---

@Early_Adopter wrote:

 

... in nearly all scenarios that hire people) you must have the adjacent experience ...

I like that "adjacent experience" phrase. The analogy I sometimes use is that there is no such thing as an entry level judge. You have to start as a lawyer, learn the system, find you have an aptitude for judicial work, and then get noticed/be appointed.

While there are junior level jobs in security, they all have certain requisite skills. Do you know directories, networking, system administration etc.? While these tasks may not have "security" in their title, they most certainly are (or should be) security related. You're following procedures intended to perform those tasks securely, and what happens when you transition to a security role is you move from the person following those procedures to the one confirming them or writing them.

In that regard, I am not sure the CC is a gateway to the industry. I think what it is really about is that it was designed to be a gateway to the (ISC)2, a way of growing the membership. Admittedly marketing "cybersecurity" has become a highly competitive industry. Everyone is offering some sort of cert or training these days.

---

@brainybits wrote:

After all these courses are designed by the very same folks that designed the test. 

---

This is not true. The education department has no involvement with exam development, nor do they have access to exam questions. (ISC)² staff do not even write the exam questions. See this post and this post and this blog.  

---

@denbesten wrote:

The education department has no involvement with exam development, nor do they have access to exam questions. (ISC)² staff do not even write the exam questions. See this post and this post and this blog.  

---

This is one of the challenges I have. It would be nice to have more detail about what's on the exam or input into its nature. It should have been a no-brainer: Likely, the people a CC would be applying to for a job are CISSPs or otherwise (ISC)2 members. There was this great (missed) opportunity to educate security hiring managers about this cert.

I don't think any of that separation can/will change, and that's a good thing.

I think the main problem with CC isn't so much around content/questions just that the industry really hasn't been primed with any demand for it before offering it out to candidates as a perceived freebie, it's more like a succulent fifty-dollar meal that you pay for at the end. Well at least you don't need to tip!

Well while that may be true that’s not very reassuring to know the prep materials provided by isc2 are not enough to ensure exam passag as the second poster referenced in your comment suggests. 😕

I speak of course with a tone of sarcasm because I would have never guessed that. I took the CISSP 14 years immediately taken after boot camp administered onsite at my company (Symantec, a leading cybersecurity company at the time) and and many of the questions were virtually straight out of the ISC2 CBK book we had all gone through.

But I’ll take your word for it. It’s quite interesting to see elements of separation of duties between authors and administrators. Because everything I assume falls under the ISC2 umbrella, cbk and exam, that it is unavoidable (and expected) that exam material, no matter if it is not directly based on the CBK, uses information directly referenced in the CBK. Like I said it was quite evident having taken the CISSP years ago and more recently taking the CC exam had questions that were eerily similar to questions from the post-course assessment test, which was basis of my assumptions.  But am genuinely glad to see this separation for the reasons explained. 

@brainybits 

I think you can be confident that the materials/references are consistent, as well as that the exam questions are constructed in the same way as the test questions are constructed, even to the point of looking similar but they won't be the same ones.

However, to pass you're going to need to comprehend and interpret information in the exam scenarios and questions and try to work out what the most good/least bad option is so it's not enough to just memorize the CBK and exam references, you need to be in the habit of applying reason to them.

Of course if you certify as CISSP you might go behind the curtain as an exam writer on a voluntary basis, but then you'd be NDA's up so in that sense it's a bit like crossing a black hole's event horizon in that you couldn't tell anyone left of the other side...

Spot on! 

As the person responsible for the Exam Content Development Team, I can assure everyone on this board that there is a "wall" between my team and the education/publication teams. 

My team facilitates workshops where members, not us, create/update exam content (questions) as well as create updated exam outlines every three years. 

I like to say our exams are by peers for peers. 

Additionally, my entire team are members; we all had to have at least the CISSP to even apply for one of our positions and we have to maintain our certs through CPEs just like every other member does.

Over the past few years, we have moved away from allowing our volunteer SMEs to use any of the CBKs as references when creating new content.  We're trying to stay away from a self-feeding loop between exam content development and publication.