Getting Certified

Background

I have had a bit of interest in security, since I have been quite paranoid about the data I own ever since my family bought a shared Windows XP PC for the whole family back in 2003. We only had an expensive and slow dial-up connection back then, so we didn’t use the Internet often. I learned how to hide files, manage user accounts, keep access control, and track accesses by trying out the settings provided by Windows XP.

Later on, when we had a better Internet connection at home in 2007, I used to do Google dorking to find information about people I knew in real life and from Internet forums. I spent more time reading free content on the Internet at home (previously I had to go to Internet cafes) and interacting with people online (since I have been a bit of a shut-in). I downloaded Linux, installed it on the old computer I had been using since 2003, learned about UNIX-like OS security, and played a bit of challenges such as Hack This Site.

To be honest, paranoia was the main driver for me to major in computer science when I graduated from high school in 2009 (and later to pursue a master’s degree in information security), since I wanted to avoid having my personal information gathered by someone else without my knowing. Also, during my high school years I had the experience of collecting people’s personal information without them knowing, using various sources available on the Internet and keeping a local copy on my computer.

Fast forward about ten years, and the company I’m working for (Cermati) planned to sponsor one of its engineers for CISSP certification. Our company is a financial technology company and we have to deal with sensitive information of our customers, so we have concerns regarding information security and compliance. As one of its engineers, and probably the only one with prior experience working as a security engineer at this point, I got sponsored to take CISSP training classes and the CISSP exam.

Pre-Classes

I happened to know a bit about the CISSP CBK (Common Body of Knowledge), since in my previous job I was on the same team as a security analyst who knew a bit about several security certification standards. He also once brought to the office the CISSP CBK book he had borrowed from one of his past coworkers.

I personally only knew CISSP as the “managerial path certification” for security professionals, without knowing much about what is covered in the materials. I somewhat knew of the materials required for CEH and OSCP, but not CISSP. I also never seriously considered getting certified before, so I didn’t look too much into them.

So when my current company’s CTO, Oby Sumampouw, asked me to get certified, I started by finding a copy of the CISSP CBK around the middle of 2018. I got one in PDF form, so I put it on my Kindle and spent the whole Eid holiday reading it. I was already familiar with the content of the CBK, since I took my master’s degree in IT and information security in 2014-2015. I didn’t know exactly what the exam would be like, though. After some time researching on the net, it seemed to be a set of multiple-choice questions, but I wouldn’t know for sure whether I could pass it or not.

After the Eid holiday, I told my CTO what I knew about the certification process and asked him whether he’d like me to prepare by myself and just take the exam after some time of self-study. He decided that it was better for me to take proper training, so I was assigned to find a good place for training in Jakarta.

I didn’t know any, so I searched the Internet for a bit and found several. Some were way cheaper than the others, but I didn’t know for sure which one I should take. So I contacted Rendra Perdana Satria, a CISSP holder who is a well-known information security practitioner in Indonesia’s tech startup scene. He told me to register for the training provided by Advanced Technology Pacific, as it was the only one with an official CISSP instructor teaching its classes.

So I finally registered to take the training classes provided by Advanced Technology Pacific.

Training Classes

In the first session I met the trainer for our CISSP training classes, Andang Nugroho. He explained a few things about the certification procedures, and that the CBK I had studied a few months earlier during the Eid holiday was outdated material.

I got a physical copy of the CBK in the first session, which was used for the whole training. The sessions were split across 5 weekends, held on either Saturdays or Sundays. So I had about 5 weeks of training on weekends, starting in the morning and running until late afternoon or evening.

I found the training sessions interesting, as I learned some new things while also refreshing things I’d forgotten. We were given a set of multiple-choice problems to solve as homework after each session, covering the materials we had studied that day.

In the last session, we were given a set of exam simulation questions to solve within a time limit. I didn’t do very well, since I only scored about 64% on the given questions while the passing grade for the CISSP exam is 70%.

It was mid-November 2018, and I set my target to pass the CISSP exam before the end of 2018. So I figured I needed to do more practice tests and review the materials more often.

Preparing for the Exam

To be honest, I didn’t manage to pass the exam before the end of 2018. I aimed to take the exam in December 2018 at first, but during the November-December 2018 period I didn’t do many practice tests or material reviews for the exam preparation, since there were a few more urgent matters at work.

I finally started preparing for the exam during the Christmas holiday, which I spent doing practice tests and material reviews. It still didn’t look that good, though: my practice test scores ranged from 59% to 75%, which didn’t seem good enough to reliably score 70% on the actual exam.

I continued the preparation in January, and the range of practice test scores improved, to 64% to 77%. It still didn’t seem reliable enough, but since the company required me to pass the exam, I talked with my CTO on January 14th to consult on whether I should take the bet and proceed to the exam, or whether he’d prefer me to practice more so I’d have a more reliable chance to pass.

We decided to take the bet, so I took the exam on January 28th. I managed to pass the exam after spending most of the weekends and nights of the last two weeks, starting from January 14th, doing practice questions from Skillset and watching IT Dojo’s daily CISSP practice question series on YouTube.

I don’t know how I scored on the exam; the exam workstation told me that I had passed after the 104th or 105th question. After that, I waited for (ISC)2 to process my exam data and verify the validity of my results before proceeding to the endorsement phase, where I need to be endorsed by active CISSP certification holders to ensure that I have the required qualifications to be promoted from an Associate to a CISSP.

Conclusion

This post should sum up the process I went through to pass the CISSP exam, and give a bit of background on how I studied in the beginning, went for the training, prepared for the exam, and finally took the exam.

To be honest, I think I would most likely have failed if I had gone the self-study route from the beginning, since to pass the exam you need to be able to look at things from a certain point of view. Without looking at things from the right perspective, it’s difficult to decide on the best answer to the given situations.

I’d like to give credit to my CTO and coworkers for their support during the process, to Rendra Perdana Satria for guiding me and giving me a glimpse of what I had to prepare for, to the trainers from Advanced Technology Pacific for preparing me to take the exam, and to friends from the training class who were supportive of each other.

I’m still waiting for my endorsement process to be reviewed by (ISC)2; hopefully it’s going well.