What if I have an MBA plus business management experience and am transitioning into cybersecurity? Would you recommend CISSP or CISM? Especially with no experience and just starting school?
That situation really doesn't impact the decision. Both certifications require experience in Cyber Security to get certified and to be honest, without any direct experience, you are going to have a hard time passing. I would highly recommend you check out my Getting Started page ( www.jongood.com/getting-started/ ) where I give you a road map of certifications and skills to learn. If you are trying to transition into management, the specialization part for you should consist of project management and more managerial-based certifications.
@@JonGoodCyber Hi Jon, I have similar type of an inquiry - would you happen to have an email address where I can communicate with you on my specific scenario? Thanks
@@bertranddias9887 For more specific scenarios, I highly recommend scheduling a career coaching session ( www.cybertrainingpro.com/p/career-coaching ). Otherwise, you can certainly leave a comment and I will respond as I am able.
Certifications are not the only thing you look for; there are membership fees associated with all the exams. And you need to plan accordingly, otherwise you will end up paying up to $1000 each year for annual memberships. For example, ISC2 membership is $125, ISACA $85 for non-members, CEH is $80, CompTIA is $50 for CE, Cisco is $60, and so on and so forth. So anyone who is planning to take multiple certs, make sure to keep this in mind. Select carefully or stick with one or two organizations.
Typically we get certifications because we see value in them to get us to the next level in our career (along with the salary bumps), so the maintenance fee isn't a concern. Usually the fee becomes a consideration when a certification comes up for renewal (or yearly) and you have to decide if you are still getting enough value from it. Some vendors like CompTIA, allow you to pay one fee for all your certifications, while other vendors like GIAC, require you to pay individually...also some vendors will allow you to pay your fees at the end of your three year cycle and some require it annually. There is nothing wrong with getting a certification to setup higher achievements and then letting it expire...it's the certification circle of life. I will also add that it's a lot more common to let technical certifications expire because of the ongoing maintenance of knowledge than it is for non-technical certifications.
Interesting perspective...I would definitely say like a lot of things that it depends. They both are useful but focus on different skill sets when it comes to Information Security / Cyber Security.
I attended both classes. CISM reshaped my approach to cybersecurity. Very relevant and practical for my job.
Hi, I have been a program/project manager in IT infra for the last 13 years. I do not have hands-on IT experience; however, I do get into details for troubleshooting and really enjoy learning nuances. My question is: can I go for CISSP?
Thanks. Having listened to you and Jai, CISM is better for me being a senior risk professional. I want CISM to boost my profile and extension into cyber and more on the management side rather than on the analytical side.
I'm glad that you enjoyed the video. One word of caution is to be careful avoiding too much technical training or certifications just because you work in risk or want to be a manager. I see that specific situation occasionally where we end up talking to a "risk professional" who can't accurately do their job because they don't understand what's truly happening. Also, have you looked at the CISA? It's a great pairing for working in risk or auditing.
Now I have the CISM certification and it indeed helped me a lot. Some say CISSP is the holy grail for an IT professional, but for me I think CISM is just as good as CISSP.
The CISSP and CISM each serve different purposes and aren't really equals. I've detailed many of the reasons in this video but there's probably more situations where the CISSP has value alone versus the CISM, specifically because what they cover and the target audience.
I know people who have been in similar situations. The CISSP should not be underestimated because there are a lot of factors that make it difficult, and they aren't just because of the material itself.
@@JonGoodCyber I personally took the CISSP and failed it, when it was 6 hrs. I would have taken it again really quickly, but I found out ISC2 has some ordeal where I cannot take it again for at least 30 days. Since then 2 other coworkers have taken it and failed with the new version. One of them is the one I was talking about. So I think my best option is to do the same thing and pursue the CISM, and eventually, within the year of getting my CISM, try for my CISSP again.
Most certifications have some type of "cooling off" period after a failed attempt but no question that the one for the CISSP is one of the least forgiving. The new version of the exam definitely has its challenges but there is nothing wrong with taking a break and then going after it again. Make sure you don't take too big of a break though because you don't want to forget what you've learned.
That can be extremely frustrating. Honestly one of the things that benefited me the most personally was that I've been in environments that gave me exposure to several of the domains, and industries that focus heavily on best practices. The more experience you get, typically the easier it SHOULD be.
That tends to be a very good learning environment because things usually are pretty strict. The CISM is good, however if you are in the DOD/military realm the CISSP is the most ideal. Even though the CISM is seen as similar, there is definitely a hierarchy with the CISSP being preferred if it's just for one certification.
For the CISM required work experience, it doesn't actually mean experience with the title of "manager", but more so just in the management of systems related to the domains, correct?
In my opinion, the verbiage on the experience requirement has always been a little bit ambiguous. With that being said, there are waivers to decrease the 5 year professional work experience requirement but then it specifically states "The experience substitutions will not satisfy any portion of the 3-year information security management work experience requirement." Given that phrasing, I've always taken that to mean direct management experience, which means you could be more of a technical manager (or similar) and not have direct reports. I would get the official stance from ISACA though because ultimately they make the final decision.
@@JonGoodCyber Thanks for the quick response. I just chatted with someone at ISACA and they gave me the scripted response that we can all read, and when I pushed for more clarity she said "As my previous message states, You must MANAGE Information Security. It does not refer to being a manager of people". So that sounds like you don't HAVE to be a "Manager", but just be involved with managing systems. I wish they would be more clear.
@@JonGoodCyber So after more pushing with the person I was chatting with, she said "You are required to be part of a team that manages information security, you are not required to be the leader of that team" I think that was best clarification yet.
That is definitely a better clarification to the requirement. Thank you for letting us know what ISACA said! In all honesty, I think the manager title is getting thrown around too much in general because I've seen titles like "risk manager" that are nothing more than an individual contributor like a security analyst.
I would very much love to sit for both, but the fact that I have to retain information from 8 CISSP domains is just insane. I will sit for CISM, thank you very much.
I'm not sure that I would say it's insane because both are meant for managers but you might be a low/mid level manager where the CISSP knowledge is required and you aren't actually leading the entire security program like with the CISM. Remember too that the eligibility requirements are different with the CISSP needing years of experience and the CISM requiring management experience.
I've been an IT project/program manager for the past 15 years. I've been working on security projects for the past 3 years and I'd like to solely work in Cyber Security by niching down into the risk/compliance space. I'm leaning more towards the CISM; what are your thoughts?
Do you already have a CISSP? I like the idea of the CISM along with CISA and CRISC (all great for governance/risk/compliance), but love it or hate it the CISSP is one of those certifications that people will still ask about so just be aware. In the U.S. defense sector the DOD 8570/8140 see the CISSP and CISM as equal but I'm not so sure that is the case in other industries. Also, do you have your PMP? Given your experience that would be the very first thing I would do if you don't already have it.
Jon Good oh yes, I'm already PMP and PMI-ACP (agile) certified. Right now I'm studying for the CompTIA Security+ for foundational knowledge to build up to the next exam. It looks like from your comment the CISSP is the more widely accepted industry standard certification, at least in the private sector.
Excellent! It definitely is interesting with the CISSP vs CISM debate. Beyond the information I give in the video, typically if employers have their choice of just one then they tend to prefer the CISSP. I think they both have their place because the focuses are different but if I had to guess it's because companies expect their security leaders to have broad knowledge across the different domains.
@@JonGoodCyber " broad knowledge across the different domains"... ding! ding! ding!... that's what I needed to hear. Thank you so much for taking time to respond. I really appreciate it!
I'm glad that you enjoyed the content! CISSP - www.isc2.org/certifications/cissp/cissp-experience-requirements CISM - support.isaca.org/s/article/What-are-the-requirements-to-become-CISM-certified
You can find all the information regarding the exam process on the ISC2 website ( www.isc2.org/exams ). In 2021, they piloted online exams but found they didn't live up to their standards, which probably means it was difficult to prevent cheating ( www.isc2.org/exams/online-proctor-pilot-test-faq ).
You would need to get four years of experience to qualify (includes a one year waiver for Security+). Of course ISC2 could always change the requirements but it's been that way for a while so I don't anticipate a change.
Hi Jon, I am an IAM specialist and currently have 3+ years of experience. I completed sec + and AZ-900 so far. I am worried that CISSP is too hard and after 6 months of studying, I won't be able to pass. Do you recommend me taking the CISM instead?
I recommend reviewing the comparison of the two certifications that I made this video and which one makes sense depending on the situation. Regarding studying for the CISSP, if you aren't feeling confident in the information or scoring very well on practice exams, then you might be better served by focusing on the areas that you're weak in and trying to improve that knowledge. For example, if you're weak in networking or network security, then looking at some additional certifications or training in those areas. Six months of studying for most certifications is definitely on the longer side, especially if you have never sat for the exam by that point.
@@JonGoodCyber Thank you Jon. My weakness is networking because I don't have any certs or experience in it. Do you think I should do a network cert, or would just studying networking concepts and understanding them thoroughly be enough? Is the CISSP more hands-on with networking questions?
I recommend grabbing my free eBook ( jongood.com/getstarted/ ) where I provide a roadmap of skills and certifications that can help prepare somebody for a successful Cyber Security career and for higher level certifications. As far as the CISSP goes, it covers a lot of information but not very deeply, so you don't have to be an expert in a lot of areas but you need to have broad knowledge. Also, the CISSP is focused on management-level decision making (high level) and not about hands-on-the-keyboard type activities (i.e. configuring a device).
