Certified Information Systems Security Professional

Kenneth Kasuba

I hold nine certifications. I only talk about two. Here's why the CISSP still matters at the principal and director level.

Why I Still Renew My CISSP — And Stopped Talking About CompTIA

I hold nine certifications. I only talk about a few. The CISSP is one of them.

Not because ISC2 has great marketing or because HR filters demand it — but because it's the only security certification that actually changed how I think about risk, not just how I execute against a checklist.

Here's my take on why the CISSP still matters at the principal and director level, why I renew it every cycle, and why I quietly let lower-tier certs fade into the background.

The Cert Landscape Is Broken

Let's be honest about what most security certifications actually test: memorization. You study a dump, you pass a proctored multiple-choice exam, you put three letters after your name on LinkedIn, and you move on. The industry rewards this. Recruiters filter on it. HR systems score it. But none of it tells you whether someone can actually assess risk, communicate it to a board, or design controls that survive contact with production.

CompTIA Security+, CySA+, Network+ – I've held all of them. They served their purpose when I was early-career and needed to prove baseline knowledge to get past automated filters. But I haven't renewed them in years, and I don't list them on my resume. Not because they're bad certifications; they're fine for what they are. But they test operational knowledge at a level that stops being differentiating once you've spent a few years doing real security work.

The CISSP is different. Not because the exam is harder (it is), but because of what it forces you to think about.

What the CISSP Actually Tests

The eight CISSP domains read like a table of contents for security leadership:

  1. Security and Risk Management: governance, compliance, risk frameworks, legal considerations.
  2. Asset Security: data classification, ownership, retention, privacy.
  3. Security Architecture and Engineering: secure design principles, cryptographic systems, zero trust.
  4. Communication and Network Security: network architecture, segmentation, secure channels.
  5. Identity and Access Management: authentication systems, federated identity, authorization models.
  6. Security Assessment and Testing: vulnerability management, audit strategies, penetration testing.
  7. Security Operations: incident response, disaster recovery, forensics, monitoring.
  8. Software Development Security: secure SDLC, application security, DevSecOps.

What makes this different from a CompTIA cert isn't depth – it's breadth with decision-making.

The CISSP doesn't just ask "what is AES-256?" It asks you to evaluate tradeoffs between competing controls, prioritize risk in ambiguous scenarios, and think like someone who owns the security program – not just someone executing tasks inside it.

That shift in perspective is the real value.

When I moved from Security Engineer to Senior to Principal at Certus Cybersecurity, the thing that changed wasn't my technical skill – it was my ability to frame security decisions in terms of business risk, regulatory exposure, and engineering velocity. The CISSP domains map directly to that thinking.

Why It Matters at the Director Level

When I became Director of Security & AI Research, nobody asked me to configure a firewall or write a Semgrep rule. They asked me to:

  • Define AI governance strategy for organizations deploying LLM-based systems.
  • Architect cloud-native research infrastructure with identity segmentation and tamper-evident evidence workflows.
  • Deliver board-ready risk reporting aligned to NIST AI RMF, NIST CSF, and ISO 27001.
  • Establish standards for research integrity, responsible disclosure, and evidence handling.

Every single one of those responsibilities maps to CISSP domains. Security and Risk Management. Asset Security. Security Architecture. Security Assessment and Testing. The cert didn't teach me how to do these things – experience did.

But it gave me a structured mental model for thinking about security programs holistically, which is exactly what leadership roles demand.

This is the gap that CompTIA certs don't fill. Security+ teaches you what a SOC analyst needs to know. The CISSP teaches you what the person *building the SOC* needs to think about.

Why I Renew It

ISC2 requires 40 continuing professional education (CPE) credits per year to maintain the CISSP. Some people complain about this. I think it's the best part.

The CPE requirement forces you to stay current. Not in a "read a blog post and check a box" way — in a "demonstrate that you're actively contributing to the field" way. Publishing research counts. Speaking at conferences counts. Building open-source security tools counts. Leading red teaming engagements counts.

My CPE credits come from real work:

  • Publishing STRATA-8, a bottom-up discovery framework for AI agent security, in Towards AI.
  • Building AI Purple Ops, an LLM security testing framework with 200+ adversarial test cases.
  • Leading AI red teaming engagements that bypassed production LLM safety controls.
  • Conducting FedRAMP-aligned reviews of AWS and Azure infrastructure.
  • Delivering SOC 2, ISO 27001, and NIST 800-53 control implementations.

I'm not hunting for CPE credits. The work I already do generates them naturally. That's the signal that the CISSP is aligned with how I actually practice security – not just something I passed once and forgot about.

Why I Stopped Talking About the Others

Here's the uncomfortable truth: listing every certification you've ever earned dilutes your signal. When a recruiter or hiring manager sees "CISSP, AWS DevOps Professional, Security+, CySA+, Network+, A+" — they don't see breadth. They see someone who's collecting badges instead of building depth.

At the principal and director level, your certifications should tell a story. Mine says: I understand enterprise security governance (CISSP) and I can secure the cloud infrastructure where it runs (AWS DevOps Professional).

Everything else is noise.

I'm not saying CompTIA certs are worthless. If you're breaking into security, Security+ is one of the best investments you can make. CySA+ is underrated for SOC roles. But once you've moved past the "prove I know the basics" phase of your career, you need to curate what you present. The certs you *don't* list say as much as the ones you do.

The Bottom Line

The CISSP isn't a perfect certification. The exam is overly focused on policy and process at the expense of technical depth. ISC2's pricing model is extractive. The "experience requirement" gatekeeps people who've done the work but haven't done it in the right corporate structure.

But for all its flaws, it's the only widely-recognized certification that tests whether you can think like a security leader. Not a technician. Not an analyst. A leader who can assess risk across domains, communicate it to executives, and build programs that scale.

That's why I renew it. That's why it's on my resume. And that's why, fifteen years into this career, it's still the cert I point people toward when they ask what matters.


Kenneth Kasuba is a CISSP (ID 633076, issued 2020) and Director of Security & AI Research at the Tyrian Institute of AI and Cybersecurity. He specializes in AI/ML security architecture, LLM red teaming, and security program leadership.
