What I wish I knew before I took my CISSP exam

Kalkan999;

I've always referred to the CISSP exam as an experience exam, certainly not a management exam. If you have a broad field of experience with the exam its pretty easy - particularly from the government side, which was helpful. Clearly the government has had some influence on the exam, i.e. Orange book but not Government dominate. Much of the same work is performed on the civilian side as well. The OSI/TCP models are used throughout, etc.

The folks who whine and complain incessantly about how "difficult" or "hardest thing I have ever done..." are clearly the folks who have the least amount of experience in either IT or Security in the first place and probably shouldn't be taking the exam in the first place. Lots of faux CISSPs out there with questionable credentials who simply passed through a weak audit system and pretend to be what the exam is all about - a knowledgeable security practitioner.

I know some folks as yourself dislike the old paper system and prefer the newer CBT, which is fine. I for one like and miss, given my latest (ISC)2 exam (HCISPP), on paper and would probably score another point or two higher because of it.

One and done here for each exam. Security more so than even just IT requires a significant amount of study time well after the exam is over as well. Good to see you've identified your shortfalls and weaknesses as well.

- B Eads

And it's easy to understand now what I did not understand back then. Unfortunately for those in the US Government InfoSec capacities, it's a difficult undertaking to obtain the necessary experience, especially considering the compartmentalization efforts (sure to be made much more so with the Snowden snowball effect) brought about with DIACAP, and limited administrative capabilities in functional roles because of the limiting factors stated in DoD 8570.01-M, and the new Risk Management Framework.

As one of those 'whiners' myself, the test would still be difficult. I think my point might have been missed by you. It's not an easy thing to gain the required experience to pass the exam based on hands-on as one could in the past in DoD, DoS, or other because of the compartmentalization and 8570 requirements.
Example: Enterprise DoD network. Does a SysAdmin working at a military installation on a Windows 2008 server farm have access (SSH) to the routers, firewalls, IPS, etc.,? No. He or she is usually relegated to installing patches, unlocking accounts, making sure Access Control and local/group policies are properly configured and updated. But even with Local, group, Global policies, the systems (servers and workstations alike) are part of an image.
A lot of the InfoSec is also now performed in more centralized fashion by design and requirements, specifically with the adoption and implementation of McAfee HBSS, Endpoint, and other supporting items.
So I don't think it's necessarily a fair assessment to call people out for whining about the difficulty of the exam if they work or worked for the government, as the government is a model of dichotomy, in that they want you to work towards being a Senior InfoSec guru, but don't allow you the tools or resources to be able to get there. To be honest, the only way to really let yourself advance is as a contractor, where you work maybe one year or so as a Network Engineer, another as a Security Architect, another as a SysAdmin, as I did. I WILL say that even with my bouncing around like I did from one specialization to the next, that the test was still a crucible. All I ask is that you give more consideration to those who haven't the opportunity to be exposed to the work you have that let you pass the test in an easier fashion. The fact that I know now what I know regarding what is necessary to prepare does not mean that I am unsympathetic to those who are lacking in the exposure required to pass this test easily.
Lastly, please also consider that standardized testing does not mean that those who test poorly are less capable or experienced. Some, like myself, have a bona fide learning disability, and therefore view the world a little differently than you.

cgrimaldo

Thanks for your thoughts!

kalkan999 wrote: »

And it's easy to understand now what I did not understand back then. Unfortunately for those in the US Government InfoSec capacities, it's a difficult undertaking to obtain the necessary experience, especially considering the compartmentalization efforts (sure to be made much more so with the Snowden snowball effect) brought about with DIACAP, and limited administrative capabilities in functional roles because of the limiting factors stated in DoD 8570.01-M, and the new Risk Management Framework.

