How to Pass your CISSP Exam

EP 75: How to Pass your CISSP Exam


About this episode

March 16, 2021

How do you prepare for the CISSP exam and what should you expect? Listen to Jake and Kip tell you how to prep for the exam using a 3-point plan. Your hosts are Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, JD and Cybersecurity Practice Lead at Focal Law Group.


Episode Transcript

Kip Boyle: Hi, I'm excited to share that we have a new free bonus just for you.

Jake Bernstein: We've started publishing our very own quarterly Cyber Risk Management journal. It's loaded with over 30 pages of useful content taken directly from our podcast. Here's how we make each new edition.

Kip Boyle: We start by transcribing the four or five episodes that we've published in the previous three months.

Jake Bernstein: Next, we send our editor and designer the transcripts and our supporting materials for those episodes.

Kip Boyle: Then they revise all the text. They put clickable links in for all the resources and they create the best look and feel for each episode.

Jake Bernstein: And finally we, Kip and I, make sure the finished PDF is ready for you.

Kip Boyle: So download the current edition now. All you have to do is go to, that's the letter B.L-I-N-K/C-R-M-J.

Jake Bernstein: And if you like it, share it with your friends and encourage them to subscribe to the Cyber Risk Management Podcast. Now, on with the show.

Speaker 3: Welcome to the Cyber Risk Management podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity council is Jake Bernstein. Visit them at and

Jake Bernstein: So Kip, what are we going to talk about today?

Kip Boyle: Hey there, Jake.

Jake Bernstein: Well.

Kip Boyle: I recently got asked this question about, how to pass a CISSP exam? And I get that question periodically. So it's a perennial favorite. So I thought we should probably talk about that. And then in the future, when somebody asks me, I can just say, "Well, there's a podcast episode about that."

Jake Bernstein: We can do that. It turns out we've both passed our CISSP exam. So let's share what we know. But first I feel that we should discuss something truly important about this exam.

Kip Boyle: All right.

Jake Bernstein: That is the appropriate pronunciation of CISSP.

Kip Boyle: Does it need a pronunciation?

Jake Bernstein: So I recently referred to it as the CISS P and I got yelled at by someone who's very well known in our industry group, Jean Pollock. Shout out to Jean, if she happens to listen to this episode. She scolded me and said that it is CISSP and it shall not be called CISS P. However, I was not the one who started the CISS P, but who I heard that from, but if I slip into calling it CISS P, ultimately I either apologize or do not, depending upon your preferred pronunciation.

Kip Boyle: I'm going to keep tally marks and I'm going to report you to Jean. God bless Jean, because that's so funny, because I was just saying that like, "Why does it need a pronunciation?" Well, so I guess full disclosure mode, you're actually, you're an officer, right? In the local chapter of (ISC)². Are you not?

Jake Bernstein: crosstalk and in fact this is the perfect episode to pitch membership in the local (ISC)² Seattle chapter. It is brand new. This episode is being recorded in late January 2021. And the group received its certification from (ISC)² within the last week. So this won't air for quite some time, hopefully by the time this-

Kip Boyle: Mid March.

Jake Bernstein: Yeah, by the time this episode is sent out for everyone to consume, we'll have had a good couple of meetings and be established as a chapter, but I highly recommend you to check it out. We will, we take, we're certainly interested in having people join who aren't yet CISSPs.

Kip Boyle: I didn't know you could do that. That's good to know.

Jake Bernstein: You can be an associate member, which means... And get help actually becoming a CISSP. So this is not merely pitching membership in a fun little club. It is directly applicable to actually passing your CISSP exam. So now that we've said CISSP/CISS P so many times, let's just make sure people know what we're talking about.

Kip Boyle: Yeah. What is a CISSP?

Jake Bernstein: It stands for Certified Information Systems Security Professional. And as I've been mentioning, it is a certification from (ISC)². I don't actually know what (ISC)² stands for, but-

Kip Boyle: I can tell you, (ISC)²... You ready for it? I mean, there's a reason, why there's a two, there's a reason why they squared it. Okay. Here we go. It's the international information systems security certification consortium. My God, what a mouthful.

