I recently took the CAT test and passed. I wish I could take the old exam (linear, 250 questions). Personally I believe CAT is a bit tougher format to "Pass" the exam. I haven't studied for more than a few weeks. But my overall experience in the field has helped me more than all my studies, especially my last six years in the military. My plan was focusing on the few domains I had less experience in. I was confident about a few domains and was hoping to score 95% on those domains. I was more keen on learning the other domains in depth. The study experience is much more valuable than the certification. I don't know much about the pass rates, but have seen a lot of people failing too. Maybe we eventually will have someone who had experience on the linear exam taking the CAT and giving some input about the "easiness" of CAT. Given an option, I will opt for the longer format. I wouldn't want to see dilution in an exam like CISSP, like it happened in a lot of other certifications.
Just my opinion.
I took the 250-question exam back in 2013 after over 15 years of daily work in securityland.
Took a one-week course to get an idea about which kinds of language tricks there might be (I'm not a native English speaker).
Spent a little less than 3 hours on the test. It was the second hardest test of my life; only the Mensa test was harder.
Which brings my thoughts to the actual topic: are there too many CISSPs?
It depends on what you compare that number to. Here in Finland, we have around 500 CISSPs, but we have over 2000 Mensa members.
So, there definitely are not too many CISSPs.
I think part of this gossip might come from social media and a change in behaviour, with new security practitioners marketing themselves more openly than, for example, 20 years ago. When I was working at the Defence Forces (Army), I didn't market myself in any way, as it was neither wanted nor desired.
> However, it is (ISC)² policy to not publicly
> disclose exact pass rates.
Why exactly is that? The lack of transparency here is concerning -- in other industries by way of comparison, their certification and licensing authorities expose such data.
You state it's an ethical issue. It's an ethical issue to be transparent about the process? That's laughable... ETHICS is the very reason why most authorities ARE transparent about their processes!!!
It's not the number of questions that can decide the quality of the individual. You can ask a person 1000 multiple choice questions, but can't measure the true knowledge level. In some situations 3 or 4 questions can measure the knowledge and experience of a person. I think the "adaptive" method is far better than the subjective questions method or the longer objective format exam. You can design the questions so that a single question might be covering multiple domains. Remember that it's far tougher to choose from multiple right answers than filtering out the wrong ones. So the number of right answers for a single question may vary and it becomes a matter of perspective to choose the "RIGHT" answer. The more the number of right answers per question, the tougher the exam gets. I have met a lot of people (including a few who were teaching where I was taking training on information security) who couldn't answer the basic questions. They all had those fancy certifications. So the dilution is there in most certifications. I personally believe ISC2 should test in more depth, maybe more than a few inches deep. The best thing I liked about the test is that cramming will not cut it like in many other exams out there. And for a true security professional, the learning never stops and certifications are just milestones in the never-ending journey. You have to love the learning part. I was at the receiving end of handling under-qualified certified people a lot of times in my career. I didn't have a choice on the skill level of the people I got to work with. Not an enviable position to be in.
Cheers, happy learning!
I must respectfully disagree with you.
3 or 4 questions can certainly validate one single topic out of the 500 being covered by the CBK.
They refer to the CISSP as the gold standard, the all-encompassing certification.
When the CISSP was released a few dozen years ago, the field of information security was nowhere near as complex and as diversified as it is today. At that time, people were getting certified after working in the field for years. Now it is the opposite: certifications are entry level, where people get certified not to show their mastery of the subject but more to show they met the minimum requirements.
Bottom line, the new CAT test seems to be saving a lot of time for sure. I had a student who completed his exam in 34 minutes with 100 questions.
@mgoblue93 Historically, (ISC)² has not shared any pass rates publicly and this practice is unchanged by the update of the exam format. I will share your feedback on this issue, though. Thank you!
I'm a little late to this conversation, but I strongly disagree.
I belong to the subreddit r/CISSP and a Facebook group and I see the many posts about passing. I feel that many people are quick to post their success, but few have the courage to post their failures.
I have failed this exam twice. I'm taking my time before a third attempt and am studying more for the knowledge than for the certificate at this point. I don't think it's diluted, but it is becoming more popular in the mainstream tech community and thus has reached a wider audience.