Took mine in Summer 2015 - in my time and at my expense. I've been working in operational IT for long enough to know how to change the ribbon in a lineprinter without getting my fingers black and how many reels of 9-track tape I can stack on my forearms and still be able to open a door, and I've been doing security-related stuff since the working life of a password really was predicated on how long it would take to brute-force the hash. I just never bothered with formal qualifications except when they were mandated by the job.
Times change, though, and I found myself considering a job change in a world in which long experience and a fund of anecdotes just doesn't cut it. My research led me to (ISC)2 and CISSP in particular - it's more broadly based than many of the other security qualifications (I didn't want to confine myself to auditing, hacking, technical security or ISMS implementation, for instance) and it had a reputation for being hard. Hard for me means worthwhile.
I took a week's leave, parted with some money and headed off to boot camp. No work calls, no emails and no conversation other than with family in the evening or with other course delegates. It was slightly intimidating to see quite a number of (much) younger, brighter and tech-savvy folk in the same room, and the instructor knew the material and things around it like the back of his hand. Six days' hard work followed, with a long exam on the Sunday and the knowledge that I needed 700 marks or better to pass.
Yes - the exam's hard, and if I hadn't spent a week learning about the mindset that's needed for it and how to approach the questions, as well as attacking the gaps in my knowledge, I wouldn't have had a prayer. I did like the idea of seeking the best answer rather than one that seems right, though. Don't get me wrong - a lot of the time the choice felt subjective rather than objective and that was uncomfortable in the extreme. It's also a lot like what we often face in our jobs, though. Information security is seldom cut-and-dried, so we have to be able to demonstrate an ability to deal with risk appetites, business drivers and realpolitik. Those questions test that part of us, exhausting though it is. I made full use of the opportunities to take on fuel and caffeine.
Like most others, I have no idea whether I scraped 700 marks or did rather better, or whether I passed because of my "best" choices or despite them. I remember the wait between signing out and getting the mark back from Pearson, while the exam admin staff wore the kindest, most supportive poker faces I have ever seen, bless them.
One of the most satisfying results I've ever had, pleased for others on the course who also passed, and deeply sorry for those who didn't on that occasion. I'm proud to have earned my place in this organisation.
"I've been working in operational IT for long enough to know how to change the ribbon in a lineprinter without getting my fingers black"
And I assume you know the WD-40 trick?
"how many reels of 9-track tape I can stack on my forearms and still be able to open a door"
For those of us with short arms it was harder ...
"It was slightly intimidating to see quite a number of (much) younger, brighter and tech-savvy folk in the same room"
As the guy standing up at the front (many times), I can tell you it was much easier and more fun to have people like you than people like them. They know every port number ever registered: you know how things actually work, and that's what the exam is based on.
"and the instructor knew the material and things around it like the back of his hand"
And, again, as the guy in that position, let me say that it looks more impressive from your side than from mine. Sure, I had a ready patter to go with the slides (and a lot more, besides), but, when faced with a seminar attended by half a dozen guys with fifteen years (or more) of experience in specialized areas of security, it could be a little daunting, too.
"It's also a lot like what we often face in our jobs, though. Information security is seldom cut-and-dried, so we have to be able to demonstrate an ability to deal with risk appetites, business drivers and realpolitik. Those questions test that part of us, exhausting though it is."
I know I’m going to catch some flak for this story but, here goes:
In 2002 I registered for and eventually sat for the exam. It was a little intimidating checking in, turning in personal belongings, and going into a somewhat crowded conference room in a hotel that was eerily quiet. The mood was close to that of attending a funeral service. Nobody dared make eye contact. Eventually the test began, and we were warned about the rules for taking breaks and about the length of the exam in number of questions and in time. I dove in, expecting to not complete the test in time and racing through as many questions as I could.
I finished. I reached the end. I checked the clock, and I had spent about 100 minutes of my time. I looked around the room and everyone was still buried in their test. Nobody had even taken a break yet. I must have missed something. I went back to the beginning and double checked every answer. I re-erased corrections just to be sure. I was now just over two hours in, and nobody had gotten out of their chair. I sat there quietly. I looked around, and still everyone was buried in their test. I checked my answers a third time. I dutifully made sure that the entire circle was filled all the way up to the line. I swapped pencils and refilled the dots in case the machine didn’t “pick up the lead.” Finally, at two and a half hours someone stood up with their exam and walked to the administrators’ table.
I did the same. When I got to the desk, the proctor told me that only one person could go to the restroom at a time because there weren’t enough escorts. I leaned in, embarrassed, and whispered, “I’m done.” I thought to myself, “I failed this exam. There is no way I passed this thing. I must have screwed something up.” I bought a study guide book. I couldn’t tell you which one, it was almost 20 years ago – Maybe a Sybex guide? I started going through it, getting ready for my retake. Everything I read made perfect sense and I started thinking that maybe I did better than I thought. A few weeks later I was notified I passed.