CISM? CISSP? CEH?? Oh My! LOL

4n6art
(@4n6art)
Posts: 208
Reputable Member
Topic starter
 

Hi all

Am posting this for a friend (no… really… it is for a friend LOL). I am hoping those more knowledgeable than me in the IT Sec field will be able to help. Here is the question:

He wants to concentrate on IT Security for Corporations/Businesses
He has completed his CISA (Certified Info Systems Auditor)
He wants to do the CISM (Certified Info Security Manager), but the certification is by the same body as the CISA - namely ISACA
His peers have suggested that he should do the CISSP.

So…
- Is CISM as valuable as the CISSP?
- Which one should he do?
- He wants to do the CEH also, but if he does the CISSP, the CEH may not happen for a while since the CISSP prep will be long. With the CISM he may be able to do the CEH in short order.

ANY (and all) ADVICE IS APPRECIATED.

Thank you folks.
-=ART=-

 
Posted : 23/01/2009 11:21 pm
(@jeffcaplan)
Posts: 97
Trusted Member
 

What exactly does he want to do within the IT Sec field? It's pretty big.

That's what she said.

lol

Jeff

 
Posted : 24/01/2009 12:45 am
4n6art
(@4n6art)
Posts: 208
Reputable Member
Topic starter
 

I don't think he wants to go into the Forensic side of it from what I gather. He is more interested in corporate/network security. He is not sure if CISM or CISSP is the next step for him. (CEH is just an afterthought for now)

I will ask and get back to the forum.

Thanks for the response, Jeff - regardless of what she said 😉

-=ART=-

 
Posted : 24/01/2009 2:15 am
(@jeffcaplan)
Posts: 97
Trusted Member
 

Between the choices presented and with the vague idea of him pursuing corporate/network security (not knowing in what sector…healthcare, banking, publicly-traded companies, DoD contractors, etc. or what specialty), I would give the following advice (with too many caveats to mention) of…

IA = CISSP or CISM (with a slight slant towards the CISSP)
Vulnerability Assessments or Pen Testing = CEH (even though I dislike this cert)

There are more and better options than just these 3 certs, but there are many, many other factors to consider in order to get relevant and decent advice.

Jeff

 
Posted : 24/01/2009 3:56 am
(@jeffcaplan)
Posts: 97
Trusted Member
 

One more thing to add: In my experience, the CISM and the CISSP are equated about equally; however, the CISSP has a better marketing engine behind it and therefore more name recognition.

 
Posted : 24/01/2009 4:13 am
(@athulin)
Posts: 1156
Noble Member
 

- Is CISM as valuable as the CISSP?

CISSP has a certain value … but that is mainly because it is widely recognized. But as is clearly stated somewhere on the ISC2 website – CISSP is a rather superficial management certification: it covers 10 square miles to a depth of an inch. CISA is often the next step after the CISSP.

I did the CISSP once … but I gave it up because it gave me the image of security management. Not where I want to be.

If CISA was the right move for your friend, then CISM and CISSP may be as well. CEH sounds as if it may be going in slightly different direction.

 
Posted : 24/01/2009 6:57 pm
redline
(@redline)
Posts: 4
New Member
 

Between the choices presented and with the vague idea of him pursuing corporate/network security (not knowing in what sector…healthcare, banking, publicly-traded companies, DoD contractors, etc. or what specialty), I would give the following advice (with too many caveats to mention) of…

IA = CISSP or CISM (with a slight slant towards the CISSP)
Vulnerability Assessments or Pen Testing = CEH (even though I dislike this cert)

There are more and better options than just these 3 certs, but there are many, many other factors to consider in order to get relevant and decent advice.

Jeff

Jeff,

I am just curious. You said you dislike the CEH. People either like or dislike the CEH. I was just wondering what certification you would recommend instead of the CEH for vulnerability assessments or pen testing? -Thanks.

 
Posted : 26/01/2009 11:17 am
4n6art
(@4n6art)
Posts: 208
Reputable Member
Topic starter
 

Thank you all!

He wants to get into IT Security Auditing - not the ISO compliance side and also wants to get into technical audits of Windows, Linux etc.

I have forwarded your responses to him.
Your responses are greatly appreciated.

-=ART=-

 
Posted : 26/01/2009 11:16 pm
(@jeffcaplan)
Posts: 97
Trusted Member
 

Between the choices presented and with the vague idea of him pursuing corporate/network security (not knowing in what sector…healthcare, banking, publicly-traded companies, DoD contractors, etc. or what specialty), I would give the following advice (with too many caveats to mention) of…

IA = CISSP or CISM (with a slight slant towards the CISSP)
Vulnerability Assessments or Pen Testing = CEH (even though I dislike this cert)

There are more and better options than just these 3 certs, but there are many, many other factors to consider in order to get relevant and decent advice.

Jeff

Jeff,

I am just curious. You said you dislike the CEH. People either like or dislike the CEH. I was just wondering what certification you would recommend instead of the CEH for vulnerability assessments or pen testing? -Thanks.

I would answer your question with mu.

I wouldn't recommend a certification for anyone pursuing a career in penetration testing. I don't believe there are any current, comprehensive certifications which can truly demonstrate someone's ability to hack into a network. It's one thing to be able to "define" the terms hacker/cracker or choose the most correct answer for what the Ping of Death was (come on, is that really relevant anymore?) and it's quite another to fuzz a proprietary protocol and create your own exploit and shellcode.

If I were the hiring manager for a penetration testing position or I were hiring a company to perform a pen test, I would not put any stock in any certifications, rather I would rely exclusively on experience, technical prowess (as measured during a live interview) and education/training - in that order.

If I were hiring an individual to run vulnerability scans, then I may give some weight to the CEH and training related to Nessus, Core Impact, Canvas, Metasploit, etc.

A good pen tester is 1) technically smart, 2) inquisitive, 3) creative and 4) persistent. The CEH marginally measures the first of those, but on a level which I consider to be inadequate for real pen testing. And the real reason I dislike this certification is because of how EC-Council markets it and what the people who possess it claim to know or be able to do.

Passing a multiple-choice test does not a hacker make.

Jeff

 
Posted : 30/01/2009 11:40 pm
(@jeffcaplan)
Posts: 97
Trusted Member
 

To tack on - if someone were really interested in beginning a career in penetration testing - I'd advise them to either pursue a CompSci degree or if they're an autodidact, to teach themselves a few programming languages and attend some various training courses related to penetration testing.

Then, if they really wanted to make a splash, discover a new vulnerability and publish it to Bugtraq or the like.

 
Posted : 30/01/2009 11:59 pm