Jake Bernstein: Wow. Okay. So that does explain the... It's actually ISC in parentheses and the whole concept is squared.

Kip Boyle: Yeah. I don't know if that's mathematically correct, but it's fun.

Jake Bernstein: It could be, it is mathematically correct, because although I don't think it would expand as a binomial properly. Anyway, wow.

Kip Boyle: I'm so sorry everybody. I took us into math.

Jake Bernstein: We haven't recorded in a while. Kip, we're all very happy that you recovered successfully from COVID-19.

Kip Boyle: Oh my God.

Jake Bernstein: So now that's out of the way, let's actually go ahead and move into content that people want to hear.

Kip Boyle: Yeah. And by the way, COVID-19 is a sneaky little bugger of a virus. I don't recommend it. I didn't have to see a doctor. I didn't have to go to the hospital, which was wonderful. For a person my age, I feel like I got off easy, even though I couldn't work for over two weeks. It was just...

Jake Bernstein: We're all glad that you are no longer as miserable.

Kip Boyle: Yeah. Thank you. Okay.

Jake Bernstein: One thing that I want to get out of the way right away is, I think there's many different types of certifications out there. One could say... And there's a difference between certifications and degrees. So for example, someone with a PhD or a JD, that indicates that you have simply completed a certain amount of education and graduated. A certification is something different. And the important thing to understand about the CISSP is that it is not an entry level certification. I think a lot of people are confused about that. And one of the things that I get asked sometimes is, "Well, should I go get a CISSP in order to get into the industry?" And the answer is, "It doesn't really work that way." Does it Kip?

Kip Boyle: No, it just doesn't work that way. I mean, it's... And not their fault. I mean, the people would think that, because a lot of job descriptions imply that it's an entry level certification. And so there's a lot of misinformation out there. But you're right. It is not an entry level certification. And anybody who tries to cram it into an entry level situation, that they find themselves in. Really I think you're just making your life way more difficult than it needs to be. I would redirect you to a security plus certification, there are others that I think would be much, much better suited.

While you accumulate the minimum five years of direct full-time security work experience in two or more of the information security domains in the common body of knowledge. I mean, five years, okay? And the test, I think, reflects that, right? So I'm glad we got a chance to dispel that. Now, you can get one year of the five years waived by having a bachelor's degree. And there's a couple of other little things you can do to get a year shaved off, but that doesn't change the fact that this is not entry level.

Jake Bernstein: No, it's not entry level at all. And talking about the test, I think, will indicate that. So the current, the modern version and Kip can give ancient paleolithic history on the exam, it's a multiple-

Kip Boyle: I knew that was meant for me.

Jake Bernstein: Oh yeah, it was. It's a multiple choice exam, you have up to three hours and will get up to 150 questions. It is a computer adaptive exam or computer adaptive test. I don't know. So what it means is that the test is actually run by algorithms. And as you answer questions, the more you get right, the harder the questions will become. And unlike a traditional test, an adaptive exam seeks to actually have you get about 50% wrong, which would be an, that's an F by 10%, that's an F, right? Under the old standards of evaluation. But scientists and mathematicians and other experts tell us that computer adaptive exams are actually better at evaluating expertise than traditional exams.

I believe it's a minimum of a hundred questions. So basically there's about 50 questions, about 50%, actually you may or may not see, there is a scaled score of 700 points or greater out of a thousand possible points. I think 700 is what it takes to pass, but it's not like it's a, there's not a direct correlation, like I said, this is all algorithms. And you actually have to achieve a passing score in all eight knowledge domains.

Kip Boyle: Right. So you could be really strong in seven, but on the 8th, and you're not getting crosstalk.

Jake Bernstein: You're not getting it, no.

The fee is $700 to take the test. I think that's up a little bit from when I took it a few years ago. The renewal is honestly pretty minimal at $125 per year. And one thing to point out about the CISSP is that it actually reminds me a lot of having a bar number, because you have to have CPEs, which are continuing professional education credits. I'm used to thinking of them as CLEs, so if I accidentally say CLE, I apologize. I mean CPE, but it's continuing ed like many other forms of professional-

Kip Boyle: You're a professional student then, aren't you?

