Firebrand Training Review – CISSP
I recently attended the 7 Day Boot Camp from Firebrand UK. Over here, Firebrand have a reputation for being quite pricey which puts a lot of budget managers off when they see the headline figure. However, you get what you pay for and I would recommend them for your organisation’s training. They also do a Firebrand Passport which can give you pretty large discounts when you buy blocks of training upfront – ideal for larger organisations or those with a big budget!
When I was researching which training provider to use, I struggled to find any recent reviews of people’s experience. There were a few posts over at CertForums but nothing from the past few years. This post is designed to fix that once it climbs up the Google rankings!
Disclaimer: I get a free T shirt for reviewing the course! WOO!
Pre-Reqs
I should probably start by mentioning that ISC2 require a minimum of 5 years’ experience in at least 2 of the security domains and I genuinely can’t stress the importance of this if you are using the Firebrand boot camp method. I’ve been doing IT professionally for 14 years, starting as a sysadmin, then an IT / team manager before jumping into pentest / red teaming – my point here is I have a broad base of knowledge and a rough idea on a lot of the topics. If you expect to ‘embellish’ your experience and jump straight into a CISSP Boot Camp you are going to have a really bad time as you try to ‘drink from a firehose’ of information. My management experience also incorporated a bit of ITIL / Axelos MoR which really helped during certain modules. Quickly going through the Security+ syllabus (almost a mini, watered-down CISSP) will give you a head start.
The Firebrand USP is that everything is included; food, hotel, transport, course materials, exam fees. Everything. It’s partly for this reason that the cost can drain the colour of your line manager when you ask him to attend. However, if you were to attend other residential camps you would need to source hotel, food and transport additionally. The one stop approach of Firebrand removes this hassle and would allow an organisation to forecast spending more reliably rather than having to worry about the variance of hotel room prices and expenses claims.
You are accommodated on a sort of country park estate with the hotel specialising in training courses (there are medical and engineering training firms on the estate too) so the buffet food and willingness to vary meal times to fit around the course works very well. Rooms are pretty standard, a couple of people thought the hotel was a bit dated but you are hardly in it for that many hours a day. Take multiplugs.
Food
Buffet style and unlimited portions. Each weekday has a theme and Sat/Sun is a roast dinner or similar. Choice of three puddings at lunch and dinner! I put on 2KG in a week, but the networking in the bar ‘may’ have also been a contributory factor. Quality of food was pretty good throughout.
Key issue: A pint is £4.10!
Venue
Firebrand’s training venue is in a large barn conversion literally 30m from the hotel. It’s a really good facility, free wifi and hot / cold drinks as well as unlimited fruit & boiled sweets. I calculated that during the week I consumed 3 pint glasses of Fox’s Glacier and Fruit sweets. You can actually enter the venue 24 hours a day so if you are on a lab-orientated course you can practice and lab away until your heart’s content, or revise as a group in the evenings. The staff are all genuinely helpful and want to give you the best chance to pass the exam.
Course Materials
The instructor began by advising us to ignore the massive ISC2 ‘green book’ that was on our desks and focus on the presentations and her lectures. I didn’t open the book once (it’s on eBay!) and focused on the instructor-supplied flashcard list and the 11th Hour CISSP book. The instructor also sends a Dropbox link with the day’s presentations and any additions or handouts in it.
Instructor
Our instructor was a contractor from TSI, an American consultancy. Several people were slightly perturbed it wasn’t a Firebrand instructor but having completed the course, it is clear that instructing all over the world and to a variety of 3 letter agencies has really developed their teaching style. More importantly, they have real-world experience of consulting and wider business practices – sometimes a decent anecdote or case study can really explain a concept. However – you need to keep them on topic due to the compressed nature of the course.
Top Tip: When the instructor says at the start of the week ‘don’t be too British and sit there quietly, if I’m going too slow / fast / off topic – tell me!’. I did this a few times before we disappeared into anecdote rabbit holes and it was taken with good grace and a smile.
Course Times
Course times were 0815 – 1930 every day, with an early finish of 1300 on the Saturday, giving you 4 hours’ revision until the instructor-dictated hard stop of 1700. Short breaks are interspersed as needed but the extended times of the teaching day (an extra 3-4 hours a day) mean you get much better value than other ‘boot camp’ providers such as QA / Global Knowledge. There is instructor-suggested evening work, and you should definitely go over your notes as a bare minimum. I found I was finished by 2100 each evening, but others were still there until well past 2230.
Networking
An unquantifiable benefit of the Firebrand course was the networking; I really enjoyed speaking to the varied attendees about their businesses, sectors and experiences. It is always interesting to speak to managers of different industries and seniority as well as swap ‘war stories’ of successful projects or security errors! Given the high cost of the course, attendees seemed to be quite high up in their organisations and could often expand upon subjects covered in the day over a pint in the evening. I am moving from the public to private sector and from this networking I was lucky to receive two interview offers and four offers of internal recommendations for IT security / architect roles. There is a lot to be said for going through flashcards and definitions / concepts round a table after dinner.
Exam
Every man and his dog has written about the ‘behemoth’ of the CISSP exam so I won’t cover this too much. I have a few tips.
It’s 6 hours but most people complete in less than that. Take breaks and drink water, you won’t run out of time.
Don’t overcomplicate it – you will know someone with CISSP who isn’t as good as you. If they can do it, so can you! Lots of reviews drone on about how difficult it is but keep the faith. Don’t talk yourself out of the battle before you have even sat down.
It is a management exam. They want to see if you can be an InfoSec manager. Not a sysadmin, not an architect, not a software dev. Think accordingly.
Areas for Improvement
Although the course is marketed as a 7 day boot camp, it’s more akin to 6. Sunday evening is a meet & greet and not much else. Saturday is a half day with some spare time for revision. There might be scope for arrivals on a Monday morning starting at 0900 which would reduce the cost of a night in the hotel / food.
The CISSP syllabus is an inch deep but a mile wide. Some of the topics that came up in the exam we had skipped over or covered in exceptionally little detail. It just depends on what questions you get. If you haven’t got the widest experience I would suggest doing some pre-work before you attend. There’s plenty of video tutorials on YouTube and PluralSight/PearsonVue also have paid videos if you wish.
I think the instructor could set some more structured evening work for after formal tuition. There were various handouts distributed but some form of active learning could pay off here, particularly with some of the plain ‘memory test’ topics – e.g. Common Criteria EAL orders. Perhaps some YouTube links describing Chosen Ciphertext Attacks or a 10 minute exercise to remind yourself of the key documents you need to know.
Conclusion
Firebrand is truly worthy of its reputation as a premier training firm. Their campus approach really works for an intense course such as CISSP as you can immerse yourself in the content. The staff and instructors are all very knowledgeable and really want you to succeed. By taking all the ‘admin’ of the week out of the equation it leaves you free to learn. It’s a fast paced course, but then the certification is testing breadth not depth of knowledge. The other attendees really make it a good learning environment, and you make some really good contacts. It’s important to find time to unwind at the end of each day, so agree early in the week that a group of you will meet for a drink in the late evening after you have finished revising.
I would definitely return to Firebrand for training in the future, if I win the lottery!