Hi, as you said you can ask any question, so here it goes... I hold PMP and COBIT Foundation certifications, and in the past I worked for a microfinance bank as Head of IT (CTO); however, now I have moved to Oman and joined a commercial bank as Senior Project Manager. Please suggest what next certification I should be targeting for my career path (where I can get a good salary). A few examples are: cloud solution architect or CISM.
Which kinds of jobs are you looking to land? Your path is conflicting, as being a CIO is a very different path than the project management side of a company, and then you mention the CISM, which is a very different path than the other two.
@@JonGoodCyber Thank you for your reply. Yes, I agree with your concern about the conflict; however, when I was working as CIO I did not hold any certification (though I was holding a Master's in IT degree from a university in Pakistan). So I decided to do some professional certifications and hence completed PMP and COBIT. Now due to PMP I got a job in the Middle East and moved to Oman. Now what next certification should I be choosing? Regarding your question, what kind of job am I looking for? The answer is simple: one which pays well with my background and experience in the IT field :-). A job that pays well and has good demand in UAE, EU, USA, Canada, etc.
Your desired job path should always drive your choices and saying a path that "pays good" is simply too vague as that applies to just about anything in technology. For example, Cloud certifications would give you almost zero benefit in project management. I encourage you to pick the path that you realistically want to work towards so you have a direction to go but I'll give you some high-level ideas. If you're looking at high level leadership positions then something like the CISSP would be reasonable to show you have broad knowledge of security but I wouldn't probably go after the CISM unless you want to be a security leader. If you are interested in project management then looking at agile and scrum certifications is reasonable ( www.scrumalliance.org/get-certified ).
Hack The Box ( www.hackthebox.eu/ ) and Try Hack Me ( tryhackme.com/ ) are two of the most popular practice platforms to work on your skills at an affordable price. Try Hack Me has more instruction for learning than Hack The Box but both have pros and cons.
So I've been doing research on both of these, and from the sounds of it, maybe I'm not ready for them. I have been in the industry as an IT Auditor for 2 years now and want to make a transition to a second level of defense job in Information Security. However, I'm in a tough spot because my experience doesn't seem to be good enough to make a job transfer since I have been rejected from job applications for five months now. I figured getting a certification would help, but it seems like all the good ones are meant for high-level managerial type roles. I already have Security+ but it doesn't seem to do much and I have no interest in getting a CISA since I don't want to keep pursuing auditing. Does anyone have any advice on any other certs that could boost my resume and help my limited experience?
If you only have two years of experience, the CISSP and CISM are definitely not appropriate options just yet. Typically, a mid-level or level 2 type job requires somewhere in the ballpark of 2 to 5 years of experience in a directly applicable area. It's a little unclear on the type of role that you want, but if you are trying to transition from an IT Auditor to a more technical role like a SOC Analyst, your experience isn't exactly the same as if you spent 2 years in a SOC. Auditors typically have technical knowledge gaps to address to be considered qualified. Again, it depends on the type of role that you are trying to transition into, but there are plenty of certifications that you can pursue to make you more competitive. If you haven't seen Paul Jerimy's chart ( pauljerimy.com/security-certification-roadmap/ ), I highly recommend checking it out, and you might consider cloud certifications, but again, you haven't given enough context about your desired role, so it's hard to give a more specific direction. Also, remember that certifications are only one piece of the puzzle that makes you a competitive candidate.
It’s easy, go on indeed or any job site of your choice. Make sure to select the location of your choice. The one with the most hits win. Hint: it’s most likely CISSP.
I'm a huge fan of using job searches to identify trends in skills and certifications to pursue. It's probably one of the more underutilized searches when people are trying to improve their careers.
IMO, when it comes to recognition it's not as simple as doing job searches using keywords. On the surface, CISSP yields ~4x more jobs compared to other more recognizable high-level security certs like CISM or CASP+ (at the moment, on Indeed it's 2,014 for CASP+, 2,772 for CISM and 9,388 for CISSP). So the CISSP is way more recognizable and, therefore, should offer better ROI. That said, I've also seen CISSP being mentioned for positions where it doesn't make any sense. For example, companies looking for a pentester or application security engineer and the certs being listed are like GPEN, OSCP, eCPPT, CISSP, CEH. I mean, how is CISSP (or even CEH, for that matter) relevant here?? Or when you see in the same job posting Security+ and CISSP, and those two are literally on the complete opposite ends of the skills and experience spectrum. In other words, I think CISSP being so well known by (many times clueless) HRs around the world is what also inflates the numbers in favor of CISSP. When you see CISM being mentioned as a requirement or a nice-to-have, it usually makes sense (the position is about governance and management), while CISSP is all over the place, even when it doesn't make much or any sense. So that's that, my 2c being added to the pile.😁🍺
Using job searches to help identify certifications and trends in jobs is only a start point, not the entire source for a strategy. With more experience, the process becomes much easier to determine what makes sense or why a specific certification might be listed. That said, a job posting is what an employer is requesting so it's generally a bad idea to ignore the criteria that will be used to evaluate candidates...unless you really don't care about the job. To address your statement about the CISSP and Penetration Testing...I'm not really going to dive deep into the relevance that this can have, but understand that there can be expectations of how a penetration tester helps customers identify & resolve vulnerabilities at a broader level...it's rarely just about popping shells.
@@JonGoodCyber I generally agree; however, I think you misread/misunderstood my comment a bit. :) I'm saying that CISSP has no place in job postings for 100% technical positions, especially for pentesters. You can argue that a CISSP holder can understand and convey to others the importance of pentests and their place in the overall security testing picture, but if you're looking for *a penetration tester* (i.e. the doer, the one that's actually doing the testing and writing a report) then you want a *highly* technical person and certs that confirm _that_ (like OSCP, PNPT, eCPPTX...), not someone with a general understanding of how penetration testing works and why it is important. :) And being a pentester myself for the last 4 or so years, I agree: pentesting is actually _the least_ about popping shells (that's CTF, which is fun in its own way, but not a pentest :) and more about reporting on the posture of primarily technical controls in place. Anyway, thanks for the quality discussion! Cheers!🍺
I am definitely not saying that's the only credential. I've never heard of a penetration testing firm or job hiring somebody based on just a CISSP or some certification not directly related to a role unless they have a lot of street credibility. Generally, when postings are broad, the employer either doesn't know exactly what they want and/or they want to allow flexibility for cases that might not fit the exact traditional mold where they have other characteristics that make up for deficiencies. Making ideal job postings is an extremely difficult task where you can easily miss out on candidates by being too specific or getting overwhelmed with candidates because you aren't specific enough.
Hi Jon, I have 15 years of experience (12 in telecom, 3 in IT), and I have been in a management role for the last 10 years. I have PMP and CISSP (cleared recently). Should I go for CISM next (does it make it more worthwhile after having CISSP already, which is a management cert), or shall I go for CCSP (cloud is the in thing, more demand, going to stay for long; I already have the Solutions Architect cert from AWS)? Please help clarify.
What kind of management position are you in now? What kind of position do you want? In my opinion, the certifications and path that you've listed would be pulling in opposite directions (technical staff vs management).
Neither right now. I'm a little green for some of the requirements. I'm currently studying for the CompTIA Network+ and have my eyes on the CompTIA Security+ after that. I have definitely heard a lot more about the CISSP though. I'm currently a web/mobile developer with my eyes on CEH or PenTest+ and beyond!
Awesome! The biggest piece of advice that I can give is to stay flexible because there can be excellent opportunities that open their door to you if you can recognize them. Make sure to check out my free eBook ( jongood.com/getstarted/ ) that has a lot of great advice and Cyber Training Pro ( www.cybertrainingpro.com/ ) for training and career services that can help you get to where you want to go.
Infrastructure Supervisor with a Master's degree in wireless telecom and in the IT field for a decade now... going for CISM for sure, but the 3 years of security management will be an issue to resolve! If I sit for the test, will I also be an Associate for ISACA till I have my 3 years of security management experience?
I would check the domains to see if you managed any of those areas. There is typically a lot of overlap between IT and security even if your job isn't a full security job. There isn't an official "Associate for ISACA" designation like there is with (ISC)2, however they give you five years to get the experience needed once you pass. www.isaca.org/credentialing/cism/get-cism-certified
I would definitely start by grabbing a free copy of my eBook ( www.jongood.com/newsletter/ ) where I provide a certification and skill road map for Cyber Security. You might also consider looking at security certifications on Amazon AWS and Microsoft Azure if you happen to deal with those at your company.
Good info. I have pretty much all the CompTIA certs up to and including CASP+, and am debating between these two next. CASP+ is a LOT like CISSP in that it covers an absurd amount of ground, but doesn't get too far in the weeds. That may be easiest. But CISM looks like a better cert for my career path. Maybe I'll do both LMAO
The CISM is definitely much more focused on a small set of subjects when compared to the CISSP. Also, remember that the experience requirements are different for both certifications to match the intended audience.
CASP+ is more technical, right? Did you have a prior cert like CySA+ or PenTest+ before taking CASP+? I don't see many job postings with CASP+ though. I want to take the CISSP. What do you recommend?
