The first time I took my CISSP exam, I have taken it the way most people take it - I knew just enough to pass the exam, but I was asked to memorize facts, bits and pieces because I did not fully understand them. It was very disappointing. My goal has never been to get as many certifications following my name as possible. In fact, my personal belief is when I see somebody list 10 certification credentials beside their name in an electronic mail, on a business card, or resume - the person may have an ego issue that makes the individual to show off and brag about their credentials. So this individual may be great at taking tests, but I have yet to run into a situation in real life where responding Yes Or No was required to get a job done.

At the time that I took my CISSP exam, study guides were non-existent, no books, and no websites for the CISSP exam. (ISC)2 was the sole body who provided training for CISSP. It was like four days a week for two consecutive weeks at that time. The first week I could tell that my instructors did not really have a clear understanding of the topics that they were teaching. I even asked one of the instructors a query on Kerberos and instead of discussing the answer to me, he said, “You are not required to understand that for the test.” I was very shock. I could tell not only did he not know the answer, but his main pre-occupation was to help people memorize things that were going to be on the exam. After getting similar responses to a few more questions, I just controlled myself to stop asking. On the third day out of the eight days of class, I decided not to attend anymore. We were discussing a ton of subjects at breakneck speed that I did not know and spending more time in the class meant that I would just sit through more lectures and learn nothing and grow more impatient.

Just would like to note that the two (ISC)2 instructors that taught the class I was in have always touted over the years that “Shon Harris was their student” and (ISC)2 sales people say the same thing today to fill more seats in their class. I have heard about these comments for several years now. What the instructors from (ISC)2 and sales people do not mention to their customers is that I quit the class because it was useless.

So after passing the CISSP exam and still not really understanding much about the varied topics, I thought that someone has to write a book on it. So I did. The first book I ever published was close to 1,000 pages long. I was a masochist.

There is a huge difference in memorizing topics to be able to choose the right answer to pass a test as against understanding fully the concepts to be able to publish a huge book and handle training courses on them. To be honest, I feel so fortunate and rewarded that I have had the chance to do both.

Now when I do consulting work, I many times understand subjects that my colleagues do not and I can “view” the subjects at a greater level and how it influences other surrounding issues. I ordinarily raise dependencies of particular solutions that the team has not thought about. And for years I have a clear understanding of what a security program is truly made up of, which the industry is now finally getting a grasp on. I am certainly not the brightest bear in the bunch, but the level of research I have had to do on the topics within the CBK allows me to look at security holistically and not be lodged in understanding security from only one point of view.