I Passed CISSP Without a Manager Telling Me To - Here Is Whether It Was Worth the 18 Months

By ReadRoost Team, May 31, 2026
Most CISSP advice is written either by people selling you a course, or by people whose employer paid for everything and put them on study leave. Neither perspective is that useful if you are considering it on your own time, on your own dime, while holding down a full-time security role. I did it that way - 18 months, ~800 hours, around $1,400 out of pocket, no manager telling me to. Short answer: yes, it was worth it for me, because I needed a credential to bridge from "senior engineer" to "security architect", and the cert moved that transition along in months, not years. The long answer is whether *you* are in the same situation, because if you are not, the same 800 hours might be better spent elsewhere. Here is the honest cost-benefit, including the parts nobody writes about.

The cost, fully loaded

Exam fee: $749 USD (~$1,150 AUD) at time of writing, plus $125 USD annual maintenance fee (AMF) once certified. That is real money even if your employer covers it. If they do not, it is the price of a decent laptop.

Study material: the Sybex Official Study Guide is $80, the Sybex Practice Tests book is another $50, and most candidates also use one of the major courses (Pete Zerger, Kelly Handerhan/CyberCop, or Destination Certification) which run from $200 to $700. Realistic spend if you are self-funded: $300-$1,000 on books and one course.

Time: I logged my study time. Eighteen months, averaging 8 hours per week, with a final 6-week sprint of ~20 hours per week. Total around 800 hours. Other passers I know report between 400 and 1,200 hours. The variance is mostly in how much security work the candidate already does day-to-day - it is meaningfully easier if you already touch GRC, risk management, or architecture professionally.

Lifestyle: the part nobody writes about. Eighteen months of "no, I can't" to evenings out, hobbies, fitness slipping, weekend study blocks. If you have small kids or a partner who works opposite hours to you, do the maths honestly before you start. The exam fee is not the part that hurts.

What CISSP actually gets you

Salary uplift, mostly. The honest answer. Multiple salary surveys (ISC2's own, Robert Half, the SANS GIAC reports) put CISSP holders 10-25% above non-holders in equivalent mid-level security roles, with the gap widening at senior-and-above levels. In Australia, the typical bump on a new role is $15-30K. Over a 10-year career horizon that easily clears six figures of accumulated gain. The cert pays for itself dozens of times over if it lands you a single role you would not otherwise have got.

Recruiter signal. Recruiters filter LinkedIn searches by "CISSP" because it is the closest thing the security industry has to a universally recognised mid-level credential. Without it, you are competing with everyone. With it, you appear in a smaller shortlist that recruiters trust more. The signal is real even if the underlying knowledge overlaps with what you already do at work.

Doors that open without explanation. Some senior roles, particularly in government, defence, and large enterprise security, simply require it as a hard filter. You do not get to argue your way past the requirement, and they do not let you sit for it on the day. Having it ahead of time is the only way through that door.

Confidence in your own breadth. The eight CISSP domains force you to know the parts of security you avoid in your day job. If you work in SOC, you will be forced to learn architecture and governance. If you work in GRC, you will be forced to learn cryptography and software security. Whether or not that "broadening" is worth 800 hours is the real question.

What CISSP does not get you

Technical skill. CISSP is a breadth-not-depth exam. You will not become better at writing detections, configuring firewalls, doing incident response, or any actual hands-on security work as a result of passing it. The cert is famously, sometimes proudly, "a mile wide and an inch deep". If your career goal is to be a hands-on engineer, OSCP or PNPT or one of the SANS GIAC technical certs will move you further faster.

Permission to lead. A CISSP does not make you a security leader. You become a security leader by leading - by running an incident, by building a programme, by translating risk to the C-suite. The cert helps you get the interview where you can demonstrate that. It does not substitute for the demonstration.

A shortcut around experience. ISC2 requires five years of relevant work experience to be certified (you can take the exam and become an Associate of ISC2 first, then convert when you hit the experience threshold). The cert is calibrated for people who have already done the work. If you are early-career, it is the wrong cert to chase - Security+ or SSCP is a better fit.

Was it worth it for me?

Yes - but with a specific caveat. I was at a fork in my career. I had been doing cloud security and identity work for about six years and was bouncing between titles like "Senior Cloud Engineer" and "Security Architect" without a strong external signal that justified the senior framing. The CISSP closed that gap quickly. Within four months of getting certified I had moved into a Senior Cloud and Security Architect role with a meaningful pay rise.

The caveat is that the cert *was the right tool for that specific transition*. If I had stayed where I was, or moved into a more hands-on engineering role, the 800 hours would have been better invested in deep technical work - SANS courses, contributing to open-source security tools, building something. The cert is a positioning tool. It is worth its price if you need positioning. It is not worth it if what you actually need is depth.

Who should do it, and who should not

Do it if: you are 4-7 years into security, you are aiming at senior-and-above architecture or leadership roles, you are in a market where the cert is a hard filter (government, large enterprise, defence), and you have honest agreement from the people you live with about the time commitment.

Skip it if: you are early-career (do Security+ or SSCP), you want to be a hands-on technical specialist (do OSCP / GIAC / hands-on labs), you already have a senior role and the recruiters know you, or you cannot honestly make 6-10 hours per week for the next 12-18 months without sacrificing relationships or health.

Defer it if: your current employer will fund it within the next year. Wait. The opportunity cost of paying $1,000-$2,000 out of pocket for something your employer would have covered is real, and the certification is not going anywhere.

How ReadRoost helps you prep

ReadRoost ships a CISSP pack with all eight domains covered. Every question goes through our validation pipeline: Kimi K2 generates the question, Claude Opus reviews each one against the latest CISSP Exam Outline and the Sybex Official Study Guide, and any question whose explanation cannot be supported by the official sources gets flagged and rewritten before publishing.

Spaced repetition surfaces your weakest domains - which for most candidates ends up being Domain 3 (Security Architecture and Engineering) and Domain 8 (Software Development Security). Mat's own CISSP credential informs the question style, particularly around the scenario-judgement format that catches most first-timers off guard.

Frequently Asked Questions

How long does CISSP take to study for?

Realistic range is 400-1,200 hours total, spread across 6-18 months depending on your existing security background and weekly time available. Candidates who already work in GRC, risk, or architecture domains tend to be at the lower end. Hands-on SOC analysts or penetration testers often need more time on the governance and software-security domains.

Can I sit for CISSP without 5 years of experience?

Yes. You can take and pass the exam without meeting the experience requirement and become an "Associate of ISC2", with up to six years to gain the experience and convert. This is the right path if you are 2-4 years in and your manager is willing to mentor you toward the role that completes the requirement.

Is CISSP harder than Security+?

Substantially harder. Security+ is a foundational cert that rewards memorisation; CISSP is a scenario-judgement exam that requires you to think like a security manager evaluating trade-offs. People who treat CISSP like a memorisation grind typically fail. The right preparation includes a lot of "given this situation, what would a CISSP-mindset person do" practice, which is harder to scaffold than pure fact recall.

Does CISSP expire?

Yes. CISSP certification requires 120 CPE (Continuing Professional Education) credits every three-year cycle, plus the annual maintenance fee. CPEs are easy enough to accumulate through reading, podcasts, conferences, and writing - but it is an ongoing commitment, not a one-and-done.

CISSP or CISM - which one first?

For broad recognition and recruiter signal, CISSP is the safer first choice in 2026. CISM is more focused on security management and governance specifically and is excellent if your career is heading purely into security leadership. Many senior security folks end up holding both - CISSP first, CISM second within a year or two if the leadership path is the direction.
