"A mile wide, an inch deep"
Hi all,
I've stumbled across this forum from time to time when googling CISSP and CISSP concentrations, and wanted to share my two cents on the exams and certifications.
I am now CISSP-ISSAP, ISSEP, ISSMP, as well as holding some other certifications.
I took the CISSP exam quite a few years ago, when it was still a paper exam. I read the official CBK cover to cover, made notes, answered around 2000 practice questions, and then took the exam. Back then I didn't find the exam so difficult, passed it with flying colors in my first and only attempt, and attributed it to how well I studied and how brilliant I was. I must say that I enjoyed the experience, especially studying - I absolutely loved reading the CBK, I think it puts it all together very eloquently and clearly.
A few years later I started noticing the CISSP devaluation. I kept hearing criticism about how the exam is "a mile wide and an inch deep", and started to realize that holding that certification is not that great, especially after working with quite a few CISSPs who were anything but professional.
I then decided to run a little test myself and convinced a friend who knows nothing about security and only the basics of IT (he's a mechanical engineer) to take a mock CISSP exam of 100 randomly selected practice questions. My friend got the 70% score very easily with just common sense. That was proof to me that the CISSP exam isn't worth much.
I decided to go for the concentrations, both because I really enjoyed studying for the CISSP exam and because I was after relocation and hoped it would help me distinguish myself from the rest.
ISSMP was the first. I thought that if the CISSP was an inch deep, then the concentration exams would be at least a foot deep. I bought the ISSMP CBK, read it cover to cover, downloaded a question bank, and went for the exam. I finished the exam in about an hour, and it didn't feel like it was more than an inch deep. I didn't feel that reading the CBK cover to cover contributed anything to my success at all.
I then rented the Kindle version of the ISSAP CBK and skimmed through it, did some practice questions, and went for the exam a couple of days later. This time it took me about 80 minutes, and even though it was slightly more technical, it was still just an inch deep.
I was then proud of holding those two concentrations, but it honestly didn't feel like an accomplishment; I knew the exams weren't a challenge. It basically felt like the fee I paid for the exam was in fact paid to purchase the certification.
About a year later I went for the ISSEP. I thought this one would be different, because everybody seemed to glorify it and go on and on about how difficult it is. I decided to put it to the test. For this exam I didn't read the CBK cover to cover, and didn't even skim through it. I only downloaded and studied the CIB document, nothing else. I have experience in the ISSE and technical management domains, and I am a bit familiar with the NIST 800 series, but I am not an American and I know nothing about all those USG publications. The exam was a bit harder, took me almost two hours to complete, and I passed. Again, my only study material was the CIB, and my professional experience covers only half the material. If this is not an inch deep, then I don't know what is.
So I hold all three concentrations. I don't think it's an achievement and it certainly attests nothing.
I am certainly not an information security guru, and even though I've been in this field for well over 10 years now, I still have a lot to learn. I think the CBK books are great references, and every security professional should read them cover to cover and keep them in the office. I think the exams are an inch deep and don't cover much more than the CIB document (to be clear: reading the bulletins is enough!). Every exam question can easily be narrowed down to two possible answers, and then an educated guess is enough to get enough correct answers to pass.
This is a summary of my experience and my two cents. My criticism is not against the ISC2 exams in particular. I must note that I have taken plenty of other certification exams, ISACA included, and it's the exact same story: an inch-deep exam that requires common sense only, and not much professional knowledge.
Maybe holding the actual professional experience required for the certifications, as well as the academic degrees, is what made me feel it was so easy, I don't know.
I don't mean to offend anyone, but I've noticed a lot of people talking about the difficulty of the CISSP exam and the concentrations, and I think they should really check themselves. If you find it hard, then even if you passed the exam, I highly recommend that you go back to your study materials. And I think the good people at ISC2 (and the other organizations) should come up with better questions that can really test knowledge and competency, or alternatively raise the passing score to somewhere around 85%, at least.
I know this post is not going to be popular, and for that reason I won't reveal my identity. I just wanted to share my opinion.