Cyber Work

CISSP exam tips and tricks: Top test-taking strategies | Cyber Work Hacks

March 15, 2024 Infosec

Infosec and Cyber Work Hacks are here to help you pass the CISSP exam. Today’s Hack is part two, so I encourage you to go back and listen to part one of Steve Spearman’s CISSP exam tips and tricks. In part two, I pass the mic to Spearman to give you his top five test-taking strategies for the CISSP. What’s the Sesame Street rule? How does the CISSP feel about absolutes? Keep it here, and you’ll find out in part two of this week’s Cyber Work Hack. 

– Learn more about the CISSP: https://resources.infosecinstitute.com/overview/cissp/
– Get your free ebook, "CISSP exam tips and tricks (to ace your exam on the first try)": https://www.infosecinstitute.com/form/cissp-exam-tips-ebook/

1:30 - Look for absolutes in questions
3:17 - The Sesame Street principle 
4:45 - Watch for algebraic equations 
6:23 - Look for the "golden words"
7:38 - Change management is likely the answer
8:55 - Keep an eye on senior management and impact
10:19 - Think like a CISO
11:53 - Outro

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.


Chris Sienko:

Hello again. Infosec and Cyber Work Hacks are here to help you pass the CISSP exam. Today's hack is part two, so I encourage you to go back and also listen to part one of Steve Spearman's CISSP exam tips and tricks. In part two, I pass the mic to Steve and he gives you his top five test-taking strategies for the CISSP. What is the Sesame Street rule? How does CISSP feel about absolutes? Keep it here and you'll find out all that and more on today's part two of this week's Cyber Work Hack.

Chris Sienko:

Hello and welcome to a new episode of Cyber Work Hacks.

Chris Sienko:

The purpose of this spin-off of our popular Cyber Work podcast is to take a single fundamental question and give you a quick, clear and actionable solution or a new insight into how to utilize Infosec products and training to achieve your work and career goals.

Chris Sienko:

So this is part two of a hack that just appeared on your feed, probably just before this one here. I've been talking with Steve Spearman about his tips and tricks for taking the CISSP exam. If you haven't listened to part one yet, please do so. We talk about why the CISSP is such a challenging exam to take, what some of the most common mistakes are that people make, either leading up to the exam or on the day, things to do if you pass, things to do if you fail. But Steve let me know at the end of that that he has lots more advice for you on taking the CISSP and more tips and tricks in the moment. So I'm just going to kind of give this over to Steve Spearman and say, Steve, could you give us some more of your tips and tricks for taking the CISSP?

Steve Spearman:

Love to, absolutely. So in part one we covered two of the tips, which are: take your time, most important. Second is get in the habit of eliminating wrong answers as you're taking the exam. The other thing, too, is look for absolutes. This exam does not like absolutes, unless it's asking for a negative. So let me give you an example.

Steve Spearman:

Let's say you have a question that says Sally is the new CISSP for ABC Corporation. In her role, what should she focus on? And answer C says eliminating all risk. So words like all, always, never, only, things like that, are absolutes. This exam does not like absolutes. You cannot eliminate all risks. So C is not the answer. Okay, reshift your focus. Now, what if it says which one of the following should not be a priority for Sally as the new CISO? And C says eliminate all risk. Can you see how, in that context, C is correct? It is not something that she should focus on. It's not possible for her to eliminate all risks. So look for absolutes.

Steve Spearman:

This exam does not like absolutes. Look for only, must, always, never. You know you've heard the whole marriage thing: you always, you never. The marriage counseling thing, you always, you never. It's like this exam doesn't like those things either. Marriage counselors don't like it. ISC2 doesn't like it. Okay, so look for absolutes. It doesn't like them, unless it's asking for a negative.

Steve Spearman:

So the other thing too is what I call the Sesame Street principle. That is, if you have a question where three of the four answers are kind of categorically the same but one is different, it's not, it's set. The Sesame Street principle is from the oldest thing: which one of these is not like the others, Sesame Street? So let me give you an example. You know a question, we won't even say what the question is, it's yada, yada, yada, blah, blah, blah, question mark. And it says something like, here are the following answers: A, EIGRP; B, OSPF; C, DNS; and D, RIP. Okay, now, those are all sort of technical terms. You may or may not be familiar with them, but the thing to note is A, B and D are all routing protocols. They're all routing protocols. You would become familiar with those during the bootcamp, but the point being is that the answer is most likely DNS. It's the one thing that's not a routing protocol. Very useful trick to sort of think about. If you have answers that are categorically the same, most likely they are not the answer. Look for the thing that's not like the others. It's called the Sesame Street rule.

Steve Spearman:

The last thing is what I call doing the algebra, and this is actually, attending the bootcamp, we'd actually practice this in a lot of different ways, but it contains within. I'm not a math person, but it's like I do remember this from my algebra days. If you have an algebraic equation that has the same integer on each side of the equals mark, Chris, do you remember? You remember what you can do with those things? You can eliminate them, right? You can mark through them. They have no relevance on the thing.

Steve Spearman:

So what you'll find is some categories of questions that reuse sort of the same thing in, like, a list. For example, it might say, what are some ways that encryption can be used? It might list confidentiality, non-repudiation, blah, blah, blah, but it might have confidentiality in all four of the answers. Well, you know it doesn't have any relevance to the answer, and this idea is something. There are different ways that it can help you break down questions really quickly. So it's like learning. It's something you can practice. Again, in bootcamp we actually get more into, like, understanding this principle, but it really does manifest itself. And just being aware that if something is in all the answers, it doesn't have any relevance, it can help you quickly break down a question to the components within the answers that are going to impact, you know, whether it's right or wrong.