Jake Bernstein: I mean, aren't we all in some way?

Kip Boyle: If you're in this career field, you certainly should be.

Jake Bernstein: We certainly are.

The CPE requirement is actually pretty high. It's 40 credit hours per year, over in a... And then times three reporting, what I consider it to be your reporting period is three years. So every three years you have to have finished 120 CPEs. Interestingly enough, my law license only requires 45 over three years. So...

Kip Boyle: I was wondering about that.

Jake Bernstein: And I think it's, I will say that the standards for what a CLE credit is, are a lot higher and more strict than a CPE. And the CPE is all self reported, though it can be audited. Whereas a CLE is managed by the state bar association. They're similar, but I wouldn't make the mistake of thinking that, "Oh, you know,-"

Kip Boyle: It's not one for one.

Jake Bernstein: It's not one for one, and I would not call the 40 CPEs three times harder to get, than the 15 per year CLE credits that you need as a lawyer.

Kip Boyle: I think, it reflects just the pace of change. I think, that's one thing that you're seeing there right is that the pace of change in each of the disciplines is a little different.

Jake Bernstein: Yeah.

Let's maybe talk a little bit about... Before we dive more into the test, let's talk about what the CISSP means and why you might want it. My impression is that it is considered the top level security related certification for managerial and leadership positions. It is, I think it's important to say, what it is not. It is not a hacker certificate. It is not... You have to know a lot of technical detail, but it is not a technical exam. Or I should say the certification is not a technical certification. Someone with a CISSP is probably not going to be personally programming firewall rules.

Kip Boyle: You might, but they don't correlate directly.

Jake Bernstein: They don't correlate directly, and this is not like an A plus certification or a CEH or any of the other many, many, many certifications.

Kip Boyle: Like CPAs.

Jake Bernstein: Yes, exactly.

Kip Boyle: Cisco certs, whatever. I mean, there's lots of really technical ones. This is not really technical.

Jake Bernstein: No, it really isn't. Another thing that makes it very similar to a law license is that it comes with its own ethical code, which I think is great. I think it's actually a really important part of it. I think it's one of the reasons that (ISC)² has really established itself and maintained its hold on what this certification means. So when you become a lawyer and get sworn into the bar, you take an oath on the constitution, et cetera. It's not quite that-

Kip Boyle: You become an officer of the court, don't you?

Jake Bernstein: You do. Yes, you do. And it's-

Kip Boyle: I learned that by watching Better Call Saul, by the way. Isn't that terrible?

Jake Bernstein: Yeah, that is terrible. Anyway, though you do not become an officer of the court with a CISSP, I do believe that you do enter a profession where there are ethical responsibilities. So it's a lot more than just one of those technical certifications, I guess, is what I'm getting at. And that's a large part of why it's not entry level. You can take the exam whenever you want, actually, but you cannot complete certification until you have four to five years of experience and you need a sponsor.

Kip Boyle: Yeah. You need another CISSP in good standing to say to the association, "Yeah, let Kip in."

Jake Bernstein: Yep, to vouch for you.

Kip Boyle: Yep.

Jake Bernstein: By the way, lawyers need two sponsors to gain entrance to the bar.

Kip Boyle: It just makes me wonder how closely (ISC)² modeled on legal, on the process of becoming a lawyer.

Jake Bernstein: I would say they definitely looked-

Kip Boyle: crosstalk.

Jake Bernstein: Yeah. They looked at it for sure. And I think, that if you look over the eight domains, is what they call it, you'll see that there's, it's a wide ranging certification ground.

Kip Boyle: Oh yeah.

Jake Bernstein: That's what makes the exam difficult to prepare for. So the title of this episode is Passing your CISSP exam. And so let's maybe move into some of that.

Kip Boyle: Okay.

Jake Bernstein: So we already know the version I took. Kip, why don't you tell us the version you took?

Kip Boyle: Okay. You took the version that you described, which is the adaptive exam.

Jake Bernstein: Yeah.

Kip Boyle: Sitting at a computer and so forth.

Jake Bernstein: And it was in 2018, I believe.

