Sec+, CISM and CISSP....oh my!

Hi all,
I was a senior Group IT Manager for 15 years. Simply put, I've done a lot... yet there's plenty I don't know.
My plan is (was) to do Sec+, CISSP and CISM in 2022.
However, (ISC)2 have just moved the goalposts on the CISSP, whereby in May it goes to 4 hours and 200 questions, and if I'm honest it's put me off a bit.
I'm on my 2nd run through the Sec+ course and am thinking maybe CISM next, to give me some extra info and confidence prior to going for CISSP.

To be clear, whilst I want the extra knowledge, a lot of the material touches on stuff I've been doing for years; the courses will fill in the blanks and formalise a lot of it, I guess, and I'd certainly need to study hard to pass the exams. I also (mainly) want to add these certs to my CV as I feel I'm stagnating in my current job as an IT Consultant on a zero-hour contract. The pay and the hours are good, but if I move back into a full-time job I could do with really respected IT security quals like the ones above.

Soooo... bearing in mind I have no real intention of fully becoming a cyber security specialist in its own right (I still enjoy all other aspects of IT management), and whilst I certainly think they'd massively add to my experience and credentials of 16 years in IT management, which would you do?

I guess this is really aimed at those who have knowledge of CISM and CISSP.

Any advice appreciated.
 
CISSP was 6 hours and 250 questions (paper based) when I did it!

Given what you are doing, and want to do (I.e not be a security consultant) CISM makes more sense to me out of the two.

But ultimately, if it's a learning exercise for you, then it's more going to be a case of looking at the content of them all and seeing what appeals.

Been a long time since I did it so probably out of touch, but CISSP could be pretty involved for just a passing fancy.

CISM I did a course for but never bothered with the exam, feels like it would align more to an IT manager than CISSP.
 
Thanks Ev0,
Thing is that as I work my way through the sec+ (for the 2nd time) AND look at some of the CISSP material, I’m getting more interested in cyber security. However some of the domain stuff is as boringly dull as dishwater.
I’m counting on CISSP and/or CISM enticing me into more diverse senior IT management roles…..and I can go from there. It’s not like I’d be “winging” it after all. I’ve done ok for 16 years so far.
 
Personally I think CompTIA is your starter stuff, building to CISSP/CISM.

CISM is more management/governance and i found CISSP more hands on. Both are highly respected, but up to the individual - do one or do both!
 
I’ve read the Sec+ and CISSP study materials about twice each (chickened out of the exam) and there’s a lot of overlap on the domains. The main difference I found was CISSP was more in depth on certain topics like encryption to a level I doubt anyone in an Info Sec role would actually need (correct me if I’m wrong!). I’m proper rubbish at encryption - I understand the concept and which encryption standards should and shouldn’t be used but not the ‘maths’ side of it.

I would imagine CISM will be more high level (I did CISA many moons ago). The only thing with ISACA exams is the American English factor leading to confusion but this can be overcome.
 
Thanks Stu999.
I'm actually using (ISC)2 for CISM (not ISACA) and CISSP to keep them together, as there are benefits for being a certified member of (ISC)2.
If I can get into a proper rhythm of study (which is hard at my age) then hopefully things will slot into place easier and I can get a crack on with them.
 

I don’t think you’ll necessarily find them that hard given your experience but, as you say, it’s getting motivated to do the study and sticking to the routine that’s the challenge.
 
"it goes to 4 hours and 200 questions and if I'm honest it's put me off a bit."
Why? 200Qs in 240mins is a fast pace, but what is the nature of the questions? Is it multiple choice?

Assuming all questions are weighted equally, I just break those sort of things down and say OK, if I spend an average of 1min per question that leaves 40mins left over; let's say 30mins of that is going over the questions you weren't sure about again and then 10mins contingency to allow for a question or two you get bogged down in. Obviously with a 200 question paper it's vital you maintain pace; if there are questions you know you will struggle with, just press on and come back to them if you get time.

Then it depends what the pass mark is. Again, if multiple choice, you can often work on the basis of: even if I only know the answer to half of the questions, there's probably another quarter where you can dismiss some choices as being wrong (so perhaps a 50% chance of 'guessing' it), and then for the remaining quarter, if it's 4 choices, you have a 25% chance of just guessing it. So that's 50% + 25%×50% + 25%×25%, or ~70% scored based on only having solid, confident knowledge of half the questions.
 
It's not really the content and time per question, it's them buggering about and changing the goalposts.
I'm not a fan of online proctored exams, so extending the time being scrutinised by some overzealous idiot on a power trip for even longer doesn't sit well with me. I don't think they have any exam centres anywhere near me.
I'll be travelling to Lincoln to sit my Security+ exam.
 

No surprise there. Microsoft did the same a few years back. When too many people pass the exams they make them harder.

Good luck on the Sec+ exam, I passed it over a year ago.
 

I think CISSP is like Cisco and Microsoft exams in that there is no going back to review questions. CompTIA was the opposite in 2019, and I believe they still are.

Also, I think the only evenly weighted cert exam I've done was ITIL.

Also also, many of the questions are "pick the correct answers", with no indication of how many to pick from the list. As well as this, Cisco and MS definitely have a "no partial points" philosophy, so you're either right or you're wrong, no points for getting it almost right.
 
Well CISSP is one of the majorly respected certs in cyber security.
I don't think you necessarily get the full amount of questions. If you hit the pass mark in fewer questions then I think you stop. That happens on other exams, and I'm sure someone in my CISSP study group said the same of this one.
For now, I’m re-studying for the sec+ and when I walk my dog or driving in the car I listen to CISSP audio stuff, just to familiarise myself before deep diving when I finish the sec+.
The hope is to also do the CISM which is more exec/managerial and non-hands on. Something I’ll maybe end up doing, as you can only crawl through so many roof spaces with network cabling, or rebuilding comms racks, computers etc before it takes its toll…..:p
 
Thanks bud. You did the 501? I decided to go for the 601 and take my time as I knew I’d not be ready before July 2021 to take the exams which was the retirement for the 501.
 

Yep, it was 501. I got it done just after they announced 601.

Only security cert I decided to do so I understood the fundamentals.

Will probably do CCNA Cyber Ops next year which should also renew my Sec+.
 

Can I ask you why you don't go for the CySA+ instead? I ask because I did the CCNA Cyber Ops a few years ago (through a free training/cert exam scheme); however, from my research I gathered CySA+ turned out to be the better recognised cert.
 

Honestly, I don't like CompTIA, the way they do their exams, and their exams are overpriced compared to other recognised certs which hold way more value, like Microsoft.

When I did Sec+ I found their questions to be structured in a crappy way, and the performance-based questions (I think they are called that) were too fiddly. It put me off taking them again.

Also, having Cisco or CCNA on your profile gets more hits universally compared to CompTIA. CompTIA seems to be more focused towards the US market; even the Sec+ exam objectives have stuff based on US security laws... I have no need for that if I'm living in other parts of the world... Lol.
 