CISSP, whos got it?

[xphil3]

What materials did you use?
Take the authorized bootcamp? Test on sunday?
How would you rate it in the scale of difficulty?

If you have it, how hard was it to get all your CPE's afterwards?
Did you find a lot of the test questions differed from your strongest domain?
How scrutinized was your previous experience?

Thanks!

 

[Protoform-X]

Giving up on the CCIE?

 

[xphil3]

Giving up on the CCIE?

its on hold for now, without a doubt(other customer requirements). I dont want to derail this thread, no CCIE talk here please

 

[Madnes5]

Back when I got mine the only books out were the Hal Tipton books which sucked. Shon Harris' book came out the last week that I was studying and I found that immensely useful. I couldn't recommend her book enough. I don't know if things have changed over the last 6 years or whatever it is.

I've never been to a bootcamp class. My understanding is that they would basically teach you the test. If you've got someone else paying for it, go for it. If I had to pay out of my own pocket, personally I wouldn't do it. But again I don't have personal experience here so I'm not the best to answer.

If you know your shit, the test is easy. The hardest part would be understanding how they uniquely form their questions. Regardless, you should be able to eliminate two of the four answers pretty quickly. Go through once, answer all the questions you're confident about. Then make a followup pass, eliminate the answers you know are wrong and then take your best guess. If you're new to InfoSec you'll probably have a hard time but with studying you'll still likely pass. I know A LOT of dumbasses with a CISSP.

CPE's are easy. Go to Defcon or some other training or conference every year. That and reading a book or two meets your CPE qualifications for the year.

Test questions all follow a similar theme. Understand CIA and risk analysis like your life depended on it. Once you start taking the test you'll start to see a general pattern that the questions take. A certain "security mentality" the questions writers have. Once you understand what they're looking for, you'll be able to answer the questions.

I've yet to hear them scrutinize anyone's experience. Again, I know a bunch of idiots that in my opinion have no right to have a CISSP. Because of lack or experience and because of lack of knowledge. Yet they do. ISC2 has better things to do then chase down that stuff. Plus, they wouldn't get your money if they did.

While I'm sure there are plenty of people at ISC2 who have good intentions, the cert is mostly a joke. Unless you're known within the industry it's a pretty standard requirement to have to get a job. But most people I know who have a clue don't consider the CISSP to be any qualification of competency whatsoever.

 

[berky]

I do not have it, but I know a couple people who do.

they basically read that big thick cissp bible book (don't remember the name) to study

i think they took the test on a saturday.

they said it was actually pretty hard. they said the questions are the ones that are like "here's a couple answers... 2 are basically throw-away answers, but the other 2 are both right. which one is MORE right?"

i can't answer your other questions, but I certainly wouldn't take it lightly.

you mention customer requirements... i know that i might be required soon (if i'm not technically already required) to get either a cissp or security+. i may go for the cissp just to have for resume purposes, but i'm sure the security+ is a lot easier.

 

[fantasticdan]

The CISSP has high job experience requirements does it not? Is it not 7 years but you can negate a year if you have a relevant cert? So even if you're bluffing your security bit you need at least 6 years employment.

 

[ben chi(f4)]

Huge CISSP book, boot camp, then the 7 hour test.

Marc, the test equates to being pushed up against the jail bars with Bubba behind you.

 

[xphil3]

Thanks for all the feedback guys.

Madness,
I dont think that you're right at all about the cert being a joke, its extremely recognized but more so from a management standpoint. Its also a more higher paying certification than many other top level certifications that are purely technical based(JNCIE,CCIE, etc, etc).

With that said, I totally think the test is bias bullshit.. but does it hold value... you bet your ass

Also, CPE's are quite a bit harder to get from what was conveyed to me from a few people. I wish it was as easy as going to a security con and reading some materials.

Berky,
Yep, you know the mandate... eventually we must meet it as well.

Chris,
Thanks man, you have a way with words... haha

The CISSP has high job experience requirements does it not? Is it not 7 years but you can negate a year if you have a relevant cert? So even if you're bluffing your security bit you need at least 6 years employment.

5 years of security related job experience. No overall job employment experience is required except for the previous stated. I think that many people "stretch" their job experience rather than bluff as well, plus you can use any of the 10 domains to take security experience from. Its flawed imo as I see people that are programmers that can say they worked on a application that implement app security for 3 years and get almost all of their credit while all they really did was implement one security feature.

Ive seen people use ACL implementation on cisco routers for over 5 years do the same.

Lastly, there really isn't a requirement as well to be certified at all. Without any experience you can always get the Associate of (ISC)² and eventually have it moved into CISSP status with a few more years of experience.

 

[supermen]

I used a combination of books. Shon Harris was the main one. I think I read the book cover to cover two or three times. I also used Security Engineering by Ross Anderson. I had another book that I didn't read, but used the practice tests several times. I don't recall the name.

No boot camp. I did the test in the middle of the week.

I found the wording of the questions to be some of the worst I've ever experienced. The material wasn't too bad though.

You need to have something like 20 hours of CPEs per year and 120 every 3 years. Pretty much any extra learning you do will qualify. I used college courses, reading books, CBT Nuggets training, other certification training, and so on. I don't find it difficult to hit. You can also get 5 CPEs for reading a magazine they send out.
https://www.isc2.org/cpe-opportunities/default.aspx


The test was scantron when I took it, so it did not dynamically change. I only had a couple questions that weren't on any of the study materials I used. They were related to physical security ratings of locks and fencing.

No scrutiny when it came to previous job experience.

 

[Madnes5]

Thanks for all the feedback guys.

Madness,
I dont think that you're right at all about the cert being a joke, its extremely recognized but more so from a management standpoint. Its also a more higher paying certification than many other top level certifications that are purely technical based(JNCIE,CCIE, etc, etc).

I'm not necessarily disagreeing. Management definitely recognizes it. HR departments are trained to look for it. That being said, the quality of people who have the cert nowadays is significantly lower than what it was even two years ago. It's like most other certs. The MCSE was a good way to get a Windows SysAdmin job until they came out with bootcamps and you could pay people to take the test and pass for you. CCNA was a good way to get a Network Admin job until they dropped the practical and offered boot camps teaching exact questions of the test. CISSP is no different. The only well known cert I've run across that was immune to this was the CCIE. As I know you know, you can't pass that without the fundamental knowledge to perform well as a Network Eng.

I previously worked for a company that was "the largest employer of CISSPs". They had a bonus for those who passed. Sadly, many people took the test and passed and in my opinion had no business doing so.

Also, CPE's are quite a bit harder to get from what was conveyed to me from a few people. I wish it was as easy as going to a security con and reading some materials.

Believe me or don't. I've been doing it for the past 8 years (just looked it up) with no problems. Defcon is ~12 hours the first two days. ~8 hours the third. Thats 32 CPEs per year. 24 shy of what you need. If you subscribe to InfoSecurityMag and you read one book a year, thats another 10 CPEs. Do that each year and you've got 30 which brings you to 126 CPEs. Not including vendor presentations you go to, papers you write, other conferences you attend, etc. I know many people who do the same and I've never heard of a problem.

I think that many people "stretch" their job experience rather than bluff as well, plus you can use any of the 10 domains to take security experience from..

Very, very common.