@@myway8950 I had a few certs, the highest from CompTIA was Sec+ though, until CASP+. I'm about to take my CISM test, and I can tell you that it's much less technical than CASP+. I had Linux labs on the CASP test, for crying out loud, lol.
@@nukeim Oh wow. 😮 Is it better to take CISM before CISSP or vice versa? Does it matter as much? I am worried I won't pass the CISSP because it's very difficult, but with CISM I have chances.
Jon Good @ I'm planning for CISSP. I'm 36 yrs old and I've got 9+ years of experience in IT security. I didn't get anything from this video to decide. All this basic info is already part of the requirements of the certification. Please can you tell me, how do I decide which certificate I should do?
I asked questions and gave information that you need to evaluate starting at 5:43 till the end of the video so what were your answers? Those will help me give you guidance.
For specific questions on eligibility, you will want to reach out to ISACA or ISC2 to get confirmation. However, based on what I see on the websites as of today:
- CISSP: No experience waiver since your degree isn't Information Security
- CISM: Two year waiver because it's a related post-graduate degree (does not count towards required management experience)
www.isc2.org/Certifications/CISSP/experience-requirements
www.isaca.org/credentialing/cism/get-cism-certified
@@JonGoodCyber Last time, I passed the SSCP. I have a Master of MIS degree, and they accepted my degree as 1 year of experience. Because not all domains of CISSP or SSCP are about infosec directly, MIS is about managing information systems, and as it is about managing, you also manage the security part of it. I think we should not read what they write there as a hard statement.
I'm not arguing the fact that an MIS is related to the domains because they clearly are linked and don't act in isolation from each other in the real world. The unfortunate part is that certifications that have experience requirements, frequently can be vague when it comes to situations that don't match exactly. Currently for waivers the ISC2 website says " _hold a four-year college degree or regional equivalent or an advanced degree in information security_ " which really could go either way depending on how it's interpreted. All of these reasons are why sometimes it's better to direct you straight to the decision maker, ISC2 or ISACA in this case, to get an official answer since I won't be the one approving or denying the application.
The CISM has an experience requirement to get certified so although you can pass the exam, you are a long ways from meeting the requirement. I would start with something like the Security+ and get the fundamentals down first.
Hello Jon, I am an experienced project manager already, PMP certified, and keen to get into InfoSec / CyberSec. I have a good understanding of technology and information security as well, with an instance of implementation of ISO 27001 and ISO 20000, and besides that I am also familiar with ITIL. Could you recommend between CISM and CRISC?
Without knowing more about your experience it's hard to tell if you would meet the experience requirement because if you were just managing projects, it might not be enough to qualify you. I typically recommend that everybody follow my eBook's roadmap ( www.jongood.com/getstarted/ ) to make sure that you have a solid foundation before going for the higher level certifications. Specifically with the CISM and CRISC, if you have the experience then I recommend this order: CISSP...CISM...CRISC. For full transparency though, it depends on your experience and knowledge level, and the types of positions that interest you. Since you've been dealing with frameworks and compliance requirements, you might also look at the CISA which is a really good fit in the GRC space.
Hey Jon, I seriously need advice on my career move. I am a 43 year old female and have over 15 years of experience in IT service delivery and project management in the aviation industry. I do have certifications like PMP, ITIL, CCNA, MCSD. I want to transition to the security field. Please could you advise what certification would be best for me considering the pre-requisites. Thank you in advance.
What exactly do you want to do in security? We need project managers like anybody and with the PMP, you probably could fairly easily transition but if you want to be technical then you are going to have to build up your technical knowledge.
Thanks Jon for your prompt reply. I have no clue what I should do in security. I have been made redundant, and since then most of the job opportunities are in the security field. I was wondering whether maybe this is the right time to transition into this field. Any advice? Right now I am just evaluating my options. I don't have the experience per se; I did some penetration testing for some applications.
I would start by grabbing a copy of my eBook on Cyber Security careers ( www.jongood.com/newsletter/ ). In the eBook I provide a road map of what I recommend people learn to set them up for success. It's possible you already have some of that knowledge, but if not it will help get you on the right path. I would also research some different security roles to see what sounds interesting. Since project management is typically a pretty flexible job, keep in mind that the closer you are to operations jobs, the more strict the job requirements are (work hours, location, etc.).
Hi Jon Good, I am going to college this year, so is it better to get a bachelor's degree in computer science? Or do you think you can study computer stuff like programming and cyber security by yourself and with the help of certifications, with no need to get a bachelor's degree in computer science, and it is better to get a bachelor's degree in something that I can't study by myself, like accounting or logistics?
You should get a degree in a subject that you enjoy learning and would like to work in that area. With that being said, there are plenty of people who don't have computer science degrees working in Cyber Security.
@@JonGoodCyber Do you think it will be a smart move if I get a bachelor's degree in accounting or logistics and then go for cyber security certifications, so if anything goes wrong with my computer career, like I don't have the time or money for certifications, I can easily switch to being an accountant or in logistics? Or is it better to get a bachelor's degree in computer science?
Again, you should study what you enjoy learning. I don't know anything about logistics but accounting and computer science are both quality areas to work with high demand. A lot of accountants that shift to technology type jobs frequently become auditors. Why don't you take a class or two of each and see if you enjoy it? Ultimately I can't decide which one you like more...you have to decide.
Ibrahim hinai10 Maybe try to get a degree in IT Management? You'll learn both the business side and the IT side. I'm currently pursuing a degree in that right now.
I recommend checking out the video I just did on GRC certifications ( ua-cam.com/video/6wLL4taItQ8/v-deo.html ). Unfortunately the CEH isn't really in high demand for the GRC space but the certifications that I list will be helpful.
I'm glad that you enjoyed the content! In regards to your question, the CISSP will make sure you have a broad base of knowledge in Information Security, the PMP makes sure that you know how to manage projects, and the CISM teaches you how to actually run a security program. As you can see based on the focus of each certification, you aren't really overlapping a lot of the content and if you want to be in management then it's a good idea to pursue the CISM.
Just got my Sec+ and thinking about getting the CISSP exam taken care of next. I'll have the Assoc. CISSP but will definitely get a job in Cyber very soon to satisfy the years of experience requirement.
Congratulations! I typically don't recommend anybody going for the CISSP until at least around the 3.5 year mark because there are far better return options until you can qualify to get endorsed (example cloud certifications). To be honest, the exam is also a challenge because it's meant for managers who can make decisions based on broad knowledge and experience, which you won't have if you try to take the exam very early. Additionally, there is no "Associate CISSP" title because if you pass your title becomes "Associate of ISC2" and per ISC2 you aren't even supposed to list the CISSP in any form (because you aren't one without the experience and endorsement). The CISSP is a valuable certification in the market but only when you have the experience and get officially endorsed. I would recommend grabbing a free copy of my eBook ( www.jongood.com/getting-started/ ) to get a roadmap which includes certifications and skills to work towards.
@@JonGoodCyber I will grab your free ebook. I think it might help me as well. I have a degree in cybersecurity and 3 years of experience as a DB. I am planning on taking Security+ next month, so I am confused about which cert to take after that. My goal is to become a cybersecurity auditor. Any advice or recommendations?
I'm guessing you might need to improve your knowledge on some areas if you haven't worked in other technology jobs but it really depends on what you want to do or like doing.
Hi Jon, I have 13+ years of experience, of which 5 years were in IT Quality with a bank and then 5 years of experience in IT companies. I have done ITIL and ISO 27k LA. I am currently working with a leading bank in the US. Which certification should I do, CISA or CISM?
What exactly is your end goal? Based on the limited information that you provided, the CISM doesn't really fit into the kinds of roles that I would expect you to pursue and the CISA or PMP would be much more likely to fit your ideal job.
@@JonGoodCyber Currently I am working as a GRC consultant and take care of the Risk Register, Vulnerability Management / Security Incident Management, Certificate Management, SLA Reports, Training Monitoring, support when external audits happen, periodically checking that all the ISMS controls are implemented, DLP, DR, etc. Thanks
Hey, as checked, the CISSP cost is US $749. Is that the total cost for getting the complete certificate, or is there an additional cost like registration or applying for the certificate after completing the CISSP?
ISC2 does not currently charge an application fee but they will make you pay your first Annual Maintenance Fee once you get approved. You can find the full details on their website ( www.isc2.org/Endorsement ).
Currently I have been in an engineering role for 8 years with security experience, but I want to transition into management. I completed the CompTIA Security+ exam. Can I take the CISM now and then plan for the CISSP?
Are you trying to move into security management specifically? If so, does your experience include a dedicated security role or just partial responsibilities? The reason why I'm asking is because usually security managers come from within the security ranks and not directly from other areas like IT. Either way, for your situation the CISSP sounds like a better first step.
Thank you. I have been working as an IT Pro with more than 15 years of experience. I have good knowledge of security but don't have a cyber security cert. Which one do you recommend, as there are a lot of players in the market?
Are you trying to change jobs or what is your overall objective? What kinds of jobs have you done before? Which IT certifications do you currently have?
I would look at either the Azure Security Engineer Associate or the AWS Security Specialty. From there you might look at either the CISSP or a project management certification like the PMP so you have a high level certification since with that much experience, you'll tend to have higher responsibility roles.
