How I Passed The #CISSP #vExpert #VCDX @kmcnam1

May 10, 2021 Bilal Ahmed Cyber Security, InfoSecurity, Security 2


My Background:

My career has covered areas that turned out to be quite helpful. I started at a bank, doing Media Management/Backups/Silo tapes, moving them between sites etc.

I then became a data centre engineer, racking and stacking and cabling

I then joined a BC/DR provider and helped customers test their DR processes and workplace recoveries and just managed services.

I then became a VMware and Storage admin, working on keeping it running and upgrading it all and managing their DR recoveries.

I now work as a Senior Consultant doing migration work and helping customers with changes and joining CAB meetings and all that jazz.

I’ve been through many certification exams; I enjoy doing them as they force me to progress and give me a goal to reach!

The hardest certification I have ever done in IT is the VCDX (VMware Certified Design Expert). You submit a design and all the associated documentation (SOPs, Risk Analysis and the design must cover key areas such as Availability, Manageability, Performance, Recoverability, Security). It then gets peer-reviewed, then you get invited to defend your design decisions and discuss the various bits of your design from a business perspective for about an hour and then you must design a VMware solution at a high level, on the fly for 45mins while the panel pretends to be High C Level people, who really don’t know tech, but do know RPO/RTO/SLAs how much data they can afford to lose and what they are trying to achieve.

The reason I mention this is that it taught me more than anything, it’s not about the tech, it’s about the business and enabling the business. You can’t just pick the tech because you like it or it’s the only thing you know. It has got to make sense, if there is a requirement for ease of manageability can you prove your design meets that, does it work within the constraints the customer has etc.

CISSP:

I took a Global Knowledge 5-day Bootcamp that gave me an exam voucher as well.

I bought the books etc, but I have found over the years, I learn better in a classroom with an instructor and from the video training.

I used Cybrary IT ( https://www.cybrary.it/course/cissp/ ), Kelly is legit, great style of teaching and enough at the high level. Each time I watched/listened to her videos I picked up something I glossed over the first time.

After the bootcamp and watching Kellys vids, I watched Destination Mind Map vids multiple times, they were good and concise and helped bring things together. I kept watching Kellys videos on areas I was weak.

The instructor from the boot-camp sent me these videos to help give me a different viewpoint as well:

When I initially looked at trying the CISSP back in 2018 I bought the Boson questions, but never used them. Reading through everyone’s experiences I bought cissprep.net and studynotesandtheory.com to get an idea of the questions. I am a firm believer you can know all the material but if you don’t know how to apply it to the exam you are going to be in for a bad time.

This is why I love reading exam feedback from people who pass and fail, and the process they went through. You get to learn a lot about tests in general by reading up and researching. The r/CISSP channel is a great place for people wanting to pass the exam.

I used the pockeprep CISSP app at the start and found it decent, but I kept reading people saying the test questions just didn’t reflect the type of questions in the exam. I was thinking there has to be something out there.

I saw people recently recommend two other places for exam questions. I found cissprep.net questions very good, I found studynotesandtheory.com questions, a bit too much and purposely difficult…more so than the exam……Which isn’t necessarily a bad thing. I kept scoring 50-60% on them, and sometimes it was just me reading them too fast. Questions I found odd or couldn’t explain, I researched or emailed the instructor and he helped break down a few bits for me on keywording choices that I was missing. I am in a group with other IT people and I would post questions in there and discuss, most of the time the first response was…that’s a crap question lol.

They reminded me a lot of the VMware Certified Advanced Professional (VCAP) Design Exam you can take, it’s multiple-choice, but since designing is very subjective esp when based on limited info, sometimes you look at answers and think it could be any of them or none of them. Normally in the real world, you would ask for more info, but you can’t do that in an exam.

I watched this video:

CISSP Test-Taking Tactics: Successfully Navigating Adaptive Exams 

To learn how the exam worked, so I learned that:

  • Base 100 questions
  • Up to 20 could be Beta questions with no scoring
  • The first 10 questions, help the engine learn how to proceed and are important 8 domains and that leaves about 80 questions, so at a guess about 10 questions per domain
  • The passing score is 700/1000 but certain questions could be marked higher, so 7/10 questions need to be correct per domain and it needs 95% confidence in your pass
  • If you hit 150 questions or your 3 hours are up, it then decides the result based on the last 75 markable questions you did (not beta), to see if you pass.

