Tag Archives: security career

CISM vs CISSP

A reader recently asked me about the CISM versus the CISSP. Specifically, he asked, “How hard is the CISM for someone who passed the CISSP?”

Having earned both certs (and a few more besides), and having written study guides for both, I felt qualified to help this individual. My answer follows.

CISM is much heavier on security management and risk management than CISSP. You’ll have to study these topics, and the business side of information security. To paint with a broad brush, you could say that CISM is for CISOs while CISSP is for security engineers. That, in essence, is the distinction.

Oh, and there’s a great study guide out for the CISM: https://www.amazon.com/Certified-Information-Security-Manager-Guide-ebook/dp/B079Z1J87M

I passed my CISSP almost 20 years ago while I was still a hands-on technologist. I studied for my CISA two years later. I learned through my ISACA CISA study materials (provided by my employer) that ISACA has a vastly different vocabulary for infosec than does (ISC)2. Think of it as a business perspective versus an engineering perspective. Both are right, both are valid, both are highly valued in the employment market. But they are different. Master both, and you’ll be a rare treasure.


Study guides for CISSP:

CISSP For Dummies

CISSP Guide to Security Essentials

Study guides for CISM:

CISM All-In-One Exam Guide

State University Gives Copies of Security Career Books to Students

Earlier this year, Georgia State University asked me to speak at an information session for students in its Master of Science in Information Systems (MSIS) program. Students needed to choose their study concentration; my job was to describe the information security profession to them so that they could decide whether to elect the security concentration or one of two other concentrations.

The university gave all of its MSIS students a copy of one of my recent books, Getting an Information Security Job For Dummies. University officials recognized that the book accurately describes the profession, how professionals can learn more about it, the career choices within it, and the steps someone can take to get into it.

After my talk, university officials informed me that twenty-five students elected to pursue the information security concentration. This was greater than they expected, and they were pleased with the outcome. They expressed their gratitude to me for the time I took to describe the profession to them and answer their questions.

Which security certification should you earn next?

A reader who recently received his CISA certification asked, “Which certification should I earn next: CEH or CRISC?”

I see this question a lot, so I’d like to answer this in two different ways.

When someone asks which certification they should earn next, I sometimes wonder if that person is asking others to choose their career direction for them.

In this case, the person wants to know whether CRISC or CEH is the right direction. If this person were asking me personally, I would respond with these questions: what aspects of information security interest you? For which aspects do you have good aptitude? What kind of information security job do you want to be doing in five years?

In the case of CEH and CRISC, these two certifications could not be more different from each other. One is a hands-on certification concerned with breaking into systems (and helping to prevent adversaries from doing the same); the other concerns risk management, which is decidedly hands-off.

Now for my second answer: you choose. Both are well respected certifications. Which one aligns with your career aspirations?

Another thing – for anyone who is just trying to figure out the next cert to add after their name – stop asking that question and do some other things first.

1. Assess your experience.
2. Figure out where your experience can help you go next.
3. Determine your aptitudes, meaning what your talents are.
4. Decide what you want to be doing in five years, ten years.
5. Only after you have answered 1-4 can you then think about certifications. They should reflect your knowledge and experience.

Knowledge and experience come first. Certifications are a reflection of your knowledge and experience, not a forecast of future events.

– from my posting to the CISA Forum

Career advice: how to begin a security career


Today a colleague from Melbourne wrote me and said,

Hi Peter,

Greetings from Melbourne, Australia.

It was refreshing to read your site esp your Christian perspective on the profession.

I’m after some career guidance if you don’t mind –
I have a Business Analyst background and am currently working in IT consulting for a company that specialises in custom app development and systems integration. I have taken a keen interest in Info Security and will sit the CISSP exam at the end of this year with the intention to certify as an ISC2 associate (until such time as I possess the relevant experience to be a CISSP)…

In terms of specialising in the Information Security field, are there any particular areas where demand will be highest? (application, network, governance etc.) Also, what blend of technical/personal abilities will the profession require of its practitioners going forward... any insight you can provide will be much appreciated. Thank you.

Cheers,

(name)

* * * * * * *

Hi (name),

Thank you for your message and your kind comments.

If you were in the U.S., I could give you more precise perspective on what’s in demand.  But I have an idea.

I suggest you find a local chapter of ISSA and/or ISACA (the ‘owner’ of the CISA and CISM certifications) and sign up.  This will give you many networking opportunities to meet and know others in the information security profession.  Through your contacts and communications with local members, you should soon get a good idea of what’s in demand.