Kip Boyle: 2018. Okay. All right. This is where I get to go into full disclosure mode. I sat for my CISSP exam in May of 1997. So the credential was only three years old at that time.

Jake Bernstein: Kip, I have to point out that I was a sophomore in high school in May of 97.

I just want you to know that.

Kip Boyle: I wept for the future.

Okay. Anyway, what was I? I was a captain in the air force. I was on active duty and uncle Sam decided that this was a good thing for me. So uncle Sam actually, generously and without asking for very much in return, got me ready for the exam by putting me through a prep course. And then flew me to Dallas, Texas. Actually, each prep course was in a different location around the US. So I did one week of prep in Nashua, New Hampshire and then I did another week of prep in Dallas, Texas. And then I went back to Dallas, Texas to take the exam. It was totally different than what it is now.

So I will entertain you by telling you a little bit about how it was different, but it's completely irrelevant. Think about a big conference room, a very large conference room. There were about 50 test takers in the room. This is so old school. It was like I was going to take an SAT exam: super formal atmosphere, dead silent room. We had number two pencils. We had a little pencil sharpener in the back of the room. Everybody brought Scantrons to bubble our answers into, there were roving test proctors, and we had six hours. And, but you had to answer, I mean, you really had to answer every question. I mean, there was no adaptive anything. And yeah, that was what I did.

Jake Bernstein: Wow, Kip. Did you have to fend off any dinosaurs when you're trying to get into the building?

Kip Boyle: Oh gosh. You're just so irreverent. No.

Jake Bernstein: To be fair, you wrote the script and since you put that in there, I had to say it.

Kip Boyle: Yeah well, no, you really didn't. But...

Jake Bernstein: Oh no, I did. It's right here. In fact, I didn't say OMG exclamation point.

Kip Boyle: Well, I didn't have to worry about the dinosaurs because there were armed guards. They took care of them for us. So I was not burdened with that. And I had to pass the exam, but I'm not going to tell you any more about how I took my exam or anything. Because it's just not going to help anybody. But you took the exam that's available now, on the common body of knowledge that's currently being tested.

Jake Bernstein: Yeah.

Kip Boyle: So what did you do to get ready?

Jake Bernstein: I did a couple of things. The first thing that I did was download the exam outline, which anyone can get on (ISC)²'s website. You just go and, you can probably just Google CISSP exam outline. And I looked it over and I thought, "Huh, I know some of this stuff, but I don't know nearly enough." And I thought, "But you know what? This would be super helpful." And I thought that I wanted to get it. So I, at one point, I want to say it was March of 2017, I did a month-long bootcamp through the local ISSA chapter. As I mentioned, Jean Pollock, hello again Jean, was one of the instructors. We had a whole bunch of instructors, all from ISSA, and I think it was a relatively inexpensive course. It was like six or seven hours on four Sundays in March. And humorously enough, I didn't actually sit for the exam until May of 2018. So over a year and three months later, almost three months later, we can get into why that was, but-

Kip Boyle: That's an evergreen challenge for anybody that's got a working life and of family.

Jake Bernstein: It is. But I would say that the bootcamp course was more of an introduction. There's no way, I don't think you could pass the exam only doing something along those lines. And it wasn't meant for that. It was really meant to familiarize you with the material, so that you could self-study and succeed. And there's a lot of different strategies for doing this. I think, I probably had an advantage in so far as I have, I went through law school then took the bar exam, which by the way, interestingly enough in Virginia, you must wear a suit to sit for the bar exam still to this day.

Kip Boyle: No, I can't. I cannot resist telling you that what immediately flashed through mind was My Cousin Vinny and the ridiculous suit.

Jake Bernstein: crosstalk. Regardless of what it was, if you thought your CISSP test was formal, it has nothing on the Virginia bar exam. Here in Washington, you don't have to wear a suit to take the bar exam. It is, however, three days.

Kip Boyle: Wow.

Jake Bernstein: Not six hours. So, you know-

Kip Boyle: Is it computer or paper based?

