Is the CISSP Worth It? And is it Future-Proof?

To remain qualified, professionals need to pay an annual maintenance fee, and earn a quota of Continued Professional Education (CPE) credits. 

Becoming CISSP certified is a significant cost and time commitment. The exam is notoriously challenging to pass, leading many prospective candidates to ask: is the CISSP worth it? And will it remain so as the industry evolves? 

In this post, we’ve explored whether the CISSP is worth pursuing as a professional, and whether it’s still valuable from the perspective of a hiring manager. We’ll also look at how ‘future-proof’ the qualification is, and how important it may be considered in the years to come.  

‍

CISSP: a trust shortcut for hiring managers

Some sources suggest that the pass rate for the CISSP exam is as low as 20%, while others place this closer to 60%. ISC2 does not publish official figures for this, making it hard for candidates to draw meaningful conclusions about their chances.

While this pass rate makes the whole prospect of the CISSP more daunting, it’s a plus for hiring managers looking for the very best candidates; not only can they trust that the candidate has relevant hands-on experience and training, but they can also be confident that they’re a top performer. Simply put, it’s a shortcut to trusting the extent of the candidate’s technical ability and grounding experience. 

But, of course, it doesn’t tell the full story. Curiosity, collaboration, problem-solving, speed, ability under pressure, people management… these are all qualities and skills that the CISSP doesn’t measure so effectively. 

It’s essential that hiring managers don’t become ‘dazzled’ by a CISSP certification, affecting their impartiality in other areas, or encouraging them to bypas other parts of their hiring process. 

Improved earning and hiring prospects for cybersecurity professionals

The exclusivity and robust content of the CISSP make certified candidates more desirable, and this generally translates to better career prospects after completing the exam. 

However, passing the exam and maintaining your qualifications both require a significant time and money investment. 

‍

The cost of the CISSP exam and maintenance fee

The CISSP exam costs $749, and CISSP membership is $135 per year to renew. If you wish to take a training course in the leadup to the exam, this is an additional $2,000 to $5,000.

You will also have to build up 120 Continued Professional Education (CPE) credits every three-year cycle, proving you have spent time honing your skills as a professional (outside of work) and staying abreast of the latest developments in our industry. 

As an example, you can earn CPR credits through: 

• Volunteering for pro-bono work
• Attending webinars or conferences
• Teaching cybersecurity 
• Actively participating in professional groups or networks
• Taking additional cybersecurity courses

Even maintaining your CISSP certification is no easy task. This only serves to make it more credible in professional circles – but candidates must be willing and able to invest the time.

Change to career prospects and pay following passing the CISSP

From a financial point of view, professionals seem to agree fairly unanimously that the CISSP is worth it, and that they were quickly able to recoup the cost of the exam and maintenance fees.  

A subreddit titled ‘How worth it is the CISSP?’ is full of success stories. 

“I was studying for my CISSP while slowly being hired. I was offered the job a week after I told them I had passed. I went from around 40k to 92k.”, writes one Reddit user. “Personally, I think it's just because I'm awesome, but the CISSP may have contributed in some minute fraction of a way.”

“The instant I put my CISSP on my LinkedIn and resume my inbox got BLOWN UP. Even in this current job market.”, writes another. “Got a new job with 30% raise, way better benefits, the works. Inbox is still getting blown up.”

But it’s not all success. For some professionals trying to move into cybersecurity from an adjacent career path, their lack of hands-on experience within cybersecurity specifically meant they still had trouble securing a cybersecurity role after qualification:

“After 10 years of IT experience, I got my CISSP along with a sec plus”, writes one. “Still get told I don’t have enough experience for cyber, so I went back to SA lol. I get tons of interviews tho!”. It was one of the most upvoted posts within the subreddit. 

‍

Is the CISSP keeping pace with changes in the industry?

The CISSP is officially updated every three years to reflect changes within the industry, and ensure it’s still equipping candidates with the skills needed within the workplace. This is a big update that impacts the structure and weighting of the exam, and smaller updates may be made more frequently than this. 

‍

The future of the CISSP

The CISSP is a highly respected and internationally recognized certification which has helped professionals improve their earnings and job prospects. But will it remain as valued as it is currently?

We have a few thoughts on how this could theoretically play out. 

Highly qualified cybersecurity professionals will become more in-demand

Cybersecurity is a fast-growing industry, and there have historically been too many jobs to go around. But as AI agents become a more useful tool, and companies continue to look for smarter ways to allocate stagnant budgets, the number of entry-level jobs may be reduced. This might lead to more candidates taking the CISSP to improve their chances against the competition and for more job roles to make this a requirement. 

That said, the rise of the ‘non-technical CISO’ is real

An increasing number of CISOs do not have a technical cybersecurity background; their role has shifted, becoming more about liaising with boards and fostering a culture of security and productivity than having hands-on knowledge and experience. It’s not at all unheard of for a CISO to not have the CISSP qualification – something that would have been more surprising only a few years ago. 

Does the future lie with more specialized qualifications?

The CISSP provides a very broad education in cybersecurity, and this has been a core selling point of the qualification. But will that remain the case? 

With the threat landscape expanding and new technology emerging at pace, it’s unrealistic to expect one person to know enough about every area of cybersecurity. We believe the future lies with specialists rather than generalists, which could see field-specific qualifications gain more weight.

‍