I Passed CISSP Without a Manager Telling Me To - Here Is Whether It Was Worth the 18 Months
Most CISSP advice is written either by people selling you a course, or by people whose employer paid for everything and put them on study leave. Neither perspective is that useful if you are considering it on your own time, on your own dime, while holding down a full-time security role. I did it that way - 18 months, ~800 hours, around $1,400 out of pocket, no manager telling me to. Short answer: yes, it was worth it for me, because I needed a credential to bridge from "senior engineer" to "security architect" and the cert moved that transition in months not years. Long answer is whether *you* are in the same situation, because if you are not, the same 800 hours might be better spent elsewhere. Here is the honest cost-benefit, including the parts nobody writes about.

The cost, fully loaded
Exam fee: $749 USD (~$1,150 AUD) at time of writing, plus $125 USD annual maintenance fee (AMF) once certified. That is real money even if your employer covers it. If they do not, it is the price of a decent laptop.
Study material: the Sybex Official Study Guide is $80, the Sybex Practice Tests book is another $50, and most candidates also use one of the major courses (Pete Zerger, Kelly Handerhan/CyberCop, or Destination Certification) which run from $200 to $700. Realistic spend if you are self-funded: $300-$1,000 on books and one course.
Time: I logged my study time. Eighteen months, averaging 8 hours per week, with a final 6-week sprint of ~20 hours per week. Total around 800 hours. Other passers I know report between 400 and 1,200 hours. The variance is mostly in how much security work the candidate already does day-to-day - it is meaningfully easier if you already touch GRC, risk management, or architecture professionally.
Lifestyle: the part nobody writes about. Eighteen months of "no, I can't" to evenings out, hobbies, fitness slipping, weekend study blocks. If you have small kids or a partner who works opposite hours to you, do the maths honestly before you start. The exam fee is not the part that hurts.
What CISSP actually gets you
Salary uplift, mostly. The honest answer. Multiple salary surveys (ISC2's own, Robert Half, the SANS GIAC reports) put CISSP holders 10-25% above non-holders in equivalent mid-level security roles, with the gap widening at senior-and-above levels. In Australia, the typical bump on a new role is $15-30K. Over a 10-year career horizon that easily clears six figures of accumulated gain. The cert pays for itself dozens of times over if it lands you a single role you would not otherwise have got.
Recruiter signal. Recruiters filter LinkedIn searches by "CISSP" because it is the closest thing the security industry has to a universally-recognised mid-level credential. Without it, you are competing with everyone. With it, you appear in a smaller shortlist that recruiters trust more. The signal is real even if the underlying knowledge is overlapping with what you already do at work.
Doors that open without explanation. Some senior roles, particularly in government, defence, and large enterprise security, simply require it as a hard filter. You do not get to argue your way past the requirement, and they do not let you sit for it on the day. Having it ahead of time is the only way through that door.
Confidence in your own breadth. The eight CISSP domains force you to know the parts of security you avoid in your day job. If you work in SOC, you will be forced to learn architecture and governance. If you work in GRC, you will be forced to learn cryptography and software security. Whether or not that "broadening" is worth 800 hours is the real question.
What CISSP does not get you
Technical skill. CISSP is a breadth-not-depth exam. You will not become better at writing detections, configuring firewalls, doing incident response, or any actual hands-on security work as a result of passing it. The cert is famously, sometimes proudly, "a mile wide and an inch deep". If your career goal is to be a hands-on engineer, OSCP or PNPT or one of the SANS GIAC technical certs will move you further faster.
Permission to lead. A CISSP does not make you a security leader. You become a security leader by leading - by running an incident, by building a programme, by translating risk to the C-suite. The cert helps you get the interview where you can demonstrate that. It does not substitute for the demonstration.
