@Sylvia589 wrote: I took the exam and not 1 question from any of their official books came out and the questions were at least 80% trick questions so it is like playing the lottery if you take this exam.
It's an exam that tests your understanding, your experience and judgment, your critical thinking ability. No, you won't see any practice questions "word for word" on the exam.
Those who designed this exam have no clue how to set exams and test someone's knowledge.
I'm afraid that this exam is written by people who know how to set exams. I'm afraid that you have simply never encountered an exam of this type before. Check out https://community.isc2.org/t5/Career/CISSP-Failed-Exam-11-2018/m-p/16254/highlight/true#M1623
Failure is only failure until it becomes success. I never read much Shon Harris, but I suspect even she would have counselled her students to have lived a few years in IT and the "real world" of late nights and early (real early!) mornings of trying to keep the lights on of all kinds of crufty old cr@p.
I am (sort of) relieved that not everyone is finding the exam a cakewalk. Having said that, and having written it and thankfully passed it, I might suggest that whoever wants to write it (and PASS IT!) should treat it and those who have designed it, and those who have written it, and those who will write it and pass or fail, with some courtesy and respect.
If you pass, you have yourself to blame. If you fail, you have yourself to congratulate. Be a big boy or girl and take some responsibility.
@cissptaker -- I am sorry you failed it. The language is ambiguous, and it is meant to prove understanding of the content.
If one can see through the murk and provide the best answer, then the candidate shows she or he can handle the challenges.
The challenges of this exam are minor in comparison to the challenges a professional must face. Moreover, part of the exam in my mind is how the candidate handles the stress of not achieving success at first blush.
I have admiration for those who have failed and then commit to succeeding. Finding a way.
I am sure there is a way to overcome the challenges; I know many people for whom English is not a first language and they pass. I know many who fluently speak English, and they flunk. To me, this means it must be more than language fluency.
Good luck on the path and keep chipping away!
Before writing off the CISSP program as a con, kindly consider this:
The eight domains that are tested in the CISSP exam cover the areas that are pain points in this—and many other—organizations. You need not be a subject matter expert in all eight (although, I’ve found it helps tremendously). You should know enough about each to delegate as needed, and know whether the technical people that report to you are truly competent, simply appear competent, or worse.
How would a certifying body test for this?
There will undoubtedly be some either/or binary questions, “Does a given technical concept provide both integrity and confidentiality? True or false.” However, those point to purely technical knowledge, and do not query you on your ability to decide what is the “best” approach to a given situation. Questions that test for this may be in a multiple choice format, and the majority of the choices may “answer the mail” from a purely technical standpoint, but only one choice is practical from a business, legal, financial, or human resource standpoint. Even the most experienced technologist may know little or nothing about their business from the viewpoint of those departments and thus fail to answer correctly.
An underlying precept that sets a CISSP apart from his or her peers is that they are more than competent engineers, more than team leads, more than project managers. Yes, they have “been there, and done that,” but nowadays the CISSP accreditation is supposed to tell an organization that you are qualified to serve as a trusted advisor to the company’s President, the CEO, and the Board of Directors. They are called upon to demonstrate technically competent leadership, not management or administration, and they can parachute into a disaster on day one and hit the ground running. From there, they can develop an architecture and strategies to minimize risk, inculcate a culture of security, and save money doing so. That is what the certification is intended to show, and candidates preparing for it must realize what they're signing up for; what organizations will expect from people with those initials next to their name.
@Ben_Malisow, an (ISC)2 instructor, exhorts his students to avoid buying “a $10 lock for a $5 bike.” If you ask the security person which is the “best” lock, they may point to the one offering the most security, even if it costs $10. If you ask the business person, they’ll want to consider the cost – and do so from a risk management perspective. It’s unlikely that they’ll want to spend $10 to protect a $5 asset. We call this “wearing the CEO hat” and I exhort my clients and students to do it.
I see many posts from people who are attempting this test while still learning the fundamentals.
That is a mistake, and may be the cause of many of the frustrations expressed here.