Jake Bernstein: You bring your own computer, it's essay. Actually, when I took it, it was all essay. I think it was 18 essays over three days, split between the common law and statutory stuff, and then a separate ethics portion, but that's the bar exam. This is not... The modern bar exam is actually more like the modern CISSP, though it is not yet adaptive to my knowledge. So-

Kip Boyle: Okay. But you, so for your CISSP then just to summarize a little bit, you brought your expertise in experience of going through law school, sitting for and passing the state bar exam. I mean, you're a professional test taker.

Jake Bernstein: In a way, I think that's a fair accusation perhaps. But regardless, and we can talk more about this, but the very first thing is, and the reason that is relevant is that I know, and I knew then, and as I know now, how I learn, right? And that is really the key, it is. I'm not going to sit here and say that, "You should all do what I did." Because that's not guaranteed to work for anyone but me. I'll tell you what I did, but I think, Kip, you had some ideas about, in fact you have a three point plan, which I don't want to spoil, but spoiler alert, point one is know and play to your test prep strengths.

Kip Boyle: Yeah.

Jake Bernstein: And you have to use that. So for me, here's what I did. I picked a book. It was the one that was written by Eric Conrad and another author. It's CISS P... Oh, I just did it see, it's one of the-

Kip Boyle: crosstalk.

Jake Bernstein: It's, yeah. It's one of the CISSP prep books. And I just read that book. I went through it and much like I did throughout law school. I took my own notes from the book as I went and then I studied what resulted from that, and the reason that's important and that it works for me is that, if you just read something and highlight it, you're not really going to, you're not necessarily going to retain it. Whereas if you rewrite it in your own words, it's more likely to stick with you. So that's how I did it in a nutshell, even, it's not that it took me a year and two months to take the exam, because I was studying that whole time, here's my full disclosure. By the time I actually scheduled the exam, I probably did most of my reading and note taking in the prior six weeks.

Kip Boyle: Oh yeah. That's typical. I mean, a lot of people find themselves in that situation.

Jake Bernstein: And I think, and I'm not even sure if it's, there's anything wrong with that. I think that's just how it is. So now I will say it does help mentally, when you are... If it's your job, then you're going to see things that make it a lot easier to do. I mean, for example, I was already... Kip and I were already working together, I don't know if we'd started the podcast, I don't think we had. But we were already definitely doing things together and so I was able to take experience, link it to the material and continue from there. And that's why even as a lawyer without any kind of sys admin or network administrator experience, I was able to pass and then get invited in. That was how I did it. So Kip, how about you take us through the rest of your three point plan.

Kip Boyle: Yeah, absolutely. And I hope that you're going to find that this three point plan will be useful for whatever test you need to take and pass, right? So it's generic in that way, but I got to tell you, I have in the past helped people get ready for the CISSP that kind of bootcamp, the month of Sundays approach that you talked about, I've facilitated that before. And so I've seen a lot of people really just kind of crash on the rocks because they don't understand how they learn. And so they borrow other people's learning strategies and it doesn't fit. So, okay, here you go, three point plan. Jake, you already said the first one, know and play to your test prep strengths, number two, use that knowledge to prepare for the exam and number three, importantly, schedule and take the exam.

You'd be amazed at how many people just don't really get around to that. Their entire goal of becoming a CISSP just disintegrates like so many AC/DC songs. So this is a very simple plan, but again, if you're a full-time employee and you don't have a lot of spare time to study, it's going to be difficult. If you're not getting employer help with the accountability part of this, and with test fees and study material expenses, then it's going to be even more of a monster. So let's just go through this. Okay, do you know how you learn best? That's step one, you have to know, and if you don't know, then you need to find out. And there's different ways you can find out. You can reflect on your experiences in school and what worked and what didn't work.

You can actually go and take a test to find out what your learning styles are. And I'm not going to point you at a specific test. There's so many of them. And I want to be careful that I don't make this episode any more stale, any faster than they typically do. So, but just know that you've got to know yourself, you've got to know. So what are some of the different learning styles? Well, you might be a very visual person, or you might be an auditory learner, there could be a physical component to learning for you. There's so many, there's probably a dozen different learning styles. And it turns out that many people learn best when they mix learning styles. So this is... I know about my learning style, right? So if I was going to take the CISSP again, I would probably listen to a lot of the prep material.

