I’ve written before about getting my start in the tech industry, and my experience with security since. What I haven’t written about is my experience with the “Certified Information Systems Security Professional”, or CISSP, certification, and what it means to me. This is a story 25 years in the telling.
It’s only fair to acknowledge that 25 years ago I was a stupid young guy in his early 20’s with the responsibility of a young family and the immaturity of a college kid. I also thought I was much more clever than I actually was. Looking back on that guy now all I can say is that I had a lot to learn. So, if anyone who knew me back then sees this post at some point, well, I have indeed learned a lot. Some lessons were very hard indeed.
One thing that guy had on his desk back then is a massive three-inch book titled the “CISSP Study Guide”. Our boss, Senior, had said that it was the only certification that he thought was worthwhile. It was also the only certification that none of us at the time could get, because one of the requirements for it then was, and remains now, that you must have five-years of security experience before you can be certified. But I was cocky and figured I could get it soon as I had the experience.
Time went on, I’d page through the book sometimes. We moved, I got out of the military and we moved again, I brought that book with me and it sat on the shelf. I did continue to work in both security and sysadmin, and later programming and devops, but my aspirations for passing the exam went by the wayside. It was hard, I mean hard, and expensive. So it was a gamble that I never felt confident enough to take. Eventually, I think the book was sold to a second-hand bookstore. I don’t have it anymore.
But then there was AI. ChatGPT, Claude, and the like turned the tech industry on its head, and it doesn’t look like there’s any going back. The genie is out of the bottle. I’ve been watching as thousands of jobs have been lost in the tech industry over the past few years. Some of that’s due to over-hiring during COVID, some of it’s due to economic pressure, and some of it is at least claimed to be due to “efficiencies” from AI. So, I saw a confluence of pressures pointing towards security being a safe bet.
For one, I’m an old-school sysadmin at heart. And the number one rule of being a sysadmin is “always have a backup”. I feel very confident in my current position, and I’m optimistic about the future of the company. However, that doesn’t mean that I don’t also need to prepare for things taking an unexpected turn.
Secondly, I’m turning 50 this year, and regardless of what should be, ageism is a very real thing in the tech industry. I’m still looking at 10-15 years of work ahead of me before I retire, so I wanted to make sure that whatever direction I went in would be far enough removed from dev work that age wouldn’t be an issue, and close enough to it that my decades of experience would make a difference. I’m an engineering manager now, of a very small (but awesome!) team. I think that’s a pretty good place for me, all in all, but if worse came to worse, could I rely on only my experience as an engineering manager to get me to whatever comes next? I didn’t feel quite comfortable yet.
So, I started thinking about my security experience again. I realized that a significant number of deployed applications were built using AI. Some developers even claimed that they didn’t even look at the code anymore, just let the robot deploy to production. Between using AI to both find security holes and create them, it seemed like a good idea to be right in the middle.
So, about six months ago, I sat down with my wife and explained my reasoning. We looked at the signup page for the CISSP exam, pondered the $750 price tag, discussed the commitment in time that I’d be signing up for, and decided to go for it.
I initially thought I’d only need three months to study. Every morning I’d load up the Udemy course I’d signed up for, watch the lecture, and take notes by hand in my notebook. I went through the entire course, and started taking all of the practice exams. As the date grew nearer, I got more and more uncertain that I was ready. So, I made a call and pushed the date back another three months, to July 9th.
I continued to study, though not as often. I spent many mornings taking practice exams, and many nights after dinner transcribing my notes from hand into the computer. When I got a question wrong in the practice exam I’d write the question and answer down on a notecard. I learned a lot. The place of policy in an organization, how to think about risk management, how to prioritize work in different environments, and how to accept risk when the cost of the system being attacked is less than the cost of protecting it. The CISSP requires a deeply technical background with a lot of breadth. That background is necessary, but not sufficient. The CISSP requires you to change the way you think, more like a manager, less like a technician.
The day of the test finally came. I made my way to the Pierson testing center in Des Moines, and was cleared by their security to go in the room to take the test. The process to enter the room was surprisingly thorough. I had to provide two forms of ID, get my picture taken, rather unflatteringly, and get both palms scanned. I had to take everything out of my pockets and put what I had in a locker which they gave me the key to. Finally, I got scanned three times by different wands, looking for metal, video, or any signals being sent out. Finally I was able to sit down for the test.
After the first five questions I was certain that I had made a mistake. The questions all seemed to have no good answers, or all good answers, or two answers that were entirely equal in possibility. I felt my pulse rise. After the first 15 or so I got into the rhythm and started ignoring every previous question and focusing entirely on the one in front of me. When I answered a question I moved on, no looking back, no second guessing. When I hit question 85 I started wondering how many questions past 100 I was going to have to go.
The test is meant to be between 100 and 150 questions in an adaptive format, so if you get too many wrong in a particular domain it will ask you more questions in that domain. Also, if you didn’t get to the 75% correct needed to pass in the first 100 questions, you got more chances up until 150 questions or till it’s mathematically impossible. I answered the 100th question and, instead of the computer telling me I passed, it just kicked me over to a survey asking me what I thought of the test, where I took the test, and what studying was like.
My heart fell. I thought for sure I had failed at 100 questions. The proctor saw that I was done, escorted me out of the testing room, and started printing papers at the front desk. Finally, she handed me a printout. It said “Congratulations!” After 25 years of thinking about this exam, this certification, I’d finally passed.
I don’t know where this will take me. I know that right now, and probably for the next few years at least, I have no plans to leave my current job. I’m an engineering manager in charge of the cloud infrastructure at the TARA Group and it’s a fantastic place to work. I’ve got a great team, we’re part of a great team, and there’s certainly no lack of work to be done. But, like I said, I’ve always got to have a backup, and the CISSP can only help, no matter what the future brings.
More importantly, I feel like I’ve finally closed a loop that’s been open for a very, very long time.