"Security" has been in my job titles for over 15 years, yet when a new boss walked in the door 3 years ago, he managed to make me seriously doubt my own talent. He announced that everyone in the Security department needed a certification of some sort. Although not a bad goal, he was using it to build a caste system. At the time, he was our company's first and only CISSP. He displayed his cert proudly and made it clear that he ruled the roost.
My assignment was Security+, which he figured I could "probably" handle. Really, all he did was ruffle my feathers because I knew I was better than that. Sitting in a meeting a few weeks later, I spotted Shon's book on his shelf and knew what I had to do.
That evening, I went home, bought my own copy and announced to my family that I would only be surfacing for food, work and hygiene. I kept this up for 84 days, taking and passing the exam on Black Friday so that the time off would not risk my secret. The entire time NOBODY at work had any clue what I was doing, with the exception of one former boss who helped me complete my endorsement. When my certificate arrived in the mail, my family celebrated but work still had no clue.
This is when it got interesting. Along the way, I learned that a friend at work had been assigned "CISSP" as his cert. He had been halfheartedly studying since well before the new boss walked in the door. Just as I was ready to start a major gloating session, I learned his exam had been scheduled two weeks out. I chose to keep my secret because I did not want to get into his head and somehow mess him up. When he told me he passed, I shared my news first with him. It was a very happy day for both of us.
Unfortunately, not so much for the boss. His response was denial and insistence I prove my claim by showing my cert. The SOB also refused to vouch for my friend because although we had both worked in the company's security department for well over 5 years, he had only been our boss for 6 months. Without hesitation, I stepped up to the plate.
Although everyone else was proud of the two of us, it always seemed that the boss held a grudge. I suspect he felt that we diluted his credential, rather than testifying to the strength of our security department. A few months later that boss was dismissed.
Today, we have 4 CISSPs and we hold regular "CPE meetings", where we schedule a room and watch a webcast followed by discussion. I suspect a few more of my colleagues will earn their CISSP over the next year or two. The four of us will probably bring in a cake when that happens.
I never did get that Security+ cert.
@denbesten Great story, and it clearly shows the perils of elitism, and that people and the teams they form are more important than certifications or qualifications.
Appeals to authority are never a great look, and 'what do we think we need' is much better than 'you could probably handle'. Most CISSPs I know would never use it 'at people':
I passed it in 2005 when they were still paper and pencil exams.
4 of us from a relatively rural area had formed a study group. We got together after work and studied together 2 nights a week for months, concentrating in one domain at a time until we all felt that we had mastered that domain. Then we moved to the next domain. Sometimes we just reviewed domains that we hadn't discussed for several weeks. Sometimes we just ate junk food and told stories.
We had to drive to a large city to take the exam and all signed up for the same date. When we left the exam site none of us were sure whether we had passed or not.
We had to wait for what seemed like an eternity to get our results. We continued to get together after work from time to time after we took the exam. I had given my home e-mail address rather than my work e-mail address to (ISC)2, so I was the last to get my results. The other 3 members of my study group already knew they'd passed, but my slow home-based ISP had not yet delivered me an e-mail from (ISC)2. I was starting to figure I'd let the group down (our goal was that we should all pass). I was feeling bad that I'd been the "weak link" since it had originally been my idea that we study together and take the exam.
Finally I got my results and we had all passed. They gave me a hard time for doubting that I'd passed because I had a slow ISP.
I had to dodge a pteranodon on the way to the testing site, so I almost didn't make it.
And back in thoooose days, you had to wait for notification in the mail. The postal mail, not email. We were told it could take up to 30 days to score/respond. I took mine in December, in the Washington, DC area, so with federal holidays and weather and whatnot, I wasn't surprised that I didn't hear back until after the new year. But I was getting really edgy by the end of January, and I still hadn't heard anything.
It took almost 60 days for me to find out I'd passed. I was thrilled when I did, and so very relieved.
And back in thooooose days, they gave you a score whether you passed or failed. I have completely forgotten my score, but I do remember my colleague who had missed getting a perfect score by ONE QUESTION...and then went about waging a campaign against ISC2 to challenge that question on the basis it was incorrect, because he wanted a perfect score.
I completely understand why ISC2 no longer gives out the scores of passing tests.
What I take out of the message and replies is a mix of experiences, learning styles and course development. I had been doing Information Assurance for the US government for ~10 years when I took the CISSP the first time. I had access to Computer Based Training modules and I bought several books and spent a little over a year studying and practicing. (Tellingly, "CISSP For Dummies" was the best for me.) However, I could never do well on the practice tests, so I got my company to splurge on the boot camp. I guess I was lucky, because our instructor was awesome. Also, I went with trainingcamp, since their package included the hotel, partial meals, and the test at the end. A huge bonus was that the instructor was available for extra study after dinner until 10 PM each night. The reviews and practice were invaluable.
I must be slower than Christmas calendar to a 5 yo because it took me 5 1/2 hours to finish the exam and it was an excruciating 6 weeks before I finally got the results. I was surprised and very relieved to find that I had passed. FYI, if you finished in under 3 hours and sometimes feel a sharp pain in your backside, that is just me sticking a pin into the voodoo doll. I both envy and hate you. I hanvy you.
A few take-aways from the class that helped me a lot:
- Read the questions carefully and fully before you even look at the answers. There may be a big clue to the answer in the question.
