topic Re: is passing CISSP exam heart of the matter?! in Tech Talk

is passing CISSP exam heart of the matter?!

Kaveh — Fri, 14 Feb 2020 15:14:41 GMT

I could find a better category to match my question I know it's not tech related but anyway...do you think it is ethical for training institutions to focus solely on passing CISSP exam?

I personally have found this actually very unethical, unprofessional and even concerning! if an training institution is highly focused on Only passing the exam, can we be sure that they deliver sufficient knowledge?

an argument might be: CISSP exam is the metric that ISC2 has put in place, so then Yes, what is wrong with that?

thoughts?

Re: is passing CISSP exam heart of the matter?!

Brewdawg — Fri, 14 Feb 2020 16:29:09 GMT

As long as the institution is using the official training curriculum or providing tips and skills to help pass the exam I do not have a problem with that.

If the training institute is doing what we all know some of them did with the MS exams years ago which is provide brain dumps and basically try to help people memorize the answers, then I do not think that is ethical. And I think that anyone that passes the exam using that method is being unethical and should not be able to earn the certification, unfortunately that is a hard thing to police and monitor.

So we have to trust that most of the training institutes are being ethical and teaching the correct material to help prepare the proper candidates for certification.

I think that the 5-yr experience requirement and the endorsement process help keep some of the 'brain dump' candidates from getting certified. At least I hope it does. My feeling on that is that it is unethical to endorse a candidate that you know 'cheated' the test process, or that you feel is not prepared to represent (ISC)2 and the CISSP community to the standard that we all hope the certification maintains.

Beyond that, the item writing workshops need to make sure that they are updating and maintaining a test that is current and difficult to 'brain dump'.

Re: is passing CISSP exam heart of the matter?!

JKWiniger — Fri, 14 Feb 2020 16:32:22 GMT

It's an interesting question, and what I think it comes down to is most places don't really know what to focus on. So in this case if they can just reach for an accepted cert like the CISSP it gives them a place to start. Overall I think what most school teach is outdated because it required something to come out, be accepted by the community, make it's way into a book, a school has to accept said book, and then work it into a class. At which point is has taken so long what is being taught is a bit old and outdated! I remember taking a class and they asked which was better WEP or WPA.. my answer was neither, I can break both and you should be on WPA2... just an example..

John-

Re: is passing CISSP exam heart of the matter?!

AlecTrevelyan — Fri, 14 Feb 2020 16:55:48 GMT

@Kaveh wrote:
I could find a better category to match my question I know it's not tech related but anyway...do you think it is ethical for training institutions to focus solely on passing CISSP exam?
I personally have found this actually very unethical, unprofessional and even concerning! if an training institution is highly focused on Only passing the exam, can we be sure that they deliver sufficient knowledge?
an argument might be: CISSP exam is the metric that ISC2 has put in place, so then Yes, what is wrong with that?
thoughts?

There are two parts to becoming CISSP certified:

Passing the exam
Going through the endorsement process to prove you have the required experience

The endorsement process is supposedly ISC2's opportunity to ensure applicants aren't just paper certified but have real-world skills, experience and knowledge. I think it's this element that should be made more strict to ensure the certification retains its value rather than worrying about the training providers.

I think a training provider's main aim is actually to get as many people attending their training sessions as possible as that is how they make their money. How they achieve that is either training people well, which you would think would translate into high pass rates, or training people to pass the exam, which again should result in high pass rates.

Over time, people will learn the style of training the providers offer, and choose the provider that suits their objectives (assuming all other things are equal like cost and location). If they just want to pass the exam then they'd choose the provider who is geared towards that. If they want to expand their knowledge then they'd choose the provider who is geared towards that.

As long as the training provider isn't breaking any rules, then there's no problem from my perspective.

What are your thoughts on someone self-studying with the same aim just to pass the exam? Do you still consider that unethical? Or is it just training providers doing this you object to? Their motivations would likely be the same. i.e. Monetary gain, albeit indirectly through better job prospects as opposed to directly through people signing up for training.

Re: is passing CISSP exam heart of the matter?!

Beads — Fri, 14 Feb 2020 17:51:15 GMT

The new ease with acquiring knowledge to pass the exam has been both a curse and a blessing for those wishing to complete the exam once and only ONCE they have the suffice document-able experience and sign-off of career skills by either the ISC(2) or another credential holder in good standing.

Unfortunately these has for whatever reason not always been the case as evidenced by people who should never have sat for the exam carrying the credential. If you have ever had the unfortunate experience in working with a paper tiger of any stripe you have my empathy on the subject. I have meet far too many both in person and on many boards from Quora to TechExams all deriding the same message, that the exam is too "hard".