Getting the CISSP needs to be on every security professional's career development plan if they want to reach the highest level possible. Even as penetration testers advance in their career, it becomes valuable even if it's just to have better appeal to clients.
Hi Jon, thank you for the video. I have experience on sox itgc, but I don't know what certificate would be preferable for my experience. If you help me on that would be appreciated.
Which types of jobs are you looking at? Auditing jobs would be best matched with the CISA from ISACA but if you are looking to transition more into cyber security, the CISSP would be a good place to go if you already have the foundational knowledge.
Hi John, I am actually thinking of a new career, and here I am thinking between CISSP or AWS, cloud or security. I am 40, and because of COVID19 I might lose my job very soon, and I am thinking about what would be the best to go for. I don't mind spending days and nights studying, but I would like to learn something that I know will give me a good job. I don't want to waste my time. I am in London; please let me know, thanks (good video).
Are you in IT right now or starting from scratch? I would grab a copy of my eBook ( www.jongood.com/newsletter/ ) and look at the certification path provided. If you are just starting out, you are several years from being able to get CISSP certified, let alone pass the exam. Both cloud and security are rewarding careers but I'm not sure what you mean by waste your time. Also, if you are just starting out you definitely won't be walking in making the big bucks because there is a lot to learn.
Hello Jon, hope you are doing good. I completed my UG in Electronics and Communication Engineering and have 4 years of experience in DevOps and information security engineering, and now I am pursuing a PG program in Cyber Security. So which one will be good for me if I prefer managerial roles?
If you are in the U.S. then I recommend one of the NSA National Centers for Academic Excellence ( www.nsa.gov/Academics/Centers-of-Academic-Excellence/ ). If you are outside of the U.S., I would try to find programs that follow a similar curriculum. Specifically for management roles, you would want to find a program that is more concerned with the policy and strategy side of things instead of some of the more technical programs.
My courses are available on my website ( www.jongood.com/courses/ ). Some of the advanced courses (CISSP, etc.) are being developed as time permits but you get access to everything with a membership.
Hey Jon, what's best for a fresher? I have a bachelor's degree in engineering and I'm looking forward to starting my career in cybersecurity. Currently I have no experience. Which certification would you recommend?
I would check out my Getting Started page ( www.jongood.com/getting-started/ ) for resources that go in-depth on all the information you need to kick off your journey.
How does your experience compare to the requirements ( www.isaca.org/credentialing/cism/get-cism-certified )? You need experience in the domains as well as information security management experience to qualify. Based specifically on what you have said, you probably do not qualify for the certification but even then you might be ok to take the exam and try to switch into a management role. Eventually you would have the experience and could qualify.
The technical knowledge requirement to be an IT project manager is pretty low because it isn't the same skillset. If you are interested in project management look at certifications like the PMP (Project Management Professional) and CSM (Certified Scrum Master).
You might try looking at your resume because based on those facts, I would think that you qualify for a lot of PM jobs. Are your bullets measurable (i.e. including rough budgets for projects, etc.)? Does your resume read like you want to be a PM?
Did you have experience managing projects as another role? The PMP has an experience requirement to get certified, so there has to be something you can list. I would look for entry level PM jobs because they definitely exist and that way you can build up your experience.
Hi Jon, thanks for the video. I have more than 10 years of telco experience as a project coordinator, business analyst, and assistant project manager (not in risk management/cyber security). I am planning to switch to cyber security and as a first step recently passed my CRISC. I am a non-technical person, more into business and management. I would appreciate it if you could help me select CISM or CISSP as my next target. Thanks
Honestly, both would be very challenging for you because it doesn't sound like you have any background in the domains. Also, I'm not sure that you could even qualify at least given the job titles you listed and what those typically involve. I would watch my video on a non-technical path to the CISSP ( ua-cam.com/video/XQTY1Da2DJE/v-deo.html ) to give you an idea of certifications. I would consider the CISM after that path. Also, do you have your PMP? If not, you need to make that a high priority because that will help in the long run.
@@JonGoodCyber Thanks for your reply. Yeah, I have done PMP, ITIL and now CRISC, and as mentioned earlier I am just planning to get a new start in risk/cyber security. I have some generic risk management experience like risk identification, setting up risk appetite and thresholds through workshops, and setting up risk management guidelines (but it's non-technical). The goal is to gradually move into cyber security, and I would appreciate it if you could suggest what the next step would be.
I would check out the video from my previous response...I also have a technical path if you are interested but you need some of that foundational knowledge even if you aren't going to be in a technical role. After that, I would also aim to get all of the ISACA certifications (CISA, CISM, CGEIT) at some point down the road because they are geared much more towards the non-technical side. Once you get out of the certifications I go over in the video, ISACA has the majority of non-technical certifications that currently exist or at least they are the heavy hitters.
Appreciate you, sir, good content. Sir, if I do the CISM, CISA, CISSP and Security+ courses, what would the job field be for an international student in the USA, although my major is electrical and computer engineering, sir? My interest is cybersecurity, sir. Thank you for your time, sir.
I recommend grabbing my free eBook ( jongood.com/getstarted/ ), which includes a roadmap of skills and certifications that you should pursue. Once complete, you'll have a good foundation and a better idea of the types of work that you would like to dive deeper into and the relevant certifications.
It really comes down to your goals because although knowledge is good, having both might not be the most effective path for everybody. With that being said it wouldn't hurt somebody if they were to get both.
Q: I am a systems Engineer and want to go into Cyber security... Which are the steps I should take? I'm brand new to this. Btw just came upon your channel... Like it so far! Awesome content
I recommend checking out my Getting Started page and grabbing my free eBook ( jongood.com/getstarted/ ) where I break down the skills and certifications to pursue. Also, I'm glad that you are enjoying the content!
Of course the CISSP is way better than the CISM, if we are talking about real security stuff and knowledge. If a company has value itself (like Google, Microsoft, Apple, and any other big one), they will definitely value your real knowledge first, and only then papers. As a manager, it is important to know your stuff. And as ISACA will check anyway whether or not you have enough experience as a manager, the CISM will not give you additional value, as you ALREADY have experience as a manager. But with the CISSP, you may work in one field of Information Security, and having the CISSP will prove that you have at least knowledge about different domains. You can of course pass the CISM, but I know guys who work as infosec managers and cannot differentiate a digital signature from a digital certificate... Learn your stuff, at least in theory. How are you going to manage things that you have no idea how they work?
I can make arguments for or against any certification and the value that it brings to the table, but I disagree that simply having experience in a role automatically provides you with the experience or knowledge that you actually need. It is very hard to know everything on any certification, let alone execute on everything for the relevant jobs. The value is and always will be tied to how relevant the certification is to the job you hold or that you are seeking.
I'm glad that you enjoyed the content!
CISSP - www.isc2.org/certifications/cissp/cissp-experience-requirements
CISM - support.isaca.org/s/article/What-are-the-requirements-to-become-CISM-certified
CISSP Study Resources:
-My CISSP Training Course: www.jongood.com/product/isc2-cissp/
-Official CISSP CBK: amzn.to/2THCPhy
-Official CISSP Study Guide: amzn.to/369BT7Z
-Eleventh Hour CISSP: amzn.to/2Rfavl4
CISM Study Resources:
-CISM Review Manual: amzn.to/3gfe4kG
-CISM Review Questions: amzn.to/2ZvdRTV
That's great. Thanks Jon for your prompt response
I have both, CISM has more value on the job market. CISSP has more respect.
Interesting perspective...I would definitely say like a lot of things that it depends. They both are useful but focus on different skill sets when it comes to Information Security / Cyber Security.
I attended both classes. CISM reshaped my approach to cybersecurity. Very relevant and practical for my job.
How is it possible for a less respected certification (CISM) to be more valuable than the more respected one (CISSP)? Supply and demand?
@@equalizer3320 Because CISM has a managerial aspect versus CISSP being more technical, by perception
Hi, I have been a program/project manager in IT infra for the last 13 years. I do not have hands-on IT experience; however, I do get into the details for troubleshooting and really enjoy learning the nuances. My question is: can I go for the CISSP?
Thanks. Having listened to you and Jai, CISM is better for me being a senior risk professional. I want CISM to boost my profile and extension into cyber and more on the management side rather than on the analytical side.
I'm glad that you enjoyed the video. One word of caution is to be careful avoiding too much technical training or certifications just because you work in risk or want to be a manager. I see that specific situation occasionally where we end up talking to a "risk professional" who can't accurately do their job because they don't understand what's truly happening. Also, have you looked at the CISA? It's a great pairing for working in risk or auditing.
Now I have the CISM certification and it indeed helped me a lot. Some say the CISSP is the holy grail for an IT professional, but for me I think the CISM is just as good as the CISSP.
The CISSP and CISM each serve different purposes and aren't really equals. I've detailed many of the reasons in this video, but there are probably more situations where the CISSP has value alone versus the CISM, specifically because of what they cover and the target audience.
Going for the CISSP first, then CISM. Thanks for the information!
Awesome strategy...good luck!
I have a co-worker who attempted the CISSP at least twice and then went for the CISM and passed the first time. And is now going for the CISSP again.
I know people who have been in similar situations. The CISSP should not be underestimated because there are a lot of factors that make it difficult, and they aren't just because of the material itself.
