When I took my CISSP exam, I was like most people who take it – knowing just enough to pass it was my aim, but I had to memorize things because I had no deep understanding of the concepts. This made me very disappointed. It was not my objective to get as many certifications following my name as possible. In fact, my personal belief is that when I see someone list 10 certification credentials beside their name in an e-mail, on a business card, or on a curriculum vitae, the person may have a self-importance issue that makes them show off and brag about their credentials. Such an individual may excel at taking examinations, but I have yet to run into a situation in real life where answering A, B, C, or D was essential to completing a job.
When I took my CISSP exam, study guides were non-existent: no books and no sites for the CISSP exam. (ISC)2 was the single organization that offered training for the CISSP. At that time it ran four days a week for two consecutive weeks. During the first week I could tell that my instructors did not really have a clear understanding of the topics they were teaching. I even asked one of the instructors a question on Kerberos, and instead of discussing the answer with me, he said, “You are not required to understand that for the exam.” I was in shock. I could sense not only that he did not know the answer, but that his biggest preoccupation was helping people memorize things that were going to be on the exam. After receiving similar responses to a few more queries, I simply stopped asking. On the third day of the eight-day class, I left. We were tackling a ton of topics I did not know at breakneck speed, and spending more time in the class would only have meant sitting through more lectures, getting nothing from them, and growing more impatient.
I would just like to note that the two (ISC)2 instructors who handled the class I was in have touted for years that “Shon Harris was their student,” and (ISC)2 sales people say the same thing today to fill more seats in their classes. I have been hearing these comments for years now. What the (ISC)2 instructors and sales people do not mention to their potential clients is that I quit the class because it was useless.
When I passed the CISSP exam, still not really knowing much about the diverse topics, I thought that somebody had to write a book on it. So I did. My first published book was close to 1,000 pages long. I was a masochist.
There is a great difference between memorizing concepts well enough to choose the correct answer and pass an exam, and knowing the concepts well enough to publish a huge book and teach training courses on them. To be honest, I feel very fortunate and rewarded that I have had the chance to do both.
These days, whenever I do consulting work, I often understand topics that my fellow consultants do not, and I can “see” the concepts at a deeper level and how they influence the surrounding issues. I ordinarily raise dependencies of certain solutions that the team has not considered. For years I have understood what a security program is truly built upon, something the industry is only now getting a grasp on. I am certainly not the brightest bear in the bunch, but the level of research I have had to do on the topics contained in the CBK allows me to view security holistically rather than being stuck comprehending security from one point of view only.