My CISSP story

I got into infosec because of the TV show Mr. Robot. Of course, my initial idea was to become a pentester! While ethical hacking was enthralling, I quickly discovered my knack for delivering awesome risk assessment reports thanks to my love of writing. When faced with the choice of either being a good hacker versus an excellent Governance, Risk, Compliance (GRC) specialist, the latter was obvious.
All 3 facets of GRC require a thorough understanding of an organization; therefore, the mindset and knowledge of CISSP are the most sought-after skills for proficiency. In other words, CISSP is sort of what you do when you get into GRC and that's that.
My CISSP Journey - Looking Back
To be honest, I went into the studies sort of backwards, feeling CISSP was over-rated. Let's face it, any Security Analyst job posting from a company that doesn't know better will add the CISSP as a requirement for good measure despite the tasks requiring none of the skillsets. CISSP doesn't make you an endpoint security architect, application security specialist, or incident responder. Yet, your old buddy CISSP is always getting squeezed into the listings... Plus, everybody in the infosec world has a story of that CISSP who spent so much time writing security policies and control maturity matrices that he doesn't know what an Active Directory is. The stereotype is so prevalent that I overheard the name "CISS-Papy" ("papy" in French meaning "grandpa").
Turns out "over-rated" is a poor choice of words. "Misunderstood"? Absolutely! Looking back at what I learned in my studies, especially during the last 8 weeks of the marathon, CISSP is exactly what it needs to be. Coming out of it, the training taught me an extremely valuable mindset: think high level or, as it's spelled out in some books: think like a manager.
The Best Career Decision I've Made
Now that I'm three years into my InfoSec career, I can confidently say that the best decision I've made was to move away from chasing certifications and instead focus on connecting with people online, sharing my knowledge, and building my personal brand. Don't get me wrong - the CISSP provided a solid foundation, but the real growth came when I started engaging with the community.
Creating content, participating in forums, speaking at virtual meetups, and writing blog posts about my experiences have opened more doors than any certification could have. I've built genuine relationships with peers who value my practical insights more than the letters after my name.
The incredible thing about sharing knowledge publicly is that it forces you to truly understand what you're talking about. There's no hiding behind technical jargon when you need to explain concepts clearly to others. This has sharpened my own expertise while simultaneously raising my profile in the industry.
How My Approach Has Evolved
My "Rocky Balboa" style of cert prep (2 months at 3 hours a day, 7 days a week) feels like a lifetime ago. While it served its purpose, I now invest that energy into creating meaningful content, engaging in community discussions, and solving real problems.
The knowledge I gained from the CISSP wasn't wasted. The high-level thinking still serves me well. But I've supplemented it with practical experience and continuous learning through projects and peer interaction. The combination of theoretical foundation and hands-on application has been far more valuable than accumulating more credentials.
What I've Learned About the Industry
The CISSP criticisms I had about opportunity costs, privacy invasiveness, and employee experience remain valid. But my community engagement has given me perspective on how different organizations navigate these challenges.
Some key insights I've gained through my knowledge sharing:
- Security teams that integrate well with development create far more value than those who operate as separate entities
- Empathy for end users and developers leads to better security outcomes than rigid policy enforcement
- Many organizations still struggle with the basics, making perfect the enemy of good
- Building trust and relationships across teams is often more impactful than technical prowess
In Conclusion
I still value what the CISSP taught me - that high-level manager thinking remains useful daily. But the real career acceleration came when I started contributing to the community, sharing my knowledge, and building relationships.
For those early in their InfoSec careers: yes, get foundational knowledge, maybe even certifications if they align with your goals. But don't stop there. Share what you learn, engage with others, and build your personal brand. The connections, opportunities, and growth that come from being an active contributor to the community are far more valuable than any certification could ever be.