A shortcut around experience. ISC2 requires five years of relevant work experience to be certified (you can take the exam and become an Associate of ISC2 first, then convert when you hit the experience threshold). The cert is calibrated for people who have already done the work. If you are early-career, it is the wrong cert to chase - Security+ or SSCP is a better fit.
Was it worth it for me?
Yes - but with a specific caveat. I was at a fork in my career. I had been doing cloud security and identity work for about six years and was bouncing between titles like "Senior Cloud Engineer" and "Security Architect" without a strong external signal that justified the senior framing. The CISSP closed that gap quickly. Within four months of getting certified I had moved into a Senior Cloud and Security Architect role with a meaningful pay rise.
The caveat is that the cert *was the right tool for that specific transition*. If I had stayed where I was, or moved into a more hands-on engineering role, the 800 hours would have been better invested in deep technical work - SANS courses, contributing to open-source security tools, building something. The cert is a positioning tool. It is worth its price if you need positioning. It is not worth it if what you actually need is depth.
Who should do it, and who should not
Do it if: you are 4-7 years into security, you are aiming at senior-and-above architecture or leadership roles, you are in a market where the cert is a hard filter (government, large enterprise, defence), and you have honest agreement from the people you live with about the time commitment.
Skip it if: you are early-career (do Security+ or SSCP), you want to be a hands-on technical specialist (do OSCP / GIAC / hands-on labs), you already have a senior role and the recruiters know you, or you cannot honestly make 6-10 hours per week for the next 12-18 months without sacrificing relationships or health.
Defer it if: your current employer will fund it within the next year. Wait. The opportunity cost of paying $1,000-$2,000 out of pocket for something your employer would have covered is real, and the certification is not going anywhere.
How ReadRoost helps you prep
ReadRoost ships a CISSP pack with all eight domains covered. Every question goes through our validation pipeline: Kimi K2 generates the question, Claude Opus reviews each against the latest CISSP Exam Outline and the Sybex Official Study Guide, and any question whose explanation cannot be supported by the official sources gets flagged and rewritten before publish.
Spaced repetition surfaces your weakest domains - which for most candidates ends up being Domain 3 (Security Architecture and Engineering) and Domain 8 (Software Development Security). Mat's own CISSP credential informs the question style, particularly around the scenario-judgement format that catches most first-timers off guard.
Frequently Asked Questions
How long does CISSP take to study for?
Realistic range is 400-1,200 hours total, spread across 6-18 months depending on your existing security background and weekly time available. Candidates who already work in GRC, risk, or architecture domains tend to be at the lower end. Hands-on SOC analysts or penetration testers often need more time on the governance and software-security domains.
Can I sit for CISSP without 5 years of experience?
Yes. You can take and pass the exam without meeting the experience requirement and become an "Associate of ISC2", with up to six years to gain the experience and convert. This is the right path if you are 2-4 years in and your manager is willing to mentor you toward the role that completes the requirement.
Is CISSP harder than Security+?
Substantially harder. Security+ is a foundational cert that rewards memorisation; CISSP is a scenario-judgement exam that requires you to think like a security manager evaluating trade-offs. People who treat CISSP like a memorisation grind typically fail. The right preparation includes a lot of "given this situation, what would a CISSP-mindset person do" practice, which is harder to scaffold than pure fact recall.
Does CISSP expire?
Yes. CISSP certification requires 120 CPE (Continuing Professional Education) credits every three-year cycle, plus the annual maintenance fee. CPEs are easy enough to accumulate through reading, podcasts, conferences, and writing - but it is an ongoing commitment, not a one-and-done.
CISSP or CISM - which one first?
For broad recognition and recruiter signal, CISSP is the safer first choice in 2026. CISM is more focused on security management and governance specifically and is excellent if your career is heading purely into security leadership. Many senior security folks end up holding both - CISSP first, CISM second within a year or two if the leadership path is the direction.
Reading is good. Practising is better.
Practice questions, flashcards and timed exams for 57 certifications. Start with a free starter pack — no card needed.




