EC CISO Cert - thoughts?
wearingmyrolex
All,
Have any of you considered the EC CISO certification and is it as negatively viewed as the CEH?
I took the CEH exam:
- Was super excited BEFORE sitting the actual exam - utterly deflated after - didn't even need to study frankly.
- Realized that it barely prepares you for actual Pen Testing assignments - I'm looking at the OSCP later this year.
- Working/engaging with EC was an awful experience - lots of posts here refer to that.
Having said that, I'm keen to pick up a CISO text which gives me the outline so I can start preparing for CISO-type opportunities in a few years' time; just don't want to use EC if there are better alternatives.
Any feedback is appreciated. Thanks
Comments
renacido
ISACA's CISM is the most recognized CISO level cert.
As for CEH, I'm not an EC-Council cheerleader but
- the curriculum is solid as an introduction to ethical hacking but as with anything, you get what you give. If you just study to pass the exam there's not that much prep to do for a 125-question multiple choice exam with no labs. If you go after it to really learn the material it is still not advanced but it covers what an INFOSEC professional needs to know unless they are pentesting a high-threat or highly specialized target. If you've read Mandiant's and Verizon's threat and forensic trend analyses you know the vast majority of exploited vulnerabilities had patches available for several months and the vulnerabilities had Metasploit exploits. Which means custom exploit code was not needed and these are NOT zero day attacks for the most part that are the vectors involved in most breaches.
- For advanced pentesting and network hardening I don't think CEH is challenging enough to certify someone as capable from a hiring manager perspective and it is most definitely not on the level of PWK/OSCP. But CEH is a good preparatory course for OSCP and for some infosec roles OSCP is out of scope.
Just my $.02