Becoming a CISSP, Part II: Getting Certified

The CISSP Application

After provisionally passing the CISSP, I contacted a coworker who’d agreed to endorse me. For those who are unaware, passing the CISSP Exam does not automatically grant you the certification; you’re also required to:

  1. Meet ISC2’s CISSP experience requirements
  2. Be endorsed by an existing CISSP member in good standing

Note: If you pass the exam but don’t possess the relevant experience, you will NOT be granted certification! Instead, you’ll become an “Associate of ISC2” and have 6 years to meet the experience requirements.

This entailed going through my resume and correlating my experience to their applicable CISSP Domains. My application was submitted for endorsement within a couple of days, and the wait began…

I couldn’t help but feel deflated. I’d worked so hard to prepare for the exam and aced it, yet I still couldn’t call myself a CISSP! When faced with the inevitable, I did what I always do: I tried to put it out of my mind and move on.

Acceptance

About 4 weeks later, I received an email from ISC2 indicating that my application had been accepted and asking for my $125 annual maintenance fee. Upon payment, I received a follow-up email with my CISSP certification number.

I could at last breathe easy, knowing that it was finally over, and I could now celebrate my achievement in earnest! I did not yet have my physical certificate. It would be another 4 weeks before it arrived, and with it, disappointment…

The Card

While preparing for my CISSP, I stumbled on a couple of videos from a group called “Host Unknown”:

  1. Host Unknown presents: I’m a C I Double S P
  2. Benefits of being a CISSP

I found these to be a hilarious and welcome distraction amidst the stress of preparing for the CISSP exam. In particular, the second video led me to expect a card in addition to my physical certificate.

When the envelope containing my certificate arrived, I was disappointed to find that it didn’t include a card! Instead, I got a cheesy little pin… My disappointment was immeasurable. So much so that I actually reached out to ISC2, and was told this was something they discontinued due to COVID. While I can’t see why that would matter, I was powerless to do anything about it… save for maybe scanning my certificate and converting it to an SVG, then shrinking it down to business card-size, printing it off and laminating it…

To be continued…

Blogging with Purpose

When I decided to create this blog, I did so with the express purpose of helping others (and myself) find answers that were difficult for me to come by. Either the information I wanted was scattered across several websites, buried deep in some forum, or worse still, phrased in an unclear or misleading way.

On very rare occasions, I’ve somehow managed to solve the problem and be the first (to the best of my knowledge) to publish it! In my role, the emphasis is on proven technologies, so it isn’t often that I encounter an issue that’s so obscure that no one else has bothered to write about it.

Even after I’ve decided what to write about, I then will spend hours, sometimes days editing my article for spelling, grammar, readability and clarity. Not every article I write makes the cut, and I’ve got about a half dozen of these sitting in my queue that might never see the light of day.

As one might expect from this focus and model, I don’t publish many articles. I rationalize this by inferring that perhaps (content) quality is more important than quantity. But then how does an author define “quality”?

That depends on the purpose of the blog. Some blogs are written to entertain, some for profit, others to inform while others still are a collection of seemingly random thoughts and ideas the author wanted to capture.

Does a Blog need an excuse?

For instance, suppose you’re an eccentric Welsh change management consultant named ‘Rich’ with a blog whose URL suggests that it’s all about the intricacies of bovine partner-dance.

You could write about everything from social media, to technology to a badger you met on the way to the bathroom wearing a tiny badger-towel with “New Forest 1994” written on it (surprisingly, I’m not making this up – although you’d think I were given that that cheeky Brit has since taken down the post it referred to)…

Whose Blog is it anyway?

Can we blog for the sake of writing? Why not!

Does every blog post have to contribute something useful to humanity? Certainly not. As Andy Leonard infers, one shouldn’t worry about what to write – time and practice will solve that for you – only that you write at all; taking that first step.

So next time your Saudi-American friend’s eyebrow raises and suggests in an ever-so-slightly mocking tone, “You should blog about that…” Smile back and say, “Yes Yousef, I think I will!”

Disclaimer: No talking badgers, Welshmen or change management consultants were harmed in the writing of this post.

P.S. Rich, Stu and Adam – thanks for helping me retain my sanity and sense of humor in a time and place where both were hard to come by.