I am a firm believer that sometimes you just must take the exam to see where you stand, if you pass it great, if you fail you now know what to expect and what your weak points are to readjust and try again. Otherwise, you could just end up studying blindly and wasting all that effort!

The biggest enemy I realised though was myself. I am so used to IT exams going out of their way to not be difficult, you can usually answer the questions quickly and move on. This exam, the devil is in the detail and if you speed through it, you’re going to miss some bits for sure. So, part of my training was to slow down and read and re-read the question and read it again once more.

I believe the VCDX helped massively in tuning me into the right way of thinking especially for an exam like this. You must have a level of technical knowledge to go alongside your business skills. The VCDX also showed me I have 2 weak areas….networking and security and I have been slowly chipping away at them ever since. I never want to become a badass in them, but I want to have enough knowledge to be dangerous heh.

This was by far the hardest computer-based exam I have taken, all the way through it I was picking answers that I thought could be right but never totally sure. Some answers were just a stab in the dark as I did as much deduction as I could. When it got to 100 questions and it kept going, I was thinking ”so we are now playing the long game are we” lol

You are there to enable the business, help them become security-focused and incorporate security from the start and from the ground up. You need to keep that in mind throughout the exam and just in general these days.

If I had the option to do a review or to create a policy or amend a standard, that was my go-to answer. I wanted a high-level overarching answer where possible. I have the CCNA Cyberops which I think helped as well, although it’s more technical it opened me up to areas I wouldn’t have normally focused on. I did it when they were giving away free training and exams for the beta.

At the start I made some notes on my laminated sheet, the usual stuff:

  • APSTNDP
  • IRDMO
  • ISMRDAD
  • PFSDATCTRM
  • RRATSD
  • DRMRRRL
  • AES/DES/RC4
  • RSA/DSA ECC/ElGamal DH

There was no time after that I needed to look at it, which I was quite surprised about.

I didn’t think I had passed and was making mental notes on areas I knew I just couldn’t answer as well as I thought. I can’t even be totally sure which questions I got right 100%.

After The Exam

I reached out to Katherine McNamara and she was happy to endorse me, as you need someone to verify your work history and who is in good standing with ISC2. So I submitted my work history, you have to supply proof of the roles you have had in the last 5 years and what domains the work is valid for (needs to be across at least 2 domains). I submitted my old work contracts and a full break down of what I did and what CISSP domains they related to.

About 3 weeks later I got this glorious email:

Dear Bilal Ahmed, 
Congratulations! Your application for CISSP has been approved

Hope that helps!


2 Comments

  1. Well done Bilal, as a CISSP myself this is the first exam I truly felt proud of for achieving. The reason for this is that other exams you can simply braindump or look at exam questions and not really understand the content so never really felt any satisfaction knowing I’d passed through real studying.

    As you’ve said, this is a completely different exam and you actually need to understand why the answer is the answer because there are other extremely close answers to choose from which have a minute diference but critical difference. So you need to understand what is the BEST answer using the knowleddge not just from the CBKs from ISC but also actual real world experience.

    To pass this exam, my advice is NOT to rely on any CISSP practice exams even from the ISC apps as well as their CBK. They do help but if you think you’re going to see these in the exam then think again. I’d really recommend reading not just the ISC CBK but also other books from Shon Harris as well as others. If you’re like me and hate looking at a sea of words/text in books, consider Audible and listen in your downtime.

    Another thing to consider is to speak to other CISSP holders and also look at LinkedIn as there always a few quizes which gets the brain going.

    In terms of the exam approach, just remember the priorities and principles of Security and answer if you were a manager/director and you should be good to pass. If you don’t, then don’t get disheartened, it’s a tough exam for a reason but when you do pass it, you’ll have a great sense of achievement.

    Good luck all!

    Reply

    • Yeah, you can watch all the videos and do all the training, but you have to understand the impact of everything. I think a lot of the issues are similar issues I see with people taking the VCDX (myself included). You can come in too tech-focused when really you are there to enable the business and enable them to reach their goals.

      With the CISSP it’s all about helping them meet their security goals by giving them enough security to enable them without it becoming a hindrance. You have to think about the overall processes and chain of command, you’re there to enable, creates processes, you aren’t there to physically go add firewall rules (you help create the processes which allow people to do that under change control etc).

      Just like you, I am not much of a book reader, I like using books for quick reference, but I’d rather listen or watch videos on topics.

      I can totally see why people fail it and the questions really have you pondering, it took me ages to retrain myself to slow down and read and then reread and then reread the question again before picking an answer.

      Reply

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.