Home > Articles > Other IT Certifications > CISSP

Busting Through the Myths About the CISSP Exam

The CISSP exam is out of date, irrelevant, and subjective? Perhaps, but preparing for the exam is useful if you want to really learn about network security. This article by bestselling author and trainer Shon Harris discusses the importance of learning the material, not just cramming for the exam.
Like this article? We recommend

Like this article? We recommend

For years, I have heard people complain about having to learn things for the CISSP exam that they would never use in their lives. When I was studying for this exam several years ago, I said the same things. I also hear people saying that they have to learn security through (ISC)2's view for this exam, which does not match with reality. The thought on both of these statements is that someone would have to memorize items for the test that are not helpful in their career—thus a waste of time. Again, I fell into this bucket when I studied and took the exam forever ago. Now I see it completely differently.

I have found that because I have written books and taught CISSP classes for many years, I understand the material in much more depth than I would have if I just studied, took the test, and moved on with life.

The information that people complain about having to learn (Bell Lapadula, Biba, Clark-Wilson, etc.) is very beneficial to their understanding of security in a holistic manner instead of just focusing on their original thought of what makes up security.

Many technical people seem to think that learning anything above technology is a waste of their time. This is because they have a desire to stay in the technology realm and learn their trade at a much deeper level instead of understanding that security is certainly not all about technology.

Although I am pretty disappointed with the way that the questions on the CISSP exam are worded (confusing, vague, subjective), I have a great appreciation for the actual Common Body of Knowledge (CBK). I was a security consultant before I took the exam, wrote books, and taught CISSP, and I am still a security consultant, but the difference in my knowledgebase and view on security has drastically changed.

Like most people, I focused on what security topics I was to perform in my specific job. At the time, on-line banking was just coming to the market (yes, I am that old), and I worked with programmers, software architects, project managers, analysts, and end customers—all focusing on on-line banking . I sure as hell was not interested in the different types of fire suppression, access control models, trusted computing base, or anything outside of my domain of topics that I lived, worked, and breathed in.

When I took my CISSP exam, I was like most people who take it—I knew just enough to pass the exam, but I had to memorize things because I did not fully understand them. This made me very disappointed. My goal has never been to get as many certifications following my name as possible. In fact, my personal opinion of someone who lists 10 certification credentials after their name in an e-mail, on a business card, or resume is that the person may have an ego issue that requires showing off and bragging about their talent for passing tests. So this type of person may be great at taking tests, but I have yet to run into a situation in real life where answering A, B, C, or D was required to get a job done.

At the time I took my CISSP exam, there were no study guides, books, or websites for the CISSP exam. At that time, (ISC)2 was the only one that offered training for CISSP, which took four days a week for two weeks at that time. The first week I could tell that my instructors did not really fully understand the topics that they were teaching. I remember asking one of the instructors a question about Kerberos and instead of explaining the answer to me, he said, "You don't need to know that for the test." I was in shock. I could tell not only did he not know the answer, but his main focus was to help people memorize things that were going to be on the exam.

After getting the same type of response to a few more questions, I just stopped asking. On the third of the eight days of class, I left. We were going over a ton of topics at the speed of light that I did not know, and spending more time in the class meant that I would just sit through more lectures and learn nothing and get more frustrated.

As an interesting side note, the two (ISC)2 instructors who taught my class have boasted over the years that they "taught Shon Harris," and (ISC)2 sales people say the same thing today to fill more seats in their class. I have heard about these comments for years now. What the (ISC)2 instructors and salespeople do not tell their customers is that I quit the class because it was of no use.

So after passing the CISSP exam and still not really knowing much about the various topics, I thought that someone should write a book about it. So I did. The first book I ever published was close to 1,000 pages long.

There is a great difference in having to know topics to be able to choose the right answer to pass a test versus knowing the topics to be able to write a huge book and teach courses on them. I honestly feel very lucky and honored that I have had the opportunity to do both.

