Passing the CISSP: Lessons Learnt, and What Comes Next

Authors
  • Mansour Jalaly

The result first

In November I sat the CISSP and passed. The endorsement process is done, the letters are official, and I have had a few weeks to let the experience settle — which is about the right distance to write down what actually mattered, separate from the adrenaline of the test centre.

This is the post I went looking for before I started studying and never quite found: not a resource dump, but an honest account of what the exam rewards, where I spent effort badly, and how I am choosing what comes next.

What the CISSP actually tests

The most useful thing anyone told me: the CISSP is not a technical exam that happens to mention management — it is a risk-management exam that happens to mention technology. Eight domains, from security architecture and IAM through to software development security, but the questions rarely ask can you do this. They ask what should be done first, and who decides.

Coming from hands-on detection engineering and incident response, that reframing was the single biggest adjustment. My instinct on a scenario question was to reach for the technical fix. The exam consistently wanted the answer one level up: assess the risk, consult the policy, protect life and safety, involve the owner of the decision. Once I started answering as the adviser in the room rather than the engineer at the keyboard, my practice scores jumped.

The experience requirement does real work here. Years of incidents, post-incident reviews, and executive briefings meant large parts of the exam were recognition rather than recall. Domains seven and eight — security operations and software development security — cost me very little study time. Governance frameworks and the legal and regulatory material cost me the most.

How I prepared

Nothing exotic, deliberately:

  • One primary text, read properly. The official study guide, cover to cover, with notes — rather than skimming three different books. Most of the value was in the domains furthest from my day job.
  • Practice questions early and in volume. Not to memorise answers, but to train the style of CISSP reasoning — eliminating the two technically-correct-but-wrong options and picking the answer ISC2 wants. I tracked scores per domain and let the weak domains direct the reading.
  • Experience as revision. For every governance concept I mapped a real engagement or incident onto it. Abstract frameworks stick when they have a war story attached.
  • Respecting the CAT format. The adaptive exam gives you no feedback, no review, and no second pass. I practised committing to answers and moving on, because hesitation is the real time-killer.

Total elapsed time was around three months of evening and weekend study, heavier in the final month.

What I would do differently

  • Book the exam first. I studied for several weeks without a date and drifted. The moment the booking existed, the studying became serious. Deadlines are the cheapest productivity tool there is.
  • Start practice questions in week one, not week five. I "saved" them until I had read more, which only delayed the diagnostic information I needed about where I was actually weak.
  • Spend even less time on my strong domains. Comfort reading feels like progress. Re-reading incident response material I use every week was reassurance, not preparation.
  • Trust the first instinct in the exam. The questions I agonised over were rarely improved by the agonising.

What comes next: CCSP, OSCP, CEH

With CISSP, GSEC, and the OCI Security Professional in place, the question is what adds signal rather than wallpaper. My current thinking:

CCSP is the natural next step. My day job is cloud detection and cloud security architecture, the CISSP satisfies its experience requirement, and the overlap in study discipline is real. It deepens the credential set in the exact direction my work already points.

OSCP is the one I want for the engineering, not the CV. Detection work is better when you genuinely understand offence, and my CTF time on Hack The Box and TryHackMe keeps confirming it. The OSCP is a serious time commitment — months of lab work, a 24-hour practical — so it earns a dedicated block of the calendar rather than being squeezed into evenings. It also feeds directly into Project Vivarium: the better I am at the red side, the better the adversarial agents and the detections that answer them.

CEH is the honest maybe. It opens doors with HR filters and some government frameworks, but technically it sits well below OSCP, and as a knowledge check it overlaps with ground GSEC already covers. If it happens, it will be opportunistic — not a goal in its own right.

So the order is CCSP next, OSCP as the project for the year after, CEH only if circumstance makes it cheap. Ask me again after the CCSP — test centres have a way of revising plans.