As one of those 'whiners' myself, the test would still be difficult. I think my point might have been missed by you. It's not an easy thing to gain the required experience to pass the exam based on hands-on as one could in the past in DoD, DoS, or other because of the compartmentalization and 8570 requirements.
Example: Enterprise DoD network. Does a SysAdmin working at a military installation on a Windows 2008 server farm have access (SSH) to the routers, firewalls, IPS, etc.,? No. He or she is usually relegated to installing patches, unlocking accounts, making sure Access Control and local/group policies are properly configured and updated. But even with Local, group, Global policies, the systems (servers and workstations alike) are part of an image.
A lot of the InfoSec is also now performed in more centralized fashion by design and requirements, specifically with the adoption and implementation of McAfee HBSS, Endpoint, and other supporting items.
So I don't think it's necessarily a fair assessment to call people out for whining about the difficulty of the exam if they work or worked for the government, as the government is a model of dichotomy, in that they want you to work towards being a Senior InfoSec guru, but don't allow you the tools or resources to be able to get there. To be honest, the only way to really let yourself advance is as a contractor, where you work maybe one year or so as a Network Engineer, another as a Security Architect, another as a SysAdmin, as I did. I WILL say that even with my bouncing around like I did from one specialization to the next, that the test was still a crucible. All I ask is that you give more consideration to those who haven't the opportunity to be exposed to the work you have that let you pass the test in an easier fashion. The fact that I know now what I know regarding what is necessary to prepare does not mean that I am unsympathetic to those who are lacking in the exposure required to pass this test easily.
Lastly, please also consider that standardized testing does not mean that those who test poorly are less capable or experienced. Some, like myself, have a bona fide learning disability, and therefore view the world a little differently than you.

Not calling anyone out for being a whiner coming from the Government side but the irony of Government requiring a broad based background exam while its so difficult to achieve the broad based background in the first place. Hence I see this as making my argument in the first place. The CISSP is very much an experience based exam. You have a broad background its actually quite easy to pass. Now, getting that broad based experience is tougher than it sounds to many people - even in the civilian world. Back when I started security there was no specialization, no super-specialist - just a single "security guy". Well, generally a guy as few if any of my old peers were female. A fairly recent phenomena unto itself. We had to do everything from perimeter security to desktop forensics. Compared to the specialist - who do you think has a broader security background? You had to learn everything, everyday, all day and be as close to perfect as possible. Or be blamed for anything that went wrong. Having ones toes to that type of fire meant keeping a bit too much of an edge to one's work week which always spilled into the weekend, etc.

If the exam is difficult at all it because people, Government or civilian lack the broader based background with security. The exam is broad based and reflects that which is self-apparent: No one is going to be an expert in all 10 domains but you should have some experience with all domains. Its a test that says your a well rounded security practitioner not a single domain expert who can simply pass a short, easy test. Yeah, yeah, you've got six hours to pass a test I've seen people do in as little as 75 minutes or less on paper. Took me about 90 minutes without a break.

For the record, yeah, I've worked in the active military, reserve, National Guard, DoD and Veteran's Administration not to mention many years in the civilian world. So, I know what Government work and hierarchies are all about. Some are better than others, though the civilian side is much less consistent and easier to get your hands on nearly everything imaginable given the right place to work. Otherwise you could find yourself working in security but say only IAM or Vulnerability Management with no forensics (hey, that would suck!) So by no means is the comment dedicated strictly at Government background types. Its aimed at the general whining about how "hard" people perceive the exam. Like anything else: Its not a hard exam when your prepared for it.

If your unprepared then be prepared to whine all you want. There is no comparison of the number of materials available for an exam of this level save CPA and Legal preparation materials available and this is hardly the CPA or Legal bar by any comparison.

- B Eads

Context is key to understanding what you were trying to bring across to us, but I get it now that you've explained it more fully. You were still a little 'brusque' with your initial response, in my humble opinion. People need hope, especially those who take the test two or three times because their livelihood requires it, aka DoD requirements.
Try to get even a mid-level InfoSec job with the DoD right now with a Security +, and you'll find yourself unemployed for a good bit. Whether ready, prepared or not, the US Gov is driving this forward. Designated Approving Authorities can only waiver someone without having the CISSP in an IAM II or III position for so long before that person HAS to take and pass the test.

kalkan999 wrote: »

Context is key to understanding what you were trying to bring across to us, but I get it now that you've explained it more fully. You were still a little 'brusque' with your initial response, in my humble opinion. People need hope, especially those who take the test two or three times because their livelihood requires it, aka DoD requirements.
Try to get even a mid-level InfoSec job with the DoD right now with a Security +, and you'll find yourself unemployed for a good bit. Whether ready, prepared or not, the US Gov is driving this forward. Designated Approving Authorities can only waiver someone without having the CISSP in an IAM II or III position for so long before that person HAS to take and pass the test.