Steve Spearman:

And then, lastly, is what we call the golden words. The golden words are words that, you know, 75, 80% of the time, if they're in one of the answers, it's likely the right answer. Remember, this is a management exam, so this is words like business or organization or whatever. So business strategy, business goals, you know, business objectives, business risk, basically business anything. Good chance it's the answer.

Steve Spearman:

Risk. Risk is a concept we really dig into. This is a risk management exam and it's kind of the highest order thing that we care about. Do we care about threats? Sure. Do we like vulnerabilities? Absolutely, but mostly we care about those things because they tell us what our risks are. So if you see a question where it says threat management or risk management, the answer is risk management. We care about threats, but mostly because they inform us about what our risks are. I give a nice succinct definition of risk in the bootcamp, but, you know, risk is related to threats and vulnerabilities, and that's the highest order thing that we care about. Change management. Change management is often the answer, and it's even more so than the others that we talked about. It's like if it's the only answer in a question, there's really, like, a 90% chance that it's the answer.

Chris Sienko:

So can you, can you break down the idea of change management a little bit?

Steve Spearman:

Well, change management, of course, is the concept that when we're undergoing some changes, often referred to in software development, but in any context where we want to make a change, policy, things like that, you want to use change management procedures. Got it? You know, these are often initiated in a ticketing system with a change request ticket, etc. And then you just manage it, document the changes, all that sort of stuff, rather than just running willy-nilly. Yeah, yes, yes. Classification and conversation, slightly different concepts but very similar concepts. I won't get into it now. But you know, you classify documents. Is it secret? Is it top secret? And then you associate a baseline with that, like what are the protections you want for that? So documentation is also a golden word. It's used when we're talking about software development as well as compliance. We have to document our compliance. It's accountability tied to responsibility.

Steve Spearman:

By the way, in this exam, if it says senior management is accountable or senior management support, it is so likely going to be the answer.

Steve Spearman:

It's like you have to have senior management support. And then, lastly, impact, to which I would also add likelihood. Likelihood and impact are combined together as concepts to determine the level of risk. So if something is very likely to happen, and if it happens it's really bad, like ransomware. You know, 85 to 90% of healthcare organizations, as an example, have experienced a ransomware attack. Likely to happen. If it happens and it's successful, it's a bad day. So it's like we use impact and likelihood to rank. We have to care about the impact.

Steve Spearman:

And then, lastly, there are going to be some words, some questions, where we can match terms in the question to something that's, you know, in the answer, so we can just look. For example, if it talks about enforcement in the question, it might use the word enforce in the answer, and that kind of helps clue you in to that. So those tips together, if you combine that with take your time, eliminate wrong answers, and you practice, you've got to practice all these ideas, they can really help you a lot in terms of taking this exam. Fantastic.

Chris Sienko:

I think that's gonna really... I think this is gonna be... People are gonna be rewinding and taking notes on this one. I think this is gonna really help people with the exam, you know, and just to editorialize a little bit.

Chris Sienko:

I think it's worth remembering that, you know, like you said, as much as we, I think, as cybersecurity people, like being involved with dealing with vulnerabilities, dealing with breaches and so forth, the CISSP is ultimately for people who are going to be the decision makers of the company. So of course you're gonna talk about risk, of course you're gonna talk about management buy-in. So you have to be sort of also thinking like the manager that you are hoping to be, or the CISO that you're hoping to be, ultimately, because this is, you know, I would imagine that some of the technical stuff is almost kind of sort of like a shiny bauble that you have to kind of... yeah.

Steve Spearman:

I know, you have to. You absolutely have to be careful of things. It's very tempting. Say the scenario, let's say they spell out a scenario, and let's say one of the answers is MFA, and let's say it's correct, it could actually be a true solution. But if one of the answers deals with some management or governance concern, like policy, yep, that's almost definitely the answer. It's not that we don't care about technical solutions, but this is a management exam, so we have to think about it at that level. So you have to think. You don't ask yourself what would you do at your work or your job. You have to think like a manager, understand, you know, how can we manage?

Chris Sienko:

You know, you're not just taking the exam, you're growing into your next position. Ultimately, you're thinking exactly.

Steve Spearman:

Yeah, that's exciting.

Chris Sienko:

All right, well, I'm gonna leave it at that. So, Steve Spearman, thank you so much for talking us further through the CISSP. This was absolutely invaluable. I really appreciate it.

Steve Spearman:

No problem, it's my pleasure.

Chris Sienko:

And thank you all for watching this episode. Again, check out part one as well. You're gonna get a very good overview of the CISSP and it's gonna take a lot of fear out for you. If you enjoyed this video and felt that it helped you, please share it with your colleagues on your forums of choice, social media accounts, whatever you want to do, and definitely subscribe to our feed on your podcast catcher of choice or our YouTube page. You can type in Cyber Work Infosec into any of them and it'll get you there lickety-split. There's plenty more to come, and if you have any topics you want us to cover, just drop them in the comments below. But I'll leave it at that for now. Until next time, happy learning. Thanks again.