Wednesday, February 17, 2010

Impressions of CISSP

The CISSP is a certification governed by ISC2. It's an industry certification focusing on a variety of information security topics. In most cases I've seen, prospective employers either require it, or hold the certification in high esteem.

After going through the studying and taking of the test, here are some brief facts:

  • The test consists of 250 multiple choice questions.
  • Test taker has six hours to complete the test.
  • Test consists of a booklet (containing questions) and a Scantron with number two pencils for the answers (yes, the same Scantron sheets used in grade school in the 80s and 90s).
  • Test costs $600 to take.

I found some very odd things concerning the test-taking procedure. For example, this is a six-hour test that you're expected to finish in one sitting. There was no coffee or sugar provided, so you need to be on top of your game for an awfully long time. As far as I could tell, food and drink were permitted; however, there was no literature provided recommending that candidates bring any. Now, any test would be difficult to remain sharp for over that length of time, but when you're filling out multiple choice questions over a six-hour period, any brain will begin to fatigue as the letters all blend into one another.

ISC2 is a non-profit organization, so why am I paying $600 for a pencil-and-Scantron test? Where exactly does my money go? Also, for a security test, I did not get searched for any electronic devices, so if I had a cheat sheet on my phone, it wouldn't be hard to put it in my lap if I chose to do so. If the proctor was in fact watching, I could simply excuse myself to the restroom, as that was permitted as well...

My biggest complaint is the actual content of the test, though. There are ten domains that the prospective CISSP candidate is expected to master, yet the test was a farce when compared to the daily experiences of a security professional. I actually had one question where the correctness of the answer simply came down to whether I knew the difference between the words "objectivity" and "subjectivity". How in the world does that make me equipped to handle real-world incident response?

All in all, I think the CISSP should consider some serious revamping to bring the level of value one would expect from someone who carries the credentials.

Oh, and don't think you will get the results of the test in any short time frame - it took me nearly two months to find out I passed.
