For many years, many people have complained about learning so many things for the CISSP exam that they would never use in their lives. When I was preparing for the exam a few years ago, I had the same perspective as others. People also believe that they are required to understand security through (ISC)2’s view for this exam, which is so detached from reality. The contention behind these statements is that someone would have to memorize bits and pieces and other trivial facts for the exam that are not helpful in their career – thus a waste of time. Again, I was in the same boat when I prepared for and took the exam ages ago. Now I see it completely differently.
I have found that, since I have authored books and taught CISSP training classes for many years, I have a greater understanding of the material than I would have if I had just studied, taken the test, and moved on with life.
The things that people complain about learning (Bell-LaPadula, Biba, Clark-Wilson, etc.) are of great benefit to a comprehensive, holistic understanding of security, instead of just focusing on their original notion of what makes up security. A lot of the technical guys believe that learning anything above technology is a waste of their time. This thinking is common among these people because they regard anyone who does not understand technology as they do as inferior. But companies are not in business just to have software and networks in place. The software, networks, and systems are only some of the tools a company uses to manage and grow its business. So understanding things above technology, commonly referred to as soft skills, is actually more critical in the world of business – which is where we all live and work.
Although I am pretty disappointed with the way the questions on the CISSP exam are worded (confusing, vague, subjective), I have a greater appreciation of the actual Common Body of Knowledge (CBK). I was a security consultant before I took the exam, and then I wrote books and taught CISSP – and I am still a security consultant, but my view on security, as distinct from my knowledge base, has changed significantly.
I, like most people, focused on the security topics I had to perform in my specific job. At the time, on-line banking was just coming onto the market (yes, I am that old), and I worked with programmers, software architects, project managers, analysts, and end customers – all doing on-line banking. To be honest, at that time I was the least interested in the different types of fire suppression, access control models, the trusted computing base, or anything outside the domain of topics that I lived, worked, and breathed in.
By: Shon Harris