
CISM vs CISSP: Where to Start

by Josh Burnett
Published on August 5, 2020

If you plan on a career in information security, you'll likely eventually become a Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM).

A few people go on to earn both; in that case the typical progression is CISSP first and CISM second. That doesn't mean one is a foundation for the other. Each certification has a distinct focus, and understanding the effect each will have on your career will determine your best fit.

CISM vs CISSP: An Overview

Both certifications have a stringent set of prerequisites, encompassing years of experience in specific fields and particular specializations. Familiarizing yourself with them now will allow you to focus on your career development between here and signing up for the exam.

  • CISSP requires a minimum of five years of cumulative, paid work experience in two or more of the eight CISSP domains. Educational credentials (a bachelor's degree in a related field, or one of a list of approved certifications) can satisfy no more than one year of this.

  • CISM requires a minimum of five years of information security work experience, with a minimum of three years in information security management. The management experience cannot be siloed in one area: it must span at least three of the CISM job practice areas.

Very few cybersecurity professionals begin in security; most of us start our careers in various areas of IT, become experts in that field, and then move into related security-focused arenas. If you're in the beginning stages of your career, don't let a lack of security experience discourage you. Make a note of where you want to end up, then list the steps you need to take between here and there.

Volunteering for additional duties that will expose you to security issues in your current position is an excellent way to start. If you transition to a new job, express your desire to be involved in these areas when interviewing: it will demonstrate that you're intentional, career-focused, and goal-oriented.

Your Security Career: Choosing CISM or CISSP

The CISSP and CISM are not competing certifications. They're complementary. Each is intentionally designed for a particular segment of cybersecurity professionals, and understanding the role each plays at advanced career stages is the first step toward identifying which is best for you.

The emphasis of the CISSP is both technical and managerial. It typically attracts people with backgrounds as directors of security, IT directors and managers, network architects, security analysts, security architects, security auditors, security consultants, and security systems engineers. If you want to stay engaged with the technical side throughout your career, the CISSP is the better fit. Because of its broader coverage of technical competencies, it comprises eight domains versus the four covered by CISM.

A CISM certification focuses on the management side of cybersecurity. It draws from the ranks of information security managers and those who carry information security management responsibilities, even if ISM isn't your job title. Earning a CISM still calls for a solid technical grounding, but it is designed to certify leadership within security management rather than a senior-level "wrench-turner." All four CISM domains (governance, risk management, security program management, and incident management) emphasize governing and administering a security program rather than building it hands-on.

You don't have to lock either certification in stone early; even if you're midway through your career, you still have time to change directions if you find that another area is a better fit for you. Knowing how each certification differs will simply allow you to be intentional about any adjustments you make.

Specifically, focus on what interests you the most. As you explore that area, you'll either be drawn deeper into it or decide to try another approach.

Which Pays More: CISSP or CISM?

Salary ranges vary substantially by years of experience, job title, and location, so keep in mind that anything we cover here will be ballpark figures. That being said, having a rough estimate of what each certification will do for your bottom line is helpful.

CISSP is widely recognized as one of the most valuable certifications an IT professional can achieve. Those who hold it earn an average of 9 percent more than their non-CISSP counterparts, and as much as 20 percent more in some regions of the world. Professionals who earn a CISM can make as much as 12 percent more than counterparts who don't hold the certification.

Although it's fairly common to receive a small pay bump right after certification, depending on your employer, don't expect the salary floodgates to open immediately. The real value of these certs is what they do for your career: they open the door to positions and development pathways that wouldn't otherwise be available to you. For this reason, it pays to pursue either a CISSP or a CISM earlier rather than later.

We want to be careful about what we're saying here: there is no ticking clock, and you don't need to put tremendous pressure on yourself to knock this out at the earliest possible opportunity. The cybersecurity field isn't going anywhere but up, and you have plenty of time to figure out which niche fits you best. What we are saying is that the more intentionally you approach your career, the more efficiently you'll satisfy each prerequisite and build on the foundation you've laid, and that consistency is what produces a progressively increasing pay scale.

In terms of raw numbers of certified professionals, at the time of writing approximately 137,000 ISC2 members hold the CISSP worldwide, more than 87,000 of them in North America. The CISM is considerably rarer, with only about 23,000 holders worldwide.

This says less about the value or difficulty of either cert than about its emphasis. Because the CISSP is designed for those on the hands-on side of cybersecurity, while the CISM is focused exclusively on management, it makes sense that there are roughly six times as many CISSPs as CISMs.

CISSP or CISM Exam Costs

The exams for both certifications are extensive, running three to four hours and covering 100 to 150 questions across as many as eight domains. Although your career will have prepared you for most of the material, it's always a good idea to take a preparation course to familiarize yourself with the exam format and shore up any weak areas. It's also a sound investment: each exam attempt will cost you between USD 415 (the cheapest CISM pricing) and USD 699 (CISSP), while a month of exam prep can cost as little as $59.

CISSP: What's Next?

After you earn the CISSP, you must remain a member in good standing with ISC2 and renew your certification every three years. Renewal is accomplished by retaking the CISSP exam or by accumulating 120 continuing professional education (CPE) credits over the three-year cycle, with a minimum of 40 credits earned each year. CISM requirements are similar: 120 CPE credits every three years, on a somewhat more flexible schedule with a minimum of 20 credits earned annually.

ISACA and ISC2 have the same goal in imposing these requirements: they are less interested in issuing a one-time piece of paper than in contributing to the development of the cybersecurity profession worldwide.

Requiring you to engage continually in professional development bolsters the overall strength of the community and underscores each certification's value. That mindset should guide your entire security career, from deciding which certification is right for you to developing the building blocks that will carry you to the exam.

The Choice: CISSP for Pros, CISM for Managers

CISSP and CISM are complementary, not competing, certifications. Although they share objectives and philosophies, each has its own focus: the CISSP targets cybersecurity professionals interested in designing, engineering, and implementing technical solutions, while the CISM is geared toward information security management.

These certifications aren't a one-and-done deal; they are crucial steps in investing in your career as a cybersecurity professional. They require years of prerequisite preparation and a commitment to engaging with the security community on an ongoing basis.

Their value to your career, your salary, and the IT world is not so much a destination as a doorway, opening avenues that lead to higher pay, greater job satisfaction, and an increased ability to keep legitimate businesses and organizations safe from cyber threats.

Start learning both of these courses with CBT Nuggets today!