Microsoft CSAT Survey

NOTE: This post was written in July of 2009, and the information herein may be outdated/no longer applicable. I’ve elected to preserve the post here for posterity.

As of October 2009, Microsoft is requiring all of its Gold-level Partners to participate in a Customer Satisfaction Index (CSAT) Survey:

“Effective October 2009, partners re-enrolling at the Gold Certified level will need to have participated in at least one CSAT Index survey prior to re-enrolling, and receive ten or more survey responses (up to eight responses can be from the same customer organization).”

In my case, my employer is an ISV that develops web-based applications for use on a Microsoft platform (IIS/.NET/SQL Server etc.), but doesn’t actually resell Microsoft products. This requirement is a big headache for us for a number of reasons:

  1. Most of the questions are geared toward resellers, and won’t apply to ISVs (e.g. “…Assuming [Company Name]’s performance remains the same as it is now, do you expect your company’s future purchase levels from [Company Name] will be…”)
  2. The questionnaire is around 30 questions long, and can’t be shortened! You can only add additional questions.
  3. The partner points you can earn for these surveys are negligible (as little as 2 points for 10-19 responses, as much as 20 points for 200+ responses).

After several weeks of exchanges with various Microsoft representatives, I was finally told that although participation is mandatory for Gold Certified partners, incomplete surveys would still count toward the requirement if inapplicable questions were left unanswered (specifically, questions 14 and 15 as those pertain to sales performance).

I hope this helps someone else out there who might find themselves in a similar predicament!

Honesty in Sales

One of the most effective ways for me to evaluate vendors is to speak directly with a representative. This saves a lot of time and effort spent picking through the fluff to try to get to the meat of what you’re after.

When I approach a sales person, whether it be over the phone or in person, I get right down to the point, explain what I’m looking for and declare my budget. Generally, we’ll know within 5-10 minutes whether or not we’re wasting each other’s time.

Today, I placed such a call, intending to reach a representative I’d previously worked with on an unrelated project. The rep was no longer with the organization, but I decided to press on with the next available person. Our conversation went something like this:

I opened by explaining my requirements and budget to the sales rep, we’ll call him “Don”. Don explained that he had both on-premise and SaaS offerings. I expressed interest in the latter, and asked what pricing was like. Instead of responding appropriately, he continues to pitch me the on-premise solution. I ask again, how much his solution costs. He dodges the question again, this time going into more detail about the application’s features. I ask him a third time, and he finally confesses that the cost is 4 times greater than what I’d already defined to him as my budget, but he wasn’t finished.

There was also support, training, and another feature I listed in my requirements which, although he had previously claimed it was a ‘standard’ feature, was actually available only at an additional cost. After all of the ancillary fees, the total solution came to just over 5 times my stated budget.

At that point, I was ready to end the call, but decided to entertain the SaaS offering. I was equally disappointed there as well, the cost still being well above my constraints. I explained to him that my budget was neither negotiable nor arbitrary, so he played the quality card.

While his product was good, he could not identify any direct competitors (of which there were many), nor could he articulate what was so unique about his product that warranted a premium price tag. I let him go at that point and moved on, but invited him to talk to his superior and see if he could come back with an offer that met our requirements.

Within an hour, I had a quote from him that was equally insulting – the price had not changed, and he even went so far as to say (in not so many words) that we weren’t big enough to bother with, and that he was puzzled about how we came up with such a low budget for this project. He even went so far as to infer that our constraints weren’t realistic, or that we hadn’t done our homework.

Two calls later, I found a solution that offered all of the functionality Don’s product did, but at 1/3 of our budgeted cost per user. It included:

  • Free support
  • No multi-year contract
  • Setup in minutes instead of months.

It was clear to me based on Don’s attitude and pricing that SMBs were not one of their target markets, and that’s okay. A Mercedes is not for everyone! Whether the car can park itself or make julienne fries, these features mean little to a person who is looking to get from point A to point B, and can’t spend an extra $35K to get there.

While Don didn’t have anything that could help me today, his behavior guaranteed that I would never do business with his firm again, either in this, or any other organization later down the road. I can only wonder how much this kind of carelessness costs organizations every year in damaged reputations and missed opportunities? I replied to his email with a lengthy explanation of why we weren’t going to do business in hopes that he might learn from the experience. I hope he does.

What kind of experiences has everyone else had with dodgy vendors?