ISC2 member Bryan Green, CISSP, reflects on his two decades as a certification holder and discusses the value he has derived from being a certified cybersecurity professional.
As an airman enlisted in the U.S. Air Force, I never imagined delivering a presentation to the man across from me. During my service, General Colin Powell was the Chairman of the U.S. Joint Chiefs of Staff, the highest-ranking officer in the military, and principal advisor to the President of the United States.
Now, he was waiting for me to speak.
I felt nervous but also prepared. As a Business Information Security Officer (BISO) at Salesforce, I was responsible for briefing members of the board of directors on the company's enterprise cyber strategy.
I can’t reflect on the journey from military teen to presenting to a future Secretary of State without acknowledging the role ISC2’s Certified Information Systems Security Professional (CISSP) played in my career development.
On the 20th anniversary of earning the certification, I wanted to reflect on the value of a CISSP and offer some advice to practitioners considering sitting for theirs.
The CISSP is the de facto cybersecurity “bar exam.” It is the most comprehensive and rigorous assessment of cybersecurity knowledge available. When the letters “CISSP” follow someone’s name on their LinkedIn profile (and nearly all who hold the certification put them there), it demonstrates the certification's significance. For many, a CISSP becomes an essential part of their professional persona.
Like the bar exam, the CISSP is a sprawling knowledge check covering a range of disciplines, from risk management to security operations. Like the bar, the CISSP is meant to give holders working mastery across a breadth of disparate cyber domains. This common body of knowledge is then applied by practitioners who work in highly focused specializations (e.g., engineering, architecture, or governance roles). CISSP holders often start their careers in a single domain or specific cyber discipline, then rise through the ranks of cybersecurity as they achieve mastery of the various subdisciplines.
The exam roots out one-trick ponies, ensuring passing CISSP candidates possess a well-rounded understanding of all topics they may encounter throughout their careers in infosec. For those looking to eventually manage multiple functions, as a CISO or BISO for instance, this can be an indispensable background.
The test is also admirably vendor-agnostic, lending it additional credence in a field that prizes objectivity and effectiveness over badges and bluster. Those who pass the CISSP exam build credibility among their professional peers, expand their employment options, and display their commitment to growing in the field.
If I were to offer my advice to prospective CISSP candidates, it would be this: Focus on developing your professional experience before rushing into the exam. ISC2 has tailored the test to “experienced” practitioners “interested in proving their knowledge,” so make sure to accrue it first. The experience requirement is not just advice: ISC2 requires five years of cumulative, paid work experience in two or more of the CISSP domains before it grants the certification (a four-year degree or an approved credential can satisfy one of those years), and candidates who pass the exam without it become Associates of ISC2 until they accumulate it. Just as you wouldn’t jump into an MBA or Ph.D. program without practical experience, the CISSP deserves the same forethought. It takes time to build your professional credibility and to decide where to focus in this expansive field we call infosec.
Honing practical, hands-on skills doesn’t cease to be necessary after earning your CISSP, either. I did not jump from becoming a CISSP to briefing boards populated by top military brass. I remained focused on deeply understanding the fundamentals and being brilliant at the basics for years. This experience, as well as mastering the material covered by ISC2’s knowledge domains, ultimately led me to where I am.
Had I skipped any of these steps, I would not have been prepared to confidently present to General Powell or to Zscaler’s Board of Directors, or to serve as the Chief Information Security Officer at Andreessen Horowitz, a venture capital firm that backs bold entrepreneurs building the future through technology.
A lot has happened in the 20 years since I sat for the CISSP exam.
In the intervening years, the role of cyber in promoting positive business outcomes has developed to the point where the two are nearly impossible to disentangle. As cybersecurity grows in importance, cyber professionals must learn to speak the language of the business.
Security leaders evangelize their efforts as enablement-obsessed, outcome-oriented, and aligned with core strategic objectives in order to manage risk effectively.
Beyond its growth as a business function, I see cybersecurity putting a greater emphasis on privacy and data governance in the coming years. The rise of generative AI and large language models will increase productivity and also enable increasingly sophisticated and effective attacks. Organizations of any size and seriousness will need professionals who can thoughtfully craft controls and policies that mitigate AI-enabled attacks and govern the use of AI tools.
It’s a cliché to say that the digital world is rapidly evolving. But it’s true. Anything I write today could be undone tomorrow by progress in blockchain, IoT, AI, or some unforeseen technological advancement.
Yet, those with the most comprehensive understanding of today’s cyber challenges will be best prepared to tackle tomorrow’s. If that sounds like the career you’re looking for, you could do worse than going for your CISSP certification.
Thanks for reading. I now invite you to geek out, and if you have a lower CISSP number than mine (#54648), I'd love to hear from you.
Bryan Green, CISSP is CISO of Andreessen Horowitz.