"Security" has been in my job titles for over 15 years, yet when a new boss walked in the door 3 years ago, he managed to make me seriously doubt my own talent. He announced that everyone in the Security department needed a certification of some sort. Although not a bad goal, he was using it to build a caste system. At the time, he was our company's first and only CISSP. He displayed his cert proudly and made it clear that he ruled the roost.
My assignment was Security+, which he figured I could "probably" handle. Really, all he did was ruffle my feathers because I knew I was better than that. Sitting in a meeting a few weeks later, I spotted Shon's book on his shelf and knew what I had to do.
That evening, I went home, bought my own copy and announced to my family that I would only be surfacing for food, work and hygiene. I kept this up for 84 days, taking and passing the exam on Black Friday so that the time off would not risk my secret. The entire time NOBODY at work had any clue what I was doing, with the exception of one former boss who helped me complete my endorsement. When my certificate arrived in the mail, my family celebrated but work still had no clue.
This is when it got interesting. Along the way, I learned that a friend at work had been assigned "CISSP" as his cert. He had been halfheartedly studying since well before the new boss walked in the door. Just as I was ready to start a major gloating session, I learned his exam had been scheduled two weeks out. I chose to keep my secret because I did not want to get into his head and somehow mess him up. When he told me he passed, I shared my news first with him. It was a very happy day for both of us.
Unfortunately, not so much for the boss. His response was denial and insistence I prove my claim by showing my cert. The SOB also refused to vouch for my friend because although we had both worked in the company's security department for well over 5 years, he had only been our boss for 6 months. Without hesitation, I stepped up to the plate.
Although everyone else was proud of the two of us, it always seemed that the boss held a grudge. I suspect he felt that we diluted his credential, rather than testifying to the strength of our security department. A few months later that boss was dismissed.
Today, we have 4 CISSPs and we hold regular "CPE meetings", where we schedule a room and watch a webcast followed by discussion. I suspect a few more of my colleagues will earn their CISSP over the next year or two. The four of us will probably bring in a cake when that happens.
I never did get that Security+ cert.
@denbesten Great story and clearly shows the perils of elitism, and that people and the teams they form are more important than certification, qualifications.
Appeals to authority are never a great look, and 'what do we think we need' is much better than 'you could probably handle'. Most CISSPs I know would never use it 'at people':
I passed it in 2005 when they were still paper and pencil exams.
4 of us from a relatively rural area had formed a study group. We got together after work and studied together 2 nights a week for months, concentrating in one domain at a time until we all felt that we had mastered that domain. Then we moved to the next domain. Sometimes we just reviewed domains that we hadn't discussed for several weeks. Sometimes we just ate junk food and told stories.
We had to drive to a large city to take the exam and all signed up for the same date. When we left the exam site none of us were sure whether we had passed or not.
We had to wait for what seemed like an eternity to get our results. We continued to get together after work from time to time after we took the exam. I had given my home e-mail address rather than my work e-mail address to (ISC)2 so I was the last to get my results. The other 3 members of my study group already knew they'd passed, but my slow home-based ISP had not yet delivered me an e-mail from (ISC)2. I was starting to figure I'd let the group down (our goal was that we should all pass). I was feeling bad that I'd been the "weak link" since it had originally been my idea that we study together and take the exam.
Finally I got my results and we had all passed. They gave me a hard time for doubting that I'd passed because I had a slow ISP.
I had to dodge a pteranodon on the way to the testing site, so I almost didn't make it.
And back in thoooose days, you had to wait for notification in the mail. The postal mail, not email. We were told it could take up to 30 days to score/respond. I took mine in December, in the Washington, DC area, so with federal holidays and weather and whatnot, I wasn't surprised that I didn't hear back until after the new year. But I was getting really edgy by the end of January, and I still hadn't heard anything.
It took almost 60 days for me to find out I'd passed. I was thrilled when I did, and so very relieved.
And back in thooooose days, they gave you a score whether you passed or failed. I have completely forgotten my score, but I do remember my colleague who had missed getting a perfect score by ONE QUESTION...and then went about waging a campaign against ISC2 to challenge that question on the basis it was incorrect, because he wanted a perfect score.
I completely understand why ISC2 no longer gives out the scores of passing tests.
What I take out of the message and replies are a mix of experiences, learning styles and course development. I had been doing Information Assurance for the US government for ~10 years when I took the CISSP the first time. I had access to Computer Based Training modules and I bought several books and spent a little over a year studying and practicing. (Tellingly, the "CISSP For Dummies" was the best for me.) However I could never do well on the practice tests, so I got my company to splurge on the boot camp. I guess I was lucky, because our instructor was awesome. Also, I went with trainingcamp, since their package included the hotel, partial meals, and the test at the end. A huge bonus was that the instructor was available for extra study after dinner until 10 PM each night. The reviews and practice were invaluable.
I must be slower than Christmas calendar to a 5 yo because it took me 5 1/2 hours to finish the exam and it was an excruciating 6 weeks before I finally got the results. I was surprised and very relieved to find that I had passed. FYI, if you finished in under 3 hours and sometimes feel a sharp pain in your backside, that is just me sticking a pin into the voodoo doll. I both envy and hate you. I hanvy you.
A few take-aways from the class that helped me a lot:
- Read the questions carefully and fully before you even look at the answers. There may be a big clue to the answer in the question.
- Then read every answer, every time. Our instructor drilled us over and over that just because you read a good answer, it doesn't mean it is the best answer. Don't stop at the first answer that looks right and move on.
- Remember to answer the book answer, not the way you might do it at work. This is an exam that has to cover best practices in multiple industries in multiple countries, both public and private. We took a practice test at the start. Most of the scores were dismal. Mine was about in line with the practice tests I had done on my own, meaning dismal. After scoring but before reviewing the correct answers, our instructor asked us how many did this for a living. Most hands went up. Then he asked how many did this for the government. About half the hands went up. Then he told us to keep that in mind when we went over the answers. Quite a few times that half would vehemently protest that the correct answer was wrong. To which he would remind us that we chose the experience answer, not the book answer.
- The finish line is to successfully pass the exam, not to finish the exam first. Just because someone finishes in an hour and leaves does not mean that they are smarter, better prepared or setting any bar. They could have just given up and left. At the time, we had 6 hours. Our instructor encouraged us to use every minute of it if we felt we needed it and not to leave until we felt we had done our best. I have not taken the computer test, so I don't know if you can skip questions and go back. But we could on the paper ones, so I went back and double checked and even marked some down and skipped, then went back later.