
Defining your security certification objective

In this SearchSecurity.com Q&A, security management expert Mike Rothman discusses which security certifications, such as the CISSP and CISA, fit specific career objectives.

I am looking to attain a security certification. I have more than six years of experience working on security products like SIM deployments, ISS product implementations and database products like Oracle with RAC. Should I consider attaining my CISSP, CISM or CISA?
When examining specific security certifications, it's important to first figure out what your objective is. Are you trying to become more marketable, increase your salary, and open up new opportunities? If so, I'm not sure any specific certification will help with that. Some organizations look at certifications as favorable, some do not. If your long-term career strategy includes getting hired by or advancing within a particular organization, I'd recommend taking the time to learn whether certifications are valued there, and if so, which ones. But regardless, getting a CISSP or other certification won't guarantee wealth and happiness. A piece of paper will not get you a job, or help you with your mortgage payment -- you've got to do that yourself.

On the other hand, if you are looking to show that you've achieved a certain level of competence (which given your background seems to be the case), then a certification can help you convey that you have a minimum level of knowledge. Personally, that's how I view any of these certifications (of which I have none, by the way). You must be knowledgeable to get the certification, but that certainly doesn't indicate competence or ability to execute a project.

In terms of comparing and contrasting the various certifications, (ISC)2's CISSP has the best "brand" of all certifications in that most people understand what it is and what it means.

ISACA's security-oriented certifications, CISA and CISM, aren't as well-known, but are respected. The Certified Information Security Auditor certification is targeted toward folks who want to roll up their sleeves and get into the audit game. So if you are looking to move away from the security group toward taking on an audit function (within either the internal audit group or perhaps an external auditor), then the CISA is a good choice.

The Certified Information Security Manager (CISM) is analogous to the CISSP. I guess ISACA got sick of giving all the certification business to (ISC)2, so they built their own. My impression is that the CISM is a bit tougher to get than a CISSP, but in the end I'm not sure it matters. It all goes back to what you are trying to accomplish with the certification.

For more information:

  • Learn how to transition from a UNIX environment to the security management field.
  • In this expert Q&A, security pro Mike Rothman discusses the difference between CompTIA and CISSP certifications.

This was last published in August 2007.