Your bringing to a head another famous argument from 1969: The Peter Principal. Allow me to directly quote the first Google reference I found (Wikipedia).

The Peter Principle is a proposition that states that the members of an organization where promotion is based on achievement, success, and merit will eventually be promoted beyond their level of ability. The principle is commonly phrased, "Employees tend to rise to their level of incompetence." In more formal parlance, the effect could be stated as: employees tend to be given increasing responsibility and authority until they cannot continue to work competently. It was formulated by Laurence J. Peter and Raymond Hull in their 1969 book The Peter Principle, a humorous^[1] treatise, which also introduced the "salutary science of hierarchiology".
The principle holds that in a hierarchy, members are promoted so long as they work competently. Eventually they are promoted to a position at which they are no longer competent (their "level of incompetence"), and there they remain, being unable to earn further promotions. Peter's Corollary states that "n time, every post tends to be occupied by an employee who is incompetent to carry out its duties"^[2] and adds that "work is accomplished by those employees who have not yet reached their level of incompetence." "Managing upward" is the concept of a subordinate finding ways to subtly manipulate his or her superiors in order to prevent them from interfering with the subordinate's productive activity or to generally limit the damage done by the superiors' incompetence.

Hardly the sole domain of the US or any other Government but apt nonetheless. People become promoted into positions they are unable to justified into fulfilling in the first place. Reason? Competence is earned through repetitive success. DoD 8570 standards meet or not. Same happens in the civilian world all the time. I feel absolutely no sympathy for the incompetent. We are talking about security here not an ice cream vendor here. The stakes are higher in security than IT in general and we have to be 'brusque' in the accounting. This isn't some game to be played for our amusement or Pollyannish cheer leading exercise. The field has matured to the point where we have an explosion of "certified" but incompetent people out there gaining access to a certification but no ability to perform. Yeah! Go Team! You can do it!! We're quickly closing in on the 100,000 certified CISSP mark. Hardly an elite club of security "professionals" now. Pretty pedestrian given the number of certified folks, don't you think? Personally, I am waiting for the first teen or pre-teen to declare their SSCP status.

In my experience having meet literally hundreds of faux CISSPs many of which have admitted in one form or another to falsifying experience in order to certify with the (ISC)2. Again, leading to the whole thrust of my argument that the test isn't that difficult when zero experience people are passing the exam on the first attempt. Not saying it was easy for them to do so but its being accomplished as we speak.

Sorry to burst anyone's bubble here but its time for the community to grow up a bit. If that's too "brusque" then so be it. Security is what you do after you've built a solid career in IT first, else your next to useless to your employer and the security community professionals in general. Experience and the sheer volume of passed credentials have already proven this over and over.

If you need me, Pollyanna and I will be tending to the security pony in rainbow land where everything is safe and everyone has a warm friendly cheerleader smile.

By the way if you have been reading my posts for the past 15 years or so over any number of boards, not just this one, you'd see that I have always been patient and encouraging but as the field has matured so do the people involved. Its time to treat ourselves with a bit more self-respect and adult-like. At a 100,000 certified folks out there I think we've hit that mile mark and can stop coddling everyone. See above: Peter principal.

Go Team!

Humbe

Beads I agree with you in some of your points. I've met many CISSPs that are not technical at all... They don't even have a solid network or access control background.

Quite sad.

Humbe;

We can disagree to a point - cool with that. Main thrust of the point is at a point in time there are enough people who have passed and certified their experience as CISSPs that I no longer feel the need to treat everyone with such kid gloves regarding this exam. Its become pretty pedestrian and the stakes involved with security are too high to continue to allow gross incompetence as a rule of thumb.

