IT security requires a highly capable workforce that can secure networks and data efficiently. Of late, a scarcity of IT security professionals has been observed, and it poses a major threat to organizations worldwide. As per various reports, the skills gap is continuously widening. The (ISC)2 Foundation has estimated that by 2022, 1.8 million cyber security positions will be vacant. Though this raises a huge concern for organizations, it can also be seen as an opportunity for IT professionals to either start their career afresh or build on their existing skills.
To gain skills related to cyber security, it is important to earn a valid certification. Certifications showcase your expertise and help employers recognize you easily. Two certifications are being considered by many professionals seeking cyber security skills: CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager). Both certifications validate similar skills against a Common Body of Knowledge, and the approach they follow for information security is globally recognized. Both are offered by vendor-neutral, independent non-profits.
But which of the two should you opt for? Which one is better?
It is better to get a thorough understanding of what both certifications offer and then settle on one of the two.
First Things First
What is CISSP?
CISSP is offered by (ISC)2 (International Information Systems Security Certification Consortium) which is a global non-profit organization that specializes in IT security. The certification proves a candidate’s mastery in almost all fields of information security. CISSPs are well trained to design, engineer, implement and manage information security programs to protect organizations from cyber-attacks.
What is CISM?
CISM is offered by ISACA (Information Systems Audit and Control Association) which is an independent association focusing on IT security. This is an advanced certification that validates an individual’s expertise in developing, managing and assessing an enterprise information security program.
Let us now look at some of the prominent differences between the two and then consider which of them suits you.
CISSP demands a minimum of five years of experience in two or more of the domains of the CISSP Common Body of Knowledge.
However, one year of the required experience can be waived if a candidate holds a four-year college degree in the same field, its regional equivalent, or an educational qualification recognized by (ISC)2.
CISM requires a minimum of five years of information security work experience, including a minimum of three years of information security management work experience in three or more of the Job Practice Analysis Areas.
- Two years of the above required experience can be waived if one of the following security-related certifications or qualifications is submitted:
  - Certified Information Systems Auditor (CISA) in good standing
  - Certified Information Systems Security Professional (CISSP) in good standing
  - Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)
- One year of the above experience can be waived if one of the following security-related certifications or experience is submitted:
  - One full year of information systems management experience
  - One full year of general security management experience
  - Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security+, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)
  - Completion of an information security management program at an institution aligned with the Model Curriculum
Another waiver can be leveraged if you are working as a full-time university instructor teaching the management of information security. In this scenario, two years of teaching can be submitted for every one year of experience.
Therefore, professionals who wish to stay in a strategic role will find more value in CISSP than those who aim to progress to a management level in IT security.
CISSP is primarily targeted at IT security practitioners such as Network Architects, Auditors, Analysts, System Engineers, Security Consultants and aspiring Chief Information Security Officers (CISOs).
On the other hand, CISM is directed at IT Security directors and managers, auditors and consultants. Other professionals that may benefit from this certification include Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), Chief Executive Officers (CEOs) and Chief Financial Officers (CFOs).
As per PayScale, a CISSP earns an average salary of $107,000 per year while the average salary of a CISM amounts to $121,000 per year.
The higher salaries of CISMs are also backed by a survey conducted by Certification Magazine, which states that CISM is associated with the highest average salary, while CISSP earns professionals the second-highest average salary.
CISSP or CISM? Which is the best?
Before coming to any decision, the very first question to ask is, "What are my long-term career goals?" Anyone who wants to move to the management level or become a CISO should opt for CISM. On the other hand, for anyone planning a long-term career as a security engineer, CISSP could be the better choice.
Many professionals achieve both certifications, usually CISSP followed by CISM, although either can be taken first.