Tuesday, March 20, 2007

Going for a Big one

I remember the time when the CISSP certification was criticized by my staff instructor who actually was one of the first who passed this "tough nut" exam. His argument was that the exam is out of real life of the security practitioners and geared toward the management staff only; that the exam tests the crazy collection of knowledge from various (not always related disciplines); that the exam tests not only the background but rather your ability to memorize huge number of abbreviations of IT protocols, technologies, law definitions, terms, etc. At that time, we developed our own security training course, and later, we liked more the SCNP exam as the one that checks the hands-on knowledge, the knowledge that really matter in the real world of the cyber war (I hope you agree that this war is a matter of a fact).

Well, time has changed our perceptions because the CISSP exam became the number one exam in the cyber security world. I assume that several factors attributed to this change. First of all, then, in 2000, we had no idea what can happen just in one year - the major attack in NY. This factor was the most important in the growing popularity of the CISSP certification.

Also, more and more companies realized that protecting of their infrastructure and IT resources becomes the task number one. It is obvious that the expertise in this area is required unless you want to outsource this matter to a third party. It wasn't 100% safe to rely on someone (even with enough expertise) if you really care about your business. So, many companies tried to hire the security experts to solve the problem internally being able to control the process to higher degree.
The first pros who were hired: hands-on gurus in the cyber protection area who knew the firewalls, routers, sniffers, and were good LAN/WAN troubleshooters. As it always happened, the HR departments began to look for the definition of the professional level for this tough job. Unfortunately, the reality is that none of the HR people knows anything about the Information Security, and as it happened in a past, the certification became the definition of the professional level. Not the hands-on knowledge, not the real-world experience, not the achievements, but one exam that made the difference (see my article about IT certifications hypes written in 2002).

I have to admit that the folks at (ISC)2 were smart enough to push their certification up to the point when the Department of Defense requested all security professionals who work for DoD to be CISSP certified. Even Alan Paller and Steve Northcutt from SANS institute were not able to push hard enough their GIAC Certification Program (and those guys are good entrepreneurs and are pretty successful). So, the CISSP certification became a mainstream certification in the security world, and the de-facto standard.

Many folks around the world are jumping on this wagon and trying to pass one of the toughest certification exams. Just imaging: 250 written questions, 6 hours, $450 per test, and 10 security-related domains (including the domain with a criminal/cyber law!). The collection of knowledge required to pass the exam is described as being "2 miles wide and 2 inches in depth".

Well, considering the today's value of the CISSP certification as never before, I have decided to go for a Big one, too. I have to admit that during my study I gathered some useful knowledge that "widened my IT horizon". For instance, I was never interested to find out in-depth what the technology Microsoft uses for an authentication in Windows 2003 server except knowing that it's called Kerberos. I learned even some pieces of criminal law that might help in understanding better one of those lengthy TV serials about crime investigation (as Shon Harris mentioned in her DVD-based training course).

Only 10 days left for study, and I am overwhelmed with a stream of information that I must memorize. It's not hard to understand, but to memorize...

Wish me good luck and strength for 6 hours on March 31st!

I will add more information to this topic later. So far, if you interested, reply to my blog with your certification-related questions.

Best to all of you (but spammers)!

The Cyberteacher


Blues said...

Thanks for stopping by! And good luck to you! My advice to you is to get up and stretch every hour or so. I would sign out go to the bath room and wash my face, stretch, and do a few jumping jacks to get the blood moving...I know it sounds nuts but 6hrs is a long time. It is a test of endurance and you have to stay alert.

Best of luck to you and let me know how you do!


cyberteacher said...

Johnny, thanks for taking time to reply. Final week before exam is not easy. The exam prepapration itself is exaustive. While I learn next domain, I am getting forgetting the details (not the concepts) from the earliest ones.
It drives me crazy. I used to have better memory. I want to take a day off before exam and just relax (I hope the weather will be good in DC where I am taking the exam next Saturday). This week I'll dedicate to quizzes.

I certainly will use your suggestions. I'll get back to you after the exam. Thanks a lot!


Blues said... man! How was the test? Crazy eh. If you feel like you failed that's normal, everyone I talk to says the same thing. 6hrs is draining!


cyberteacher said...


Thanks for remembering about my exam. Yes, I had this "pleasure" to spend full 6 hrs with CISSP exam forcing my brain to run at a full speed. I am actually going to describe it in more details but later, when I'll get some feedback from ISC(2).

So, I am waiting for the second week... it's painful, man!

cyberteacher said...

Johnny, I have passed the exam. See my blog for a detailed story.
My son and me are big fans of jazz. In fact, he plays jazz (guitar).

jessi said...

hi Roman

I know this is an old post, but I am looking for info on the exam, I was wondering if you took a training course online, I found many at many prices, some questions for free and all, but wanted to know if I found the right option, also if is worthy.

This is the one I liked


cyberteacher said...

Jessi, sorry for such a delayed answer. Somehow I missed this e-mail notification.
I actually have another blog about how I passed an exam and what I did to be ready for it:
Let me know if you have any questions.