What does this have to do with morally questionable forms of educational opportunist? They are always going to exist but we can slow them down a bit by taking a cue from the Project Management Institute by requiring a more stringent vetting process along with certified instruction and materials. To do less has only hurt the reputation of the certification in general. If you didn't understand this before, let me reassure you it has and will only continue to do so.

Many of these "trainers" will not only provide training, braindumps but the sign-off as well. All in one shop. The only thing they (thankfully) cannot do is proctor the exam as well.

Cheating has become a greater risk to the community than the insider.

- b/eads

Re: is passing CISSP exam heart of the matter?!

rslade — Fri, 14 Feb 2020 18:06:53 GMT

> Kaveh (Newcomer I) posted a new topic in Tech Talk on 02-14-2020 10:14 AM in the

> I could find a better category to match my question I know it's not tech related

You might try "Certifications" ...

> do you think it is ethical for training institutions to focus
> solely on passing CISSP exam?

No.

And it doesn't even work.

> if an training institution is
> highly focused on Only passing the exam, can we be sure that they deliver
> sufficient knowledge?

They usually don't. So the supposed training agencies that concentrate on simply
giving you enough knowledge to pass the exam usually don't give you enough
knowledge to pass the exam. The exam is written to try and assess if you have
enough knowledge (and background, and experience, and judgment) to be called a
security professional.

A "brain dump" isn't going to do it ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
We are all agreed that your theory is crazy. The question which
divides us is whether it is crazy enough to have a chance of
being correct. My own feeling is that it is not crazy enough.
-- Niels Bohr
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: is passing CISSP exam heart of the matter?!

CraginS — Sun, 16 Feb 2020 14:34:03 GMT

@Kaveh wrote:
I could find a better category to match my question I know it's not tech related but anyway...do you think it is ethical for training institutions to focus solely on passing CISSP exam?
...

Kaveh,

An excellent question and concern, and a good chance to help folks understand the nature of our CISSP certification.Yes, training to pass the test is, in fact, quite ethical. This makes sense once you understand what the certification means.

Go back to the origin of the (ISC)2, formed by several organizations (not individuals) for the express purpose of developing a meaningful INFOSEC certification. The core qualification for certification was, and is, the experience factor. Length of time and depth on performing INFOSEC work is the criteria. Thus, the emphasis on being a professional in the field of INFOSEC. However, as the consortium team worked on what work makes up the INFOSEC field, they identified ten separate domains (updated to eight a few years ago). And they realized that not everyone in INFOSEC work has experience in all ten domains. Still, to be a management-level professional in the field, you should know something about each of those domains.

That leads us to the exam. The purpose of the exam is NOT to show you have deep knowledge in the field. The purpose is to demonstrate that you are aware of the breadth of work that INFOSEC includes, and further, know enough of the basics of each domain to recognize when a given project should entail each of the domains. For years, I have said the purpose is to be able to throw the domains at a task or contract to confirm which of them will apply in that task, and then decide whether you need to BE SMART (already have the knowledge and skills), GET SMART (go learn enough depth in that domain to do the work), or HIRE SMART (add team members who already have the knowledge and skills you need).

With this context, I hope you see that the purpose of the train-to-exam process is not to make every student an INFOSEC pro; that is done by the student's work experience and skills development and study. The purpose of the exam prep, and then the exam, is to make sure that the student (certification aspirant) is aware of all of the possible activities under the INFOSEC umbrella, and can recognize when to BE SMART, GET SMART, or HIRE SMART to produce professional level of work.

Thus, a high experience professional in network protection; system hardening; identification, authentication, & authorization, may well be a true professional, but to properly earn the certification, may need to learn the basics of law, governance, privacy, and compliance. Thus, that super-tech infosec pro can use the CISSP Exam training to tech that level of knowledge, and deserve the certification as CISSP.

This takes us back to the start: the experience requirement. In reality, the experience endorsement activity is key to confirming that professional level experience in multiple domains. That is why you will read about the complexity of the endorsement step, and the need for due diligence on the part of the endorser.

I hope this helps!

Best regards,

Craig

Re: is passing CISSP exam heart of the matter?!

Kaveh — Fri, 14 Feb 2020 21:35:13 GMT

very nice different perspectives, your answers and questions, all of you, had something for me to learn and consider and probably for future readers. it is very encouraging when I see how members are responsive and deeply thoughtful.

in a nutshell, I realized, my wrong perception of the role of a trainer in the whole process made me judge their sole mission against wrong criteria! I am not putting all trainers in same bucket, that is not fair, but I factored them very high in the equation, even though they are eventually act not more than a fine tuner for a seasoned security professional.

Re: is passing CISSP exam heart of the matter?!

ericgeater — Sun, 16 Feb 2020 14:05:14 GMT

Prior to CISSP, of the eight security domains, I only had expertise (or exposure) in four of them. Of the remaining four domains, my only exposure was through CISSP study guides. I was flatly reading new subject material without understanding a workflow, or watching a process. Might as well have been abstract poetry.

