GSLC vs CISM, thoughts?

CV33 Member Posts: 22
Haven't seen anything on the forum comparing the two so I thought I would post.


    beads Member Posts: 1,531
    Individual SANS certs are best in preparation for the GSE. Some folks will look for or ask about individual certs but SANS certs become very expensive over time whether you complete the individual GSE/Master's or maintain fees on say half a dozen certs every three years; write a paper; take another cert - covering one other certification.

    CISM is renewable every three years and ISACA is a very well run organization with amazing branding built up over 40 years.

    I will say you need to ensure you have three years of security management in order to qualify to sit for the exam, but like most cert holders I have met, they haven't or didn't qualify for the exam when they sat for the exam. So I guess in that regard it's a wash.

    - b/eads
    636-555-3226 Member Posts: 975
    What type of job are you thinking of the two for? Auditing? Infosec mgt?

    While similar in name, they're different.

    For resumes - CISM is widely asked for in infosec mgt circles. Oddly enough I'm actually seeing it in analyst/engineer posts too - when I see that I see a company that doesn't understand infosec and that I would DEFINITELY not want to work for. GSLC you won't see listed on job reqts or postings.

    CISM is high level business oriented. You won't really learn anything technical. You'll learn about governance (policies, relating strategy to the business), risk mgt (assets, threats, vulnerabilities, controls, what to do with them), strategizing, and incident handling. None of this on a technical level. CISM also has "hard" requirements in terms of experience. The test you can take whenever, but you can't get certified CISM until you meet the prereqs.

    GSLC you'll get a little bit of that stuff but also with (mostly 101-level) technical stuff mixed in. Don't think it's necessarily easy 101 stuff. If you don't know what 775 means in terms of unix permissions then you'll learn stuff here.

    If you're going to be running a very small infosec shop and have the budget, I'd recommend the GSLC first followed by the CISM after.

    If you're in a bigger shop and don't need to be the technical guy or need to know enough to know when your guys are BS'ing you, then the GSLC isn't as valuable as the CISM.
    CV33 Member Posts: 22
    My role will be transitioning to InfoSec risk mgmt. Based on what I'm seeing, I might get the GSLC training and cert for CISM. The CISM cert is easier to maintain and is arguably more recognized.

    All that considered, I plan to get my CRISC, GSEC, CISSP before this capstone (^) cert (CISA already passed).
    636-555-3226 Member Posts: 975
    GSEC and GSLC intersect a bit. I wouldn't recommend doing both. I guess if you asked me for what to take in what order, I'd probably do CISSP, GSLC, CISM, CRISC (builds on the CISM).

    CISSP is for the good, broad, mile-wide inch deep infosec stuff. And helps with resumes. GSLC will further develop the CISSP skills and add in management/leadership concepts (management is different than leadership). CISM will add onto the GSLC with more business-oriented high level mgt items. CRISC builds on the risk-management concepts of the CISM. This assumes, again, you meet the prereqs for CISSP, CISM, CRISC.