Why I Wish I’d Taken the CISSP Ten Years Ago
John Spiegel
10/26/2025 | 5 min read


For the past few months, I’ve been deep in the weeds studying for the CISSP — the certification that defines what it means to lead in cybersecurity. It doesn’t test whether you’ve done the job; it tests whether you understand the job. It measures whether you grasp the frameworks, principles, and language that drive modern security leadership. The content is relentless. It’s broad, dense, and humbling.
Anyone who has gone through it will tell you: it’s ten miles wide and a few inches deep. You can’t brute-force it with memorization or depend on muscle memory from years in IT. The exam forces you to think differently. It’s not about configuration or troubleshooting; it’s about strategy, governance, and risk. It forces you to stop thinking like a technologist and start thinking like a manager. And that shift? It doesn’t happen easily.
The practice exams are where it shows up. I find myself sliding back into my comfort zone. I’ll start analyzing a question like I’m on a call with a network engineer: what’s the most efficient path, how would I fix this, where’s the flaw? Then I catch myself, take a breath, and remind myself:
“Think like a manager, not a technologist. Read the question twice. Don’t overthink it.”
At first, that felt like just test-taking advice. But the more I studied, the more I realized it was something deeper. The practice tests became a mirror reflecting how I used to lead. The mindset shift the CISSP requires is the same shift every IT manager eventually needs to make: move from the tactical to the strategic.
And that’s why I wrote this post. Because after months of late-night studying and endless self-doubt, the biggest thing I’ve learned isn’t about access control models or cryptographic algorithms. It’s about perspective. Looking back, I wish I’d taken the CISSP ten years ago when I was an IT manager, running operations and infrastructure teams. Because if I had, I would have led differently. The CISSP would have given me context and the critical “why” behind the “what.”
When You’re in the Trenches
When you’re managing IT, it’s easy to get stuck in survival mode. You live in the moment. You are fighting fires, managing projects, answering executive escalations, and trying to keep your team sane through the constant churn. Your day is defined by uptime, tickets, and deadlines. You’re focused on making things work, not necessarily on understanding how those things contribute to the organization’s risk posture or long-term strategy.
That was me for years. I defined success by how quickly we restored service or how clean our maintenance windows went. I measured outcomes in operational terms: stability, speed, efficiency. I didn’t yet realize that what I was doing every day, prioritizing systems, approving changes, balancing resources, was actually risk management. Finding a clear moment to reflect on that was near impossible. I was already practicing security leadership without the language or framework to recognize it.
That’s what the CISSP gives you. It connects the dots. It shows how the tactical decisions you make as a manager fit into a much larger system of governance, risk, and trust. It forces you to step back and see the big picture. It’s not just the systems you’re running, but the value those systems protect.
How does CISSP help?
It Clarifies the Manager’s Strategic Role
One of the biggest insights from the CISSP is how it reframes what leadership in IT really means. It teaches you to see technology not as a collection of tools or projects, but as a business enabler. It gives you the vocabulary and frameworks to link day-to-day operations to organizational value.
Through its eight domains, CISSP shows how risk, governance, and compliance intersect with every technical decision. It connects the dots between a change control meeting and the company’s risk appetite, between a patch cycle and regulatory compliance, between user onboarding and data protection obligations. Once you see those connections, you can’t unsee them.
When I was running global networks, I had a deep understanding of the technology but not always the context. I could tell you which routing protocol was best or how to optimize WAN links, but I wasn’t framing those decisions in terms of risk or governance. If I’d had the CISSP mindset back then, I would have led conversations differently; I’d have been tying our work directly to business outcomes, not just system uptime.
It Moves You from Tactical to Strategic
The breadth of the CISSP is its real value. It forces you to think beyond your lane. The eight domains cover everything from security operations and IAM to policy, architecture, and even software development. That scope pushes you to connect dots you didn’t realize were related.
When you understand how identity, encryption, and incident response fit together, you start to see your organization as an integrated system instead of isolated silos. You realize that your team’s choices ripple outward. The decisions your team makes affect compliance, audit, user experience, and brand trust.
It Sharpens Leadership and Decision-Making
The CISSP isn’t just a test of knowledge — it’s a test of judgment. It trains you to think in terms of risk, cost, and impact, and to make decisions based on those variables. That’s a very different mindset than troubleshooting or design work. It’s not about “what’s technically possible,” it’s about “what’s strategically right.”
You start framing choices around the organization’s goals: What’s the likelihood of this risk? What’s the potential business impact? Which control gives the best return on risk reduction? How do we balance protection with performance and user experience?
This is where the CISSP really levels you up. It gives you the structure and vocabulary to justify decisions. You begin to communicate in a way executives understand. It’s not about being the smartest technical person in the room; it’s about being the one who can connect technical and security decisions to business risk.
It Improves Communication and Credibility
One of the most underrated benefits of the CISSP is how it strengthens communication. It gives you a shared language that bridges the gap between engineers, auditors, and executives. You learn how to talk about controls, compliance, and governance in ways that resonate outside IT.
When you can explain why a control exists, not in terms of configuration but in terms of risk mitigation and business continuity, you are building credibility. You shift from being the “technical manager” to being a trusted advisor. You start influencing decisions, not just executing them.
That’s the difference between being in the meeting and being part of the strategy.
It Redefines How You See Your Career
Studying for the CISSP changes how you view your work — and your career. It reframes IT as the backbone of organizational trust. Every system you build, every policy you enforce, every process you optimize contributes to that trust.
You stop defining success by uptime or efficiency alone. You start defining it by resilience: how well your organization can adapt, recover, and continue to operate securely in the face of change.
If I’d learned that a decade ago, I think I would have moved toward security leadership sooner. Not because it’s a “next step,” but because it’s a broader one. CISSP teaches you to think holistically about the ecosystem you support, and it gives you the mindset to lead at scale.
In Hindsight
Hindsight, of course, is always 20/20.
If you’re an IT manager today, even if security isn’t in your title, don’t overlook the CISSP. It’s not just a security certification, it’s a leadership framework. It will challenge you, frustrate you, and probably humble you, but it will also change how you think. It will connect the dots between technology, people, and purpose.
I used to think the CISSP was for CISOs or security architects. Now I see it as one of the most valuable things any IT leader can study. Because it forces you to ask bigger questions — not just how something works, but why it matters.
And if I could go back to 2015, I’d tell that version of myself:
“Stop firefighting for a minute. Step back. Learn the strategy behind the systems you’re protecting.”
The ability to see the forest, not just the servers, is what the CISSP ultimately gives you!
Wish me luck on my upcoming test in 60 days…