Now when I do consulting work, I often understand topics that my fellow consultants do not and I can "see" the topics at a greater level and how it affects surrounding issues. I commonly bring up dependencies of certain solutions that the team has not thought about. And for years I have understood what a security program is truly made up of, which the industry now finally understands.

I am certainly not the brightest bear in the bunch, but the level of research I have had to do on the topics within the CBK allows me to view security holistically and not be stuck in understanding security from only one point of view.

So to get back to the crux of this message, I still hear people complain about having to learn things that they don't have to know for their jobs and having to learn topics the way that (ISC)2 defines them. When I am teaching a class, I cover these complaints in-depth because students can erect these barriers, which will stand in the way of truly being educated.

For example, most students complain about the access control models that they have to learn about (Bell Lapadula, Biba, Brewer & Nash, Clark Wilson, etc.) for the exam. Now, if the student would take the time to really understand where these models fit in life, they would have much more appreciation for them.

Access control models are made up of formal or semiformal rules that a software architect can follow to ensure that security is built into the foundation of an application or operating system and that a certain level of security is provided throughout the software, no matter what procedure that is carried out by the code.

You might say, "I have never even heard of these models and they are old and out of date, anyway." My response would be, "You don't know these models because you have never worked as a software architect who is responsible for building these types of products. And if you don't know these models, how would you know that they are out of date?"

One reason why most people are unfamiliar with these access control models is because the software we commonly use day in and day out is not built on formal or semiformal models. Windows grew up from MS-DOS. Security was not an issue when we were using Windows 3.1, Windows 95, and even Windows 98. The code was developed to provide functionality—period.

The evolution of Windows has brought about ways to ensure that the user could not make mistakes by adding a ton of code that keeps the user from the critical pieces of the operating system, as in the kernel. And as Windows became more popular, more nontechnical people had to use these systems, so a requirement for "idiot-proofing" the software increased, and today we have a ton of wizards, help files, icons, and so on.

So is Windows or UNIX built on one of the models you need to know for the CISSP exam? Nope, they were built with only functionality in mind. Does that mean that these models are not used? Nope. The access control models are used in specialized software products that require a specific type and level of security. Are the access control models obsolete? Nope. These models are becoming more popular specifically because the industry needs more secure products. (For example, SELinux is based on the Bell-Lapadula model.) If you attend a graduate security program at a university, you will have to know these models in-depth. So just because you are not aware of something does not mean that it is not important.

I could go on and on about specific topics that students commonly poo-poo and think it is a waste of their time to learn. This attitude, although common, occurs from ignorance. These students have yet to fully understand how security covers an amazing spectrum in every organization in every industry. It isn't just about firewalls and packets anymore.

The other common statement is just as crucial to understand, which is that you have to learn security how (ISC)2 sees security. I have heard this a million times when teaching CISSP courses and from e-mail to me, CISSP forums, and other places. Again, I do not like and cannot fully support the way the CISSP exam questions are written, but the material that you have to learn for the exam is not something that has been made up by (ISC)2.

If you research each and every topic within the CBK as I have, you will quickly find that almost all the material comes straight from NIST documents and other "best practices" resources in the industry. The reason that I hear this complaint so much is because people have not fully read all the NIST documents out there or are not tuned into what correct and structured security actually requires. People are used to seeing security through the lens of their job and the company that they work in. Many companies have their own definitions for specific terms and have ways that security is practiced in a type of proprietary manner. Each company morphs terms and concepts to best fit its environment, but that does not mean that those are the standard practices in security for the industry as a whole.

I deal with this issue at the beginning of any class I teach. I do this because from years of experience I understand that people have learned different "dialects" of security and since that is what they are most used to, they fully believe that their view is the right view.

What makes this issue even more complicated is that a lot of resources do not teach CBK topics to the necessary depth of understanding. This means that the people's notions of what security is and its definitions of terms are not challenged properly. Let me give you an example that makes some students' head explode.

