We get asked all the time - should I get a CISM, CISSP, or both?
The short answer is you should get the CISSP certification.
The long answer is that it really depends on your goals and what you are trying to accomplish. When I say get the CISSP, I'm making the following assumptions:
You want to make more money
You want to have more career options
You want to get promoted
You may have DoD 8570 requirements
You have five or more years of cybersecurity experience
So, what's the main difference between the CISM and CISSP certifications? The CISM is more "management focused", whereas the CISSP is more "technical focused". I'm assuming you are familiar with both certifications to some degree; otherwise, you wouldn't be reading this post. Download the official CISM Overview and the official CISSP "Ultimate Guide" for more info on the respective certifications.
Let's run through the five assumptions I listed above to see how the CISM and CISSP certifications compare.
#1 You want to make more money
Determining average salaries based only on a certification is a difficult endeavor, but let’s try…
Indeed was able to determine a CISSP salary range - from $12.75 per hour to $93.50 per hour. Indeed claims to not have enough salary data for CISM.
A search on Glassdoor shows a couple of jobs for CISM that also accept the CISSP as a required certification, and many jobs for CISSP, but it does not list salary data.
Glassdoor CISM search:
Glassdoor CISSP search:
salary.com shows nothing for a search for "CISM" or "CISSP".
PayScale claims to know the average salaries in the United States for both the CISM and CISSP. Bear in mind that these are "average" salaries. Your salary may vary drastically depending on where you work, your experience, your role, your responsibilities, benefits, travel requirements, etc.
If you look closer at the PayScale results, you'll see the results are skewed for CISM because it only has "precise" data for the following job titles - "Information Security Manager" and "Chief Information Security Officer". Every other job title is "estimated".
For CISSP, none of the data is "estimated". It is interesting to note that the same job title, "Chief Information Security Officer", makes an average of $200,000 on the CISM results and $165,391 on the CISSP results. The interesting thing is that if you click on the title "Chief Information Security Officer" from either the CISM or CISSP results, it takes you to the same page, where the average is shown as $158,006. This doesn't make much sense to me, but it is entirely possible that I don't know how PayScale works. The results seem suspect to me. We have ballpark salaries, though.
My conclusion, based on this research, is that they both allow you to get similar jobs, so the pay will be similar. Of course, pay is relative to a lot of factors, like the ones I already mentioned, plus your negotiating skills and the value you bring to the organization.
There's not enough data to support one over the other. And, if you think about salary research, it's difficult to determine, as most companies give a salary range in a job description. It's not like a company reports to PayScale or anyone else the salaries they are paying employees.
#2 You want to have more career options
The CISSP certification easily gives you more career options. Let's look at CyberSeek. CyberSeek shows the following:
CISM - 29,905 open jobs in the United States
CISSP - 77,492 open jobs in the United States
Indeed shows the following:
CISM - 4,377 open jobs in the United States
CISSP - 13,415 jobs in the United States
#3 You want to get promoted
Neither the CISM nor the CISSP certification guarantees you'll get promoted. Given that there are around 3 times more job openings for CISSPs, I would say your chances are better with the CISSP certification.
I might lean towards CISM though, just because it has "Manager" in the title. Just kidding 🙂
#4 You may have DoD 8570 requirements
The CISM and CISSP certifications allow you to fill similar roles, according to DoD 8570. Here's a quick breakdown:
CISM: IAM Level II, IAM Level III, CSSP Manager
CISSP: IAT Level III, IAM Level II, IAM Level III, IASAE I, IASAE II
It appears the DoD shares our opinion that the CISM is more management-focused than the CISSP. The CISM doesn't apply to any IAT (Technical) positions, whereas the CISSP does. The CISM does allow you to fill a role that the CISSP does not - the CSSP Manager.
You can find the complete table here: https://public.cyber.mil/cwmp/dod-approved-8570-baseline-certifications/
Unless you are explicitly looking for a role as a CSSP Manager.
#5 You have five or more years of cybersecurity experience
The CISM requires five years of information security work experience, but you can get by with three years if you already have a CISSP or CISA, or four years if you have a Security+, among other options - see the screenshot. The CISSP requires 5 years of experience, or 4 years plus a college degree or other approved cybersecurity certification.
CISM = 0 Wins
CISSP = 2 Wins
We have 3 Ties.
Overall Winner: CISSP
It seems the CISSP is a good choice if you have to decide on one or the other. You can always add the CISM after the CISSP, which seems like a logical progression because the CISM is more management focused. Best of luck on your cybersecurity career journey. Regardless of whether you decide to pursue the CISM, CISSP, or both, remember to take some time to enjoy the journey along the way. It's not the certifications that matter most, but the pursuit that makes you better tomorrow than today. If you are seeking a CISSP certification, consider taking one of Alpine Security's CISSP Boot Camps.
Christian Espinosa is Alpine Security's CEO/Founder and a Cybersecurity Professor at Maryville University. He holds over 25 certifications, including the CISSP, CCISO, and PMP. Christian is a US Air Force veteran with a BS in Engineering from the US Air Force Academy and an MBA from Webster University. Christian holds multiple patents on cybersecurity attack and defense. Major recent projects include penetration testing and assessments of commercial aircraft, medical device penetration testing, and numerous incident response projects. When Christian isn't protecting us from cybercriminals, he climbs mountains, travels the world, teaches outdoor wilderness survival, and competes in Ironman triathlons.