During 2024, John Young, MBA, ISSAP, ISSEP, ISSMP, CISSP, CCSP, CSSLP, CGRC, SSCP, CC, became the 11th person to hold all nine ISC2 certifications at the same time. This achievement was made even more challenging as he achieved this across a period of just six months. He explains why he did this and shares his advice for anyone looking to work towards a certification.

John Young, MBA, ISSAP, ISSEP, ISSMP, CISSP, CCSP, CSSLP, CGRC, SSCP, CC

Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

Earning the CISSP certification is a significant accomplishment in itself and can be career changing, as it’s considered the cybersecurity professional gold standard. However, ISC2 offers eight others. I could have easily been satisfied with achieving the CISSP, but what motivated me to pursue all nine ISC2 certifications?

As a hiring manager, I know the three criteria a cybersecurity candidate is assessed on during an interview are their experience, education, and certifications. I wanted to be comfortable that I didn’t have any weaknesses in those critical areas, nothing a tough interviewer could pick apart. With 40 years of experience, the majority spent at IBM and McDonnell Douglas, and an MBA, my lack of recent certifications was easily my weakest point, and I knew that had to change.

Breaking down my main motivating factors:

  • I mentor many students, and people who want to get into cybersecurity, or advance their careers if they’re already in the field. Preaching about certifications without having them myself was hypocritical, and I decided to be a good role model, not a hypocrite.
  • The company I work for, Quantum eMotion, is a quantum encryption and communication security company. After Nasdaq posted that QeM had named an international cybersecurity expert to their Board of Directors (me), I felt the responsibility to prove my qualifications beyond a shadow of a doubt. I decided it would be an excellent challenge, my experience versus the toughest, most well-respected certifications in cybersecurity; and yes, that certainly proved to be the case, as it was a very tough challenge!
  • At the 2024 ISC2 Security Congress in Las Vegas I learned there were only 10 people worldwide who’d earned all nine ISC2 professional certifications, and I became determined to be the 11th.
  • Everything these days revolves around branding, and I knew it had to be good for my personal brand. ISC2 has 265,000 members and associates, so being one of 11 people globally to hold the nine certifications would help me stand out in an increasingly crowded field.
  • This is an admission, but at age 65 I wanted to prove my mind was as sharp as ever, and my cybersecurity skills were relevant, even cutting edge. I couldn’t think of a better way to do it than to attain the nine ISC2 certifications, yet I surprised myself when I got them all in six months.
  • It inspires me when other people post about their certification achievements. I wanted to inspire others in the same way. Even older people who have nothing to do with cybersecurity, I hope to inspire them as well, no matter what goals they’re pursuing.

Why Take on Such a Challenge?

Did I tell anyone about my plans? No, I did not. I’m not crazy. For people in cybersecurity, it’d seem like an off-the-wall idea for any number of reasons. For people outside it, they would not understand the relevance or importance of what I was trying to do. It became my Big Little Secret, but after I’d passed the CISSP, ISSMP, ISSAP, CCSP, and ISSEP, in that order, the possibility I could pull it off became a driving force.

I believe it’s good advice for anyone to keep it to themselves when they’re going for a certification, or for an important personal goal. Why? I feel it’s a waste of time to explain to others what I’m trying to do, time that’s better spent on studying, and focusing on goals, instead.

Initially, I gave myself two years to complete the nine certifications, but I admit I got caught up in the festivities at the Security Congress in Las Vegas, especially the celebration of the 30th Anniversary of the CISSP. I thought it would be amazing if I could pass each of the exams by the end of the year, and that sped up my timeline.

Now that I’ve covered “The Why” in detail, let’s move on to how I did it.

Working Towards a Certification, or Nine

First off, I have an excellent memory, but no, I don’t have a photographic one, if that even exists. I didn’t do bootcamps for any of the certifications, which have a place, but they’re not for me. For those unfamiliar with these, a bootcamp is a highly intensive learning program, usually lasting a week or two where you are completely immersed in the subject. Bootcamps are normally residential so you eat, sleep and breathe it away from other distractions. At the end of the study program before you leave, you sit the exam.

Rather than going down that route, I relied mainly on two things: my experience and diligent studying in the areas I had less experience, to fill in the gaps.

It takes serious discipline to earn any kind of legitimate professional certification, just like it takes it in the gym to build a great physique. Another critical factor is being able to find quality information related to the exam domains, which sounds easier than it is. One of the keys to my success was using sources I trusted, namely people and organizations who’d been doing this for quite some time. Anyone seeking shortcuts who falls down the rabbit hole of “guaranteed results” from exam dump scams is not only cheating, but setting themselves up for failure, and bitter disappointment.

For the CISSP and CCSP there’s an overwhelming number of great resources to tap, it’s almost an embarrassment of riches. For some of the other certifications, not so much. Since I was paying for everything out of my own pocket, I expended considerable amounts of time researching where to get information for the least amount of cost, time I could’ve used better on studying.

Every day, thousands of people on Reddit, Discord, YouTube, and LinkedIn are searching for the magic formula to pass their next exam, with hundreds more telling them how they personally did it. If you ask ten CISSPs what resources they used, you’ll find it’s like questioning a chef about their favorite recipes; there are some common ingredients, but I’ve not seen any two CISSPs who did it exactly the same.

The biggest complaint you’ll see online for certain certifications is that the Common Body of Knowledge (CBK) study materials haven’t been refreshed recently. The good news is that in January of 2024, ISC2 launched the Unified Body of Knowledge Project, a massive undertaking with the stated goal of transitioning ISC2 away from separate CBKs to a new singular reference covering all the certifications. I experienced frustrations relating to a lack of updated study materials myself and have volunteered to work on the project, which is open to all interested parties.