Most people are familiar with the OSI model, which is a model that describes the various functionalities at different layers in a network stack. Most people know the "canned" definition of what takes place at the seven layers of a network stack, but really do not understand the model or what each layer truly represents. So two things that I have seen students almost go through a nervous breakdown about is SSL working at the Transport layer and ARP working at the Data Link layer. The canned definition of the functionality that takes place at the Transport layer is "end-to-end transmission." The canned definition for what takes place at the Session layer is "a connection is built, maintained and torn down." These two definitions sound as though they are the same—what is the difference?

A Session layer protocol builds a connection to an application on another system. In the client/server model, a small part of an application is the client, and the larger part of the application resides on another computer and does a lot of the work for the client. So how does the client and server portion of an application communicate? Through some type of Session layer protocol, NFS, RPC, NetBIOS, SQL, and so on. These protocols keep track of the dialog connections between the two pieces of software and carry out a variety of functions as in checkpointing, session recovery, opening and terminating connections, access control, and more.

Simply put, protocols at the Transport level provide connections between computers, and protocols at the Session layer provide connections through applications. So, what does this have to do with SSL and ARP?

Some people have learned that SSL works in the Session layer and when I say that for the CISSP exam it works at the Transport layer they want to throw a book at me. (This is one example of why people think that they have to learn security through the view of CISSP versus reality.) What people do not fully understand is that the SSL is made up of two protocols that carry out the functionality of the Session layer and the Transport layer. So some resources say that SSL works at the Session layer and another resource says it works in the Transport layer and they are both right—but neither of the resources goes deep enough within the protocol to explain how it works. So we just memorize what layer we are told that it works in.

The reason why many people have a difficulty with conflicting resources is because the OSI model does not actually exist. It is a conceptual model to allow people to understand the different pieces of a network stack. You will never open your hard drive and see where the OSI model is; you will never find an actual file that has OSI in it. The OSI model is taking reality (a network stack) and virtually cutting it up into understandable and digestible chunks. This is like trying to put boxes on top of your life so that your life can be explained in discreet levels of activities. There are things that you do in your life that do not fit well in just one box; maybe it takes two boxes to cover a certain aspect of your life. The same goes for a network protocol stack. The OSI model is attempting to break the network stack down into specific layers, but some protocols cover more than one layer. (ARP is made up of code that provides the functionality of the Network and Data Link layer. This is another one of those issues that can result in a lively debate.)

So, if you learned that SSL works at the Session layer instead of the Transport layer, and ARP works at the Network layer instead of the Data Link layer—you have memorized the functionality of the layers within the OSI model. This in no way means that you actually understand what is going on in the network stack.

This is just one example of why people think that they are being taught incorrectly; that they just have to answer the question on the exam the way that (ISC)2 wants them to answer and then get back to their real lives. In reality, you just don't fully understand the OSI model and how it relates to the protocols that make up a network stack.

Another piece that contributes to the thinking that you have to learn security incorrectly for the exam is the instructor. I cannot tell you how livid I have become over the years when I hear instructors tell students that they just need to memorize the CISSP-type of answers, even though that is not really how it works in real life. This is a case of the blind leading the blind. Many people have wanted to work as CISSP instructors for my company over the years, and many failed because of this exact issue. The instructor does not fully understand the specific topic, so he takes a copout and says that it is wrong but you have to know it anyway for the exam. Unbelievable, but this is a common practice in CISSP courses.

So is the CISSP exam is out of date, irrelevant, and subjective? Only if you do not put the effort into actually understanding the concepts that are covered on the exam. For example, you may have learned the "canned" definition of the TCB and security perimeter, but what do they have to do with the real world? You can know and understand only if you put in the effort. If you just want to just get your CISSP and memorize the "canned" definitions, don't ask me for a job—and I hope I don't work on any consulting team with you.

The best compliment I have received over the years is when someone comes up to me after my class and says, "It doesn't matter whether I get my CISSP or not; this class really opened my eyes to the world of security."

For more information visit http://www.logicalsecurity.com.

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020