I used to consider myself a pretty good test taker. Having taken some 27 miscellaneous cert tests (MCSE, A+, CNA, CCNA, Checkpoint CCSE, manufacturer technician tests), I’ve worked out reasonably efficient methods of studying and analysis/disqualification processes to pick the right answer on questions that I’m not sure about. I actually had a good track record of never failing to pass a test for eight years, and was able to do my MCSE at one test per week using the ExamCram materials.

Then, a couple of years ago, I started the aggressive update for the MCSE exam. I passed the first three okay (Workstation, Server, IIS or something) and sat for the ‘Designing Directory Services’ test. I’m not sure what it was – maybe I’d just been in the Linux world too long to think Microsoft again – but for some reason I just couldn’t wrap my head around the complexity between the different types of directory servers, sub-schemas, replication, etc. Everything seemed just backwards of the logical model, and when I took the test – despite having practiced to the point of perfect scores on the examples – I didn’t pass, by a small margin.

That was such a letdown that I pretty much gave up on these certs until the CISSP started showing up everywhere as a requirement, or for preferred candidates.

I had mixed feelings about the CISSP. On one hand, I was glad there was some sort of minimum baseline by which you could measure security knowledge (I was tired of ‘internet security experts’ who don’t understand the basic concepts of either the internet or security), but on the other, I was uncertain of how valid that benchmark actually was. In any case, I first started thinking about taking this test a couple of years ago. I got a book, and some of us at work started up a study session – but we kept ending up with conflicts. Plus the book was deadly boring.

So anyway, I slacked, years passed, and ultimately, shortly after New Year’s, I decided that it was time for me to get my act together. So I registered for a test one month away and crammed on materials. One of the things that bugged me in reviewing the study guides was that the presentation of the concepts was quite shallow. For instance, the overview of IDS was presented as part of a vulnerability scan explanation, as a way to show whether a compromise was caused by your scan or by some coincidental attack from a third party. One of those things that’s accurate, but misses the bigger picture.

In any case, I studied, practiced and went in for the test. The instructions had me showing up at 8:00am on a Saturday in Reston. I arrived about ten minutes early to find the parking lot full of cars with people sitting in them reading through their notes. At 8, we all started walking in and milled around for about 15 minutes until we were instructed to form lines for authentication and signing of the non-disclosure/non-cheat/non-distract/shutupandflyright rules. This was also the time for the confiscation of cell phones from anybody who forgot to read that part of the instructions or thought that rule didn’t apply to them.

We had assigned seating, instructions, and blank looks until nine – at which point they started the test. We had six hours to complete the test; I finished double-checking my work and turned it in around four hours after the start. Two weeks later, I received the results via email – I’d passed the test. Now I just need someone to vouch for my strength of character and to send in a resume showing a minimum of four years of experience in a relevant field, and I will be legally approved to add CISSP after my name in email signatures and on my business cards like so many people seem to do. That was an exhausting test, though. I took a couple of breaks to put down the pencil, look off into the distance, rub my eyes, etc. – and I was still ready to go take a nap.
