, you know, they do that, right, because they want to generate more business for themselves and whatnot. But overall, it was a fantastic time.
It was a great time to just, you know, spend in Vegas with like-minded individuals, you know, that come from all different backgrounds and whatnot. To be completely honest, I didn't watch or attend too many talks, mostly because all those will be, you know, on YouTube in a couple months. So, you know, I don't really feel bad about that, because I spent the majority of my time in villages handing out stickers. You know, I handed out 300 stickers, right, so I probably should have brought more, honestly, but it was fantastic, you know, meeting people, making new connections, you know, potentially exploring, right, like where things can go. Just talking to people of all different kinds of backgrounds, everything from reverse engineers in malware to, you know, pen testers to, you know, people that hack airplanes and everything in between. You know, people that hack satellites. There was actually a contest that the military put on this year with a bunch of hackers to hack a satellite and try to traverse from one satellite to another satellite. Now, I don't know if they were successful in doing that or whatnot. It was behind closed doors, which is typically how it is for those sorts of things, but, you know, still, like, that's an amazing thing, right? I always find it funny when the news outlets put stories out there. Every year it happens with DEF CON, where they say that, like, the most dangerous time to be in Vegas is during DEF CON, because, you know, you're more than likely going to be hacked and the top hackers in the entire world are all centered in this conference and they're going to be targeting everyone and anyone. You shouldn't be using your phone, you shouldn't use any Wi-Fi or Bluetooth when you're in Vegas, or anything like that. You know, I talked about this before. I talked about this in the DEF CON 101 episode last week, where, you know, yeah, you probably shouldn't use Wi-Fi or Bluetooth if you're going to the conference.
You know, when you're going towards conference grounds, you probably shouldn't be doing that, or you probably shouldn't be connected to that, I should say, right. But if you're not attending the conference, if you're not going anywhere near where the conference is, there's no reason for you to not have your Wi-Fi and Bluetooth enabled. Obviously, when you connect to Wi-Fi, only connect to networks that you know are legitimate. Don't be connecting to the Alpha, Beta, Charlie, Delta, you know, all of those other hacker networks. You know, don't randomly click on one. Make sure that you're clicking on the right one when you connect to one. And if you're really that paranoid, use a VPN. You know, like, that's a really good way to protect yourself. Yes, right, like, hackers can still get in, right, I'll say that. Right, they can still get in, but it makes you a harder target. And so when you're dealing with a drunk hacker, maybe they're not looking for the hardest target out of a million people that are in Vegas. Maybe they just want, like, a quick, you know, hack or whatever it might be, right. But it's always funny when the news stations start saying, you know, basically you shouldn't go to Vegas during DEF CON. I mean, I wouldn't recommend it, because literally there's like 60,000 people that are in Vegas for a conference, for one purpose, that normally aren't in Vegas. You know, like, we don't, or at least I don't, I don't typically go to Vegas throughout the year multiple times. Maybe I'll go for a guys' trip every once in a while, but outside of DEF CON I'm not going to Vegas, which is more than likely the case for a lot of the people that are going to DEF CON, right.
So it's just, it's an interesting time, right, but I still wouldn't say, like, reschedule your planned trip, one, which is what the news was actually saying, which is insane to me. But two, two days after Vegas, you know, I took the CISSP certification for the second time and I ended up passing it. So I want to talk about a little bit of the differences between the first attempt and the second attempt and what I did differently and all that good stuff. So, you know, first and foremost, the first time around I really didn't study. I mean, I just didn't study, I didn't have the time. There were several projects that I have on the side that were wrapping up all at the same time that required a huge amount of my time, and so I just couldn't, you know, study like I wanted. But the package that I had purchased from ISC² was a two for one. You get two vouchers for the price of one, and, you know, you had to take the first attempt by a certain date, which was, I don't know, sometime in June or something like that, and then the second attempt had to be, you know, in August sometime. And so I took the first one really more as, if I pass it, great. But if I don't, then at least I will have experienced the exam already and I'll get those kind of first-experience jitters out of the way, and then from there I can focus on the content, see what I need to improve upon and all that good stuff, right? So I got to give a big shout out to Ben Malisow. So, Ben Malisow, I've had him on the podcast a couple times. I'll probably have him back on to talk about his product that I'm about to talk about. One, this episode isn't sponsored by him. He doesn't know I'm bringing it up or anything like that. He'll literally find out tomorrow when I tag him in a post. So, you know, when he found out that I had failed my first attempt, he went ahead and, you know, directed me towards the Want to Practice platform that he has created. Right, and it's a great platform.
