
What Is CISSP or CISM Worth?

Open positions for both Certified Information Systems Security Professional (CISSP®) and Certified Information Security Manager (CISM®) certifications are plentiful. 

CISSP and CISM Job Opportunities

CISSP certification is listed as a requirement for Cloud Support Engineers, Security Operations Analysts, Auditors, Pen Testers, Data Protection Analysts, Cyber Incident Managers and Application Security Engineers.

CISM specific job openings include those for ISSO Analysts, Infrastructure Support Engineers, Business Process Engineers and Internal Controls Consultants.

More Job Openings Require CISSP

Many of the positions require either the CISSP certification or CISM certification. However, there are a small number that only want CISM and not CISSP. 

Conversely, there were 100X more openings that listed CISSP and made no mention of CISM.

CISSP Opportunities in the DC Area

There are many factors to consider when deciding which certification to pursue, but if you look solely at the number of job listings requiring CISSP or CISM, then CISSP is hands down the winner.

In the DC area, about 25% of the jobs related to CISSP and CISM positions specify that either certification would be accepted. The rest of the jobs specifically want CISSP.

Extending the analysis beyond Washington DC, we note that in several metro areas on the East Coast there are more positions that would accept either CISM or CISSP. However, it is still the case that for the overwhelming majority of positions, CISSP is the main certification.

CISM is added as an acceptable alternative in 25-40% of listings. But in the end there are very few positions that list CISM and not CISSP.

DC Area Has Most CISSP/CISM Job Openings on East Coast

The DC area has the most demand for CISSP and CISM professionals compared to other East Coast areas. In some cases there are over 10X as many job openings for CISSP professionals in the DC area as elsewhere on the East Coast.

CISSP professionals are in high demand and their salaries reflect that fact. According to (ISC)²® the average annual salary for CISSP holders in North America is over $120k while Global Knowledge estimates the average annual salary to be over $138k for North America.

What Are the CISSP Requirements?

The CISSP is an information security certification sponsored by the International Information System Security Certification Consortium, also known as (ISC)². Earning the CISSP demonstrates that you have the knowledge to design, implement and manage a cybersecurity program.

The (ISC)² requires candidates to have a minimum of five years work experience in at least two of the eight total domains covered in the exam:

  • Domain 1. Security and Risk Management
  • Domain 2. Asset Security
  • Domain 3. Security Architecture and Engineering
  • Domain 4. Communication and Network Security
  • Domain 5. Identity and Access Management (IAM)
  • Domain 6. Security Assessment and Testing
  • Domain 7. Security Operations
  • Domain 8. Software Development Security

Note: A four-year college degree can be used to satisfy one year of the required experience.

The (ISC)² offers two types of computer-based exams – linear and adaptive. The standard linear exam is six hours, while Computer Adaptive Testing (CAT) can result in a shorter (i.e. three-hour) test of as few as 100 questions, compared with the 250 questions required for the linear test.

The CISSP exam contains a mixture of multiple-choice questions and advanced innovative questions. To pass, you must achieve a minimum score of 700. You only receive a result of pass or fail.

The CISSP exam is challenging and typically has around a 20% pass rate for first-time test takers. Given that the CISSP certification exam typically costs $749, the right preparation and resources are essential to exam success.

What Are the CISM Requirements?

ISACA® is the organization sponsoring the CISM exam. It has an extensive membership of well over 100k professionals in 150+ countries who work in assurance, governance, risk and information security.

The CISM exam is focused on four work-related domains:

  • Information Security Governance (24%)
  • Information Risk Management (30%)
  • Information Security Program Development & Management (27%)
  • Information Security Incident Management (19%)

ISACA requires candidates to have a minimum of five years of professional information security management work experience in the job practice areas.

The CISM exam consists of 150 multiple-choice questions that must be answered within the four-hour testing window. Exam scores range from 200 to 800, and the minimum passing score is set at 450. However, this 450 is not a straight arithmetic or percentage average of correct answers.

The CISM exam is a financial investment. It's not cheap, costing as much as $760, though a discounted price of $575 is available for ISACA members. Given that only an estimated 50% - 60% of individuals pass the test on the first attempt, it certainly makes sense to prepare well ahead of time to avoid having to pay that test fee multiple times!

Differences Between CISSP and CISM

The CISSP and CISM are complementary certifications. There is much overlap between them, but each has a distinct area of focus.

CISSP has more technical depth and typically attracts those who want to continue with at least some level of technical work within their career.

CISM is for IT professionals who want to shift from a purely technical career path into a management track. It is especially helpful for those aspiring to senior management roles in IT security and control.

According to ISACA there are 46k+ individuals who hold the CISM certification, and these professionals earn an average salary of $118k. The (ISC)² notes there are 147k+ individuals who hold the CISSP certification, earning an average salary of around $120k. These are valuable certifications and are well worth the time and effort to achieve.

If you have any questions or need additional info, please contact me.


Christine has 15+ years in the technology industry developing software and leading teams, along with extensive experience as a hiring manager. She found that she really enjoyed the process of building teams and interacting with candidates and business customers. As a result, Christine decided to make the hiring process her focus and started Vector Recruiting.
