Matt Palmer


A personal experience of CISSP boot camp

Information risk and security is an infinite field of work and study. You can spend your whole life trying to gain the width or depth of knowledge necessary to do the job competently, and every day feel you know a little less than the day before.

At the same time, it’s one of the least mature professions you can find. It has been born of a computing industry less than a century old, yet in many ways has grown beyond it. It’s often unclear whether it is a technical field or a management one, with passionate advocates arguing both that there are too many policy wonks and it’s time to get back to our technical roots, and that there are too many technical specialists who can’t see the wood for the trees.

Choosing CISSP

Against that background it is no wonder there is a deep cynicism about training programmes and professional qualifications in particular. The one qualification that employers seem to value above all others (apart from experience) is CISSP. It requires both technical understanding and business context. As such, it’s seen as rather hard and therefore a good differentiator.

With that in mind I decided to try my hand at it last year. Comments from industry colleagues and a quick reading of the syllabus convinced me that, whilst I’d have to call on all my experience in IT, business and risk, I would also need some form of refresher training to stand any chance of passing. In some areas my knowledge lacked depth, in others width. I also lacked time.

Choosing Firebrand

I rapidly found that the information security training market was fragmented, with no clear or consistent view of the quality of courses or training providers. I was particularly concerned that it would be impossible to cover the CISSP syllabus in a short course. After some months looking in detail into the options and talking with colleagues, I picked a 7 day residential intensive CISSP boot camp from training provider Firebrand, and tried to arrive with an open mind.

I was pleased I did.

The Course

The instructor – flown in from the US for the course – was unquestionably an expert and able to explain theory both clearly and quickly. This was essential, as to pack the course into the week and get us prepared for an exam on day seven required an early morning start, full morning and afternoon sessions, and for many a return after dinner for more study. We rattled through at a rate of two domains per day for the week, returning at the end of the week to those areas generating most concern.

The hardest thing about such an intensive programme was staying awake and engaged, but fortunately the sessions were run in an interactive way that maintained interest for most throughout. It was sometimes brain overload, but that is I am sure inevitable given the nature of the syllabus.

Course materials were good, being based on ISC2’s official guide to the CISSP examination, complemented by an instructor who knew the strengths and weaknesses of the text and where to look for additional information and explanations.

Facilities

The location itself was a self-contained business park and golf centre with an on-site gym and plenty of car parking and fresh air, easy to find and just off the main road. For supplies the nearest supermarket was about 5 minutes in the car, though with stationery, food and coffee included there wasn’t really anything you needed.

Given the intensive nature of the week you do need good accommodation, excellent food, and opportunities to relax. I rapidly found the gym next door (full gym facilities including a pool, with day membership available from the centre for a fiver), whilst others, including the instructor, were braver and opted for the bar. By day 2 I had a routine going – gym, breakfast, course, lunch, course, dinner, and back to my room to catch up on the world. It worked.

The food was excellent and there was always enough of it, although you had to order at lunchtime and it was easy to forget your choice at the end of the day.

The accommodation was basic but clean and acceptable (good bed, desk, chair, television, plenty of plug sockets and free coffee) and let down only by poor mobile reception indoors. Fortunately reception outside the building was just fine. However, there is really no excuse for not having free wifi!

The CISSP Exam

Exam day itself was almost an anti-climax, with a fairly leisurely start. The exam is scheduled to last 6 hours, but time is not the issue. Nor was refreshment – lunch was laid on in the next room and you took a break for lunch in small groups, basically when you wanted to. The issue with this exam is resilience – after about 100 questions I felt I was losing the will to live, and there are 250 in the exam. Still, the course content and the focus of the instructor were a genuine help, and I came back time and time again to elements of the week that, by putting what you know in the context of ISC2’s requirements, help you answer the question.

People started walking out after about two and a half hours, and I left after three having completed the paper and decided there was no point going back over my answers – that way lies madness! Some others were just leaving when I got back from my post-exam trip to the gym next door, so a few used the full six hours.

Did I pass at the end of the week? Yes, though I didn’t do so well on the mock tests they set during the course and I don’t know whether I would have passed without the course. Part of it is about attitude and approach and understanding the style of questions, and you can’t learn that from a textbook.

Would I recommend it? Absolutely. At the end of the day, this is not an exam you want to do twice! I did gain more than a piece of paper, and a year on I still use the knowledge I gained in my work. If you are going to do CISSP or a similar certification, this is the way to do it.

Footnote

As a brief update, this was written in 2004 and updated slightly in 2024. With a few small differences (such as online rather than paper based exams), it still stands. And I’m still in cybersecurity.
