August 27, 2008

CISSP Exam – Learning Above Technology And Understanding Security In A Holistic Manner

For years I have heard people complain about having to learn things for the CISSP exam that they would never use in their life. When I was studying for this exam several years ago, I said the same types of things. I also hear people saying that they have to learn security through (ISC)2's view for this exam, which does not match reality. The thought behind both of these statements is that someone would have to memorize items for the test that are not helpful in their career – thus a waste of time. Again, I fell into this bucket when I studied and took the exam forever ago. Now I see it completely differently.

I have found that since I have written books and taught CISSP classes for many years, I understand the material to a much greater degree than I would have if I had just studied, taken the test, and moved on with life.

The things that people complain about having to learn (Bell-LaPadula, Biba, Clark-Wilson, etc.) are very beneficial to their understanding of security in a holistic manner instead of just focusing on their original thought of what makes up security. Many technical people seem to think that learning anything above technology is a waste of their time. This is a common thought pattern because they are stuck in a realm that dictates that anyone who does not understand technology like they do is inferior. But companies are not in business just to have software and networks in place. The software, network, and systems are just some of the tools the company uses to support and further its business. So understanding things that are above technology, commonly referred to as soft skills, is actually more critical in the world of business – which is where we all live and work.

Although I am pretty disappointed with the way that the questions on the CISSP exam are worded (confusing, vague, subjective), I have a great appreciation for the actual Common Body of Knowledge (CBK). I was a security consultant before I took the exam, and then I wrote books and taught CISSP – and I am still a security consultant, but my knowledge base and view on security have drastically changed.

I, like most people, focused on the security topics I was to perform in my specific job. At the time on-line banking was just coming to the market (yes, I am that old) and I worked with programmers, software architects, project managers, analysts, and end customers – all focusing on on-line banking. I sure as hell was not interested in the different types of fire suppression, access control models, trusted computing base, or anything outside of the domain of topics that I lived, worked, and breathed in.

Part 1 of 5 extracted from an original article written by Shon Harris entitled:

The CISSP Exam is Out of Date, Irrelevant, and Subjective
Busting through the Myths of the CISSP Exam

Read Part 2 - Training For CISSP - The Early Days

Read Part 3 - Preparing For CISSP Exam – Is It Really A Waste Of Time To Learn About The Wide Spectrum Of Topics Covering Security?

Read Part 4 - Learning Security Through The View Of CISSP Versus Reality

Read Part 5 - CISSP Exam – Having The Right Perspective On The World Of Security
