We are studying for the test while the building burns
- Lindsay Timcke
In 2025, 48,185 CVEs (Common Vulnerabilities and Exposures) were published, a record, up 20.6 percent year over year. That is roughly 132 new vulnerabilities every single day. Median time to exploit dropped under five days. AI finds real bugs autonomously. Anthropic disclosed a Chinese state-sponsored actor running an 80-to-90 percent autonomous campaign against thirty global targets via Claude Code last November.
Meanwhile, the major risk and security credentialing bodies refresh exam content on four-to-five-year cycles through volunteer Job Task Analyses. ISACA's CISM (Certified Information Security Manager) outline, current since 2022, refreshes in November 2026. CISA (Certified Information Systems Auditor), CRISC (Certified in Risk and Information Systems Control), and CISSP (Certified Information Systems Security Professional) run on similar cadences. At the current rate, roughly 190,000 vulnerabilities will have been disclosed between one revision and the next. The exam will still test on the threat model from before half of them existed.
Who writes that content? Not active red teamers. Not threat intel analysts. Volunteer committees. Multiple choice with "best answer" rubrics. Accredited under ANSI/ISO/IEC 17024, a standard designed for legal defensibility, not technical currency. By the time a candidate sits the exam, the material is two to four years old, and anyone with real-world experience is baffled by the expected answers.
The CPE (continuing professional education) treadmill makes it worse. Credits are earned by attending vendor presentations and webinars hosted by the people selling tools to the people getting credentialed. Self-study counts. Mentoring other test-prep candidates counts. The entire apparatus is a closed loop. The prep industry (hundred-dollar manuals, fourteen-hundred-dollar bootcamps, six-figure instructor salaries) exists because the test rewards test-craft, not practitioner judgment.
Risk professionals are being trained to pass exams. Threat actors are being trained by AI to scale attacks. One training cycle measures in years. The other measures in days.
Buyers should stop asking what letters a candidate holds. Ask what they have defended. What they have attributed. Which breach they have cleaned up. Which regulator they have sat across from. Which board they have briefed while something was on fire. I understand that credentials make it easier for HR staff who do not understand the field, but you are part of the overriding issue.
The credentials prove someone studied for the test. The work proves the work. They have never been the same thing, and the gap is widening every single day. The threat actors already know it.
We need to start placing more emphasis on real-world experience and stop propping up hiring managers who don't know the right questions to ask.