Still, I read. A whole lot. The new domain material remained flat, but I read, and read, and read about it.

I attended a boot camp. It didn't take long to observe how the instructor was pushing to pass the exam, but he happened to be an "expert generalist" who could easily illustrate any subject matter. He (sometimes impatiently) answered my frequent questions requesting additional context, even though this was far from his responsibility to the class. I can be kind of obnoxious like that, but hell! If I pay $3,800, I'm askin' questions.

If I was at 70% understanding, my instructor's contextual add-ons lifted me the last 10-15% I needed to succeed. Class ended at noon, and I passed the test five hours later.

My last words:

Boot camps are stilted toward exam passes. Personally, I will only take formal classes from now on.
Boot camps still winnow people out. Several attendees blankly admitted they were not ready.

Re: is passing CISSP exam heart of the matter?!

Steve-Wilme — Mon, 17 Feb 2020 14:03:27 GMT

Generally you won't pass an exam without an understanding of the material, if the subject is of any degree of complexity. But moreover a training provider won't 'get you through' the exam, it's up to each candidate to do that themselves. It's faulty thinking to believe that if you just use company X then you'll sail through without much effort on your part. You'll simply need to learn the material. So possibly these companies are less scrupulous than they may ideally be, but they also need candidates who are willing to be taken in.

Re: is passing CISSP exam heart of the matter?!

Caute_cautim — Tue, 18 Feb 2020 18:34:02 GMT

I compare the CISSP in a similar way to the British Computer Society (BCS) and New Zealand Institute of Technology Professionals (ITP),which I belong and maintain despite having left the UK. Both establishments have come together to follow the Chartered Information Technology Professional (CITP). Which is seen by industry in UK and New Zealand as the Gold Standard, in the digital acclaim world.

https://www.bcs.org/get-qualified/become-chartered/chartered-it-professional/

In order to obtain this is similar to the CISSP, pass an examination, which is based on experience and different scenarios. Obtain evidence and complete a package. Every five years one is subject to evidential scrutiny, of self development and continued maintaining ethics and professional integrity.

Passing the both the CISSP and concentrations, or even the CITP is an ongoing journey, of maintaining ones professional integrity and ethics. In both cases, it is possible for formal complaints to be made by employers, and as witnessed in the past for members to be censored privately or publicly.

Just passing the examination, is the commencement of a lifelong journey, a professional commitment, yes I passed the CISSP in the days of the 10 domains instead of eight, but went to do a concentration, which requires you to go back to basics and re-examine whether or not one is prepared for the next level.

These qualifications are hard earned, hard fought for some, but through determination, they provide a baseline upon which you can place your professional career as a baseline going forward.

Having recently become involved in the Pathway to Technology (P-Tech) as a mentor, helping young people to get a leg up in preparation for their journey's going forward makes, it provides an opportunity for professional giveback. Which all of us, could provide to individuals also at the commencement of their own individual journeys.

It certainly is not a wasted one, but something to look back upon, and wonder, how did we arrive at where we are right now. So keep and maintain motivation, it is not totally about us, it is about the others behind us and around us too. We have a job as a caretaker to understand and take action as necessary to protect others.

Regards

Caute_cautim

Re: is passing CISSP exam heart of the matter?!

Steve-Wilme — Wed, 19 Feb 2020 11:34:56 GMT

This may appear controversial, but I don't think passing the CISSP or any other ISC2 exam is key. It's simply a step to formalising knowledge as with any qualification. There will be people who hold the CISSP who struggle to apply their knowledge in an organisational context and similarly great practitioners who don't hold a specific formal credential. The CISSP and similar are often simply used as short cut to filter job candidates and so interviewers without a security background can get some assurance on the knowledge of the candidate.

Re: is passing CISSP exam heart of the matter?!

JKWiniger — Wed, 19 Feb 2020 14:30:44 GMT

Let's start with, what do you call the guy who finishes last in his class at med school?

Doctor!

I knew a guy back in the late 90s who was trying to get his MCSE. He failed every test like 7 times! But in time he passed them all and got it, and heaven help anyone who let this guy work on their servers. So yes, a certification is just a message and does not show how well you understand the material and your ability to comprehend things, which is what is really needed.

This is one of the reasons I am glad to see retry delays have been put in place!

John-

Re: is passing CISSP exam heart of the matter?!

Kaveh — Wed, 19 Feb 2020 15:46:31 GMT

That was the best analogy. I actually was hesitant to bring those as examples so I am glad @JKWiniger did

Re: is passing CISSP exam heart of the matter?!

emb021 — Wed, 19 Feb 2020 15:58:36 GMT

@JKWiniger wrote:
Let's start with, what do you call the guy who finishes last in his class at med school?