I would probably listen to a podcast or I would put YouTube on and I would listen to YouTube prep videos, and I would combine that with something physical. So for me, that means walking, typically walking. So I would go on a long walk, maybe a 45 minute walk or an hour long walk, and I would listen to some kind of audio prep and I would do it alone. I'd put my earbuds in and it would just be me walking and listening, that's so effective, for me it's a great combination.

What do you know about your learning styles?

Jake Bernstein: For me, I gave that hint earlier. I do best with lectures that I listen to and then I have to read and then rewrite in my own terms.

Kip Boyle: Okay.

Jake Bernstein: So I have-

Kip Boyle: There's a physical thing going on there too, right? The rewriting process-

Jake Bernstein: The rewriting process.

Kip Boyle: -and note taking process.

Jake Bernstein: Yep.

Kip Boyle: Is a physical thing, is kinaesthetic, and I have that too. I don't tend to take notes as much anymore these days, but when I was younger, I would take tons of notes. I would never look at any of them, to be honest with you, but I would take them because the process of making the notes with a pen and ink, and a piece of paper would sink these ideas into my brain. And so that made a ton of sense for me.

Jake Bernstein: Yeah. One of the tricks I learned in law school for law school exams was, sometimes they would, the professors would allow you to bring a single page into the exam. And I rapidly learned the power of text boxes onward. So I would make these incredibly elaborate one page cheat sheets. That were permitted, so I guess, they were just sheets, not cheat sheets. And it wasn't so much that, I mean, yes, it was useful to have the piece of paper, but if you were going to rely on finding stuff on your piece of paper with six point font, you were in trouble, the process of making the sheet was the best studying that I found.

Kip Boyle: Yeah. That's a good point. That's an extremely good point. Okay. Cool. All right. So that's step one, know your learning style and then create a study plan that plays to the strengths of your learning style. Okay, so that's number two is make that study plan. Okay. So let's talk about this briefly. So if you are a visual learner, then you could mind map, right? The material that you're learning, you could use colored highlighters to mark up your study materials, right? And you could actually say, "Well, red means this and green means this and yellow means this." Or you could actually watch CISSP prep videos on YouTube, right? So visual, think about visual things that you can do. If you are a talker, because sometimes I like to process out loud, so I would form a study group and I would take turns quizzing each other in the study group.

And these days with Zoom, that should be pretty easy. But this study plan has to also factor in the reality of your life. So don't get too ambitious. If you can only do an hour a day early in the morning before everybody else gets up, or an hour late at night after everybody in your house has gone to sleep, if that's what you can do, then just embrace it. And don't get all salty about the fact that it's going to take you a year. It took Jake over a year. And so if it takes you over a year, that's all right, that's what you can do. That's what's most important about your study plan, and if it takes you a year and you're playing to your learning strengths, then that's perfect. You're probably going to do a wonderful job when you actually get to the exam. And you didn't mention mind maps, Jake, I know you like mind maps. Don't you use that as a study tool sometimes?

Jake Bernstein: I didn't know about mind maps until more recently. So I did not. I actually have, I never really used them to study. I probably would these days, if I were take-

Kip Boyle: I know you used them to break down new topics that you-

Jake Bernstein: I certainly do. It was just a, I probably would've used them if I had known they existed, at least the electronic versions. I just, it wasn't on my radar at that point. So-

Kip Boyle: Yeah, well, for me, right, with my clay tablets and styluses.

Jake Bernstein: Q and A form writing?

Kip Boyle: That's right. It wasn't even possible.

Jake Bernstein: Yeah.

Kip Boyle: But I, mind maps are pretty cool. I don't use them a lot, but sometimes I use them and if you've ever thought about a mind map, dear listener, give it a try. It's pretty cool.

Jake Bernstein: There is one other thing, you put it as a bonus tip, but I actually think it's really a core strategy, which is find practice exams and take them, take as many as you can. There actually, and Kip, you would not be aware of this, there actually is an (ISC)² CISSP app for iPhone. And it has built in quizzes and tests broken down in many different ways. So when I would take the bus to work, back when I would go to an office, I would sit there on the-

Kip Boyle: The good old days.

