CISSP vs. CISM (which exam is tougher?)
Hey folks, I was wondering if anyone perusing the CISSP and SSCP forum has taken the CISM exam. If so, my real question is around how it compares to the CISSP. Not the typical "CISM is management only and CISSP is more technical and all inclusive security cert" answer. I get that CISM is more around risk and management. I'm more curious around the level of PAIN the actual exam is to prepare for and succeed in passing. I get mixed feelings with all of the research I'm doing. It basically breaks down as follows:

50% of the people - They're both really hard so choose which fits your role
50% of the people - CISSP is Advanced and CISM is Intermediate (difficulty level)

I was just hoping to get some input from anyone that may have sat both exams.
Comments
I found both to be annoying but for different reasons.
YMMV
- b/eads
I will second this. You MUST use their Q/A database. I used a printed one for the CISA but the online one for the CISM. Use the online one!
CISSP was harder but I enjoyed studying for it so much more. After the CISSP my mind seriously was spinning after 5 1/2 hours.
ISACA exams are a bit strange. The ISACA way is a real thing that you have to change your mindset to their way of thinking in order to pass!
passed exams all last year
CISSP - May
CISA - Sept
CISM - Dec (passed test, waiting on application approval)
not sure if I will do another ISACA exam although they did finally go to CBT... meh
When I sat for the exam, the scanner at the testing center (luckily) was broken. However, this caused a delay and we had to wait for an additional 30 minutes or so before we were allowed to take it.
Out of curiosity, have you tried calling the ISC2 office nearest you to ask if you can waive some of the information being asked?
I believe that both ISC2 and ISACA exams are now CBT based too. When I took these exams, it was paper and pencil and the other odd reason why I found the CISM harder was that there was less time to circle in those dots with a number 2 pencil.
Well, that could give me a slight edge on the CISM then, since I've heard CISM is more managerial type questions and that is my current role. Yeah they are both CBT now, which I'm happy because it would drive me crazy waiting for the results. I've known guys who took the paper tests and watched how they were so anxious waiting lol.
I find this to be highly ironic and am shocked that an organization that provides certs *only* related to security & privacy would collect such PII.
What I find ironic is the people complaining about ISC2 collecting information, thereby verifying identities, especially for security related certifications, don't seem to realize one, both ISACA and ISC2 collect even more information when vetting experience, and two, in many security jobs you are often required to submit even more personal data, and all jobs requiring a clearance, you have to supply very intrusive information about yourself to get the clearance.
Finally, why would anyone value a certification from an agency or test center that makes no effort to verify identities? You couldn't trust a single thing about that certification.
LOL well I hope I am amusing you a little bit
"Thank you for contacting us. I have heard back from HQ and it is not possible to waive the palm vein scan unless you can provide a medical/religious reason I’m afraid. (ISC)² requires a signature, two forms of photo identification, palm vein scan, and a photograph in order to sit for our exams. This is to properly verify the identity of our exam takers and ensure the security and integrity of the testing environment. Thus, these requirements are necessary in order for an individual to sit for the exam."
I thought GDPR was supposed to allow the control of PII data across the borders (from UK to US) and to opt out if you did not want it. Personally providing that much PII information to one company is too risky for me. I have no idea who else they will be providing that information once it goes to the US. Also don't know how palm vein scanning will progress in the future and what else it may be used for.
GDPR doesn't quite work like that. The regulation does require that the collecting organization explain what they need to collect, what they will use it for, and who they will share it with. "Opting out", that is by not consenting to the collection or use or sharing of your personal data does not mean a business or organization still has to provide the service. This is no different than if you wanted to purchase life insurance, but refused to provide some or all of the info they requested. You can always refuse to do so, but you can't force the insurance company to provide you the coverage; GDPR does not allow for that.
I will repeat, it's people who took coding boot camps and are making great money with no formal education or certification.
So, I am not going to say I agree 100% with you. But, you have a valid point somewhere in your paragraph. I will say that some areas of the Information Technology Field could care less about a certification or a degree. We can both agree on that one point.
Self taught more than 5 coding languages, whitehat hacking, data analytics and have been a network engineer most of those years. I've moved thru industries so fast I didn't have time for formal EDU. That's the reality.
The best programmers I know barely finished high-school and make more money today than the average college grad.
This industry evolves too fast; you have to be on your toes, eager and ready to shift. There are the staple jobs like techs and networking but I have watched those roles' salaries drop by half over 20yrs or basically stay stagnant because they've become so easy to do. Learn databases, data analytics, IoT and then do it. We have about 10yrs to make money in this category before AI replaces us 😉
Learn Python, R and AI Analytics in the meantime so you can endure a full life time career path before something else takes over and replaces that 😊
Want the big bucks? Get a masters in Math and then name your price 👍 That's the ONLY money I would spend on a formal education.
Example: I went for an interview in Silicon Valley. The CEO personally told me - "most companies in this valley will not hire based on certs. Not just that, they frown on it". Company un-named, it was a very large tech company in the cellular 'industry'.
Everyone has to decide for themselves but I am trying to make ppl think before they decide.
Tribal knowledge is very, very, valuable.