I’ve had two different people ask me in the last month if CISSP is still worth it in 2024. I have mixed feelings, so in this blog post, I’ll explore this complicated question so you can decide if CISSP is still worth it for you.
The argument against CISSP in 2024

Let’s take care of the elephant in the room first. I know a lot of former CISSPs. If anything, it’s trendy right now to reject your CISSP. And there are three key reasons why. Maybe four.
Disagreements with the certifying body
In some cases, it’s due to disagreements with the certifying body, (ISC)², over its overall direction. And I have to respect that. Being a card-carrying member of an organization comes with the implication that you share its values. And in the cases I am thinking of, all involved tried for years to change the things that bothered them. It’s not like they took their ball and went home.
The CISSP being too general to be worth it
In some other cases, it’s just that the CISSP is too general. These are people who are extremely good at what they do, and if CISSP is any indication, their life’s work is just one question on a 6-hour test.
CISSP mills
And the third criticism is probably true of any certification, but it has validity. I once worked for a company that was basically a CISSP mill. The company has been sold and renamed enough times that I don’t feel bad about talking about it now. One manager in particular believed anyone could get CISSP, so he really treated people who had that certification as a commodity. Ironically, he never managed to get it himself. The reason he believed it was a collection of study questions that circulated around that company. If you could memorize the answers to about 3,000 questions, you’d probably pass the test. It’s not that any of those questions were on the test directly. But more than 70 percent of the questions on the real test could be broken down into somewhere between two and five of those study questions.
That meant that at the time, if you approached the real test by breaking each question down into five simpler questions, and you knew the answers to them, you probably passed the test.
Ideally, the question bank was shoring up field knowledge you already had. That’s the difference between field knowledge and book knowledge. When a test covers as much ground as CISSP does, it’s always going to be a combination of field knowledge and book knowledge that gets you through it. Ideally, it’s more field knowledge than book knowledge. But someone with good test-taking skills and a good memory can theoretically pass the test on book knowledge alone.
I can also tell when I’m talking to someone who only has book knowledge.
Too many CISSPs
The fourth reason is probably related to the third. There was a time when CISSPs were very rare. The more people have that certification, the less valuable it becomes. Some people argue there are too many CISSPs out there for it to still be valuable. As best I can tell, there are about 156,000 CISSPs worldwide.
So the CISSP isn’t perfect. Let’s talk about ways that it might be able to help you.
Why the CISSP may still be worth it in 2024 and how to know
When I first started studying for CISSP, the promise was that no CISSP ever has any trouble finding a job. At the time, there were more jobs requiring CISSP than there were CISSPs in the world. Having lived through the dotcom bust, and having a young family to provide for, of course I was ready to sign up.
And at least to an extent, that early promise was true. One time a recruiter messed up and tried to recruit me for positions not only at the company I was working for, but for the positions on my own team. They even included the pay ranges for those positions. That told me two things. One, the company wasn’t considering me for those roles but was interviewing people who profiled just like me. Two, it told me they were paying me on the low end of their pay scale.
I’m not sure which keywords people were looking for, but I do know CISSP was one of them. Even if that’s not a common mistake recruiters make, the number of recruiters reaching out to you can be a good indication you’re ready for the next move up in your career.
I’ll also push back a bit on the too-many-CISSPs argument. There are about four times as many CPAs out there as there are CISSPs. Does anyone really think we have a surplus of accountants? And while you can be a successful accountant without being a CPA, you have more options with it. My theory is the same is true for CISSPs.
How CISSP helps get you through HR
The last time I applied for a job, I was up against 170 applicants. There were times early in my career when I was up against one candidate. There were other times early in my career where I was up against 10-15 other candidates, but none of them were qualified.
And if 170 candidates sounds like a lot, a hiring manager at one of my former employers told me the typical SOC analyst position has 3,000 applicants. Nearly 20 times as many.
I remember from the early days of my career when we would have an opening and we might get 10 applicants, the hiring manager would use any excuse to decline an interview. If you misspelled a word on your resume, he stopped reading and binned your resume.
When you’re up against large numbers of candidates, you need anything and everything you can get to keep your resume on the pile rather than in the bin.
Anymore, the only time a CISSP is a deciding factor in you getting a job is when you are offered a promotion and the promotion requires it. That’s why I got mine. Every time since, CISSP may have helped me get in the door, but I had to demonstrate something else during the interview to land the job. I can also think of 3-4 jobs I applied for where I was a slam-dunk but didn’t get the interview. When you’re up against hundreds or thousands of others, that’s going to happen.
When the competition for jobs is as tough as it is now, I want every little thing I can find to help me stay in the game long enough to get the interview.
Look at the job market
But I think the big thing that helps you answer the question of whether CISSP is worth it is looking at the job market. Before I had CISSP, I looked at my local job market. I found a handful of jobs I was qualified for, but all of them were a lateral move at best. Sometimes you can’t avoid making a lateral move. But it’s always better if making a lateral move isn’t your only option.
Then I looked for CISSP jobs and found it at least tripled the number of jobs I could apply for if I needed to.
Arguably, I’m approaching the point in my career where CISSP is more of a nice-to-have than a need-to-have. But in two of the last three times I’ve changed jobs, I’ve been in a multi-offer situation, even in 2023 when the job market was abysmal.
So if you are having difficulty deciding whether CISSP or any other certification can help you, take a look at the job market. Look at how many jobs you can get that don’t list it versus jobs that prefer it or require it.
You will probably find there are certain specialty certifications that will help you just as much or more. The question is, is that an area of specialty you want to stay in? The nice thing about CISSP is that it applies to almost any security job, where a specialty certification like GCIH does not.
So I hope that helps you decide whether CISSP is worth having in 2024. Because the right answer for you might not be the right answer for somebody else.

David Farquhar is a computer security professional, entrepreneur, and author. He has written professionally about computers since 1991, so he was writing about retro computers when they were still new. He has been working in IT professionally since 1994 and has specialized in vulnerability management since 2013. He holds Security+ and CISSP certifications. Today he blogs five times a week, mostly about retro computers and retro gaming covering the time period from 1975 to 2000.