@@JonGoodCyber I personally took the CISSP and failed it, when it was 6 hrs. I would have taken it again really quickly, but I found out isc2 has some ordeal that I cannot take it again for at least 30 days. Since then 2 other coworkers have taken it and failed with the new version. One of them is the one I was talking about. So I think my best option is to do the same thing and pursue the CISM and eventually within the year of getting my CISM try for my CISSP again.
Most certifications have some type of "cooling off" period after a failed attempt but no question that the one for the CISSP is one of the least forgiving. The new version of the exam definitely has its challenges but there is nothing wrong with taking a break and then going after it again. Make sure you don't take too big of a break though because you don't want to forget what you've learned.
UA-cam Algorithm Comment: I tested for the CISSP twice and just can't get over the amount of information they expect people to retain.
That can be extremely frustrating. Honestly one of the things that benefited me the most personally was that I've been in environments that gave me exposure to several of the domains, and industries that focus heavily on best practices. The more experience you get, typically the easier it SHOULD be.
@@JonGoodCyber I was in the military doing mostly cyber plans and programs. It may benefit me just to pursue the CISM.
That tends to be a very good learning environment because things usually are pretty strict. The CISM is good, however if you are in the DOD/military realm the CISSP is the most ideal. Even though the CISM is seen as similar, there is definitely a hierarchy with the CISSP being preferred if it's just for one certification.
You got to be IT
Great video, thanks. So from what I know now, I should be aiming for CISM due to the managerial side.
Glad it was helpful!
Thanks John! very informative video.
Glad you enjoyed it!
Your time is appreciated.
No problem!
Already have the CISSP; test for the CISM in two weeks. Thanks for the video.
Best of luck!
@Tomáš Rakuščinec how was it?
Hi Jon, can you please advise providers and/or courses for CISM?
All of my recommendations for the CISM can be found on my website: jongood.com/resources/certifications/isaca/cism/
For the CISM required work experience, it doesn't actually mean experience with the title of "manager", but more so just in the management of systems related to the domains, correct?
In my opinion, the verbiage on the experience requirement has always been a little bit ambiguous. With that being said, there are waivers to decrease the 5 year professional work experience requirement but then it specifically states "The experience substitutions will not satisfy any portion of the 3-year information security management work experience requirement." Given that phrasing, I've always taken that to mean direct management experience, which means you could be more of a technical manager (or similar) and not have direct reports. I would get the official stance from ISACA though because ultimately they make the final decision.
@@JonGoodCyber Thanks for the quick response. I just chatted with someone at ISACA and they gave me the scripted response that we can all read, and when I pushed for more clarity she said "As my previous message states, You must MANAGE Information Security. It does not refer to being a manager of people". So that sounds like you don't HAVE to be a "Manager", but just be involved with managing systems. I wish they would be more clear.
@@JonGoodCyber So after more pushing with the person I was chatting with, she said "You are required to be part of a team that manages information security, you are not required to be the leader of that team"
I think that was best clarification yet.
That is definitely a better clarification to the requirement. Thank you for letting us know what ISACA said! In all honesty, I think the manager title is getting thrown around too much in general because I've seen titles like "risk manager" that are nothing more than an individual contributor like a security analyst.
I would very much love to sit for both, but the fact that I have to retain information from 8 CISSP domains is just insane. I will sit for the CISM, thank you very much.
I'm not sure that I would say it's insane because both are meant for managers but you might be a low/mid level manager where the CISSP knowledge is required and you aren't actually leading the entire security program like with the CISM. Remember too that the eligibility requirements are different with the CISSP needing years of experience and the CISM requiring management experience.
I've been an IT project/program manager for the past 15 years. I've been working on security projects for the past 3 years and I'd like to solely work in Cyber Security by niching down into the risk/compliance space. I'm leaning more towards the CISM; what are your thoughts?
Do you already have a CISSP? I like the idea of the CISM along with CISA and CRISC (all great for governance/risk/compliance), but love it or hate it the CISSP is one of those certifications that people will still ask about so just be aware. In the U.S. defense sector the DOD 8570/8140 see the CISSP and CISM as equal but I'm not so sure that is the case in other industries. Also, do you have your PMP? Given your experience that would be the very first thing I would do if you don't already have it.
Jon Good oh yes, I'm already PMP and PMI-ACP (agile) certified. Right now I'm studying for the CompTIA Security+ for foundational knowledge to build up to the next exam.
It looks like from your comment the CISSP is the more widely accepted industry standard certification, at least in the private sector.
Excellent! It definitely is interesting with the CISSP vs CISM debate. Beyond the information I give in the video, typically if employers have their choice of just one then they tend to prefer the CISSP. I think they both have their place because the focuses are different but if I had to guess it's because companies expect their security leaders to have broad knowledge across the different domains.
@@JonGoodCyber " broad knowledge across the different domains"... ding! ding! ding!... that's what I needed to hear. Thank you so much for taking time to respond. I really appreciate it!
Not a problem! I'm glad to help.
I have CISSP and want to get CISM and would like to transition to management.
Awesome...good luck!
Hey! Great video. Where can I find out if my degree is a qualifying degree?
I'm glad that you enjoyed the content!
CISSP - www.isc2.org/certifications/cissp/cissp-experience-requirements
CISM - support.isaca.org/s/article/What-are-the-requirements-to-become-CISM-certified
One question: does the CISSP test need to be taken by going directly to an office, or can the test be taken the same way as for a PMP certification?
You can find all the information regarding the exam process on the ISC2 website ( www.isc2.org/exams ). In 2021, they piloted online exams but found they didn't live up to their standards, which probably means it was difficult to prevent cheating ( www.isc2.org/exams/online-proctor-pilot-test-faq ).
I have a Bachelor's Degree in IT: Software Design and I have Security+ Certification.... what would be required for CISSP or CISM?
You would need to get four years of experience to qualify (includes a one year waiver for Security+). Of course ISC2 could always change the requirements but it's been that way for a while so I don't anticipate a change.
Hi Jon, I am an IAM specialist and currently have 3+ years of experience. I completed sec + and AZ-900 so far. I am worried that CISSP is too hard and after 6 months of studying, I won't be able to pass. Do you recommend me taking the CISM instead?
I recommend reviewing the comparison of the two certifications that I made in this video and which one makes sense depending on the situation. Regarding studying for the CISSP, if you aren't feeling confident in the information or scoring very well on practice exams, then you might be better served by focusing on the areas that you're weak in and trying to improve that knowledge. For example, if you're weak in networking or network security, then look at some additional certifications or training in those areas. Six months of studying for most certifications is definitely on the longer side, especially if you have never sat for the exam by that point.
@@JonGoodCyber Thank you, Jon. My weakness is networking because I don't have any certs or experience in it. Do you think I should do a network cert, or would just studying networking concepts and understanding them thoroughly be enough? Is the CISSP more hands-on with networking questions?
I recommend grabbing my free eBook ( jongood.com/getstarted/ ) where I provide a roadmap of skills and certifications that can help prepare somebody for a successful Cyber Security career and for higher level certifications. As far as the CISSP goes, it covers a lot of information but not very deeply, so you don't have to be an expert in a lot of areas but you need to have broad knowledge. Also, the CISSP is focused on management-level decision making (high level) and not on hands-on-the-keyboard type activities (i.e. configuring a device).
Hi, as you said you can ask any question, so here it goes...
I hold PMP and COBIT Foundation certifications, and in the past I worked for a Microfinance Bank as Head of IT (CTO); however, I have now moved to Oman and joined a commercial bank as Senior Project Manager.
Please suggest which certification I should target next for my career path (where I can get a good salary). A few examples are: cloud solution architect or CISM.
Which kinds of jobs are you looking to land? Your path is conflicting, as being a CIO is a very different path than the project management side of a company, and then you mention the CISM, which is a very different path than the other two.
@@JonGoodCyber Thank you for your reply. Yes, I agree with your concern about the conflict; however, when I was working as CIO I did not hold any certification (although I was holding a Masters in IT degree from a university in Pakistan). So I decided to do some professional certifications and hence completed PMP and COBIT. Now, due to the PMP, I got a job in the Middle East and moved to Oman. Now which certification should I be choosing next?
Regarding your question about what kind of job I am looking for, the answer is simple: one which pays well with my background and experience in the IT field :-). A job that pays well and has good demand in the UAE, EU, USA, Canada, etc.
Your desired job path should always drive your choices and saying a path that "pays good" is simply too vague as that applies to just about anything in technology. For example, Cloud certifications would give you almost zero benefit in project management. I encourage you to pick the path that you realistically want to work towards so you have a direction to go but I'll give you some high-level ideas. If you're looking at high level leadership positions then something like the CISSP would be reasonable to show you have broad knowledge of security but I wouldn't probably go after the CISM unless you want to be a security leader. If you are interested in project management then looking at agile and scrum certifications is reasonable ( www.scrumalliance.org/get-certified ).
Sir i think I should go with OSCP
The OSCP is definitely a highly regarded certification. Are you trying to get into Penetration Testing?
@@JonGoodCyber Yes, can you suggest what other things can be done in Penetration Testing?
Hack The Box ( www.hackthebox.eu/ ) and Try Hack Me ( tryhackme.com/ ) are two of the most popular practice platforms to work on your skills at an affordable price. Try Hack Me has more instruction for learning than Hack The Box but both have pros and cons.