Doctor!

I knew a guy back in the late 90s who was trying to get his MCSE. He failed every test like 7 times! But in time he passed them all and got it, and heaven help anyone who let this guy work on their servers. So yes, a certification is just a message and does not show how well you understand the material and your ability to comprehend things, which is what is really needed.

This is one of the reasons I am glad to see retry delays have been put in place!

John-

Some people are just bad at taking tests. Failing a test isn't always a sign of someone who doesn't know what they are doing.

AFAIK, retry delays have been in place for some time. You seem to imply they are a recent thing.

Re: is passing CISSP exam heart of the matter?!

emb021 — Wed, 19 Feb 2020 19:20:40 GMT

It does bother me that some folks focus on just passing the test. I especially don't like seeing people who seem to want a 'brain dump' of the exam or actual exam questions as if they are going to memorize the answers.

The goal should be to learn the material. Basically the CBK. You should study or learn what is in the CBK. The test is against that CBK. Don't study against the test, or study just to pass the test. Study to learn/understand the CBK.

Using test banks should be more to help you understand the style of the questions you will get and help make sure you understand the information. I hate test banks that don't explain WHY the answer was right or wrong. (I like ISACA's QAEs for this reason).

Also, am annoyed that people assume official sample test banks are somehow the *same* as the real test questions or even retired questions. That's not how it works. To maintain their ANSI/ISO certifications, certifying bodies like ISC2, ISACA, SANS, etc need to keep separate their testing and training groups (SANS went to the extreme of separating the testing folks as GIAC). The people who develop test questions are not the same as the people who develop sample questions.

For me, when I studied for the CISSP, it was a way for me to refresh my knowledge on topics I hadn't dealt with since college, ensure I knew the stuff I currently work on, and fill gaps in my knowledge for areas that I didn't do much work in. The process of learning was just as valuable as passing the test itself, so again, I don't understand why some want to short-circuit this with just exam cram or studying only exam questions.

This is one reason I don't agree with those who poo-poo certs. I think that the process of having to learn and study to prepare for the cert is a valuable process that shouldn't be overlooked.

Re: is passing CISSP exam heart of the matter?!

JKWiniger — Wed, 19 Feb 2020 16:22:51 GMT

@emb021 this has me thinking of an unforgettable experience at an exam center many years back. A guy was coming out of the testing area after just failing his A+ and was rather pissed! He ranted about how the question were nothing like they ones he got online! I was in disbelief that this is what things had come to. Especially since I was required to take both the A+ and Network+ when they first came out so there was not such thing as a practice test or even a book to study, either you knew it or you didn't.

John-

Re: is passing CISSP exam heart of the matter?!

rslade — Wed, 19 Feb 2020 20:21:39 GMT

> JKWiniger (Contributor I) posted a new reply in Tech Talk on 02-19-2020 09:30 AM

> I knew a guy back in the late 90s who was trying to get his
> MCSE. He failed every test like 7 times!

I remember one group where the guy we (a bunch of data comms, VAX and Unix people) considered the primo Windows guy failed the MCSE 3 times, and finally gave up. (I knew a Unix guy who *did* pass, first time. He'd never touched a Windows box, and claimed he answered every question by asking "Which answer would make Microsoft the most money?")

Re: is passing CISSP exam heart of the matter?!

JKWiniger — Wed, 19 Feb 2020 20:55:55 GMT

@rslade ok, now you made me laugh, but sadly it's so true! I know someone who has fail a certification exam numerous times. She would not let me help her study and even tried to blame for her failing, but that's another story. I did point out that you have to get into the mindset of who is providing the exam. You cannot pass the CISSP and CISM with the same mindset because each exam comes from a different place.

With Microsoft I will never forget the Exchange 5.5 exam, they had just gone to adaptive testing. The whole exam was 13 questions and 1 was on licensing. If you have 5 people accessing exchange from in the office and 5 accessing it with OWA, how many licenses do you need? I was actually pissed they made me drive to the testing center for that and send they should have just mail out a pass! hahah

And VAX, you had to go there! I hated that thing! Everything was so stripped down, I would have to telnet over to a Unix account and go out from there so I could look in my scroll back buffer and see the added spaces and other characters to get into those.. umm never mind... that was a friend of mine, ya that's always a friend of mine! hahah

John-

Re: JKWiniger mentioned you in (ISC)Â² Community

rslade — Wed, 19 Feb 2020 23:31:53 GMT

> JKWiniger (Contributor I) mentioned you in a post! Join the conversation below:

> And VAX, you had to go there! I hated
> that thing!

I never knew enough about VAX internals to love or hate them, but, at one point,
I did a lot of fun stuff on or around VAXen ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
I haven't lost my mind -- it's backed up on tape somewhere.
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB