I just recently finished watching a final webinar on new malware variants to earn my last Continuing Professional Education (CPE) credit to renew my Certified Information Systems Security Professional (CISSP) certification. As I logged out of isc2.org, I remembered way back to the first time I passed that grueling exam. You heard me – the first time. Yes, I am one of those numbskulls who let his certification lapse because he didn’t earn the continuing credits. That said, here’s how it went down on my first time around. Cue the wavy flashback effect.
As I stepped out of the blistering Arizona summer heat into the large air-conditioned conference room, I was astonished at the number of other people taking this same CISSP exam. It was July 2002, and the closest similar experience I had up to this point was taking my LSAT back in college. There were dozens of people sitting at long tables several feet apart, waiting for their booklets and holding #2 pencils, ready to fill in hundreds of circles. I felt like I was well-prepared using training materials from the late, great Shon Harris, and I met the official experience requirements at the time.
This brings me to my first major point. Some people fudge their job activities and prerequisites to qualify for CISSP certification. All I can say is good luck when it’s time to perform that hour-long technical interview to get their next IT security job, and they go blank when asked to “please compare IKE version 1 to IKE version 2.” In other words, if you don’t have the required experience, please go for either the Associate of (ISC)² (International Information System Security Certification Consortium) or the Systems Security Certified Practitioner (SSCP) certification first. Then continue to get the necessary on-the-job experience. I get it. It is a mighty fine-looking diploma with its gold leaf logo and your name spelled out in some academic-looking “Olde English” font. However, what good is having a CISSP certification if it’s not truly representative of your security skillset? Becoming a “paper CISSP” will come back to haunt you in the future.
After taking a break for a few years to focus on Microsoft Exchange and SharePoint implementation, the next time I retook the exam was in 2015. The good news was that the second time I took the exam, it was on a PC in a testing center. You know, real 21st-century stuff, using a mouse and a monitor and such – as opposed to taking some standardized test the way they would on That ’70s Show. The bad news was that now my new CISSP ID number was six digits long instead of my original five-digit ID. It shouldn’t matter, but it does – ask a Cisco Certified Internetwork Expert (CCIE) sometime. And it still bothers me. The moral of the story is don’t forget to keep up with your CPE credits.
By this time, I had been implementing security and teaching network security for so many years that I honestly didn’t study for the exam. This brings up my next major point. This newer version is a tough exam to study or prepare for because, while earlier iterations of the CISSP exam involved mostly memorization of various technologies, mechanisms, and security architectures, this newer exam is much more scenario-based and focused on evaluating real-world knowledge and experience. You are required to choose the best answer from the standpoint of a seasoned security practitioner or engineer. It will be very challenging to get by on merely memorizing terminology and reading through some lengthy and error-filled brain dumps. You will most likely fail – and that’s about $700 wasted that you could have used towards your next VR headset or cosplay outfit.
When I conduct CISSP bootcamps, I have my students do a thorough gap analysis on all of the concepts and topics in my presentation. They then must put in the time and energy on their own to make sure they do a “deep dive” into any areas of weakness. I highly recommend using their working environments, home labs, or something virtual like Cisco VIRL or Amazon Web Services to get hands-on with any technology in which they are not well-trained. Most pass the CISSP exam the first time. Then they can move on to one of those CISSP concentrations like Architecture (ISSAP), Engineering (ISSEP), or Management (ISSMP).
Are you preparing for your CISSP certification?
Skillsoft just launched a Skillsoft Bootcamp class on CISSP that is conducted virtually and in-person by yours truly. You can also sample the very latest CISSP courses with a 14-day free trial of Percipio or view the course details in our certification catalog.
Michael J. Shannon is a Technical Instructor for Skillsoft.