In-Reply-To: <OF038EFA2B.E64DFFA2-ON85256B24.00756392at_private>

For some reason, the 'reply' function to these messages isn't quoting anything past the headers...

I have to agree w/ the previous post...I won't discourage anyone from pursuing the CISSP, but it would be a good idea for them to go into it w/ their eyes open.

I passed my exam the first time around in '99. I spent 4 1/2 hrs in the room. Many of the govvies spent the full 6 hrs, and I found out later that some didn't pass. One guy spent 1 1/2 hrs on the exam...total...and passed. The exam was 250 questions, 25 of which were throw-aways...trials for future exams.

Since I received my cert, I've learned a lot. For example, at the CSI conf in Nov '99, ISC^2 offered a sample exam. Currently certified CISSPs could sit and take the exam. I was working the conference for my employer, so I didn't get to attend. But then I found out how many CPE points were involved...if you *attended* the conference, you could receive 1 CPE point for every hour of attendance. If you sat and took the exam, you could get 40 CPE points. So...if you burned through the exam, knowing that it didn't have any bearing on your cert, in say, 2 hrs...that's 20 CPE points per hour. Compared to 1 CPE point per hour for listening to Bruce Schneier, or mingling w/ your peers.

Less than 6 months into my cert, and I found out just how self-serving the certifying organization could be. While I fully agree w/ continuing education, and I've put some serious work into publications and presentations myself. But in a case where I will work for 3 or 4 weeks, running tests, verifying and reverifying results, I've seen complete fluff articles written by others...and they get the same number of CPE points for far less effort. Most of these 'fluff' pieces aren't subjected to any serious editing or peer review prior to publication.

Has the CISSP helped me? In some ways, yes...it's gotten me in the door and considered. But in the vast majority of instances, I also found out that the headhunter or recruiter that I had to go through to get the interview had no idea what a "CISSP" was/is, other than the fact that someone else requested it.

Like others, I was not required to produce any documentation regarding my number of years in the security industry. At the time, I had less than two years in commercial consulting, but over 8 yrs in working physical and communications security as part of my job in the military.

Finally, the certification was originally designed for and by federal gov't types...govvies. Many of the questions when I took the exam in '99 were heavily weighted toward the Rainbow Series, particularly the Orange and Red books. The CPEs are heavily weighted toward govvies, as well...I don't know many commercial consulting firms that can have their employees running off to conferences and doing other things that they can't bill to, all to get these CPE points.

Anyway, just my thoughts. If anyone cares to discuss them, I'd be happy to do so via email (keydet89at_private).

This archive was generated by hypermail 2b30 : Tue Jan 01 2002 - 21:49:08 PST