I sat for the CISSP a week ago. CAT, 100 questions, minimum length, passed. I'd given myself a week to prepare. I spent most of it reading the official study guide, working through practice questions, and confirming for myself that the work I'd been doing all along had names that ISC2 also used.
This isn't a study-plan post. There are a hundred of those, and the people writing them know more about test-taking strategy than I do. This is a post about what the experience actually meant, which turns out to be different from what I'd expected.
Here's what I expected: a credential ceremony. A piece of paper that says I'm allowed to apply for the jobs I'm going to apply for. Useful, necessary.
Here's what I got: validation.
Not validation that I knew the material. I'd been reasonably sure of that going in, which is why a week was enough. Validation in a different sense. The CISSP, more than any technical exam I've taken, asks you to think about security the way a senior practitioner thinks about it. There's a phrase that gets repeated in CISSP study circles to the point of cliché: "think like a manager." It means that on a question with two technically valid answers, the correct answer is usually the one that addresses risk at the policy or governance level rather than the one with the more clever technical mitigation.
When I was studying, I noticed something: I didn't have to learn that framing. It was already how I think. A career of running infrastructure, leading incident responses, and sitting in front of boards explaining why the budget for security needs to be what I'm asking it to be had quietly trained me into the exact mode of thinking the exam was testing for. The "think like a manager" advice that other candidates were drilling into themselves was already my default.
That was the thing the exam confirmed. Not that I knew the eight domains, though I do. That the way I'd developed of approaching this work was, in fact, the way the senior security community approaches it. It's a small thing to learn about yourself, but it's not nothing. Most of what we do in IT happens without external validation. You make calls, you live with the outcomes, you adjust. You rarely get an authoritative voice telling you "yes, you've been thinking about this correctly." The CISSP, in its strange standardized-test way, did that.
The exam itself was a slightly disorienting experience. CAT, computerized adaptive testing, adjusts the difficulty of each question based on how you've been doing. If the engine decides early enough that you're either clearly above or clearly below the bar, it stops asking and ends the exam. I got the minimum 100-question version, which means the engine had made up its mind before the maximum 150. You don't know which side of the bar it landed on until you walk out of the testing center and check.
There's a particular kind of quiet you experience between submitting your final answer and seeing the result. I'd told myself I was prepared for either outcome, which I was, but the prep was sitting somewhere in my body that wasn't doing me much good in that two-minute window. Walked out, checked, passed. I didn't feel triumphant. I felt the way you feel when a thing you've been carrying lightly for a while turns out to be done. The lightness gets a little lighter.
I texted a few people. I told my wife. I went to work on Monday.
The endorsement step took less time than I'd planned for. ISC2 requires that a current CISSP holder vouch for your professional experience before the credential is officially conferred. I asked Sean, a colleague I've worked with long enough that the experience verification was a formality, and he signed the same day. I appreciated the speed but I appreciated the gesture more. The CISSP is a credential, but the endorsement is a small ritual where someone in the field looks at your work and says yes, this person is one of us. That meant more than the certificate.
The certificate showed up. I haven't framed it. I probably won't. The four letters live in an email signature I rarely use and on a few profile pages where they'll be scanned by people I'll never meet.
I'd recommend the exam to people who've been doing the work long enough to feel ready for it. That sounds tautological, but the more specific version is: if you find yourself reading sample questions and your gut answer matches the official answer most of the time, you're probably ready. If you find yourself reading sample questions and thinking "wait, none of these match how I actually think about this," you're either not ready or you're the kind of practitioner the exam isn't designed to certify, and either of those is fine, just know what you're walking into.
For me, the week of preparation was the right amount. Not because I'm particularly fast, but because the exam was mostly asking me to recognize a worldview I already had. The studying was confirming the vocabulary, not learning the material. Other people will need a different ratio. The honest version is: the prep time you need is roughly inversely proportional to how long you've been doing security-adjacent work at a senior level.
I'm glad I sat for it. I'm gladder that the experience was less about clearing a hurdle and more about a quiet confirmation of something I'd suspected but never had reason to say out loud: I've been doing this at a senior enough level, and well enough, that the field's standardized way of testing for senior-level thinking and my own way of thinking are essentially the same. That's not the kind of thing that comes up in a performance review. It's the kind of thing you can only really learn from a stranger who designed an exam.
So: passed. CISSP. The ledger checks out.
Chris