Soaring up to Cybersecurity Leadership: How I got my CISSP


I last wrote about transitioning my career as a paragliding instructor to one in cybersecurity back in 2021! By then, I had already been a cybersecurity analyst here at Fractional CISO for about two years and had ISC2’s SSCP certification under my belt. 

The learning curve was steep, but the exposure to different industries and their security challenges was invaluable. Each client had unique security needs—healthcare with its strict data protection rules, finance with its focus on risk management—you name it. Working here was like drinking from the cybersecurity firehose! 

What started as an uncertain leap has now led me to an exciting and fulfilling career; by 2022, I had been working in cybersecurity for five years. Five is a big number in cybersecurity, because it’s the number of years of full-time work experience needed to get the CISSP certification, the next rung up on ISC2’s certification ladder and commonly considered to be the gold standard of cybersecurity certifications. 

I’m happy to report that, after a lot of studying and a very challenging test, I got my CISSP last year! I’m writing this to help those of you considering getting this certification yourself.  

Why I Chose to Get a CISSP

As I looked ahead at my career, I knew I wanted to transition from a supporting analyst role to an account lead vCISO role at Fractional CISO. Our clients value having very experienced vCISOs to lead their cybersecurity and compliance programs – which means they want to see that CISSP credential. If I wanted a leadership role, I needed to prove I had the experience and capabilities to back it up. 

What Exactly Is the CISSP?

The CISSP (Certified Information Systems Security Professional) is one of the highest-regarded certifications in cybersecurity, especially for leadership and management roles. According to ISC2, “Earning the CISSP proves you have what it takes to effectively design, implement, and manage a best-in-class cybersecurity program.” 

The certification covers expertise in eight key information security domains:

  1. Security and Risk Management
  2. Asset Security
  3. Security Architecture and Engineering
  4. Communication and Network Security
  5. Identity and Access Management (IAM)
  6. Security Assessment and Testing
  7. Security Operations
  8. Software Development Security

As I previously mentioned, you need at least five years of full-time experience in at least two of these domains to qualify. If you have a relevant degree or another ISC2 certification, you can knock off one year of the required experience.

How I Prepared for the CISSP

To get ready for the exam, I took a well-rounded approach, mixing self-study, formal training, and practice tests. I started with the official CISSP study guide, working through the end-of-chapter questions. If I got any wrong, I’d go back and reread the entire section. For topics I already felt comfortable with, I skimmed to reinforce my knowledge.

Knowing that I learn best in structured environments, I signed up for a week-long, in-person bootcamp. This was a game-changer. Being in a room with other CISSP candidates kept me focused, and the ability to ask questions on the spot made a huge difference. I took tons of notes and made sure to schedule my exam soon after while everything was still fresh.

In the final month before my exam, I used the official CISSP study app, grinding through practice tests to sharpen my knowledge. I focused on reviewing my bootcamp notes and studying some mind maps the instructor had shared.

My Certification Testing Experience

The CISSP exam is proctored and must be taken at an official testing center. When I arrived, I noticed several test-takers freaking out when they realized they couldn’t have study materials in the waiting room.

You get three hours to answer somewhere between 100 and 150 multiple choice questions. 

Sounds easy? It’s not. 

The test itself was brutal, not because I didn’t know the material, but because of the way the questions were worded. The adaptive format meant that if I got a question right, the next one would be even harder. If I got one wrong, it’d test me again in the same area to check if I really didn’t understand it or if I just flubbed one question. That made it impossible to tell how I was doing!

On top of that, most of the questions were “best answer” questions—where multiple answers could be correct, but one was better than the others. That meant carefully reading every single question multiple times. 

When I finished, I went back to the proctor, who handed me my results. I was thrilled to read:

 “Congratulations! We are pleased to inform you that you have provisionally passed the Certified Information Systems Security Professional (CISSP) examination.”

After passing, I had to complete the endorsement process, which meant getting an existing CISSP to vouch for my experience and passing an ISC2 background check. 

The only annoying part? The approval process took over two months. I took my exam on December 12, 2022, and my certification was officially approved on February 28, 2023.

How to maintain the certification with CPEs

Getting CISSP-certified is great, but keeping it requires continuing education. To maintain the certification, you need to earn 120 Continuing Professional Education (CPE) credits over a three-year cycle, with at least 40 credits per year. (CPE Handbook)

CPEs are split into two categories:

  • Group A: Directly related to cybersecurity domains, like attending conferences, taking training courses, or giving security presentations.
  • Group B: General professional development, such as leadership courses or project management training.

On top of earning CPEs, CISSP holders must pay an Annual Maintenance Fee (AMF) of $125. It’s a bit tedious to track and submit CPEs through the ISC2 portal, but it’s a pretty straightforward process. Personally, I make it a habit to attend at least one cybersecurity conference each year, watch webinars, and listen to security podcasts to keep up with the field.

Is the CISSP right for you? 

While preparing for the CISSP, I learned that it isn’t for everyone. I think you should… 

Skip the CISSP If:

  • You prefer “red team” or technical work like penetration testing or malware analysis—other certs like Offensive Security Certified Professional (OSCP), GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), or GIAC Reverse Engineering Malware (GREM) might be better.
  • You are terrible at standardized tests. It’s a standardized test on steroids. The CISSP’s tricky wording and adaptive format really add to the difficulty.

Go for the CISSP If:

  • You want to move into security management or consulting.
  • You need to prove your cybersecurity leadership skills.
  • You want a broad understanding of cybersecurity beyond just technical execution.

The CISSP is best for those who want to lead security programs and manage risk. If that sounds like your career path, it’s a solid investment in your future.

It’s the path I wanted to follow, and it has worked out great for me so far! 



Samantha Pyrcz
As the Manager of Cybersecurity Analysts, Samantha helps with training, guidance, and enablement of the analyst team. Samantha has been employed at Fractional CISO since 2019 and previously worked as a cybersecurity analyst herself. She has worked at Hewlett Packard Enterprise’s Global Security department and Centene Corporation’s Cybersecurity Incident Response Team (CSIRT). Samantha is a Certified Information Systems Security Professional (CISSP). She has a bachelor’s degree in Cybersecurity and Information Assurance from Western Governors University.