- B Eads

Beads,

Not disagreeing with you on any point. I know for a fact that a lot of that forward momentum is not just due to the CBT, but because proctors at testing facilities in India are payed anywhere from 15000-25000 rupees to let someone who is CISSP savvy take the test for those who know NOTHING about the exam. ISC2 does not have the means to fully engage in auditing in an environment where corruption is the norm, not the exception. I mean no disrespect to Indian CISSP's or InfoSec people in India or other countries at all. I am just stating facts.
I agree with you that there should be more stringent requirements for obtaining the certification. I also feel that just having a slew of certs on top of the CISSP is not necessarily the best way to separate yourself from the masses. Fact is that Information Security as a whole has changed because it's now considered an essential versus a necessary evil for compliance. I fight the good fight on that every day, as I know you do as well. The entire Internet is broken and needs an overhaul. I don't disagree with Tipton's push to add 2 million of us, as that is what's needed. Unfortunately, there are not 2 million competent InfoSec people in this world, and the C level execs, and government brass, and HR peeps will not know that for even more years to come. ALL unfortunate facts. WHAT do you propose? I mean, I know I already work 80 hours a week and I still feel like the little Dutch boy putting his finger in the dike to save Holland.
Write a white paper or three on the subject. I will too and we can compare notes. But I don't see ISC as irrelevant. It's all in how you sell yourself, your abilities, your talents, your drive and initiative to make a difference in the digital age. Most of us started out as operational and technical. I still have my hands in it, but find myself being less and less technical in my profession as I spend so MUCH time trying to preach the gospel to the purse string holders, and somehow still play nice with the operational people who THINK they do Security, but don't. Worse, the operational people so often under-report or don't report actual incidents, as Up-time and availability is all execs care about anyway. Everyone needs a stake in the game in order to get the message across. Tough sell.

kalkan999 wrote: »

I don't disagree with Tipton's push to add 2 million of us

I do; I even disagree with the 100,000 mark if they aren't competent. Good CISSP's, by volume, don't degrade the value of the certification anywhere near as heavily as terrible CISSPs, who have no understanding of basic "inch deep" information security concepts that are addressed in the curriculum, books, podcasts, references, and exam do.

EDIT: And I've met as many, or more, bad as I have good.

I yield there on the whole Tipton thing, just makes me scratch my head as my head hurts when I read some of these things. I have however changed my language from irrelevant to pedestrian a couple of weeks ago.

As far as the India thing? Well, lets just say I have seen a couple of recent cattle calls that would probably describe that situation to a 'T'. Four very young looking gents and myself in a waiting room (interview). Four couldn't have been older to 28 and myself (add 20 but I look a lot younger, thanks) for a "senior" level position. CISSP required... blah, blah. When discreetly asked about the experience thing - "Just made something up..." Pretty standard. So, yes. I yield! LOL.

Good thing I was blessed with 10 thumbs, myself. I understand.

- B Eads

If you disagree with Tipton, then what's the solution? Tipton is definitely correct with the following statement: We need 2 million competent InfoSec people JUST to keep our heads above water.
Total Cost of ownership for small to medium businesses to shore up with vendor hardware/software/firmware that can 'do the trick' in protecting them is too prohibitive for most of them, and their existing operational people are either not up to the task to BE InfoSec professionals, or are too apathetic about it, because they get paid to do what they are doing and make companies feel all warm and fuzzy because the systems stay up and running.
There has to be a means and a method of shoring up the fatal flaws of the Internet, i.e., E-commerce, privacy, government, medical, R&D, compliance, etc.,etc...I could go on and on.
Fact is, InfoSec incompetence can do more harm than good, which is why it's important to screen as best as possible beforehand. I can proudly say that I have cleaned the clocks of operational IT people who interviewed me, but I don't get hired BECAUSE they feel threatened, and share their 'concerns' with HR or others.
I've seen IT Operational people give the thumbs-up to less competent InfoSec people during interviews on PURPOSE, because they don't feel like the person in question can effectively challenge or discover what they do, or don't do but supposed to, on a daily basis.
SO, what's the solution? Seriously...

emerald_octane

blame the CISSPs letting these guys pass without the requisite experience. My slated CISSP endorser said he would not endorse me without seeing my work on deploying linux based authentication solutions and cisco certifications.

kalkan999 wrote: »

what's the solution?

