Is The CISSP A Good Investment For Your Cybersecurity Career in 2025?
Plus a free copy of my new book!
It's hard to believe, but 2025 is almost here!
As people look at their remaining learning goals for 2024 and start making new ones for 2025, the topic of certs always pops up.
When it comes to cybersecurity certs, nothing tops the list more than the Certified Information Systems Security Professional (CISSP).
The CISSP is the most well-regarded cybersecurity cert and is considered the “gold standard” within information security.
However, these last couple of years have seen a backlash against cybersecurity certifications.
People are frustrated at not getting jobs despite having many certificates, leading them to question the value of having them.
A lot of professionals now scoff at these “paper certs”, which do not tell you anything about how qualified a person is.
It is now considered “cool” not to have a cybersecurity cert.
I understand SOME of the criticism as many people just become cert factories and do every certification under the sun without any real-world experience to back it up.
CISOs and companies are disappointed when they hire a (on paper at least) “certified” person, and it turns out he or she cannot deliver as they hoped.
So, will the CISSP still hold up in 2025?
First, let us take a quick look at what the CISSP is.
What Is The CISSP Certification?
As per the exam outline itself:
CISSP validates an information security professional’s deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization.
The CISSP Common Body of Knowledge (CBK) consists of the below eight domains:
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security
Along with passing the exam, you must demonstrate five years of work experience in one of the eight domains listed above. Otherwise, you are considered an Associate of (ISC)².
And that’s it, honestly. It is a comprehensive exam covering a huge number of cybersecurity topics, and (ISC)² has done a great job of keeping it updated over the years.
I passed my CISSP exam in 2005 (yes, I am that old), and it is quite impressive that two decades have passed, yet the CISSP has remained popular and relevant.
Criticism Against The CISSP
Despite its strong standing in the industry, many people have recently spoken out against the cert.
A few of the common criticisms against the CISSP are:
It only teaches concepts and is not technical in nature
The CISSP never claimed to deep dive into specific technologies; it is supposed to be a vendor-neutral certification.
The whole point of the cert is to teach you concepts you can apply to any technology over time.
It does not make you an expert in any particular area
Yes, again, the CISSP covers every area of cybersecurity in its eight domains, and then it is up to you to decide what area you want to specialize in.
The exam will make sure you have the necessary knowledge in place to succeed in cybersecurity, but it won't tell you what area to dive deep into.
It is too expensive to get and maintain
OK, this is something I will probably agree with, as the cost to get, maintain, and annually renew the certificate can definitely compound over time.
Do check if your company is nice enough to reimburse these costs, though!
Companies that get breached have CISSPs on their teams
Yes. Who was the genius that thought having a CISSP makes you hacker-proof?
PCI DSS and ISO-certified companies also become compromised, but that does not mean you should discard these standards.
There is no substitute for cybersecurity experience!
I agree 100%, which is why a five-year experience requirement exists.
Even with a CISSP, you have to interview the person and see if they meet your needs.
CISSP + experience gives a person credibility, and how much credibility varies from person to person.
Having Realistic Expectations About The CISSP
Most of the above criticisms can be leveled at virtually any certification, not just the CISSP.
Part of the problem is the hiring manager’s perception of the CISSP.
They automatically assume the person is an expert if they spot the green cert on a person’s profile.
They have to realize that once a person is hired, it is not a “silver bullet” that will solve their cybersecurity problems.
At the same time, it is ridiculous to think that the CISSP does not give value.
You can have a dozen pentesters, but they will not know how to create a high-level cybersecurity roadmap or launch a risk management program. This is something a CISSP-certified professional will have in-depth knowledge about.
Why You Should Get CISSP-certified in 2025
As I mentioned, I became CISSP-certified in 2005, making me the fifth certified person in my country at the time.
At that time, a person holding a CISA or a CISSP was a minor celebrity in the industry, and consulting companies would compete to hire you.
That is no longer the case, sadly.
Times are tough, and tech layoffs mean there is a huge competition among job seekers, with many CISSPs looking for jobs.
But consider this.
While having a CISSP will not give you too much of an advantage, NOT having a CISSP means you will not even pass the first screening phase.
HR will probably screen your CV and remove it before it reaches the CISO’s desk.
Start preparing for the CISSP, AND get hands-on experience on your CV to stand out.
Whether you agree or not, the CISSP is considered the big daddy of cybersecurity certs and a great stepping stone to future management roles.
It will not harm your career, and it will pave the way for future success.
Wishing you all the best in your cybersecurity career!
My new book “The Practical CISSP Study Guide” has just been published and is free on Kindle. Do check it out HERE. Happy learning!
How would you rate the CISSP vs ISACA related certifications (CISA, CISM)?
I've learned ISC2 received a lot of bad feedback from the community regarding their exaggerated projections, which damages their credibility as a trustworthy institution.
Thank you very much!