Kaveh
Newcomer II

Is passing the CISSP exam the heart of the matter?!

I couldn't find a better category to match my question. I know it's not tech related, but anyway... do you think it is ethical for training institutions to focus solely on passing the CISSP exam?

I personally have found this actually very unethical, unprofessional and even concerning! If a training institution is highly focused on only passing the exam, can we be sure that they deliver sufficient knowledge?

An argument might be: the CISSP exam is the metric that ISC2 has put in place, so then yes, what is wrong with that?

thoughts?

21 Replies
Brewdawg
Newcomer III

As long as the institution is using the official training curriculum or providing tips and skills to help pass the exam I do not have a problem with that.

If the training institute is doing what we all know some of them did with the MS exams years ago, which is provide brain dumps and basically try to help people memorize the answers, then I do not think that is ethical. And I think that anyone that passes the exam using that method is being unethical and should not be able to earn the certification; unfortunately that is a hard thing to police and monitor.

So we have to trust that most of the training institutes are being ethical and teaching the correct material to help prepare the proper candidates for certification.

I think that the 5-yr experience requirement and the endorsement process help keep some of the 'brain dump' candidates from getting certified. At least I hope it does. My feeling on that is that it is unethical to endorse a candidate that you know 'cheated' the test process, or that you feel is not prepared to represent (ISC)2 and the CISSP community to the standard that we all hope the certification maintains.

Beyond that, the item writing workshops need to make sure that they are updating and maintaining a test that is current and difficult to 'brain dump'.

JKWiniger
Community Champion

It's an interesting question, and what I think it comes down to is that most places don't really know what to focus on. So in this case, if they can just reach for an accepted cert like the CISSP, it gives them a place to start. Overall I think what most schools teach is outdated because it requires something to come out, be accepted by the community, make its way into a book, a school has to accept said book, and then work it into a class. At which point it has taken so long that what is being taught is a bit old and outdated! I remember taking a class and they asked which was better, WEP or WPA... my answer was neither, I can break both and you should be on WPA2... just an example.

John-

AlecTrevelyan
Community Champion


@Kaveh wrote:

I couldn't find a better category to match my question. I know it's not tech related, but anyway... do you think it is ethical for training institutions to focus solely on passing the CISSP exam?

I personally have found this actually very unethical, unprofessional and even concerning! If a training institution is highly focused on only passing the exam, can we be sure that they deliver sufficient knowledge?

An argument might be: the CISSP exam is the metric that ISC2 has put in place, so then yes, what is wrong with that?

thoughts?


There are two parts to becoming CISSP certified:

  1. Passing the exam
  2. Going through the endorsement process to prove you have the required experience

The endorsement process is supposedly ISC2's opportunity to ensure applicants aren't just paper certified but have real-world skills, experience and knowledge. I think it's this element that should be made more strict to ensure the certification retains its value, rather than worrying about the training providers.

I think a training provider's main aim is actually to get as many people attending their training sessions as possible, as that is how they make their money. How they achieve that is either training people well, which you would think would translate into high pass rates, or training people to pass the exam, which again should result in high pass rates.

Over time, people will learn the style of training the providers offer, and choose the provider that suits their objectives (assuming all other things are equal, like cost and location). If they just want to pass the exam then they'd choose the provider who is geared towards that. If they want to expand their knowledge then they'd choose the provider who is geared towards that.

As long as the training provider isn't breaking any rules, then there's no problem from my perspective.

What are your thoughts on someone self-studying with the same aim, just to pass the exam? Do you still consider that unethical? Or is it just training providers doing this you object to? Their motivations would likely be the same, i.e. monetary gain, albeit indirectly through better job prospects as opposed to directly through people signing up for training.

 

Beads
Advocate I

The new ease of acquiring knowledge to pass the exam has been both a curse and a blessing for those wishing to complete the exam once, and only ONCE they have sufficient documentable experience and sign-off of career skills by either the ISC(2) or another credential holder in good standing.

Unfortunately this has, for whatever reason, not always been the case, as evidenced by people who should never have sat for the exam carrying the credential. If you have ever had the unfortunate experience of working with a paper tiger of any stripe, you have my empathy on the subject. I have met far too many, both in person and on many boards from Quora to TechExams, all deriding the same message: that the exam is too "hard".

What does this have to do with morally questionable forms of educational opportunists? They are always going to exist, but we can slow them down a bit by taking a cue from the Project Management Institute by requiring a more stringent vetting process along with certified instruction and materials. To do less has only hurt the reputation of the certification in general. If you didn't understand this before, let me reassure you it has, and will only continue to do so.

Many of these "trainers" will not only provide training and braindumps but the sign-off as well. All in one shop. The only thing they (thankfully) cannot do is proctor the exam as well.

Cheating has become a greater risk to the community than the insider.

- b/eads

rslade
Influencer II

> Kaveh (Newcomer I) posted a new topic in Tech Talk on 02-14-2020 10:14 AM in the

> I could find a better category to match my question I know it's not tech related

You might try "Certifications" ...