Start auditing.

I've been through an (ISC)2 audit. They didn't call a single reference. I could have written anything I wanted in my resume. They're pushing as many through as possible, without regard to their own standards or experience requisites. A CISSP certification does not make an individual qualified, it only makes people think that they are. It puts those people in a position to do substantially more harm than good.

That is the cause of, not the solution to, many information security problems.

EDIT: As a side note, I offer pro bono consulting to small businesses and startups in SE Michigan. What are you, personally, doing to fix the problem? Adding more CISSP's solves nothing.

ivx502

For my job a CISSP is not required, but frankly it helps especially when I have to explain to my bosses why a certain action cannot take place without opening the door to lawsuits. I never looked at it as a end goal. Just only the beginning, for some people just having it is fine and dandy.

I don't blame ISC2 for the bad products (people) that have the certification I blame those particular endorsers. What is auditing going to do and if so how many get audited? I mean they do audit a certain amount, but it is not like they are forthcoming with numbers.

Do I believe more stringent requirements are needed? Yes that only gets you so far. Once the rubber stampers are found I believe they should lose their credentials as well.

TeKniques

kalkan999 wrote: »

SO, what's the solution? Seriously...

I've read a lot of your posts and think they are very informative and I thank you for the positive messages you send to everyone. I believe that the solution is to NOT flood the market with boat loads of CISSPs. The reason is quite like economics; flood the market with something and it's not worth as much. And while I do think Beads and Redz are quite critical in some of their posts, there are some valid points they make. For example, in another thread Beads made a point about many entry level positions asking for a CISSP - that is not a good thing.

Personally, I think this sucks, because I put in quite a bit of time (and experience) to get my CISSP and I hate thinking that it is losing overall market value. Sure, it's still something that employers want ... but if all this becomes reality it won't be a good indicator to separate people from the pack. I am also a believer that the switch to CBT has hurt the value of the certification; your India example is a prime reason why ... cheating is easier.

Sorry to ramble, I don't have a solution either, but I do know that flooding the market is NOT the way to solve the problem.

ivx502 wrote: »

What is auditing going to do and if so how many get audited? I mean they do audit a certain amount, but it is not like they are forthcoming with numbers.

My understanding is that it is in the 10% range, currently. My problem, however, is that they don't actually - in my experience, this may not be a widespread problem - do the audit. To me, that makes it seem as though they aren't interested in ensuring their standards are met, which is highly counterintuitive to their stated mission... And this is why we vote for (ISC)2 leadership that promises to make changes every in every board election.

To make the information security world better, we need to step out and make it better instead of just chasing salaries and promotions.

Agree with you on that point, but it's not the solution I was talking about, specifically. ISC lacks the capacity to effectively audit the way that they should, that is for sure. The problem is getting the necessary experience needed if you work for the US Government, as everything is so darned compartmentalized now, and becoming more centralized (not a bad thing in of itself), but it does unfortunately hamper one's ability to gain experience in all of the CISSP domains, even at an elementary level. Now, one solution to that we can add is that we encourage IT people who want to BE security focused to embrace a more extroverted and proactive stance, and volunteer for work outside of their 'lane.' I don't know about you, but it's my experience that a lot of IT people tend to be...introverted, intelligent but confident to the point of arrogant, and generally disinclined to learn things outside of their 'comfort zone.' I know a lot of network engineers, Linux people, etc., who won't consider other platforms, Operating Systems, the cloud, BYOD, much less document what they do for a living for the benefit of the business. Yes, CISSP should now be a Baseline for those who want to specialize as I see a lot of us doing. Unfortunately, I am personally too busy to consider taking on additional certs at the moment. But to be honest, I have to agree with our favorite CISSP holder, Javaad (watch youtube of him), that HR does not see that the more certs you have above CISSP, the smarter or more experienced you are, they see it as 'your last company had a good education expense that you took advantage of.' proof is in the pudding, as the saying goes. But like BEads said, he competes with CISSP holders in their 20's with padded up CV's, and they get the job because they work for less money, and they are seen as less of a threat by the operational IT people already employed by prospective companies, because they don't think the less experienced candidate will challenge their work, which means that the company that hired said CISSP guy just flushed money down the drain by continuing to follow the trend of 'hire the InfoSec guy to be compliant.' So I ask again...solutions?