But I stress this: the best people in information security are those who already have technology experience, and begin to build expertise on the risks in that technology.  So I see you are in an app dev and integration firm.  I’ll presume that this is a field where you have good expertise.  So what I would suggest is that you begin to build your security experience by beginning to understand the risks around “safe coding” principles and the processes to ensure that the entire SDLC (systems development life cycle) includes procedures to ensure that the proper measures are taken to ensure that changes to software do not introduce vulnerabilities at any level.  So if s/w dev is your thing, you might pick up a copy of Michael Howard’s book, Writing Secure Code (or something close to that – a huge best seller).

For me, my career was in computer operations, systems administration, software engineering, and network engineering.  Then, it became my job to secure systems and networks, so I began to read all I could and made systems and networks secure.  Then, I branched out from there to better understand other sources of risk, like unauthorized intruders and secure coding.

So my advice is, begin to build security expertise in the area of technology where you are most familiar, and branch out from there.  Networking with others will help to broaden your knowledge about risk overall.

Hope this helps,

Peter

CISSP one of the hottest certs for 2008


Toni Bowers, senior editor for Tech Republic, cites CISSP as one of the ten hottest IT certifications of 2008. Ms. Bowers states, “With CISSPs earning $94,070 a year on average, it’s easy to see why Trapp puts this one on the list. (Note that the exam costs $500, lasts up to six hours, and includes 250 multiple choice questions.)”

Link to full article here.

Study for the CISSP certification with the best-selling CISSP study guide, CISSP for Dummies, here.

Security+ one of the hot certs for 2008


Toni Bowers, senior editor for Tech Republic, cites Security+ as one of the ten hottest IT certifications of 2008. Ms. Bowers states, “Growth in Security+, which covers topics like communication security, infrastructure security, cryptography, access control and authentication, shows no signs of slowing down. According to Michael Trapp, writing for knowhow-now.com, ‘CompTIA’s Security+ Credential is a must-have in today’s world.’”

Link to article here:

http://blogs.techrepublic.com.com/career/?p=223

Study for the Security+ certification with the best-selling Security+ study guide, Security+ Certification for Dummies, here.

Security+ Study Guides


There are several books in print that the Security+ candidate can use as a study aid for the Security+ exam.

CompTIA Security+ Study Guide: Exam SY0-101 by Mike Pastore and Emmett Dulaney

The Ultimate Security+ Certification Exam Cram 2 Study Kit (Exam SYO-101) (Exam Cram 2) by Que Certification

Security+ Certification All-in-One Exam Guide by Gregory White

Security+ Guide to Networking Security Fundamentals, Second Edition by Mark Ciampa

Security+ Study Guide by Ido Dubrawsky, Jeremy Faircloth, Michael Gregg, and Eli Faskha

Security+ Certification for Dummies by Lawrence H. Miller and Peter H. Gregory

Security Administrator Street Smarts: A Real World Guide to CompTIA Security+ Skills by Michael Gregg and David Miller

CISM exam study guides

There are a few books in print that the CISM (Certified Information Security Manager) candidate can use as a study aid for the CISM exam.

CISM All-In-One Exam Guide by Peter H Gregory

CISM Review Manual 2007, 15th Ed. by ISACA

The CISM Prep Guide: Mastering the Five Domains of Information Security Management by Ronald L. Krutz and Russell Dean Vines

Complete Guide to CISM Certification by Thomas R. Peltier and Justin Peltier

CISA exam study guides

Five ways to keep current with security


In many organizations, security professionals have too much to do and too little time to do it in. Nevertheless, security professionals need to stay current: ours is a rapidly developing and changing profession. Current events often force us to re-think time-honored principles to make sure they still hold.

Spending 100% of your time doing security work in your organization may be good in the short-run, but it will hurt both you and your organization in the long-run. I recommend you recalibrate your priorities, to allow time to catch up and stay current. Follow these guidelines:

1. Spend 2-4 hours per week reading journals, articles, etc., on security processes and technology.

2. Spend time with vendors of security products and services; understand how their offerings work and how they might benefit your organization.

3. Spend time with department heads in the enterprise to understand how their departments work.

4. Accumulate a library of books on information security. The suggested reading lists from ISACA and ISC2 are good sources of good security books.

5. Go to conferences and other events where other security people attend. Talk with them and better understand how they protect their own businesses.