5 Best information security management certifications

For anyone looking into the CISSP, here's an article that talks a bit about some other certifications in the same space, and what each of them are best for. Clearly, the CISSP is at the top of the list, as it's widely considered the most in-demand ISM cert. The other certs that were mentioned on this list were:

CISSP-ISSMP
CISM
CISA
CCISO

Do you agree with this list, or do you think there are others that better fit the role of Information Security Manager?

Full article here

Find more posts tagged with

Comments

dinger68

I personally don't think that CISA should be on the list for a Security Manager. I also feel that the CCISO is not that difficult to get and doesn't fully represent the skills or knowledge needed to be a CISO. Again, just my opinion.

Clm

Infosec_Sam said:

For anyone looking into the CISSP, here's an article that talks a bit about some other certifications in the same space, and what each of them are best for. Clearly, the CISSP is at the top of the list, as it's widely considered the most in-demand ISM cert. The other certs that were mentioned on this list were:
CISSP-ISSMP
CISM
CISA
CCISO
Do you agree with this list, or do you think there are others that better fit the role of Information Security Manager?

Full article here

Sam what is your background in Infosec?

Infosec_Sam

dinger68 said:

I personally don't think that CISA should be on the list for a Security Manager. I also feel that the CCISO is not that difficult to get and doesn't fully represent the skills or knowledge needed to be a CISO. Again, just my opinion.

To be honest with you, I had never even heard of the CCISO before reading this article - I guess now I know why! Do you think it just doesn't cover anything better than the CISSP or CISA?

Infosec_Sam

Clm said:
Sam what is your background in Infosec?

Thanks for asking! I have 5 years of IT experience, about 1.5 of which are in security. Now, I'm in more of a marketing role as the community manager for Infosec. Along with my work experience, I have an AS degree in Network Security, as well as a couple of entry-level certs. I'm hoping to collect a couple more certs in the next few years here as well. Suffice to say, there are plenty of members here who are much smarter than I am!

PC509

dinger68 said:

I also feel that the CCISO is not that difficult to get and doesn't fully represent the skills or knowledge needed to be a CISO. Again, just my opinion.

That's how I feel about most of EC|Council's certifications. The ones I've taken have been pretty easy and definitely not representative of their relative roles (CEH, CHFI). Good foundations, but I feel they could be much more in depth and more difficult to be where someone could claim those titles.

JDMurray

This list should be amended to include the GIAC management certs GSLC and GSTRT.

There are also SANS management training classes with no corresponding GIAC cert, such as MGT535: Incident Response Team Management.

And yes, there are very few certs designed specifically for information security managers (of people), such as myself.

cyberguypr

I think your local flavor of CIPP should be in this list, especialyl if you are in healthcare, finance, or .edu sectors.

Infosec_Sam

cyberguypr said:

I think your local flavor of CIPP should be in this list, especialyl if you are in healthcare, finance, or .edu sectors.

I've seen some discussion about the CIPP recently, but I'm not exactly sure which type of role it would be best for. I see some mention about compliance specialists benefiting from it, as well as product/security managers. I guess my question is: What does the CIPP do better than some of the other certs on that list?

paul78

Infosec_Sam said:
I've seen some discussion about the CIPP recently, but I'm not exactly sure which type of role it would be best for. I see some mention about compliance specialists benefiting from it, as well as product/security managers. I guess my question is: What does the CIPP do better than some of the other certs on that list?

CIPP is targeted at privacy professionals - not necessarily security professionals. However, it's often useful for a security professional that secures data for privacy reasons to understand the various privacy mandates and obligations.

In the US, privacy is not considered a right like in many other countries (except for maybe in California) and privacy in the US tends to be sectorial in nature and geared towards financial loss. For security managers, it's actually useful to understand the intersection of privacy and security - and where certain topics overlap.

JDMurray

Realize that there are managers of people, managers of devices, and managers of information. Think of which category a "management" cert fits. Managers of people (like me) are not necessarily interested in certs of the other management types.

paul78

JDMurray said:

Managers of people (like me) are not necessarily interested in certs of the other management types.

That's actually a super good point - I actually didn't have any certs for the first 2 decades of my career. I only got them because I was curious about them.

@Infosec_Sam - I probably should have mentioned re:CIPP - that I learned about that certification from lawyers that I work with. The IAPP was started by a lawyer and I believe that it originally targeted lawyers - at least when I first learned of it, the only people that I knew that had a CIPP were lawyers.

Infosec_Sam

@paul78 @JDMurray Thank you both - that's some really great insight!

UnixGuy

In consulting, CISA is considered an entry level cert for junior consultants...

CISSP/CISM are more aligned with InfoSec management positions

JDMurray

I just found out the SANS MGT517 and MGT535 courses have been discontinued. Details on blog at https://montance.blogspot.com

isc2cisspbouncr

dinger68 said:

I personally don't think that CISA should be on the list for a Security Manager. I also feel that the CCISO is not that difficult to get and doesn't fully represent the skills or knowledge needed to be a CISO. Again, just my opinion.

Agree that CISA should be for auditors. I know a few CISA folks and they keep going: You should do this and you should do that........... Drove me nuts as I'm a very operations Do this and do that type of person.

isc2cisspbouncr

cyberguypr said:

I think your local flavor of CIPP should be in this list, especialyl if you are in healthcare, finance, or .edu sectors.

I'm thinking about going for CIPP GDPR even though I'm not in the EU. It's so easy to bleed through... users from the EU are a dime a dozen. These GDPR people are not fooling around.........

JDMurray

GDPR is a serious thing for any organization that does business with EU customers. The fines for violations are very large and very real. We'll see how France does collecting its GDPR fine of Google.

CIPP/E Certification

isc2cisspbouncr

JDMurray said:

GDPR is a serious thing for any organization that does business with EU customers. The fines for violations are very large and very real. We'll see how France does collecting its GDPR fine of Google.

CIPP/E Certification

Yes, I'm watching the French vs Google case closely too $$$$$$$$$$$