Light bulb moment!

Have (ISC)2 tap the NSA to use Prism to help them conduct the audits!!!!!!!!!!!!!!!!!!!!! I am so smart sometimes, I scare me. HAHAHAHHAHHA!

LeifAlire

Ever since they allowed the test to be taken at Prometric or VUE it has totally watered down the test and prestige. Shoot all you have to do is look online and you got the answers, and those mobile testing facilities are a JOKE!!! Pure theft of exams going on there!!! They need too scale back and test again on written paper and pencil.

Sigh...

First, take a look at the (ISC)2 annual report and tell me they don't have funding to hire a team of CPA's to perform a legitimate full audit of all current credential holders over the next 3 years. You want your solution? I said it before twice... And i just did again. Having a $25M surplus is great... Unless it is because you're skimping on protection of the integrity of the credential. It would cost a large amount to fix at this point, and would also cost money in lost AMFs. It's not a good business decision, but as (ISC)2 a non-profit, maximizing the bottom line shouldn't be their goal.

Again, this is why we vote.

In response to the US Gov't thing, I don't want to be too harsh, but you need to drop it. I had only US Gov't experience prior to obtaining my CISSP. If you like, you can verify that on my LinkedIn. There's a link on my TE profile.

REdz. I am referring to how the US Government is leaning today versus the US government you and I know and knew. More compartmentalized, less exposure to other domains. that was all.

Redz. You ask what I am doing to shore up? Now that we are connected, check it out. I volunteer with the CyberPatriot program, funded by the Air Force Association, teaching very young and very smart young men and women InfoSec, where they compete with other teams across the country...currently around 1300. I also provide pro bono Information Security Training through the Wounded Warrior Project out of my own company, at my own expense because kenos technologies is a for-profit company, so I have to pay, with no incentives from the Infernal Revenue Service. I teach Windows and Unix, but with an emphasis on CompTIA certs to start, with the intention to advance at least some to a more senior level down the road. My website (being revamped for the moment) is the host for my live webinar training sessions for up to 25 people at a time using WebEx account paid for out of my own pocket. As a former military veteran and someone deployed to Afghanistan, I pay it forward to those who can benefit the most.
It's my intention to take these men and women under my tutelage and provide them not only career training, but maybe even work for me some day if that is what they desire. if not, I'll wish them the best and ask that they remember me when they are rich.

!nf0s3cure

ISC2 needs to improve their standards by a great deal. I agree with some comments here that since they have gone to CBT they have lost the control and the quality of the exam. I have tried unsuccessfully to get assistance from ISC2 helpdesk but they point you to PV and PV send you to ISC2 between the 2 of them it is a total loss. This is going to show up in the quality of CISSP in the future. Some other certification have limited exams per year..great idea ..you have to be ready for the chance and I have seen some good quality people from those certification. I think that model will work just fine. Put more rigour in the system and focus back on quality than quantity.

kalkan999 wrote: »

Light bulb moment!

Have (ISC)2 tap the NSA to use Prism to help them conduct the audits!!!!!!!!!!!!!!!!!!!!! I am so smart sometimes, I scare me. HAHAHAHHAHHA!

Your sounding way to Government orientated now. Slow down... breath into the paper bag -- slowly, now. That's it. S-L-O-W-L-Y.

- B Eads

Very Team America as my LinkedIn profile suggests.