Jake Bernstein: I know, I read. I would sit there on the bus and I would go through practice tests, just little multiple choice exam versions of it. And that was really helpful too.

Kip Boyle: Yeah. Gosh, they're practically giving these things away like candy with all these study aids and tools and stuff. So that's crosstalk.

Jake Bernstein: There is an app for passing the CISSP.

Kip Boyle: Go get it. Okay, all right, so again, recap, step one, know your learning style. You probably have more than one, blend them. Two, use that to make a study plan that's reasonable. And then step number three, take the exam, actually schedule it, put a line in the sand, plant a flag or whatever your favorite metaphor is. And at some point, just schedule the exam and then do your very, very best to honor that scheduling and don't reschedule, and reschedule, and reschedule. That's not very helpful, but this is about accountability, all right? You need accountability, because no one really is going to wag their finger at you and say, "Oh my gosh, Kip, you haven't gotten your CISSP yet, for shame." I mean, that just doesn't normally happen for most people. You've got to make it happen.

So if you can get your employer to sponsor you, that's good accountability. But if you can't, then just schedule the exam and you'll have the same experience Jake had, which is, in the six weeks leading up to the exam date, you will get that fire in your belly and you're going to make it happen. So yeah, get yourself locked and loaded.

Jake Bernstein: I had good motivation. My employer, the deal I got with my employer was, they would pay for the exam if I passed it. So I think that's a pretty fair way of doing it. Now, I worked for a small firm, so I wouldn't expect. I know Microsoft pays for exam prep and exam courses and the exam all the time for its employees. But if you have a smaller employer, it's a way to float, it's a way to put skin in the game, right? If you're paying or if you might pay the $700 exam because you failed, then you'll at least study. It's not going to guarantee you, you pass, but you'll study.

Kip Boyle: Yeah. Accountability is really the... I said, point number three is schedule and take the exam, but really it's about accountability, about having somebody else that is going to know whether you did it or not. And that just makes a big, big difference in these kinds of endeavors, so... Okay, there's the three point plan. I hope that helps you. Jake gave you a ton of specifics on how the exam actually works these days. Any other thoughts, Jake?

Jake Bernstein: I would just say that there's a number of books. You must get the official common body of knowledge. I think that hopefully goes without saying, but-

Kip Boyle: I have that.

Jake Bernstein: Yeah.

Kip Boyle: Because it's a great reference tool.

Jake Bernstein: It's a great reference menu. You must get that. And then I definitely recommend getting one of the distillations that are out there. There's CISSP for Dummies, from our friend Peter Gregory, a shout out to Peter, and there is the original all in one exam prep book, the huge ones, those are good, but really it's, find one that you can read, that fits your style and then read the whole thing.

Kip Boyle: By the way, this is my parting comment to everybody here: having a CISSP is a very good thing, if and when you can acquire one, but the common body of knowledge is also super helpful. Let me tell you a very practical example of this. I recently served as an expert witness in a data breach lawsuit, and I had to write my report and I had to talk about why it was unreasonable that this data breach occurred. And so, as I looked at the facts as these documents were presented to me, I needed some kind of a framework to filter these facts through, to look for signs of reasonableness and signs of unreasonableness. And one of the things that I discovered was that for this organization, there was no evidence that there was a consistent security architectural approach to designing their systems. It turns out that the common body of knowledge does talk about security architectural principles. And so in my report, I referred to them, cited my sources, and that was incredibly helpful.

Jake Bernstein: Yeah, very much so.

Kip Boyle: So I don't know if you want to become an expert witness or whatever, but maybe you're just trying to convince somebody that your brand new framastan system that's going to generate revenue for your company should have an inaudible, and you could go to the common body of knowledge and you could get some help in making your case. And there you go.

Jake Bernstein: crosstalk let's wrap it up.

Kip Boyle: Great. Thank you everybody. Thank you, Jake, for weighing in with your insights and that wraps up this episode of the Cyber Risk Management podcast, today we gave you a three point plan to pass your CISSP not CISS P exam. Thanks for being here. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 3: Thanks for joining us today on the Cyber Risk Management podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at and Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).


Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.