- Then read every answer, every time. Our instructor drilled us over and over that just because you read a good answer, it doesn't mean it is the best answer. Don't stop at the first answer that looks right and move on.
- Remember to answer the book answer, not the way you might do it at work. This is an exam that has to cover best practices in multiple industries in multiple countries, both public and private. We took a practice test at the start. Most of the scores were dismal. Mine was about in line with the practice tests I had done on my own, meaning dismal. After scoring but before reviewing the correct answers, our instructor asked us how many did this for a living. Most hands went up. Then he asked how many did this for the government. About half the hands went up. Then he told us to keep that in mind when we went over the answers. Quite a few times that half would vehemently protest that the correct answer was wrong. To which he would remind us that we chose the experience answer, not the book answer.
- The finish line is to successfully pass the exam, not to finish the exam first. Just because someone finishes in an hour and leaves does not mean that they are smarter, better prepared or setting any bar. They could have just given up and left. At the time, we had 6 hours. Our instructor encouraged us to use every minute of it if we felt we needed it and not to leave until we felt we had done our best. I have not taken the computer test, so I don't know if you can skip questions and go back. But we could on the paper ones, so I went back and double checked and even marked some down and skipped, then went back later.
I passed in September 2017, first time. I attended a 5 day beginners course and read Shon Harris' book cover-to-cover (much to the annoyance of my partner), plus loads of searching Wikipedia. It was a tough 5 hour exam for me.
Amazed I passed. Struck me that it was often tricky working out what the question was actually asking (probably my strength) as it is some years since I have been in a technical role.
I began my preparation for the CISSP with a lot of excitement and hope to get into a full time security position. I took a 5 day class organized by ISC2 with an exam at the end of the week long class. The class gives you an up to date syllabus of the exam and good set of questions at the end of each day of the topics covered and a final comprehensive set of all 8 domains on the last day. I found this very useful and builds a lot of confidence. However utilizing other materials and understanding the content is very important as some of the questions on the exam are very tricky and the choice of alternative answers to pick from are often confusing and even sometimes irrelevant.
I studied for the exam for about 8 months with a full time job and attending to other family matters. At the end of the journey, you get a very good understanding of the various IT domains and how security plays a key role. I am able to relate to things in a much better way when I am in meetings and am watching webinars. With all that said, I am still not in a full time security role as I intended to be when I took the exam. I would like to hear from others if a CISSP title helped them get further in their career.
I took the exam as a general introduction to the security area. It was great. My lecturer kept saying the course is "an inch deep and a mile wide".
However, I imagine employers are looking for some depth in some relevant domains. I would set up my CV, additional learning, talk to professionals to target this.
Although my job description stated that I would be required to obtain my CISSP within a prescribed amount of time, no one ever held my feet to the fire. Instead I worked tirelessly learning everything there was to learn about my company and working to secure every discipline. FINALLY I decided it was time to focus on me knowing what I learned would of course make me a better security professional.
I received what I believe was great advice: get the CompTIA Security+ cert first. Many folks told me that this would be super easy. I attended a one day class and we were told that the cert had changed and now it was more challenging. I have nothing to compare it to so I don't know how accurate this was. Nonetheless, I studied, took the exam, and passed.
I immediately signed up for a CISSP boot camp. I received the book for the class a couple of weeks prior to the scheduled class. Because of personal reasons, I had to reschedule the class for several months out. This proved to be beneficial for me because I had the book. I read the entire book taking detailed notes prior to the week long class. My instructor was "okay". I sat for the test and failed. UGGGHHHH More studying!
Because I have a total daily commute of a little over an hour I wondered if there were any audio files out on the net. I discovered a treasure trove of audio files authored by Shon Harris. Even though they were old (2003 maybe) they helped me a ton. I listened to them whenever I got in the car.
Right before I sat for my second exam I pored over my notes, re-read each chapter summary from my book, and took practice test after practice test. I took the advice I give my kids: "If you have an hour for a test, use the entire hour". Actually I think the exam took me about 5 1/2 hours. I went through the exam at least three times, maybe four. I really took my time on EVERY question. Don't be hasty by choosing what you think is the right answer. READ the question and read EVERY answer before making a selection. There was one question that made no sense to me until the last time through. It finally clicked and boy did I feel stupid because it really was a simple question. I just wasn't reading it correctly.
When I was handed the piece of paper that started "Congratulations........" I rushed in to the ladies room and had to re-read it just to make sure it didn't say something like "Congratulations for trying a second time but....." lol
Don't give up on yourself and don't let your study guides collect dust on your desk. Make the commitment and dive in. Don't come up for air until you pass the exam. In the end, I'm happy I failed the first time through. I learned so much more having to sit for the exam a second time. The first time it was memorizing, the second time I learned it and am better equipped to apply it to my work. Good luck!
With whatever I'd taken before this (CompTIA Security+, MCSE, CCNA, CEH, etc.) there was a pattern --- I'd read a little (courseware), watch a lot (webinars, training) and bank on my past experience to clear the exams.
All that changed when I attempted the CISSP. I flunked at my 1st attempt, which left me rather shaken. With no options for a refund / free second shot, I tried the exam again, but this time I played it safe, joining study groups, using practice questions & free online resources, etc. It took a lot of effort & cost nothing, but definitely paid off.
You'll be expected to know how things should be done rather than how things can be done, so a lot of experience may not count if things at work weren't being done the right way...