So I've been doing research on both of these, and from the sounds of it, maybe I'm not ready for them. I have been in the industry as an IT Auditor for 2 years now and want to make a transition to a second level of defense job in Information Security. However, I'm in a tough spot because my experience doesn't seem to be good enough to make a job transfer since I have been rejected from job applications for five months now. I figured getting a certification would help, but it seems like all the good ones are meant for high-level managerial type roles. I already have Security+ but it doesn't seem to do much and I have no interest in getting a CISA since I don't want to keep pursuing auditing.
Does anyone have any advice on any other certs that could boost my resume and help my limited experience?
If you only have two years of experience, the CISSP and CISM are definitely not appropriate options just yet. Typically, a mid-level or level 2 type job requires somewhere in the ballpark of 2 to 5 years of experience in a directly applicable area. It's a little unclear on the type of role that you want, but if you are trying to transition from an IT Auditor to a more technical role like a SOC Analyst, your experience isn't exactly the same as if you spent 2 years in a SOC. Auditors typically have technical knowledge gaps to address to be considered qualified. Again, it depends on the type of role that you are trying to transition into, but there are plenty of certifications that you can pursue to make you more competitive. If you haven't seen Paul Jerimy's chart ( pauljerimy.com/security-certification-roadmap/ ), I highly recommend checking it out, and you might consider cloud certifications, but again, you haven't given enough context about your desired role, so it's hard to give a more specific direction. Also, remember that certifications are only one piece of the puzzle that makes you a competitive candidate.
It's easy: go on Indeed or any job site of your choice. Make sure to select the location of your choice. The one with the most hits wins. Hint: it's most likely CISSP.
I'm a huge fan of using job searches to identify trends in skills and certifications to pursue. It's probably one of the more underutilized searches when people are trying to improve their careers.
IMO, when it comes to recognition it's not as simple as doing job searches using keywords. On the surface, CISSP yields ~4x more jobs compared to other more recognizable high-level security certs like CISM or CASP+ (at the moment, on Indeed it's 2,014 for CASP+, 2,772 for CISM and 9,388 for CISSP). So the CISSP is way more recognizable and, therefore, should offer better ROI.
That said, I've also seen CISSP being mentioned for positions where it doesn't make any sense. For example, companies looking for a pentester or application security engineer, and the certs being listed are like GPEN, OSCP, eCPPT, CISSP, CEH. I mean, how is CISSP (or even CEH, for that matter) relevant here?? Or when you see in the same job posting Security+ and CISSP, and those two are literally on the complete opposite ends of the skills and experience spectrum. In other words, I think CISSP being so well known by (many times clueless) HRs around the world is what also inflates the numbers in favor of CISSP. When you see CISM being mentioned as a requirement or a nice-to-have, it usually makes sense (the position is about governance and management), while CISSP is all over the place, even when it doesn't make much or any sense.
So that's that - my 2c being added to the pile.😁🍺
Using job searches to help identify certifications and trends in jobs is only a starting point, not the entire source for a strategy. With more experience, the process becomes much easier to determine what makes sense or why a specific certification might be listed. That said, a job posting is what an employer is requesting, so it's generally a bad idea to ignore the criteria that will be used to evaluate candidates...unless you really don't care about the job. To address your statement about the CISSP and Penetration Testing...I'm not really going to dive deep into the relevance that this can have, but understand that there can be expectations of how a penetration tester helps customers identify & resolve vulnerabilities at a broader level...it's rarely just about popping shells.
@@JonGoodCyber I generally agree, however I think you misread/misunderstood my comment a bit. :) I'm saying that CISSP has no place in job postings for 100% technical positions, especially for pentesters. You can argue that a CISSP holder can understand and convey to others the importance of pentests and their place in the overall security testing picture, but if you're looking for *a penetration tester* (i.e. the doer, the one that's actually doing the testing and writing a report) then you want a *highly* technical person and certs that confirm _that_ (like OSCP, PNPT, eCPPTx...), not someone with a general understanding of how penetration testing works and why it is important. :) And being a pentester myself for the last 4 or so years, I agree - pentesting is actually _the least_ about popping shells (that's CTF, which is fun in its own way, but not a pentest :) and more about reporting on the posture of primarily technical controls in place.
Anyway, thanks for the quality discussion! Cheers!🍺
I am definitely not saying that's the only credential. I've never heard of a penetration testing firm or job hiring somebody based on just a CISSP or some certification not directly related to a role unless they have a lot of street credibility. Generally, when postings are broad, the employer either doesn't know exactly what they want and/or they want to allow flexibility for cases that might not fit the exact traditional mold where they have other characteristics that make up for deficiencies. Making ideal job postings is an extremely difficult task where you can easily miss out on candidates by being too specific or getting overwhelmed with candidates because you aren't specific enough.
Hi Jon, I have 15 years of experience (12 in Telecom, 3 in IT), and I have been in a management role for the last 10 years. I have PMP and CISSP (cleared recently). Should I go for CISM next (does it make it more worthwhile after already having the CISSP, which is a management cert), or shall I go for CCSP (cloud is the in thing, more demand, going to stay for long; I already have the Solutions Architect cert from AWS)? Please help clarify.
What kind of management position are you in now? What kind of position do you want? In my opinion, the certifications and path that you've listed would be pulling in opposite directions (technical staff vs management).
I love your content, Jon Good. Keep it coming, man.
Thanks, will do!
Thanks for the requested video. I have now decided what to choose.
You are welcome! I'm glad the video helped out.
Neither right now. I'm a little green for some of the requirements. I'm currently studying for the CompTIA Network+ and have my eyes on the CompTIA Security+ after that. I have definitely heard a lot more about the CISSP though. I'm currently a web/mobile developer with my eyes on CEH or PenTest+ and beyond!
Awesome! The biggest piece of advice that I can give is to stay flexible because there can be excellent opportunities that open their door to you if you can recognize them. Make sure to check out my free eBook ( jongood.com/getstarted/ ) that has a lot of great advice and Cyber Training Pro ( www.cybertrainingpro.com/ ) for training and career services that can help you get to where you want to go.
Infrastructure Supervisor with a Master's degree in Wireless Telecom, and in the IT field for a decade now. Going for CISM for sure, but the 3 years of security management will be an issue to resolve! If I sit for the test, will I also be an Associate for ISACA until I have my 3 years of security management experience?
I would check the domains to see if you managed any of those areas. There is typically a lot of overlap between IT and security even if your job isn't a full security job. There isn't an official "Associate for ISACA" designation like there is with (ISC)2, however they give you five years to get the experience needed once you pass. www.isaca.org/credentialing/cism/get-cism-certified
Hi Jon, which security certification is best for a Desktop Support Manager?
I would definitely start by grabbing a free copy of my eBook ( www.jongood.com/newsletter/ ) where I provide a certification and skill road map for Cyber Security. You might also consider looking at security certifications on Amazon AWS and Microsoft Azure if you happen to deal with those at your company.
Kaspersky
Thanks for sharing this valuable information 👍
You are welcome! I'm glad you enjoyed the video.
Good info. I have pretty much all the CompTIA certs up to and including CASP+, and am debating between these two next. CASP+ is a LOT like CISSP in that it covers an absurd amount of ground, but doesn't get too far in the weeds. That may be easiest. But CISM looks like a better cert for my career path.
Maybe I'll do both LMAO
The CISM is definitely much more focused on a small set of subjects when compared to the CISSP. Also, remember that the experience requirements are different for both certifications to match the intended audience.
@@JonGoodCyber yeah, I have the experience covered for both. I'm good there.
CASP+ is more technical, right? Did you have a prior cert like CySA+ or PenTest+ before taking CASP+? I don't see many job postings with CASP+ though. I want to take the CISSP. What do you recommend?
@@myway8950 I had a few certs, highest from CompTIA was Sec+ though, until CASP+.
I'm about to take my CISM test, and I can tell you that it's much less technical than CASP+. I had Linux labs on the CASP+ test, for crying out loud lol
@@nukeim oh wow. 😮 Is it better to take CISM before CISSP or vice versa? Does it matter that much? I am worried I won't pass the CISSP because it's very difficult, but with CISM I have a chance.
I have recently transitioned to Cyber Security.
What would be the best choice for me?
I recommend grabbing my free eBook ( jongood.com/getstarted/ ) where I have provided a roadmap of skills and certifications to pursue.
Beautifully explained. Will the EC-Council C-CISO certification help with a Senior Management role, or CISM? Please suggest.
Nobody cares about the C-CISO...it just occasionally gets publicity because it has CISO in the title.
Thanks
Jon Good @ I'm planning for CISSP. I'm 36 years old and I've 9+ years of experience in IT security. I didn't get anything from this video to decide. All this basic info is already part of the requirements of the certification. Please, can you tell me how I decide which certificate I should do?
I asked questions and gave information that you need to evaluate starting at 5:43 till the end of the video so what were your answers? Those will help me give you guidance.
@@JonGoodCyber thanks for the reply. I really appreciate that. :) I'm going for CISM since I'm already in a consulting and management role.
Awesome and good luck! I can definitely see a fit in that type of role.
Thanks for the video. Informative
Glad it was helpful!
Thanks, John Good. You are doing good, indeed.
Thanks for watching!
