Defining your security certification objective

When examining specific security certifications, it's important to first figure out what your objective is. Are you trying to become more marketable, increase your salary, and open up new opportunities? If so, I'm not sure any specific certification will help with that. Some organizations look at certifications as favorable, some do not. If your long-term career strategy includes getting hired by or advancing within a particular organization, I'd recommend taking the time to learn whether certifications are valued there, and if so, which ones. But regardless, getting a CISSP or other certification won't guarantee wealth and happiness. A piece of paper will not get you a job, or help you with your mortgage payment -- you've got to do that yourself.

On the other hand, if you are looking to show that you've achieved a certain level of competence (which given your background seems to be the case), then a certification can help you convey that you have a minimum level of knowledge. Personally, that's how I view any of these certifications (of which I have none, by the way). You must be knowledgeable to get the certification, but that certainly doesn't indicate competence or ability to execute a project.

In terms of comparing and contrasting the various certifications, (ISC)2's CISSP has the best "brand" of all certifications in that most people understand what it is and what it means.

ISACA's security oriented certifications, CISA and CISM, aren't as well-known, but are respected. The Certified Information Security Auditor certification is targeted toward folks that want to roll up their sleeves and get into the audit game. So if you are looking to move away from the security group toward taking on an audit function (within either the internal audit or perhaps an external auditor), then the CISA is a good choice.

The Certified Information Security Manager (CISM) is analogous to the CISSP. I guess ISACA got sick of giving all the certification business to (ISC)2, so they built their own. My impression is that the CISM is a bit tougher to get than a CISSP, but in the end I'm not sure it matters. It all goes back to what you are trying to accomplish with the certification.

For more information:

Learn how to transition from a UNIX environment to the security management field.

In this expert Q&A, security pro Mike Rothman discusses the difference between CompTIA and CISSP certifications.