Obtaining the Certified Information Systems Security Professional (CISSP) Credential

Researching the CISSP

In February 2019, I decided to start my journey toward obtaining the CISSP (Certified Information Systems Security Professional) credential. The CISSP is a certification covering a wide range of information security topics. It is consistently included in annual top ten lists of the best IT certifications.

At that point in my career, I had 18 years of professional experience across various aspects of IT and, during the last two years of that time, I had become more directly involved in information security. After spending time reading about the exam format, the domains covered by the exam, horror stories about its difficulty, and some healthy procrastinating, I began studying at the beginning of May 2019.

As part of my initial research, I read seemingly endless posts in which people claimed to study 8+ hours per day for months to prepare for the exam. I also found a number of posters who claimed to sit for the exam with minimal (or zero) study. How much time should you spend studying? It depends! The amount of preparation needed to pass the exam depends entirely on you — your educational background, your professional work experience, and your ability to absorb the study materials. The domains covered by the exam are broad and many people describe the exam as a mile wide and an inch deep. I assumed that I wouldn’t need much preparation given my background and experience. I was wrong.

Studying for the CISSP Exam

Between family and work commitments, I limited my study time to a few hours of reading during the early hours on weekends. I set a goal to read a chapter per week from (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. WARNING — this book is dense, dry, and repetitive. I found it to be a difficult read and I used 3 months (May through July) to finish it.

While the study guide has 20 practice questions at the end of each chapter, I didn’t attempt them until I finished reading the entire book. Thinking back, I probably should have attempted them immediately after finishing a chapter or a week later at most. The questions uncovered that I didn’t retain a lot of detail from each of the chapters over that 3-month period. I was scoring in the neighborhood of 60% in each chapter. It was an alarming realization because I thought I was retaining much more.

I knew I needed to do something more than reread the study guide so I supplemented my studies with free audio resources from Kelly Handerhan available on Cybrary. This allowed me to take advantage of my commute and add about 2 hours per day of study time in addition to any weekend reading. From August through mid-October, I probably listened to Kelly’s course 3 times completely and some individual lessons many more times.

PARENTING HACK — The audio course served a dual purpose as it is apparently boring to children (and most adults) and can put kids to sleep if played in the car for everyone to hear.

From September until a few days prior to the test, I used the Boson test simulator almost daily for practice questions. This software helped me identify weak points and also exposed me to material beyond the study guide. The software provides very detailed explanations of the answers and why one answer was more correct than the other choices. The software allows you to configure custom exams to focus on troublesome domains or on questions that are consistently answered incorrectly. The software is worth the additional cost and you can occasionally find discount codes on the CISSP Reddit group.

Up to this point, I had not scheduled the exam. I didn’t want to lock myself into a date but by mid-September I felt ready. I had been preparing for over 4 months and I didn’t want to prolong it. I scheduled the exam for mid-October. Also during this period, I significantly increased my time spent reading. I revisited the Official Study Guide and started the Eleventh Hour CISSP: Study Guide. I also branched out to YouTube videos to help me better understand concepts where I had lower practice scores. I know I went too deep into the technical aspects of networking, but at least the videos were interesting and I learned (or refreshed my memory) on many topics I had not touched in a while.

Exam Day

I was very nervous on exam day. I felt like I wasn’t ready but I had to go for it. I was tired of studying, taking practice questions, and generally worrying about the exam. All I will say about the exam itself is that it is challenging. When the first question popped up I had a moment of panic, but I took my time and tried to calm my nerves. In the end, I finished the exam in roughly 90 minutes at question 100.

After the Exam

Once I passed the exam, I received an email with instructions to complete the application for the CISSP credential. I completed the application and requested an endorsement from another active CISSP. This took about 5 days for me to complete after passing the exam. From this point, it takes another 6 to 8 weeks for (ISC)2 to review and approve the application. I received an email that my application was approved exactly 4 weeks post submission and membership fees were due. After paying the fees, I received a confirmation that I was officially a CISSP! The welcome package with printed certificate, membership card, and CISSP pin arrived about a month later.

Final Notes

To answer the question of how long does it take to prepare for the CISSP — for me it took 5 and a half months from May through mid-October with varying amounts of weekly study time.

Months 0-3
• 5 hours per week reading
Month 4
• 5 hours per week reading
• 10 hours per week listening to Cybrary audio
• 1 hour per week on practice questions
Months 5-5.5
• 20 hours per week reading
• 10 hours per week listening to Cybrary audio
• 5 hours per week on practice questions

One other point to note is the cost to obtain the CISSP (all amounts here are in USD and as of 2019). It’s not inexpensive. The exam itself is $699 and the annual membership fees are $125. I also purchased two books totaling $55 and the Boson software for $85 (after discount). My total cost was $964. Keep in mind that the exam fee is required each time you take the exam. I was very hesitant to schedule the exam too early because I didn’t want to risk not passing and paying another $699.



CISSP – Certified Information System Security Professional Subreddit

CISSP 16-week Study Guide, Resources, and Links to Source Documents

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

Eleventh Hour CISSP: Study Guide (Syngress Eleventh Hour)

Cybrary – CISSP Training with Kelly Handerhan

Boson ExSim-Max for CISSP

Kelly Handerhan – Why you will pass the CISSP

Larry Greenblatt – Pass the 2018 CISSP with Kirk & Spock

Parse Cell Value in Excel Using Regular Expressions

Using Excel formulas to parse a substring from a cell value is usually difficult, especially if the cell value or pattern is not easily defined. I have found that it requires various combinations of SEARCH, FIND, LEFT, RIGHT, MID, etc. The resulting formula is unreadable and still does not handle all cell values, which leads to manual cleanup. It would be nice if the SEARCH or FIND functions were able to use regular expressions by default.

The following VBA function allows you to parse a cell value based on a regular expression. To use this function, you must enable Microsoft VBScript Regular Expressions 5.5.

  1. On the Developer ribbon, click Visual Basic
  2. Once the Visual Basic window opens, go to Tools -> References…
  3. From the References dialog box, check/enable Microsoft VBScript Regular Expressions 5.5
  4. Click the OK button

Now that the regular expression reference is activated, insert a new module into the workbook if one doesn’t already exist. The code will not work if added directly to a worksheet object.

Add the code below to the module. You can then use it as part of formulas in the workbook, e.g. =RegExParse(A1,"ID[0-9]+"). This would parse the value in cell A1, returning the substring matching the pattern ID[0-9]+, e.g. ID0, ID123, ID183274917234.

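Option Explicit

' Returns the first substring of val that matches SearchPattern,
' or an empty string if there is no match or the pattern is invalid.
' Requires a reference to Microsoft VBScript Regular Expressions 5.5.
Public Function RegExParse(val As String, SearchPattern As String) As String
  On Error GoTo errorHandler
  Dim regEx As New RegExp
  With regEx
    .Global = True
    .MultiLine = True
    .IgnoreCase = True
    .Pattern = SearchPattern
  End With
  If regEx.Test(val) Then
    ' Item 0 of the match collection is the first match
    RegExParse = regEx.Execute(val)(0).Value
  Else
    RegExParse = ""
  End If
  Exit Function
errorHandler:
  ' Any runtime error (for example an invalid pattern) yields an empty result
  RegExParse = ""
End Function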

Creating Cascading Drop-down Lists in Excel

If you’re using Microsoft Excel to capture and track data, one of the challenges is maintaining good data quality when more than one person is updating the workbook. The data validation features in Excel help by allowing the user to select data based on pre-defined options in a list. This feature works well on individual cells. However, if you have a column that depends on the value in a different column, you will need to get a little more creative. This post describes the steps for creating cascading drop-down lists in Excel using a combination of data validation and named ranges.

Step 1 – Define the Reference Data

Let’s assume that you are collecting data that includes Organization and Department attributes. In this example, an Organization is the parent to one or more Departments. We’ll set up the reference data for the data validation drop-down lists as follows on its own worksheet.

  • Column A (“ORGANIZATION”) represents the list of valid Organizations that will appear in the Organization drop-down list.
  • Column B (“NAMED RANGE MAPPING”) represents the names given to ranges that will be defined in a later step.
  • Columns D through E (“ORG_X_DEPARTMENTS”) represent the lists of valid Departments that will appear in the Department drop-down list depending upon which Organization is selected.
Excel Cascading Drop-down List Reference Data

Step 2 – Define the Named Ranges

Now that we have the reference data established, we can define the named ranges that refer to these lists. The named range entry defined as ORGS_TO_DEPTS_MAPPINGS is the key to creating the cascading drop-down list functionality. It is important that the values in Column B match the names given to the ORG_X_DEPARTMENTS ranges. This value will be used in a subsequent step with an indirect and vlookup data validation formula.

Excel Cascading Drop-down List Reference Data Named Ranges

Step 3 – Define the Organization Data Validation (Parent Column)

In this step, we establish the standard data validation on the parent data in Column A (“ORGANIZATIONS”) on a new data collection worksheet.

Excel Cascading Drop-down List Top Level Validation

Step 4 – Define the Department Data Validation (Child / Dependent Column)

Here we establish the data validation rule that performs the cascading drop-down list function. Once the user selects a valid Organization, this formula performs a vlookup against the ORGS_TO_DEPTS_MAPPINGS named range and returns the name of the Department named range associated with the selected Organization. The indirect function then converts that name, a text value, into the range reference.

Excel Cascading Drop-down List Validation Formula

When you click the OK button, Excel will display the following error message. Click the Yes button to continue.

Excel Cascading Drop-down List Error Message

Step 5 – Test the Cascading Drop-down Lists

Now that the data validation rules are set up, we can test the cascading drop-down list functionality. Selecting “Org 1” will cause the validation drop-down list in the Department column to reflect only those Departments associated with “Org 1”. Selecting “Org 2” causes the Department drop-down list to show those Departments associated with “Org 2”.

Excel Cascading Drop-down List Example 1
Excel Cascading Drop-down List Example 2

Step 6 – Macro to Validate Parent / Dependent Relationship

Now that the worksheet is functioning as expected, you release it for users to update and someone will inevitably enter data in a way that breaks the parent / dependent relationship. As an example, “Org 1” is selected in the Organization column and “Dept 1” is selected in the Department column. The user then returns to the Organization column and changes the entry to “Org 2”. The Department column retains the value of “Dept 1” which is not valid for the “Org 2” selection in the Organization column. To help avoid these errors, you can save the file as a macro enabled workbook and add the following code to the data entry worksheet. If this macro had been enabled, the “Dept 1” value would have been removed as soon as the user selected “Org 2”. This code assumes that the parent column is the first column (Column A) in the worksheet and the dependent column is immediately to the right (Column B). Please revise the code to meet your specific requirements.

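Option Explicit

' Clears the dependent cell (Column B) when a change to the parent cell
' (Column A) leaves the dependent value failing its validation rule.
Private Sub Worksheet_Change(ByVal Target As Range)
    On Error GoTo exitHandler

    ' Disable events so clearing the cell does not re-trigger this handler
    With Application
        .EnableEvents = False
        .ScreenUpdating = False
    End With

    If Target.Column = 1 Then
        If Target.Validation.Type = xlValidateList Then
            ' Validation.Value is False when the cell content fails its rule
            If Not Target.Offset(0, 1).Validation.Value Then
                Target.Offset(0, 1).ClearContents
            End If
        End If
    End If

exitHandler:
    ' Always restore events and screen updating, even after an error
    With Application
        .EnableEvents = True
        .ScreenUpdating = True
    End With
End Sub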
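
The Worksheet_Change handler only reacts to edits made after it is installed, and Excel does not apply data validation to pasted values, so rows that are already on the sheet can still hold a Department that does not belong to its Organization. The following audit is an added example, not code from the original post: it repeats the Step 4 lookup for every row and lists the cells that fail. It assumes the data is on the active sheet with a header in row 1, Organization in Column A and Department in Column B; the names FindOrphanedDepartments and ReportOrphanedDepartments are hypothetical.

```vba
Option Explicit

' Added example, not from the original post.
' Assumptions: active sheet holds the data, row 1 is a header, Organization is
' in column A and Department in column B, and the Step 2 named ranges exist.
Public Function FindOrphanedDepartments() As Collection
    Dim ws As Worksheet, mapping As Range, depts As Range
    Dim lastRow As Long, r As Long, isValid As Boolean
    Dim dept As Variant, rangeName As Variant
    Dim bad As New Collection

    Set ws = ActiveSheet
    Set mapping = ThisWorkbook.Names("ORGS_TO_DEPTS_MAPPINGS").RefersToRange
    lastRow = ws.Cells(ws.Rows.Count, 2).End(xlUp).Row

    For r = 2 To lastRow
        dept = ws.Cells(r, 2).Value
        If Not IsEmpty(dept) Then
            isValid = False
            ' Same lookup as the Step 4 rule: Organization -> range name
            rangeName = Application.VLookup(ws.Cells(r, 1).Value, mapping, 2, False)
            If Not IsError(rangeName) Then
                Set depts = Nothing
                On Error Resume Next   ' mapping may name a missing range
                Set depts = ThisWorkbook.Names(CStr(rangeName)).RefersToRange
                On Error GoTo 0
                If Not depts Is Nothing Then
                    ' Department must appear in the list for this Organization
                    isValid = Not IsError(Application.Match(dept, depts, 0))
                End If
            End If
            If Not isValid Then bad.Add ws.Cells(r, 2).Address(False, False)
        End If
    Next r
    Set FindOrphanedDepartments = bad
End Function

' Prints the offending cell addresses to the Immediate window.
Public Sub ReportOrphanedDepartments()
    Dim addr As Variant
    For Each addr In FindOrphanedDepartments()
        Debug.Print "Department not valid for Organization: " & addr
    Next addr
End Sub
```

Place the code in a standard module and run ReportOrphanedDepartments with the data entry worksheet active.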