I last wrote about transitioning my career as a paragliding instructor to one in cybersecurity back in 2021! By then, I had already been a cybersecurity analyst here at Fractional CISO for about two years and had ISC2’s SSCP certification under my belt.
The learning curve was steep, but the exposure to different industries and their security challenges was invaluable. Each client had unique security needs—healthcare with its strict data protection rules, finance with its focus on risk management—you name it. Working here was like drinking from the cybersecurity firehose!
What started as an uncertain leap has now led me to an exciting and fulfilling career; by 2022, I had been working in cybersecurity for five years. Five is a big number in cybersecurity, because it’s the number of years of full-time work experience needed to get the CISSP certification, the next rung up on ISC2’s certification ladder and commonly considered to be the gold standard of cybersecurity certifications.
I’m happy to report that, after a lot of studying and a very challenging test, I got my CISSP last year! I’m writing this to help those of you considering getting this certification yourself.
Why I Chose to Get a CISSP
As I looked ahead at my career, I knew I wanted to transition from a supporting analyst role to an account lead vCISO role at Fractional CISO. Our clients value having very experienced vCISOs to lead their cybersecurity and compliance programs – which means they want to see that CISSP credential. If I wanted a leadership role, I needed to prove I had the experience and capabilities to back it up.
What Exactly Is the CISSP?
The CISSP (Certified Information Systems Security Professional) is one of the highest-regarded certifications in cybersecurity, especially for leadership and management roles. According to ISC2, “Earning the CISSP proves you have what it takes to effectively design, implement, and manage a best-in-class cybersecurity program.”
The certification covers expertise in eight key information security domains:
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security
As I previously mentioned, you need at least five years of full-time experience in at least two of these domains to qualify. If you have a relevant degree or another ISC2 certification, you can knock off one year of the required experience.
How I Prepared for the CISSP
To get ready for the exam, I took a well-rounded approach, mixing self-study, formal training, and practice tests. I started with the official CISSP study guide, working through the end-of-chapter questions. If I got any wrong, I’d go back and reread the entire section. For topics I already felt comfortable with, I skimmed to reinforce my knowledge.
Knowing that I learn best in structured environments, I signed up for a week-long, in-person bootcamp. This was a game-changer. Being in a room with other CISSP candidates kept me focused, and the ability to ask questions on the spot made a huge difference. I took tons of notes and made sure to schedule my exam soon after while everything was still fresh.
In the final month before my exam, I used the official CISSP study app, grinding through practice tests to sharpen my knowledge. I focused on reviewing my bootcamp notes and studying some mind maps the instructor had shared.
My Certification Testing Experience
The CISSP exam is proctored and must be taken at an official testing center. When I arrived, I noticed several test-takers freaking out when they realized they couldn’t have study materials in the waiting room. You get three hours to answer somewhere between 100 and 150 multiple choice questions.
Sounds easy? It’s not.
The test itself was brutal, not because I didn’t know the material, but because of the way the questions were worded. The adaptive format meant that if I got a question right, the next one would be even harder. If I got one wrong, it’d test me again in the same area to check if I really didn’t understand it or if I just flubbed one question. That made it impossible to tell how I was doing!
On top of that, most of the questions were “best answer” questions—where multiple answers could be correct, but one was better than the others. That meant carefully reading every single question multiple times.
When I finished, I went back to the proctor, who handed me my results. I was thrilled to read:
“Congratulations! We are pleased to inform you that you have provisionally passed the Certified Information Systems Security Professional (CISSP) examination.”
After passing, I had to complete the endorsement process, which meant getting an existing CISSP to vouch for my experience and passing an ISC2 background check.
The only annoying part? The approval process took over two months. I took my exam on December 12, 2022, and my certification was officially approved on February 28, 2023.
How to maintain the certification with CPEs
Getting CISSP-certified is great, but keeping it requires continuing education. To maintain the certification, you need to earn 120 Continuing Professional Education (CPE) credits over a three-year cycle, with at least 40 credits per year. (CPE Handbook)
CPEs are split into two categories:
Group A: Directly related to cybersecurity domains, like attending conferences, taking training courses, or giving security presentations.
Group B: General professional development, such as leadership courses or project management training.
On top of earning CPEs, CISSP holders must pay an Annual Maintenance Fee (AMF) of $125. It’s a bit tedious to track and submit CPEs through the ISC2 portal, but it’s a pretty straightforward process. Personally, I make it a habit to attend at least one cybersecurity conference each year, watch webinars, and listen to security podcasts to keep up with the field.
Is the CISSP right for you?
While preparing for the CISSP, I learned that it isn’t for everyone. I think you should…
Skip the CISSP If:
You prefer “red team” or technical work like penetration testing or malware analysis—other certs like Offensive Security Certified Professional (OSCP), GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), or GIAC Reverse Engineering Malware (GREM) might be better.
You are terrible at standardized tests. It’s a standardized test on steroids. The CISSP’s tricky wording and adaptive format really add to the difficulty.
Go for the CISSP If:
You want to move into security management or consulting.
You need to prove your cybersecurity leadership skills.
You want a broad understanding of cybersecurity beyond just technical execution.
The CISSP is best for those who want to lead security programs and manage risk. If that sounds like your career path, it’s a solid investment in your future. It’s the path I wanted to follow, and it has worked out great for me so far!