I didn't know what to expect when I was going into it, to be completely honest. I mean, you know, these practice questions and whatnot, they can be hit or miss, like I've talked about before. Right, they can be really hit or miss, where you can either have practice questions that are extraordinarily hard, that are so hard that they don't even help you prepare for the exam because they're so far out there, or you could have questions that are super, super easy, that is not a total, you know, reflection of the exam, or you could have something that doesn't feel like it even pertains to the exam. Maybe the questions are not formatted the same way that ISC² formats them, and so it can really be hit or miss with these practice questions and practice tests and everything like that. I know someone that went through several thousand practice questions to pass his CISSP. I mean, that's insane. I'll tell you right now, the amount of practice questions that I went through in preparation for this CISSP attempt, the second attempt, was under 500 for sure, 100% under 500. If I had a guess, maybe 300 or 350. But I used, like, only Ben Malisow's products to actually prepare for this second attempt. You know, he has online recorded boot camps of the certifications for a discounted price. I think it's actually really good quality. It's actually fantastic content. It's better than what you would find, you know, on Udemy, in my opinion, which, you know, Udemy, I don't know what's going on with them, but they don't have as many sales as they used to, and now, like, the higher-in-demand content is basically full price, which is insane. You know, because when I was looking at getting courses to go over the domains that I messed up on, the first place I went was Udemy, and, you know, the top collection for CISSP is, I think it's like $90 or something like that per domain, which is just absurd. I mean, $90 per domain.
We're talking about eight domains. That's just, that is completely unreasonable. It's unfathomable even how they would, you know, rationalize that. I guess they would rationalize it where it's like, hey, if you're struggling with two or three domains, this could make sense. If you're struggling with two or three domains and you're totally fine on the others, you're gonna pass the exam, right, like, that isn't going to break you. It's when it's four or more is when it's really gonna break you. Yeah, like, if you completely get questions wrong for three domains, yes, it will break you, but the odds are pretty good that that's not gonna happen. You may get lucky even in that mix, and so it just doesn't make any sense to me. And so I was, at the time, I was actually kind of stuck. Then I kind of stumbled upon Ben Malisow's product, went ahead and started going with that, and it was fantastic. To be completely honest, you know, with the first attempt, you know, when you fail an ISC² exam, they tell you what domains you struggled with. You know, they're labeled as, like, below proficiency, what domains you were near proficiency with, and then what domains you were above proficiency with, right. So there were three domains that I was above proficiency on, and so I didn't really focus that much on them. Those domains I touched on two weeks leading up to the exam. You know, kind of just a quick touch, did some questions to make sure I knew the material, reviewed my notes, ensured that, you know, material from those areas that I may struggle with is in my study guide. But I focused the vast majority of the time on the domains that were below proficiency and near proficiency, because I really wanted to make up or at least get those kind of easy gimme questions. You know, when it's like, if you just knew this one thing, you would have got these four questions right. You know, like, stuff like that.
So it's really important, you know, after you fail an exam like this, to reflect and adjust your study plan accordingly. Right, but again, right, those practice questions from Ben Malisow, the Want to Practice, I'll have the links in the description and everything like that, in case, you know, anyone is in the same position or they're looking to start studying for these exams, they can also go to this resource. It's very well priced, in my opinion, very well worth the money. It's probably the one resource that is actually worth the money that you pay for it. Like, you're getting very good quality material and content, getting very good training, you know, with the practice questions and everything. So, you know, the final week leading up to the exam, really, all I did was practice questions. I'll tell you what I did exactly. The very first day of that, like seven days out, I went ahead and created my study guide. So I went through each domain, because I took notes on each domain. When I went through the video, it was notes about things that I didn't know before or I had forgotten previously, things that I had seen on the exam, all of those different things I took note of, potentially screenshots and things like that. Right, you know, one of the things is, like, the OSI model and what protocols fall under which layer of the OSI model. That sounds like a really simple thing, but if you literally do not look at it every day, you're going to forget it, and that's a Googleable, you know, question. So if you're encountering that in your day job, right, one random time, you could just Google it and you'll be able to find it. But on the exam it really doesn't work like that. You know, you're not going to be able to Google it and find it or just pull it out of thin air or anything like that, which, you know, is challenging, right? So knowing, you know, the protocols with the layers and things like that.
