InfoSec Institute alum Rexson Serrao is Senior Director of IT, PMO and Planning at the Workers’ Compensation Insurance Rating Bureau (WCIRB) in San Francisco. After enrolling in InfoSec Institute’s Certified in the Governance of Enterprise IT (CGEIT) Boot Camp and sitting his exam, Rex recieved global recognition from ISACA for earning the world’s highest CGEIT exam score.

Rex is no stranger to certification prep. In addition to passing his CGEIT exam, Rex holds seven other certifications: PMP, CSM, CSPO, ITIL, COBIT, Microsoft Certified Excel Analyst and Microsoft Professional for Data Science.

We sat down with Rex to chat about his certification experience and the strategies he used to take home the world’s highest CGEIT score in 2017.

Why Did You Decide to Earn Your CGEIT Certification?

Rex: Security and IT certifications help me speak with a voice of authority. I’ve earned seven certifications and received them in order of how I wanted my career to progress.

For example, I earned my ITIL certification because I wanted to take on application support, and later earned my COBIT to assist with IT governance. Having practical experience is important, but being able to ground my experience in best-practice frameworks where possible has really helped me professionally. COBIT and the CGEIT in particular tie IT and security investments to ROI, business value and IT business alignment. Sharing this perspective with my leadership team and knowing the best words to use really helped capture my executive team’s attention.  

I pursued the CGEIT as my firm started to explore risk management. At the same time, there was also a push to do better benefits realization. I saw the CGEIT certification as the next level up from my COBIT foundation certification. It was a natural extension of COBIT’s fifth principal, Separating Governance from Management. This is an important step in the next evolution of project management offices (PMOs) — connecting PMOs to strategic objectives by managing the enterprise portfolio to optimize both risk and value.

Have You Found IT & Security Certifications Valuable in Your Career?

Rex: Yes. We just revamped our enterprise governance model at WCIRB. Certifications help build your mental bench regardless of your experience or knowledge. Being able to connect with thousands of other practitioners and tap into their knowledge as expressed in the frameworks is really beneficial. I’ve learned how to take thoughts from my colleagues and quickly relate them to established best practices, processes and KPIs in the frameworks. This approach accelerates thinking and has been exceptionally helpful.

How Did You Get Ready For Your Certification Exams?

Rex: I prepared for my ITIL and COBIT exams via self study, and was required to take in-person training before sitting the CSPO and CSM exams.

I decided to enroll in training boot camps for the PMP and CGEIT exams to gain a deeper understanding of the frameworks. Your practical experience can become a hindrance when taking exams like the CGEIT. As a practitioner, you’ll find different firms use the same terminology in different ways. I took the boot camps to get in alignment with the terminology, learn how the tests would be administered and understand the key areas of focus.

Tell Me About Your InfoSec Institute CGEIT Boot Camp.

Rex: CGEIT exam material is initially dry — I cannot stress that enough. Having the instructor there to discuss the material and make it engaging was really helpful.

My instructor, Frank, really carried the class with his personality. He was knowledgeable and brought a lot of experience to the course. Each day, he reviewed a section of the material and asked questions to engage the class. He really made space for the online students — he’s one of the only instructors I’ve seen do this well.

Frank directly asked online students for feedback — often calling on us by name. If he asked a question, he would wait until responses from all students came in before moving forward. You didn’t feel like you were just watching a training video because you were engaged.

The instructor also encouraged class discussion, which allowed students to share governance issues they faced in their own organizations with the class. These stories made the course interesting and relevant. It gave you insights into how CGEIT material could be applied at other firms.

Did You Use Other Resources to Prepare for Your CGEIT Exam?

Rex: I did not study before taking the CGEIT Boot Camp, or use any third-party question banks or services to prepare for the exam. Before the course, I didn’t know what topics were high priority, important or not important. I used the CGEIT Boot Camp as a way to triangulate what to focus on and go from there.

What Strategies Did You Use to Prepare for Your CGEIT Exam?

Rex: Having done other exams and boot camps, one of the best tips I’ve received is to take the exam as soon as you can after the boot camp. When you don’t do that, you start losing information quickly. Frank reiterated this again and again in class.

The CGEIT Boot Camp includes a copy of ISACA’s official question test bank. During class, Frank told us you don’t need to use additional material — you just need to use the question bank and consistently score above 90% before sitting the exam. Not all exam questions came from the bank, but focusing on a limited set of questions allowed me more study time per topic than if I had simply completed many practice tests.

I used the question bank and answered the same questions over and over again. When I got one right — I would go back and figure out why I got it right, even if I thought I already understood the topic well. I did the same thing when I got questions wrong. This is typically in contrast to doing thousands of questions and primarily focusing on the questions you got wrong.

This approach made me really comfortable with the material. Finding out why my practical experience doesn’t always align with what the book says makes the content more intuitive. When you get to this point, it’s not memorization anymore — you create a mental model that links your practical experience to the framework.

Most test takers are going to say this is bad advice  — I would have, too. As counterintuitive as it sounds, if you study that question bank you’ll walk into the exam with so much confidence. It’s a great feeling.

Did You Feel Prepared to Sit Your CGEIT Exam?

Rex: Yes, I felt really good going into the exam. Questions were familiar because I spent so much time studying the question bank. I sat the exam about two weeks after class and walked out knowing I would do well. I didn’t think I’d score as high as I did, but certainly didn’t think I was going to fail either.  

Would Your Recommend InfoSec Institute Training to Your Peers?

Rex: Yes, absolutely.