A year since CISSP, whats next?

richymartin

So I've already posted in this board asking about ISSAP. But now I'm having second thoughts!

At the minute my job includes;
Process & procedure management
A bit of Pen testing
Advisor to software architects
Daily security activities
Customer fancing consultant
Config audits
Code audits

I'm branded a 'Security Test Engineer'

I want to go down the ISO - CISO route, whilst still keeping my hand in with the technical pen testing side.

What would you guys recommend? CISM? Or other?

Thanks!

636-555-3226

If you're looking to move into management then CISM is a good next step. If you're interested in the ISACA quadrumvirate, I recommend, in order, CISA > CISM > CRISC > CGEIT. They all overlap to a degree, but that order is how I personally feel you could go up in terms of increasing difficulty and knowledge base as each consecutive one builds on the previous.

CGEIT & CRISC are sort of interchangeable after CISM since they don't overlap too much and each are follow-ups to the CISM. In order of real-world applicability and usefulness I'd recommend CRISC first.

Never stay out of the technical realm, though, since you need to how how the bad guys do what they do in order to protect against it. I'd intermix some technical stuff if you go for multiple ISACA certs since they aren't technical in the least bit.

dustervoice

If you want to go down the CISO route i would suggest you try to gain more responsibilities in whatever role you are in. Certs only validate knowledge. I doubt there is any company out there what will promote someone to CISO because of a Cert. But to answer the broader question ... CiSM and CRISC are good certs to have.

richymartin

Thanks for the reply guys. Appreciate it!

is the SSCP worth it if I already have the CISSP

dustervoice, understood about more responsibility... im on it

bpenn

I have heard the SSCP is more technical but there are better technical exams if you already have the CISSP.