That's where I had, like, a screenshot of, right, and with the encryption I had a screenshot of the encryption that has, like, a hybrid encryption, you know, architecture or whatnot, just to, you know, refresh my memory and all this stuff. You know, there was a good majority of the stuff on this exam that I had already touched on with the CCSP. That's the Certified Cloud Security Professional, or maybe it's Practitioner, I don't know, but a lot of it was on the CCSP. The difference between the two exams: CISSP is more management based, more management focused. You're making decisions. The way that the questions are worded and everything, I mean, you're asked questions about making decisions, you know, about dollar amounts, about, you know, business critical situations and things like that. It really does prepare you for the next question, does prepare you a little bit more to be a manager in the field. CCSP is really, it enables you to effectively secure any cloud environment, regardless of what it is, regardless of whether you know the architecture or, you know, that cloud provider or anything like that. You're able to secure that cloud no matter what. So that's a big difference, you know. Obviously it's focused around the cloud, where CISSP is focused more around management and whatnot. But, you know, you get the difference, right. So, you know, the thing that this certification actually gives me is it gives me one more thing that is checking the box for HR, for hiring managers, for people that are looking for that sort of thing in their environment. It still checks the box for those people to actually get me in the door to be a manager. Right, it's more difficult to have that conversation to be a manager when you don't have your CISSP than it is when you do have it.
And that may not be true for every single environment, but I'm talking about the vast majority of the environments out there, the vast majority of companies out there, because they have a set of requirements, and if you don't hit those requirements, they just don't look at you any more than that. The reason why is because HR basically sat down with their legal team and said, for this role, what do we need to have in this role? Because if we ever get audited, if we're ever breached, if something bad happens, you know, we need to be able to say to the US government or to whoever is suing us that, like, hey, we did our due diligence, we hired someone with this qualification. This qualification means this in the field, we thought that we were doing the best job possible. Right? They need to be able to say that. So yeah, it's a cover your own ass type of thing that companies are doing with certifications in most cases, but it's not for us to determine, right, we're not the ones that are making those rules, we're the ones that have to kind of find our way in there, no matter what. So I think that sums it up. I'll talk about taking it the second time around. So again, I took it like two days after DEF CON, not the best idea that I've ever had, that's for sure, especially after a conference like DEF CON. But when I was taking the exam, I had reviewed my study guide thoroughly. I memorized everything on my study guide. I understood everything on my study guide. When I was taking the exam, literally on every single question, I thought I got it wrong. I answered with the best answer that I had, that I thought of, right, and I thought every single question was wrong. It got to the point where I was actually contemplating during the exam how I was going to get another free voucher to retake it a third time, and I was thinking of how I was going to even explain failing this to the Security Unfiltered podcast community. That's how bad it was.
But I think it was like at question 120 or something like that. It's like one of the very first question numbers that you can hit and pass the exam. The exam is 150 questions, total it's 175. They always throw in like 25 questions at the end that are used as test questions or something like that. But 150 is the maximum amount, and I think it was at like question 120 or maybe 115 or something where the exam just stopped going for me. It said you're done with the exam, go get your score. So I figured, okay, I either passed or I failed. And I figured I failed, because I literally thought, you know, every single question that I was answering was wrong, right. And so I went and got my score and it said I passed, and now I have to go through the whole, like, application process with ISC² to get recognized for the certification and all that good stuff. But, you know, I bring that up, right, because I was in my head during this exam. I was kind of caught up in the fact that, you know, I couldn't believe that these questions were just wrong. You know, like, I felt like there were better answers out there and that the answers that I was given were not good choices in most cases, and I was choosing, you know, the one that I thought was the best fit for the scenario, which turns out to be, you know, that I was correct. But at the same time I was in my head that entire time, and it could have cost me the exam, because I could have, you know, dialed it back, stopped focusing as much, and I could have just kind of nonchalantly gone through the exam. Thankfully I didn't. I stayed locked in the entire time. I stayed focused, I stayed, you know, within myself with the exam, and I kept on moving forward and I answered each question to the best of my ability.
You know, there's a couple questions that I took, like, you know, two, three minutes on, right, because I was thinking through everything so thoroughly. Not that I was wasting time, but, like I stated before with the first attempt, the first attempt was the time that I actually first encountered it, where you couldn't mark something to be reviewed later, and you couldn't go back to any questions on the exam at any point in time. You couldn't go back, and so I knew on this exam I would have to answer every single question to the best of my ability, upfront, when I'm at that question, and as soon as I hit next on the screen, you know, I have to forget about it and move on to the next one. And I think that was the biggest thing for me that actually benefited me. You know, because as I'd get into my head with a question, right, as soon as I would hit next, all that would go away and I would start over, and sometimes I would take a breath, right. I would sit back in my chair, take a breath, clear my head and then get right back in it. I never lost my focus, which is really fantastic, you know. But yeah, I don't want to, you know, kind of beat a dead horse, right. But I just wanted to let you guys know the whole thought process, start to finish, because that's what I do. If you've read any of my previous blogs about certs that I've gotten, that's what I do. So what's next for certifications? So this year I have to renew the AWS security specialist certification, which I am not excited for. That's the most difficult test I've ever taken. And I want to get the AWS Solutions Architect Associate certification. Next year I think I'll get the CISM and the AWS Solutions Architect Professional certifications, and I'll probably, like, call it done right there for certifications, or at least, you know, for a couple years. But, you know, that's my goal. I set that goal back in January.