Q: If you have a MS in information systems, how much would that count for the experience requirement?
For specific questions on eligibility, you will want to reach out to ISACA or ISC2 to get confirmation. However based on what I see on the websites as of today:
-CISSP: No experience waiver since your degree isn't Information Security
-CISM: Two year waiver because it's a related post-graduate degree (does not count towards required management experience)
www.isc2.org/Certifications/CISSP/experience-requirements
www.isaca.org/credentialing/cism/get-cism-certified
@@JonGoodCyber Last time, I passed the SSCP. I have a Master of MIS degree, and they accepted my degree as 1 year of experience. Because not all domains of CISSP or SSCP are about infosec directly, MIS is about Managing Information Systems, and as it is about managing, you also manage the security part of it. I think we should not read what they write there as a hard statement.
I'm not arguing the fact that an MIS is related to the domains because they clearly are linked and don't act in isolation from each other in the real world. The unfortunate part is that certifications that have experience requirements, frequently can be vague when it comes to situations that don't match exactly. Currently for waivers the ISC2 website says " _hold a four-year college degree or regional equivalent or an advanced degree in information security_ " which really could go either way depending on how it's interpreted. All of these reasons are why sometimes it's better to direct you straight to the decision maker, ISC2 or ISACA in this case, to get an official answer since I won't be the one approving or denying the application.
I went to Votech for A+/N+, that field isn't going to get me a good wage, could I skip these and go right into CISM?
The CISM has an experience requirement to get certified so although you can pass the exam, you are a long ways from meeting the requirement. I would start with something like the Security+ and get the fundamentals down first.
Hello John, I am an experienced project manager already, PMP certified, and keen to get into InfoSec / CyberSec. I have a good understanding of technology and information security as well, with an instance of implementing ISO 27001 and ISO 20000, and besides that I am also familiar with ITIL. Could you recommend between CISM and CRISC?
Without knowing more about your experience it's hard to tell if you would meet the experience requirement because if you were just managing projects, it might not be enough to qualify you. I typically recommend that everybody follow my eBook's roadmap ( www.jongood.com/getstarted/ ) to make sure that you have a solid foundation before going for the higher level certifications. Specifically with the CISM and CRISC, if you have the experience then I recommend this order: CISSP...CISM...CRISC. For full transparency though, it depends on your experience and knowledge level, and the types of positions that interest you.
Since you've been dealing with frameworks and compliance requirements, you might also look at the CISA which is a really good fit in the GRC space.
@@JonGoodCyber Thanks John for your kind advice. I shall go through your eBook.
Hey Jon, I seriously need advice on my career move. I am a 43-year-old female with over 15+ years of experience in IT service delivery and project management in the aviation industry. I do have certifications like PMP, ITIL, CCNA, MCSD. I want to transition to the security field. Please could you advise what certification would be best for me considering the prerequisites? Thank you in advance.
What exactly do you want to do in security? We need project managers like anybody and with the PMP, you probably could fairly easily transition but if you want to be technical then you are going to have to build up your technical knowledge.
Thanks Jon for your prompt reply. I have no clue what I should do in security. I have been made redundant, and since then most of the job opportunities are in the security field. I was wondering whether maybe this is the right time to transition into this field. Any advice? Right now I am just evaluating my options. I don’t have the experience per se; I did some penetration testing for some applications.
I would start by grabbing a copy of my eBook on Cyber Security careers ( www.jongood.com/newsletter/ ). In the eBook I provide a road map of what I recommend people learn to set them up for success. It's possible you already have some of that knowledge, but if not it will help get you on the right path. I would also research some different security roles to see what sounds interesting. Since project management is typically a pretty flexible job, keep in mind that the closer you are to operations jobs, the more strict the job requirements are (work hours, location, etc.).
Got my CISSP last year. Now trying to go for my CISM.
Awesome...which resources are you going to use?
@@JonGoodCyber going to a week long CISM boot camp
Excellent and good luck! Did you use a boot camp for your CISSP?
@@JonGoodCyber Yes. I also had some help from another CISSP who also gave my recommendation.
Hi Jon Good,
I am going to college this year, so is it better to get a bachelor's degree in computer science, or do you think you can study computer stuff like programming and cyber security by yourself and with the help of certifications, with no need to get a bachelor's degree in computer science, and it is better to get a bachelor's degree in something that I can't study by myself, like accounting or logistics?
You should get a degree in a subject that you enjoy learning and would like to work in that area. With that being said, there are plenty of people who don't have computer science degrees working in Cyber Security.
@@JonGoodCyber do you think it will be a smart move if I get a bachelor's degree in accounting or logistics and then go for cyber security certifications, so if anything goes wrong with my computer career, like I don't have the time or money for certifications, I can easily switch to being an accountant or logistics, or is it better to get a bachelor's degree in computer science?
Again, you should study what you enjoy learning. I don't know anything about logistics but accounting and computer science are both quality areas to work with high demand. A lot of accountants that shift to technology type jobs frequently become auditors. Why don't you take a class or two of each and see if you enjoy it? Ultimately I can't decide which one you like more...you have to decide.
@@JonGoodCyber ok, thanks
Ibrahim hinai10 maybe try to get a degree in IT Management? You’ll learn both the business side and IT side. I’m currently pursuing a degree in that right now.
Hi John, I have 2 years of experience in cybersecurity, in the GRC domain. Which certification do you suggest I get (I have CEHv10)?
I recommend checking out the video I just did on GRC certifications ( ua-cam.com/video/6wLL4taItQ8/v-deo.html ). Unfortunately the CEH isn't really in high demand for the GRC space but the certifications that I list will be helpful.
I love your content. Question: would you find it beneficial to get the CISM certification if you already have a PMP and CISSP? Your thoughts?
I'm glad that you enjoyed the content! In regards to your question, the CISSP will make sure you have a broad base of knowledge in Information Security, the PMP makes sure that you know how to manage projects, and the CISM teaches you how to actually run a security program. As you can see based on the focus of each certification, you aren't really overlapping a lot of the content and if you want to be in management then it's a good idea to pursue the CISM.
Just got my Sec+ and thinking about getting the CISSP exam taken care of next. I'll have the Assoc. CISSP but will definitely get a job in Cyber very soon to satisfy the years of experience requirement.
Congratulations! I typically don't recommend anybody going for the CISSP until at least around the 3.5 year mark because there are far better return options until you can qualify to get endorsed (example cloud certifications). To be honest, the exam is also a challenge because it's meant for managers who can make decisions based on broad knowledge and experience, which you won't have if you try to take the exam very early. Additionally, there is no "Associate CISSP" title because if you pass your title becomes "Associate of ISC2" and per ISC2 you aren't even supposed to list the CISSP in any form (because you aren't one without the experience and endorsement). The CISSP is a valuable certification in the market but only when you have the experience and get officially endorsed. I would recommend grabbing a free copy of my eBook ( www.jongood.com/getting-started/ ) to get a roadmap which includes certifications and skills to work towards.
@@JonGoodCyber I will grab your free eBook. I think it might help me as well. I have a degree in cybersecurity and 3 years of experience as a DB. I am planning on taking Security+ next month, so I am confused about which cert to take after that. My goal is to become a cybersecurity auditor. Any advice or recommendations?
I'm guessing you might need to improve your knowledge on some areas if you haven't worked in other technology jobs but it really depends on what you want to do or like doing.
Hi Jon,
I have 13+ years of experience, of which 5 years in IT Quality with a bank, and then 5 years of experience in IT companies. I have done ITIL, ISO 27k LA. Currently working with a leading bank in the US. Which certification should I do, CISA or CISM?
What exactly is your end goal? Based on the limited information that you provided, the CISM doesn't really fit into the kinds of roles that I would expect you to pursue and the CISA or PMP would be much more likely to fit your ideal job.
@@JonGoodCyber Currently I am working as a GRC consultant and take care of the Risk Register, Vulnerability Management / Security Incident Management, Certificate Management, SLA Reports, Training Monitoring, support when an external audit happens, periodically checking that all the ISMS controls are implemented, DLP, DR, etc.
Thanks
Got it...yeah I think the CISA and PMP are a better fit. There would be some overlap into the CISM but I don't think it's the BEST option.
Hey, as checked, the CISSP cost is US $749. Is that the total cost for getting the complete certificate, or is there an additional cost as well, like registration or applying for the certificate after completing the CISSP?
ISC2 does not currently charge an application fee but they will make you pay your first Annual Maintenance Fee once you get approved. You can find the full details on their website ( www.isc2.org/Endorsement ).
Currently I have been in an engineering role for 8 years with security experience, but I want to transition into management. I completed the CompTIA Security exam. Can I take CISM now and then plan for CISSP?
Are you trying to move into security management specifically? If so, does your experience include a dedicated security role or just partial responsibilities? The reason why I'm asking is because usually security managers come from within the security ranks and not directly from other areas like IT. Either way, for your situation the CISSP sounds like a better first step.
Thank you. I have been working as an IT Pro with more than 15+ years of experience. I have good knowledge of security but don't have a cyber security cert. Which one do you recommend, as there are a lot of players in the market?
Are you trying to change jobs or what is your overall objective? What kinds of jobs have you done before? Which IT certifications do you currently have?
@@JonGoodCyber No, I am not planning to change the job. My current objective is to move towards the security domain. I have Azure and AWS certifications.
