August 28, 2008
Training For CISSP – The Early Days
When I took my CISSP exam, I was like most people who take it – I knew just enough to pass the exam, but I had to memorize things because I did not fully understand them. This made me very disappointed. My goal has never been to get as many certifications following my name as possible. In fact, my personal opinion is when I see someone list 10 certification credentials after their name in an e-mail, on a business card, or resume – the person may have an ego issue that requires the person to show off and brag about their talent of passing tests. So this type of person may be great at taking tests, but I have yet to run into a situation in real life where answering A, B, C, or D was required to get a job done.
At the time that I took my CISSP exam, there were no study guides, no books, and no websites for the CISSP exam. (ISC)2 was the only one who offered training for CISSP. They had it for four days a week for two weeks at that time. The first week I could tell that my instructors did not really fully understand the topics that they were teaching. I remember asking one of the instructors a question about Kerberos and instead of explaining the answer to me, he said, “You don’t need to know that for the test.” I was in shock. I could tell not only did he not know the answer, but his main focus was to help people memorize things that were going to be on the exam. After getting the same type of response to a few more questions, I just stopped asking. On the third day out of the eight days of class, I left. We were going over a ton of topics at the speed of light that I did not know and spending more time in the class meant that I would just sit through more lectures and learn nothing and get more frustrated.
As an interesting side note, the two (ISC)2 instructors that taught the class I was in have boasted over the years that they “taught Shon Harris” and (ISC)2 sales people say the same thing today to fill more seats in their class. I have heard about these comments for years now. What the (ISC)2 instructors and sales people do not tell their customers is that I quit the class because it was of no use.
So after passing the CISSP exam and still not really knowing much about the various topics, I thought that someone should write a book on it. So I did. The first book I ever published was close to 1,000 pages long. I was a masochist.
There is a great difference in having to know topics to be able to choose the right answer to pass a test versus knowing the topics to be able to write a huge book and teach courses on them. I honestly feel very lucky and honored that I have had the opportunity to do both.
Now when I do consulting work, I many times understand topics that my fellow consultants do not and I can “see” the topics at a greater level and how they affect surrounding issues. I commonly bring up dependencies of certain solutions that the team has not thought about. And for years I have understood what a security program is truly made up of, which the industry is now finally getting a grasp on. I am certainly not the brightest bear in the bunch, but the level of research I have had to do on the topics within the CBK allows me to view security holistically and not be stuck in understanding security from only one point of view.
Part 2 of 5 extracted from an original article written by Shon Harris entitled:
The CISSP Exam is Out of Date, Irrelevant, and Subjective
Busting through the Myths of the CISSP Exam