Security Basics mailing list archives

RE: I've passed the CISSP exam, few months back...Now what???


From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
Date: Fri, 9 Sep 2005 15:38:11 -0600

Honestly, this is the most difficult requirement.  I posed the question that
if I am a network engineer or IT generalist who works in security on a
regular but not "full time" basis, if I would qualify and I was given a
"most definitely NO WAY" answer from ISC2.  Of course, I can pass the CISSP
practice exams blindfolded and I already passed their SSCP exam without much
outside studying, but according to the person I spoke with at ISC2, I
shouldn't even have an SSCP because my official title is "IT Specialist" and
half of my day is spent rebooting computers and installing MSOffice, since
that sort of thing is one of those "somebody's gotta do it" jobs.

Today, with MOST security positions requiring a CISSP, this demand from the
ISC2 seems a bit silly and I know many people who simply "fudge" their work
experience and put down their "Helpdesk Technician" job as a security
reference...  But ISC2 has made it clear they do NOT find that acceptable,
at least in the letter their representative sent me.

After taking the SSCP, however, I have found that my security experience
does not generally qualify for CPE credits.  I can pentest my company and
any number of job activities all I want, all day long, but if I didn't pay
for it and/or it didn't have an instructor to sign off that it was
"training", it doesn't count toward the CPE requirements.   I could attend
one or two week-long classes per year and never do any security on the other
50 weeks of the year and maintain my cert, but doing security 50% of the
day, every single day, but not finding time for CPE classes, my cert is
going to expire in a few months and I will have to retake the exam or I will
have to pay to get some CPEs.

Yes, you can get CPEs free, by subscribing to a major security newsletter
you get a few and by writing and publishing articles, you get a few, but I
have never found someone who was able to maintain their CPEs without paying
for at least one training session.

My opinion of the SSCP (being one of only uhhm..  like 1000 SSCPs in the
country), is that it is a relatively useless cert and the CISSP is a
"managerial" cert in that I know people who know VIRTUALLY NOTHING about
"real" security who were able to pass the exam by memorizing terms from the
book.  It is heavily based on correct terminology and theoretical concepts
less so on real-world applications of these concepts.  This is fine as a
basis for more, but it makes a poor end-all-be-all security certification as
so many people (and job recruiters) seem to think it is.

It's an "administrative" cert, good for middle management...   that's the
best use for it I see.  Of course, this isn't the case with practitioners
required to have it, but this is how I feel it SHOULD be.

Regardless, that's my opinion of THAT exam.

Eric


-----Original Message-----
From: Christopher Carpenter [mailto:ccarpenter () dswa net] 
Sent: Friday, September 09, 2005 10:45 AM
To: tech.louie () verizon net; security-basics () securityfocus com
Subject: RE: I've passed the CISSP exam, few months back...Now what???
Importance: Low

The (ISC)2 has a study guide for the CISSP exam that I found more than
adequate for preparation.  

https://www.isc2.org/cgi-bin/content.cgi?category=1328

Keep in mind that you need to have verified professional experience to
obtain the certification.  From
https://www.isc2.org/cgi-bin/content.cgi?category=1187 :

"Applicants must have a minimum of four years of direct full-time security
professional work experience in one or more of the ten domains of the (ISC)²
CISSP® CBK® or three years of direct full-time security professional work
experience in one or more of the ten domains of the CISSP® CBK® with a
college degree. Additionally, a Master's Degree in Information Security from
a National Center of Excellence can substitute for one year toward the
four-year requirement."

Christopher Carpenter, CISSP

-----Original Message-----
From: Louie [mailto:tech.louie () verizon net] 
Sent: Thursday, September 08, 2005 8:49 PM
To: rami9009 () hotmail com; security-basics () securityfocus com
Subject: RE: I've passed the CISSP exam, few months back...Now what???

If you don't mind me asking, what books or material did you study? I'm also
trying to see if I could go for CISSP... Any kind of help would be great..


--Louie 

-----Original Message-----
From: rami9009 () hotmail com [mailto:rami9009 () hotmail com] 
Sent: Wednesday, September 07, 2005 9:51 PM
To: security-basics () securityfocus com
Subject: I've passed the CISSP exam, few months back...Now what???

I have passed the CISSP exam a few months back. I have almost 14 years of
experience in the IT field: support, networking, and routing.  I thought
that adding security to this profile would be cool. I prepared for it just
like any other exam; I read the right books, studied well and passed. The
problem is that now, a few months later, I feel that I have forgotten everything. I
want to apply for a security consultant position, but I feel that I lack the
confidence to fulfill this position. What went wrong????
I am willing to devote time and effort to bridge the gap and rebuild this
"security skill set", but I don't know where to start or what book to read.
Please advise, guys!