CISM or CISSP?
The scarcity of skilled IT security professionals today poses a major challenge for organizations of all sizes and industries. The (ISC)² Foundation estimates the shortfall of workers will grow to 1.5 million people by 2020. While the skills gap is a barrier for many organizations, it’s an opportunity for IT workers who can stay up-to-date. Surveys of IT leaders find that security certifications are increasingly important in today’s environment.
IT professionals who have certain types of certifications are more competitive and can earn more money than their peers. The two most popular certifications that are recognized widely in the industry are CISM (Certified Information Security Manager) and CISSP (Certified Information Systems Security Professional). However, both require an investment of time to become certified. So which one is right for you?
Both certifications, offered by independent nonprofits, are vendor-neutral. They draw on the most current knowledge in the industry to provide deep, comprehensive training in understanding and responding to information security threats.
CISM certification is provided by ISACA (formerly known as the Information Systems Audit and Control Association). Designed for information security managers, the certification emphasizes the relationship between information security and the business goals of the enterprise.
CISSP certification, backed by (ISC)², is suitable for a variety of positions, including security managers and consultants. The certification focuses on the operations side of information security and threat response.
CISM or CISSP?
Both certifications verify an individual’s skills against a common body of knowledge and take a global approach to information security. Each requires at least five years of work experience in specific domains.
A key difference between CISM and CISSP certifications is that the former is focused more on management and strategy, and only covers technical topics in a cursory way, while the latter addresses the tactical aspects of security operations and delves much deeper into those areas.
Some professionals get both certifications, typically starting with CISSP in order to build a better technical understanding of cybersecurity. The decision of which certification is right for each individual depends on the desired career path.
Professionals whose goal is to progress to a management level in IT security will find more value in CISM than those who want to stay in a tactical role. For those aiming to become a chief information security officer (CISO), each certification has its own merits and both will provide a more holistic understanding of information security systems and management.
The eight competencies covered by CISSP are:
- Security and risk management
- Asset security
- Security engineering
- Communications and network security
- Identity and access management
- Security assessment and testing
- Security operations
- Software development security
Professionals typically taking the CISSP exam include IT security practitioners such as network architects, security consultants, auditors, analysts, systems engineers or aspiring CISOs.
CISSP is accredited by the Department of Defense for use in certifying its own employees. The agency requires all military and civilian personnel with access to sensitive DoD systems to have specific commercial security certifications.
One thing to consider, because the certification is highly technical in nature, individuals with more basic knowledge generally have to invest more time into understanding the concepts covered by CISSP in order to pass the certification exam.
The CISM covers topics such as:
- Regulatory issues
- Information security governance
- Cost-benefit analysis of risk mitigation
- Risk management
- Disaster recovery
IT and IT security directors and managers, auditors, and consultants are jobs roles most commonly pursuing CISM. This certification can also benefit chief information officers (CIOs), CISOs, CEOs and Chief Financial Officers (CFOs).
Should Practitioners Seek Certification?
According to a survey by the Certification Magazine, 48% of security professionals who obtained a certification reported receiving a salary increase within one year. However, 68% of respondents said the increase less than 5 percent. A quarter of respondents reported a 20-25 percent raise, and a small group even higher.
Of the 12 security certifications evaluated, the magazine found that CISM is associated with the highest average salary ($127,063) while CISSP certified professionals report the second highest average salary ($117,030).
For many professionals, the value of these certifications is the fact that they provide a standard understanding of key concepts. For practitioners, they are an avenue of continuing education from organizations that are recognized internationally as leaders in the field.
For employers, they are a screening mechanism that signal a candidate’s in-depth expertise and increase that potential employee’s credibility and caliber. It’s a way to measure the quality of a candidate. However, some employers may rely too much on certifications alone instead of evaluating a person’s fit within the company’s culture and mission. By itself, a certification is not an indicator that a practitioner will be successful at a particular organization.
From a practical standpoint, certified practitioners are not necessarily more experienced or knowledgeable than their uncertified peers. Other factors, such as academic background and industry tenure, contribute to job performance and knowledge. And, like any other academically-based achievement, certifications serve more as a foundation that needs to be applied in practice in order for a security practitioner to become more successful.
Ultimately, the decision of whether or not to pursue certification needs to be aligned with the person’s long-term career goals.