I'm on pace to get it, so I'm gonna keep on, you know, working towards it. You know, one thing that I wanted to bring up: I talked with a lot of people at DEF CON, and there's a lot of people out there that are actually really smart that feel like they aren't able to give back to the community. Right, because they feel like, you know, they're not the expert that's giving the talk at DEF CON, right, they're not the person that is having a following on social media or anything like that. Right, they feel like the value that they bring to the community is not valuable enough, that the community would not appreciate it, or anything like that, and they're kind of getting in their head about that sort of stuff. You know, this is what I say to that: you know, you don't need to be the world's foremost expert to actually give back to the community, to provide value to the community, to, you know, do these sorts of things that will actually help people in this community. Really, the way that you need to view it is that what you know, someone else may not know, and if they don't know it and they read your blog or they hear your podcast or whatever it might be, now they do know it and now they're a step ahead, whereas if they didn't encounter that content, they wouldn't have that knowledge, they wouldn't be where they are, you know, with it, right? So it's not benefiting the community for you to keep it all to yourself. There's some really, really smart people out there that you've never heard of, that don't have podcasts, they don't have blogs, that don't really go on social media, don't really, you know, provide very much to the community. But there are, like, freaking geniuses out there, and they think that they're not smart enough, that they're not the expert, they're not the one giving the talk, right, and so who would want to hear from them?
You know, when I was starting this podcast, I had that exact same thought, and there was a good amount of people in my friend group that even said, you know, who's gonna listen to your podcast? I mean, you're not a world-renowned expert. You have no name in the community. No one is gonna recognize you. Why would someone choose your podcast over another? You know, and I approached it from the angle of, they're not choosing my podcast over another, I'm offering things with my podcast that are unique to this podcast. Right, with this episode, I'm not editing it. Right, it is 11 pm on Wednesday. It's going live in an hour. I'm not editing it, I'm not touching it. This is the unedited, uncut, unfiltered, right, episode or podcast that it is, and I'm providing value that is helping people be more successful in this field, potentially. You know, really, that's what it all is. You know, another reason that you would give back to the community, that you would post on social media, that you would contribute to the community more, is about building a personal brand. You know, the easiest way, the easiest times that I've ever gotten a job is when the hiring manager heard my podcast and they understood my personality just from hearing my podcast. Now, that's a really interesting thing, right, because I never thought that that would happen. I mean, I definitely didn't start this podcast to get jobs or anything like that. I didn't think it, I didn't even think that that was a thing, you know. But creating a platform for yourself from nothing, I mean, you can have no connections on LinkedIn and build something up, right, but building a community, building that personal brand, will pay you dividends in the long run, because, you know, God forbid you lose your job, God forbid you have to move to another country, or you have to move to another state, or, you know, you have to take an extended period of time off of work for some unforeseen reason.
You have a personal brand out there, you are contributing to the community, people are listening to you, they're paying attention to you, and so you're not starting from zero. You know, this is giving you a leg up, and so it really makes a difference when you have that personal brand, when you have, you know, something that you have worked towards, where you have, like, a public persona. You know, I don't view it as a public persona, right, because what you see right now is what you get at DEF CON. What you get at DEF CON is what you get when I'm at Jewel, right, like, it's the exact same Joe. I really don't know how to be anyone else. But I think that my audience, and I think that the people that are listening to my podcast from that perspective, are seeing that as well. It's like, hey, this guy is who he says he is. He is not what he says he is not, and that is a rare thing in this world, I think. In my opinion, I think that that's a rare thing, as all these different things are coming out, right, as the Linus Media Group drama came out this week and all that sort of stuff. Right, it's interesting, to say the least. But look, guys, I don't want to, you know, drag this episode along. Right, it's a 30-minute mentorship episode for a reason. It's something quick, easily consumable that you can listen to, grab some knowledge from and excel from, right. So that's all that I have for this episode. I really hope that you enjoyed it. I will absolutely, you know, continue the mentorship episode series next week again. You know, sorry for missing a couple weeks there, but I think I'm back on the wagon now. So, alright, guys, see ya.