> do you think it is ethical for training institutions to focus
> solely on passing CISSP exam?

No.

And it doesn't even work.

> if a training institution is
> highly focused on only passing the exam, can we be sure that they deliver
> sufficient knowledge?

They usually don't. So the supposed training agencies that concentrate on simply
giving you enough knowledge to pass the exam usually don't give you enough
knowledge to pass the exam. The exam is written to try and assess if you have
enough knowledge (and background, and experience, and judgment) to be called a
security professional.

A "brain dump" isn't going to do it ...

rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB
CraginS
Defender I


@Kaveh wrote:

I couldn't find a better category to match my question. I know it's not tech related, but anyway... do you think it is ethical for training institutions to focus solely on passing the CISSP exam?

...


Kaveh,

An excellent question and concern, and a good chance to help folks understand the nature of our CISSP certification. Yes, training to pass the test is, in fact, quite ethical. This makes sense once you understand what the certification means.

Go back to the origin of the (ISC)2, formed by several organizations (not individuals) for the express purpose of developing a meaningful INFOSEC certification. The core qualification for certification was, and is, the experience factor. Length of time and depth of performing INFOSEC work are the criteria. Thus, the emphasis on being a professional in the field of INFOSEC. However, as the consortium team worked on what work makes up the INFOSEC field, they identified ten separate domains (updated to eight a few years ago). And they realized that not everyone in INFOSEC work has experience in all ten domains. Still, to be a management-level professional in the field, you should know something about each of those domains.

That leads us to the exam. The purpose of the exam is NOT to show you have deep knowledge in the field. The purpose is to demonstrate that you are aware of the breadth of work that INFOSEC includes, and further, know enough of the basics of each domain to recognize when a given project should entail each of the domains. For years, I have said the purpose is to be able to throw the domains at a task or contract to confirm which of them will apply in that task, and then decide whether you need to BE SMART (already have the knowledge and skills), GET SMART (go learn enough depth in that domain to do the work), or HIRE SMART (add team members who already have the knowledge and skills you need).

With this context, I hope you see that the purpose of the train-to-exam process is not to make every student an INFOSEC pro; that is done by the student's work experience and skills development and study. The purpose of the exam prep, and then the exam, is to make sure that the student (certification aspirant) is aware of all of the possible activities under the INFOSEC umbrella, and can recognize when to BE SMART, GET SMART, or HIRE SMART to produce a professional level of work.

Thus, a highly experienced professional in network protection; system hardening; identification, authentication, and authorization may well be a true professional, but to properly earn the certification, may need to learn the basics of law, governance, privacy, and compliance. Thus, that super-tech infosec pro can use the CISSP exam training to reach that level of knowledge, and deserve the certification as CISSP.

This takes us back to the start: the experience requirement. In reality, the experience endorsement activity is key to confirming that professional-level experience in multiple domains. That is why you will read about the complexity of the endorsement step, and the need for due diligence on the part of the endorser.

I hope this helps!

Best regards,

Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
Kaveh
Newcomer II

Very nice different perspectives. Your answers and questions, all of you, had something for me to learn and consider, and probably for future readers. It is very encouraging when I see how members are responsive and deeply thoughtful.

In a nutshell, I realized my wrong perception of the role of a trainer in the whole process made me judge their sole mission against the wrong criteria! I am not putting all trainers in the same bucket, that is not fair, but I factored them very high in the equation, even though they eventually act as no more than a fine-tuner for a seasoned security professional.

ericgeater
Community Champion

Prior to CISSP, of the eight security domains, I only had expertise (or exposure) in four of them. Of the remaining four domains, my only exposure was through CISSP study guides. I was flatly reading new subject material without understanding a workflow, or watching a process. Might as well have been abstract poetry.

Still, I read. A whole lot. The new domain material remained flat, but I read, and read, and read about it.

I attended a boot camp. It didn't take long to observe how the instructor was pushing to pass the exam, but he happened to be an "expert generalist" who could easily illustrate any subject matter. He (sometimes impatiently) answered my frequent questions requesting additional context, even though this was far from his responsibility to the class. I can be kind of obnoxious like that, but hell! If I pay $3,800, I'm askin' questions.

If I was at 70% understanding, my instructor's contextual add-ons lifted me the last 10-15% I needed to succeed. Class ended at noon, and I passed the test five hours later.

My last words:

  • Boot camps are slanted toward exam passes. Personally, I will only take formal classes from now on.
  • Boot camps still winnow people out. Several attendees blankly admitted they were not ready.
--
"A claim is as good as its veracity."
Steve-Wilme
Advocate II

Generally you won't pass an exam without an understanding of the material, if the subject is of any degree of complexity. But moreover, a training provider won't 'get you through' the exam; it's up to each candidate to do that themselves. It's faulty thinking to believe that if you just use company X then you'll sail through without much effort on your part. You'll simply need to learn the material. So possibly these companies are less scrupulous than they may ideally be, but they also need candidates who are willing to be taken in.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS