The Certified Information Systems Security Professional (CISSP) certification has become a widely recognized credential for broad information security expertise. But the challenging exam for CISSP certification requires such a wide range of security knowledge that many tech pros require some help to pass it, regardless of their experience level.
As a CISSP trainer for Certified Tech Trainers, I've heard a lot of horror stories about money wasted on not-so-great instructor-led training. In fact, many of my students have already invested in training that simply didn't work for them.
You should look for several common elements when choosing a school and its course. To save you time and money, I've come up with six tips to help you evaluate instructor-led CISSP training.
Tip 1: Verify the credentials of the instructor
If you expect the instructor to transfer knowledge on a wide variety of security domains, make sure he or she is an expert in each of the security domains. Naturally the instructor should be CISSP certified, but I would argue that CISSP certification alone is not all you should look for.
If a Microsoft Certified Trainer is teaching Windows 2000 directory services, you don't really need the instructor to also be a firewall guru. However, if the instructor is teaching Microsoft Internet Security and Acceleration (ISA) server, it would be kind of nice if the instructor really knew firewall implementations and could explain how ISA functions in comparison to Cisco PIX, Check Point Firewall NG, and Linux IP Tables.
The CISSP exam covers 10 security domains, and it's really 10 exams in one. Look for an instructor who is a credentialed expert in each of the security domains. Desirable instructor certifications include (ISC)2's CISSP, ISACA's CISA, CompTIA's Security+, SCP's SCNP, Check Point's CCSE and CCSI, Cisco's CCIE, CCNP, and CCSP, Microsoft's MCT, MCSE, and MCSD, Nokia's NSA, TruSecure's TICSA, and SANS's GIAC. It is also desirable for your instructor to have a business or computer science degree.
Some courses have even been created by recognized authors. Although this is certainly nice, be careful that authoring is not the instructor's only claim to fame. Getting a book deal is not that hard. Having coauthored and edited four books myself, I can speak from experience. The CISSP is an expert-level certification. Make sure your instructor is an expert in each of the 10 security domains before you sign up for a CISSP class.
You should also be careful of a school that boasts of a course created by an expert but then uses someone else to teach it. The strength of an instructor-led class comes primarily from the instructor in front of you, since it is the instructor's ability to transfer knowledge that can really deliver the value of the class. I can tell you that it's a lot harder to hire extremely talented and qualified instructors than it is to find or create good base content. Promoting a course created by an expert and delivered by someone else is often little more than bait-and-switch marketing.
Tip 2: Beware of the cookie-cutter course
Make sure that the course provides a foundation of solid information security training mapped to the 10 security domains of the Common Body of Knowledge (CBK). Is the course adapted solely from a book, or does it include custom content as well? What is the extra content?
Oddly enough, you should also make sure that the instructor's presentation actually corresponds to the course materials provided. We've had many frustrated students come to us after attending a presentation that didn't even match the materials provided.
Tip 3: Evaluate the after-course study materials
Make sure that the course is set up to allow easy review. There's an enormous amount of material to cover for the CISSP, and you'll absolutely have to review on your own to retain all the necessary details. If the course is set up properly, it should already have critical exam points highlighted for you.
The school should not rely on your ability to remember what was important to remember for the exam. It will be hard enough just keeping up, let alone discerning what to review. Make sure the school is doing its job by taking as much of the work out of the learning process as possible. You want to have energy and concentration left for pure retention efforts without wasting them on preparatory details the school could have taken care of.
Tip 4: Ensure that the course addresses test-taking strategies
Although the school should naturally provide solid information security training and knowledge transfer, it should also provide specialized training on the art of attacking ambiguous, subjective, and very tricky exam questions. Many of our students have commented that the CISSP exam seemed as much a test of IQ as a test of infosec know-how. My opinion is that it's both.
You'll need to develop the skill of ferreting out the true point of a question and then determining the best answer out of four good and arguable answers. Most instructor-led courses shy away from this kind of instruction, but that doesn't mean that test-taking skill is bad or that you don't need it. Just ask any CISSP about the exam. Most will just grin and swear they will never take it again!
Tip 5: Check out the opportunity to practice for the exam
Make sure that the course includes plenty of mentoring through practice exams. Simply taking practice exams for the CISSP does not work as it does for many technical certifications. From my experience, I can vouch that you'll probably not see more than 2 to 3 percent of any practice questions on your real exam. That means you can't "Transcender" through this one.
In preparing for my own exam, I parsed more than 2,800 commercially available practice questions from Boson, The CISSP Prep Guide, the All-in-One CISSP Certification, and the SRV publications to find and memorize more than 1,100 nonredundant questions. I can't say for sure, but I don't remember more than about 25 real questions that mapped very closely to practice questions. The math says you would need 10 times the memorization to get the content you need. Not much of a shortcut, is it?
So why do I recommend seeking mentored practice exams? The key word is mentored. If an exam expert walks you through the logic of attacking tricky questions, you can apply those same techniques to any exam. And if the instructor has the string of certifications mentioned in tip number 1, you can be confident that he or she has plenty of experience in taking tricky exams.
Tip 6: Don't buy training based on pass guarantees
Beware of making your decision based upon a hollow "exam pass guarantee." Most of these guarantees are not money-back guarantees. They often only enable you to take the class again if you fail your exam. It's kind of like being offered a free meal from a restaurant after showing proof from the hospital that your last meal gave you food poisoning.
If the class did not get the job done the first time, do you really want to go back again at your own expense? If a school wants to impress you with an exam-pass guarantee, see whether it will give you your money back if you fail on your first attempt.