It was a long horrible winter, but now that summer is here I am making plans to go back to the CISSP seminar before October. This time I'm armed with all the class materials and notes from the seminar. There's tons of material covered in the seminar that cannot be found in off-the-shelf books. The experience of going through the seminar and sitting for the exam is invaluable.
The other big stumbling block was my technical background, and lack of managerial focus. That's not to say that computer geeks are too anal retentive to master the CISSP exam. In my experience, and I emphasis in MY experience, those people who have a background in network management seem to excel with their CISSP endeavors more so than us PC and server people. I know that my biggest hindrance was that I think like a technician, and much less as a manager. But that's my job. The CISSP exam is really much less about Information Security than management. I'm completely convinced that all managers that have even the smallest dealings with computers, networks, or any electronic information, should be required to attend the CISSP seminar.
I was troubled, though, by what I heard from many of the other students. While a few of us were technicians and this is a logical career progression, only a hand full of the students were actually doing any type of security work. The rest sounded like a broken record with the same reason for attending. Due to some new law, regulation, or upper management decision, they were "drafted" to attend. Some had no real idea what CISSP was, and did absolutely no pre-studying. Let's hope those people went back to their employers and advised them whom they SHOULD have sent or should send to the CISSP seminar.
If you're familiar with the United States Department of Defense (DOD) Directive 8570-1M, then you know there has been a huge push for the last few years to get the their IT workforce security trained and certified.
Now if you're not familiar with DOD 8570-1M, it's an Information Assurance (IA) program to require training and certification for both IA technicians and IA managers. It has it's good and bad points. It raises the bar getting an IT job DOD wide. But at the same time I think it has diluted the quality of achieving certifications. CompTIA Security+, for example. I thought it was a difficult exam, I took it during the MCSE boot camp. We didn't use the freebie practice questions off the net like some schools do. They gave us a 380 page Powerpoint file to study. You had to know the difference between MAC, DAC, and RBAC; you had to know the difference between brute force and birthday attacks. But many thousands of people, with zero experience, simply study the practice questions freely available across the web, and pass the exam as well.
Let me clarify, I'm not completely against using practice questions. If you are experienced, and you use authentic study resources or attend training, practice questions can help highlight knowledge shortcomings of the exam objectives. The ethical dilemma arises because just about every batch of practice questions freely available (and even those you can pay for) have actual questions, word for word, from the real exams. Using them is a line you should think hard before crossing, Microsoft, CompTIA, Cisco, and lots of other vendors will ban you for life if you get caught. From that point you'll be making a career change, because you won't be working in IT anymore.
Fortunately, I think the CISSP exam is still immune to this. This is due in no small part to ISC2's circa 1970's method of administering the exam - pencil, paper, and a mark-sense form. And the exam questions are so wide spread, and not to mention they have thousands of questions in the pool, plus variations. I'd almost say it's next to impossible to completely prepare for the CISSP exam and know going into the exam with any certainty you are going to pass. It's the only IT exam I've ever taken that I didn't know before hand whether I was going to pass. Not many CISSP examinees have a warm and fuzzy about the outcome when the proctor tells them to break the seal on the exam booklet and begin the exam.
When I said that I felt it was more of a management exam, I was referring to the constant juggling that managers do with money, people, safety, reputation, etc. In any given circumstance, any one of those could be the most important item. You have to think like you're the top security person in the company. Security is not an absolute, black and white thing like it is as a Server administrator or a firewall engineer. For example, server administrators routinely implement group policies, such as requiring a 17 character complex password with special criteria. Risk is mitigated by tightening access. The CISSP has to balance the requirement for increased access security with its users ability to continue to perform their jobs. That may seem like a no-brainer at first glance, but what if there are remote users coming in through a slow VPN connection that timeout before the increased authentication requirement can be facilitated? What if your users have legacy computers that cannot use passwords longer than 8 characters, and replacing those systems is not an option? Not so black and white anymore.
You can be an expert at configuring firewalls and servers; you can be the best Active Directory engineer to ever breath the name Microsoft. None of it will help you on the CISSP exam. You need to be able to advise the Company CIO, DAA, or other leadership on the best course of action to secure his (or her) network. It has to be within the company's financial reach, it has to adequately safeguard the company's information, risks must be mitigated or eliminated; additionally, it must allow the company to continue it daily business and it certainly cannot negatively affect profit. The employees have to be trained in security appropriate for their responsibilities. And did I mention the ever growing list of state, federal, and international laws, guidelines, standards, best practices, etc.
As the top Security person in your company, every decision has to weighed against the company's bottom line, liability, business goals, objectives, and day-to-day operations, at least for the CISSP exam.
Doesn't sound that difficult, right? Been there and done that, and it's not a walk in the park by any stretch of the imagination. It's 6 hours of mostly silence, where your peripheral vision is the width of your desk. Your hand cramps from writing so much, but after sitting through the seminar, the hand hurts before you start the exam. You sweat, and tense up, and your eyes hurt. For us older people, we get flashbacks of being back in high school (back when pens weren't allowed in the building and the only keyboard was on an IBM Selectric typewriter). You can take breaks, but with 250 questions, you have to budget your time closely.
Chances are, you'll be a zombie for a day or more after the test. You'll get to work on Monday (ISC2 does allot of testing on Sunday), and you'll be spouting all this new knowledge to anyone that will listen, "did you know...? "hey, you know how we do it this way, well that's wrong." Other than failing the exam, the other thing I found hard to live with was the realization of the things that are totally screwed up in my organization and networks. I just spent a week getting educated on all the best security practices - period. If you're just an insignificant nobody like me, that has absolutely no influence over anything, it can be very large and bitter pills to swallow.
I hope this was informative. I'll be publishing another article soon on my Windows 7 adventures. I certainly appreciate your indulgence, so I leave you with this. Like my best friend and mentor at work reminds me daily "John, some days it's not worth chewing through the restraints." Keep the faith!
Mamas Best Recipes
The Cartouche - Science Fiction Reviews
Add to Technorati Favorites