I would look at either the Azure Security Engineer Associate or the AWS Security Specialty. From there you might look at either the CISSP or a project management certification like the PMP so you have a high level certification since with that much experience, you'll tend to have higher responsibility roles.
CISSP is top cert in security field. Kind of like CCIE of security world. Unless you're pentester then Offensive Security certs rule.
Getting the CISSP needs to be on every security professional's career development plan if they want to reach the highest level possible. Even as penetration testers advance in their career, it becomes valuable, even if it's just to have better appeal to clients.
What about the CEH?
The CEH has a specific value to it but it's not intended for the same audience as the CISSP or CISM.
What is best?
Great question! Watch the video for the answer!
@@JonGoodCyber 🤣
Hi Jon, thank you for the video. I have experience in SOX ITGC, but I don't know what certificate would be preferable for my experience. If you could help me with that, it would be appreciated.
Which types of jobs are you looking at? Auditing jobs would be best matched with the CISA from ISACA but if you are looking to transition more into cyber security, the CISSP would be a good place to go if you already have the foundational knowledge.
Hi John, I am actually thinking of a new career, and here I am thinking between CISSP or AWS, cloud or security. I am 40, and because of COVID-19 I might lose my job very soon, and I am thinking about what would be the best to go for. I don't mind spending days and nights studying, but I would like to learn something that I know will give me a good job. I don't want to waste my time. I am in London. Please let me know, thanks (good video).
Are you in IT right now or starting from scratch? I would grab a copy of my eBook ( www.jongood.com/newsletter/ ) and look at the certification path provided. If you are just starting out, you are several years from being able to get CISSP certified, let alone pass the exam. Both cloud and security are rewarding careers but I'm not sure what you mean by waste your time. Also, if you are just starting out you definitely won't be walking in making the big bucks because there is a lot to learn.
Hello Jon, hope you are doing good. I completed my UG in Electronics and Communication Engineering and have 4 years of experience in DevOps and information security engineering, and now I am pursuing a PG program in Cyber Security. So which one will be good for me if I prefer managerial roles?
If you are in the U.S. then I recommend one of the NSA National Centers for Academic Excellence ( www.nsa.gov/Academics/Centers-of-Academic-Excellence/ ). If you are outside of the U.S., I would try to find programs that follow a similar curriculum. Specifically for management roles, you would want to find a program that is more concerned with the policy and strategy side of things instead of some of the more technical programs.
Ok, thank you Jon
does this guy have courses available?
My courses are available on my website ( www.jongood.com/courses/ ). Some of the advanced courses (CISSP, etc.) are being developed as time permits but you get access to everything with a membership.
Hey Jon, what's best for a fresher? I have a bachelor's in engineering degree and I'm looking forward to starting my career in cybersecurity. Currently I have no experience. Which certification would you recommend?
I would check out my Getting Started page ( www.jongood.com/getting-started/ ) for resources that go in-depth on all the information you need to kick off your journey.
Sec+, you’ll be 8570 compliant
I don't have experience. Can I apply for the certification?
Both allow you to take the exam before getting the required experience, however you can't actually apply until you satisfy the requirement.
Hi John,
I have more than 7 years of experience in the Network Engineer domain (firewall experience). Am I eligible for CISM? Kindly guide me...
How does your experience compare to the requirements ( www.isaca.org/credentialing/cism/get-cism-certified )? You need experience in the domains as well as information security management experience to qualify. Based specifically on what you have said, you probably do not qualify for the certification but even then you might be ok to take the exam and try to switch into a management role. Eventually you would have the experience and could qualify.
@@JonGoodCyber Thank you for your prompt reply...
great job keep going
Thank you for the feedback and support!
Do I need it as an IT Project Manager?
The technical knowledge requirement to be an IT project manager is pretty low because it isn't the same skillset. If you are interested in project management look at certifications like the PMP (Project Management Professional) and CSM (Certified Scrum Master).
@@JonGoodCyber thanks a lot. I am PMP & ACP certified and have a bachelor's degree in IT. I've had no luck searching for a project management job (IT).
You might try looking at your resume because based on those facts, I would think that you qualify for a lot of PM jobs. Are your bullets measurable (i.e. including rough budgets for projects, etc.)? Does your resume read like you want to be a PM?
@@JonGoodCyber I tailored my resume, but I did not include skills like budgeting or scheduling as I do not have any actual experience in PM.
Did you have experience managing projects as another role? The PMP has an experience requirement to get certified, so there has to be something you can list. I would look for entry level PM jobs because they definitely exist and that way you can build up your experience.
Video and sound are not in sync
Thank you for the feedback. The audio issue was discovered and corrected in more recent videos.
Thanks man, happy 4th
You are welcome! I'm glad you enjoyed the video and to you as well.
Hi Jon, thanks for the video. I have more than 10 years of telco experience as a project coordinator, business analyst, and assistant project manager (not in risk management/cyber security). I am planning to switch to cyber security, and as a first step I recently passed my CRISC. I am a non-technical person, more into business & management. I would appreciate it if you could help me select CISM or CISSP as my next target. Thanks
Honestly, both would be very challenging for you because it doesn't sound like you have any background in the domains. Also, I'm not sure that you could even qualify at least given the job titles you listed and what those typically involve. I would watch my video on a non-technical path to the CISSP ( ua-cam.com/video/XQTY1Da2DJE/v-deo.html ) to give you an idea of certifications. I would consider the CISM after that path. Also, do you have your PMP? If not, you need to make that a high priority because that will help in the long run.
@@JonGoodCyber Thanks for your reply. Yeah, I have done PMP, ITIL and now CRISC, and as mentioned earlier I am just planning to get a new start in risk/cyber security. I have some generic risk management experience like risk identification, setting up risk appetite & thresholds through workshops, and setting up risk management guidelines (but it's non-technical). The goal is to gradually move into cyber security, so what would be the next step? I would appreciate it if you could suggest.
I would check out the video from my previous response...I also have a technical path if you are interested but you need some of that foundational knowledge even if you aren't going to be in a technical role. After that, I would also aim to get all of the ISACA certifications (CISA, CISM, CGEIT) at some point down the road because they are geared much more towards the non-technical side. Once you get out of the certifications I go over in the video, ISACA has the majority of non-technical certifications that currently exist or at least they are the heavy hitters.
Appreciate you, sir, good content. Sir, if I do the CISAM, CISA, CISSP, and Security+ courses, what would the job field be like for an international student in the USA, although my major is electrical and computer engineering, sir? My interest is cybersecurity, sir. Thank you for your time, sir.
I recommend grabbing my free eBook ( jongood.com/getstarted/ ), which includes a roadmap of skills and certifications that you should pursue. Once complete, you'll have a good foundation and a better idea of the types of work that you would like to dive deeper into and the relevant certifications.
Most people I know either have both, or if not both, only have the CISM. Just throwing this out there.
It really comes down to your goals because although knowledge is good, having both might not be the most effective path for everybody. With that being said it wouldn't hurt somebody if they were to get both.
@@JonGoodCyber I'm going for CISM, but CISSP holds more weight (gold standard). I plan to get CISSP after CISM.
Hi Jon, this was an excellent video. Thank you. I have a question. How long is CISSP valid for and do you maintain the certification? Thanks
Good question! The CISSP is valid for 3 years and has requirements for both continuing education credits, and an annual maintenance fee.
Q: I am a systems Engineer and want to go into Cyber security... Which are the steps I should take? I'm brand new to this.
Btw just came upon your channel... Like it so far! Awesome content
I recommend checking out my Getting Started page and grabbing my free eBook ( jongood.com/getstarted/ ) where I breakdown the skills and certifications to pursue. Also, I'm glad that you are enjoying the content!
Get both 😎
I would never fault anybody for going after both.
Great video
Thank you for the feedback! I'm glad you enjoyed the video.
Thank you
You're welcome!
Of course CISSP is way better than CISM, if we are talking about real security stuff and knowledge. If a company has value itself (like Google, Microsoft, Apple, and any other big one) they will definitely value your real knowledge, and only then papers. As a manager, it is important to know your stuff. And as ISACA will anyway check whether or not you have enough experience as a manager, CISM will not give you additional value, as you ALREADY have experience as a manager. But with CISSP, you may work in one field of Information Security, and having CISSP will prove that you have at least knowledge about different domains. You can of course pass CISM, but I know guys who work as infosec managers and cannot differentiate a Digital Signature from a Digital Certificate..... Learn your stuff, at least in theory. How are you going to manage things that you have no idea how they work?
I can make arguments for or against any certification and the value that it brings to the table but I disagree that simply having an experience in a role automatically provides you with the experience or knowledge that you actually need. It is very hard to know everything on any certification let alone execute on everything for the relevant jobs. The value is and always will be tied to how relevant the certification is to the job you hold or that you are seeking.
CISSP for me
Awesome! Which materials are you using to study?
Thanks
You're welcome and I'm glad you enjoyed the video!
go john
Thanks for watching!
CISSP
Awesome...good luck!
Hey! Great video. Where can I find out if my degree is a qualifying degree?
I'm glad that you enjoyed the content!
CISSP - www.isc2.org/certifications/cissp/cissp-experience-requirements
CISM - support.isaca.org/s/article/What-are-the-requirements-to-become-CISM-certified