← Zurück
July 9, 2026

Two Hours for the CISSP: What Certifications Really Prove

The CISSP had been on my to-do list for years. A few months ago, with some downtime between projects, I finally ticked it off — with about two hours of preparation.

That sounds like very little, and it was. But the story behind that number is more interesting than the number itself — and it says something about what a certification like the CISSP actually measures.

A Spontaneous Decision — and a Misleading Test

With time on my hands, I looked for nearby exam dates and found one for the coming weekend. Would that be enough time to prepare? No idea. So I had ChatGPT put together a sample exam to gauge where I stood.

ChatGPT dutifully did exactly what I asked — the questions appeared instantly. My mistake: I'd assumed it would know the style and depth of the real CISSP questions. The generated questions were fairly easy for me. So I figured: if the exam is at this level, I won't need to study more. After more than ten years in the field, I was pretty confident in my experience. I booked the exam.

The Reality Check the Night Before

The evening before, I had some time to spare, and curiosity got the better of me: I downloaded a specialized CISSP prep app that advertised realistic exam questions, and paid the ~15 € for the subscription.

Surprise: those questions were considerably harder than ChatGPT's. And suddenly I wasn't so sure I was ready.

It was already late evening, with the exam early the next morning. So I spent about an hour and a half practicing with the app — then deliberately went to bed to sit the exam well-rested.

The Exam Itself

The next morning, the real questions turned out to be a notch harder still than the app's. But the trickiest part wasn't the knowledge — it was that the answers were rarely clear-cut. Often several options were "correct"; the task was to pick the best, most appropriate one.

And that's exactly where the CISSP shows what it really tests: not memorized facts, but judgment built on experience. In the end, my ten-plus years in practice were broad and deep enough to pass.

What That Says About Certifications

The CISSP is deliberately experience-based — it requires several years of relevant professional experience. So for me it was less a learning exercise than a confirmation of what I've built up over the years in real projects — from secure software development to threat modeling to pentests.

And a small reminder along the way: AI is a fantastic tool — but its output is only as good as the context you give it. That ChatGPT missed the exam's difficulty wasn't its fault; it was mine. That's a lesson I keep running into in my work, too.

Certifications are valuable. But they don't replace experience — at best, they confirm it.


#CISSP #ITSecurity #CyberSecurity #InfoSec

CISSPCertificationIT SecurityCybersecurityExperienceInfoSec