Leveraging Training Resources

Near the end of my run, I took pity on myself and went for the ISC2 self-paced training before attempting the CGRC, CSSLP, and SSCP. The 90-day courses were offered at a 40% discount at the time, which was the perfect option for me.

Once again, though, what worked for me may not work well for you. In the forums, channels, communities and subreddits, potential candidates are desperate for the “how they did it secrets” from someone who’s passed the certification they want. This leaves them wide open for scammer exploitation. My recommendation is to avoid anyone who promises you great success, but with minimal effort. Odds are, they’re just looking to take your money, and leave you hanging.

That’s not to say there isn’t a common thread running through these success stories, because many reputable people and organizations DO provide excellent study materials. I’ve seen those who pass the exams testify who helped them get their certifications and it’s the same names repeatedly. I personally used most of them myself and obviously, they helped me, too. Besides study materials from ISC2, there are organizations recognized by ISC2, like Infosec Institute and Cybrary, where, upon completing their courses, I was able to count credits towards my Continuing Professional Education (CPE) total.

Quick tangent; another common question I get is about the required CPE credits needed to maintain the nine certifications. On paper, my total over the next 3 years is 525 CPEs.

Certification    CPEs Over 3 Years
CISSP            120
ISSAP            20
ISSEP            20
ISSMP            20
CCSP             90
CSSLP            90
CGRC             60
SSCP             60
CC               45
Total            525

Fortunately, as activities that can be cited for CPE credit can apply to multiple certifications, the reality is that I won’t need to earn 525 unique credits. This reduces the overall maintenance and continuous education workload required to keep my knowledge up to date, without compromising the integrity of the process.

Getting back to study materials, which ones did I trust and use myself, or people raved about?

I’ve already listed ISC2 itself, Infosec Institute, and Cybrary, but there are others: Cert Mike, Pocket Prep, Destination Certification, Boson Exam Simulator, Pete Zerger’s free YouTube videos, the WannaBeA CISSP or CCSP series, and The Official Study Guide (OSG) bundle, with practice questions.

These are also the dedicated and talented instructors that advance the profession every day with their training videos, study guides, classes and positive outlook, who I suggest you follow on social media: Professor Mike Chapple, Pete Zerger, Dr. Jeff Crume, Gwen Bettwy, Rob Witcher, John Berti, Lou Hablas, Prabh Nair and Leo Dregier.

I’m also compelled to recognize Ben Malisow, who I stumbled on by way of the Carnegie Mellon University FedVTE cybersecurity courses that were free to military veterans. CISA took over from FedVTE after I was finished with my certifications, so look there. These were older videos, but incredibly worth it for the CISSP, ISSEP, and ISSMP series. Ben Malisow explained complex details extremely well, and I was really impressed by him.

Outside of the ISC2 world is Ian Neil, an absolute legend in cybersecurity who helped countless people get certified. I was honored when he asked me to be a technical editor on his bestselling Security+ 701 study guide book based on my experience, before I had any certifications. I worked closely with Ian, and give a lot of credit to it, because this set me up for success as the ISC2 entry-level CC and SSCP are closely aligned with his Security+ materials.

Advice to Anyone Working Towards a Certification

My tips apply to any certification exam and show it’s important to recognize the physical, not just mental, components of studying and test taking:

  • Don't continue to study when you're struggling, because you're not going to remember much. Stop, take breaks, or call it a night, otherwise there's a good chance you're just wasting your time.
  • Get a good night's sleep the night before the exam.
  • Spread your studying out. Don't try to cram it into the last few days.
  • Review the material for a couple of hours on the day of the exam. A few right answers picked up during this refresh period can put you over the top.
  • This is no joke; make sure you're well hydrated to help your brain work better.
  • If you have a back problem, or need to stand up during the exam, the Pearson-Vue site I was at had single person rooms to stand up in without disturbing others. Ask the proctor about it.
  • Use the restroom right before taking the exam; the timer doesn't stop for a break, so don't lose valuable time that can be the difference between a pass or fail.
  • Find your peak hours to easily answer questions. I try to book my exam time at 3pm. 8am felt too early, and after 5pm, it felt too late.
  • Mondays were the best exam days for me, because I could devote the weekend to studying.
  • Try the free ear plugs, they'll help block out exam room distractions.
  • Studying for any certification is a long haul and can drain your confidence. Watch videos on YouTube from Motivation2Study and Motiversity, their content will help.
  • My ritual was to stop at Starbucks and get a coffee just before the exam. I know it might sound simple and a little weird, but it worked for me. Having structure in what you do in the run up to an exam can help with focus.

I’ll end with this; I wish you all good fortune during your certification journey, and know in my heart that, at the very least, you’ll feel great satisfaction from following your dreams!

John Young, MBA, ISSAP, ISSEP, ISSMP, CISSP, CCSP, CSSLP, CGRC, SSCP, CC, has spent his entire 40 plus year career in cybersecurity and IT, the majority as an employee with IBM and McDonnell Douglas. He’s authored four books, dozens of articles and has appeared on over 20 podcasts as a cybersecurity guest expert. John retired from IBM’s Cloud Division in 2023 and in 2024 he was named to the Board of Directors for Quantum eMotion, a world-class quantum encryption and communications security corporation. In April of 2025 he assumed the COO role at its subsidiary Quantum eMotion America. He was also appointed to the Board of Advisors at the Cal State Fullerton Business School’s Giles-O’Malley Leadership Center in 2024, where he mentors aspiring business students.