This exam does test knowledge of certain undisputed facts, and those can be studied for. However, factual knowledge alone does not make a good leader. The ability to think on your feet, process dozens of incoming and conflicting pieces of information, and quickly decide (with a large measure of self-confidence) that your decision is the “best” one, or does the “most” to appropriately respond to the incident, is the hallmark of leadership and grace under fire.
Those qualities are difficult to test for in a written exam, and practice tests face the same limitation, which is why I caution strongly against most of them.
In my previous careers in the military and law enforcement, written exams were part of comprehensive testing, with role-playing, physical testing, and on-the-job training, among other things. That is probably a better approach, but isn’t available through (ISC)2, so if you haven’t got the material down cold you’ll need a mentor or coach who knows how to get you there, unless you’re autodidactic and possess enough self-awareness to know what you don’t know.
I’m fortunate enough to have come to terms with the vastness of my ignorance a long time ago, so I’m self-taught, and it took me more than 20 years to get where I am. That timeline would be fine if it weren’t for the drastic global workforce shortage, so when one of my staff approaches me about becoming a CISSP, I run them through a thinking exercise that I noted in a different post.
If the CISSP is still the most appropriate certification for them, I start bringing them to my client meetings, so they can see the depth and breadth of questions and concerns I’m expected to answer and address (without preparation) at 6 or 7 AM every morning.
I also begin “walk-around” testing. For example, we’re walking past a wiring closet and I tell them that we smell smoke, and say “talk me through how you’ll respond.”
On another walk, I’ll ask them – in rapid fire – to give definitions of “due diligence”, “personally identifiable information (PII),” the difference between RAID 10 and RAID 15, how the annual rate of occurrence is calculated, describe the components of COBIT, and why we salt hashes. You may never see questions like this on the test, but I can ask the person I’m coaching these questions all day long, as my clients ask them of me. My environment is a bit unforgiving. Today I was asked about MPLS and firewall configurations, CMMI, SQL injections, Disaster Recovery plans, hypervisors, and legal liabilities.
Sitting in a roomful of people and saying to a client, “I’m sorry, I need to research that and get back to you,” is not an acceptable response, any more than the surgeon who says “Oops!” in the middle of a procedure.
Accordingly, I have a higher bar than (ISC)2; I won’t invest my limited time in a person if they haven’t paid their dues by working in every domain, not just two of them. That’s because you might master the test, but you won’t last very long as a CISO, CTO, CIO, or consultant like me if you’re only truly competent in 25% of IT.
On walks, over coffee, and at lunch each day, I’ll drill, drill, drill. This can go on for several months. When they can answer my questions correctly, calmly and understandably, time and again, they’ll realize that they have the knowledge—and the confidence—to become a CISSP, if they so choose.
Thank you for the kudos, and your explanation about where you disagree with the last part of my post. You made a very good point, which I can relate to, when you shared that "I can't tell you how many jobs I happily said NO to where at the interview it was made clear to me that my job would be filling three or more positions, but I'd only get paid for one of them. While I am all for working hard, I'd like the salary to reflect all of that."
I did not do a good job of communicating my thoughts when I expressed my belief that candidates should demonstrate experience in more than 25% of the eight domains to serve competently under the accreditation of a CISSP.
You noted that in your role as a consultant you fill a particular need for your client. My world is quite the opposite, more in keeping with your other statement, “…because when you carry the prestige of the CISSP designation, much is expected of you.”
In my consultancy, I’m only filling one role, not two or three, but to serve organizations that need to build—or rebuild—what information they handle, and how they handle it, I must have skill in all of the other roles.
Accordingly, I sit for a given exam only after I’ve spent a few years working in a given arena. I hold over two dozen, and I keep my skills current in each. When the time comes to look for new business I present the most applicable certs to the client.
I look at a person with the CISSP as holding the highest level of cybersecurity accreditation and thus meeting one important qualification to serve as a CIO, CTO, CISO or other role in the C-suite. As a consultant, I serve as a trusted advisor to everyone sitting in that boardroom, not just the technologists, who sometimes only hold a narrow focus and range of experience. As I mentor people who strive to attain the CISSP, I do so with the idea that they will eventually sit there in my place.