CCISO vs. CISSP: Which Certification Is Best For Aspiring CISOs?

Popular InfoSec certifications include CISSP and CCISO. But before investing time and money in either of the two, you need to know how they differ and which one will help you progress your career to the C-suite.

August 9, 2022

Are you an InfoSec specialist hoping to ascend to the C-suite? The average base income for aspiring CISOs is $126,505 annually, according to Indeed, but joining the C-suite club demands upskilling. To upskill, you should choose a good security certification course. This article discusses the top two security certifications, CISSP and CCISO. Let’s find out which suits your skill set best and helps you become a competent CISO.

While it may be possible to move into the C-suite with a bachelor’s degree and a few years of pertinent information security experience, you will likely need a security certification. But which one? Among the many security certifications that can help advance your career, two in particular stand out for prospective CISOs: EC-Council’s Certified Chief Information Security Officer (CCISO) and (ISC)²’s Certified Information Systems Security Professional (CISSP). Both are among the most valued security certifications worldwide.

CISSP vs CCISO

With over 180,000 CISSPs worldwide, (ISC)²’s CISSP certification has become the leading training program for and validation of IT security management skills. Because of its emphasis on both technical and managerial skills, the CISSP certification has become essential for several different job roles in IT security, including IT security engineer, security manager, security consultant, auditor, IT architect, information assurance analyst, security system administrator, information security risk officer, and IT director/manager.

When CISSP was first instituted in 1994, few companies had a full-time security manager. Security was typically the responsibility of the CIO. Fast forward to today, and most organizations are placing their enterprise’s security in the hands of a chief information security officer (CISO or CSO), a high-level executive with vastly different skills and responsibilities from those of security managers two decades ago. CISOs now need to manage budgets strategically, determine which projects to fund and which to delay, what technology to replace, what training they should provide for their staff in-house, and what roles to outsource. None of these high-level executive functions are validated by a CISSP certification. At most, CISSP validates a candidate’s technical and management skills for middle-management security positions, not those of an upper-level executive responsible for keeping an entire organization’s technology and information secure. Hence, in 2011, EC-Council developed a new certification to cover the CISO domains that the CISSP lacked.

EC-Council’s CCISO certification does more than validate one’s technical security or management skills; it also validates the leadership skills of the aspiring CISO. As stated by EC-Council, the “CCISO was designed from the beginning as a next step from CISSP.” In fact, almost all the founding members of the CCISO advisory board, who worked to develop the CCISO program, were CISSP certified themselves. Thus, the EC-Council board concentrated on domains that not only would complement and build upon the CISSP program but also be able to move “middle security managers into executive roles” by focusing on the “application of information security management principles from a C-level point of view.” So while CCISO wholly or partially covers all eight domains within the CISSP program, it does so from a business executive perspective. It also covers a domain not covered by CISSP: Strategic Planning, Finance, Procurement, and Vendor Management.

Five Points To Consider Before Choosing the Right Certification

Are you proficient in the security domains covered in each exam?

CISSP

To pass the CISSP exam, you must correctly answer 70% of the questions in each of the eight security domains covered. These domains are:

  • Management of Security and Risk
  • Asset Protection
  • Engineering and architecture for security
  • Security of communication and networks
  • Management of identification and access
  • Assessment and testing of security
  • Operational security
  • Security in software development

CCISO

Passing scores for the CCISO exam can range from 60% to 85%, depending on the difficulty of the particular exam form that is administered. The 2.5-hour exam consists of 150 scenario-based, multiple-choice questions covering these five domains:

  • Governance and risk management
  • Information security controls, compliance, and audit management
  • Security program management and operations
  • Information security core competencies
  • Strategic planning, finance, procurement and vendor management

What training opportunities are available to help prepare you for the certification exam?

CISSP

Training materials for the CISSP exam can be found on the (ISC)² CISSP webpage. You can find an exam outline, a study app, a study guide, practice tests, CISSP flash cards and other exam-prep aids. There is also an official textbook. (ISC)² and its third-party training partners also provide CISSP classroom-based and online training. 

CCISO

EC-Council offers two options to prepare for the CCISO exam: self-study and training. The self-study option is available to those with a minimum of five years of information security management experience in each of the five CCISO domains. After submitting an exam eligibility application proving they have the requisite experience, applicants can then purchase an exam voucher to take the exam. 

Note: Education waivers, which allow candidates to waive up to three years of experience for each domain, are available for those who lack the requisite experience.

Candidates with five years of IS management experience in three of the five CCISO domains are eligible for the Training Option. These candidates must take the Official CCISO Training from EC-Council. The training is not technical but a leadership course designed specifically for experienced InfoSec professionals. Students are taught the five CCISO domains using real-life scenarios. After completing the training, candidates can submit the Exam Eligibility Application. Once approved, they can purchase the ECC Exam Center voucher.

Do you have the required experience to become certified?

To get CISSP certified, you must have at least five years of paid information security job experience in at least two of the eight domains covered by the exam. You’ll also need to pass a personal background check and get a letter of recommendation from a current CISSP-certified expert. The CISSP certification cost is $699. 

To be eligible for the CCISO exam, you must have five years of working experience in each of the five domains and apply through either EC-Council’s self-study or training program option. The application fee for the eligibility application is $100. Once your application is approved, you can purchase an exam voucher for $500.

Suppose you currently work in information security but lack the necessary experience to qualify for either certification. For those with one or two years of security experience, (ISC)² offers the Systems Security Certified Professional (SSCP) credential, which covers many of the same domains as the CISSP and can also help you attain a position that will help you fulfill the CISSP work experience requirement. CCISO applicants who do not meet the experience requirements can still sit for EC-Council’s Information Security Manager (E|ISM) exam as part of the Associate CCISO program. Associates who later complete the work experience requisite will be eligible to take the CCISO exam at a discount.

Can you score the required continuing education credits to keep your certification active?

The CISSP certification is valid for three years, after which you must recertify. To maintain your CISSP certification, you must earn at least 120 continuing professional education (CPE) credits every three years and maintain your (ISC)² membership. Membership fees are $125 annually.

CPE credits can be attained through courses, conferences, and technical materials that will help you stay current with the latest developments in the field. You can earn credits by attending webinars on cybersecurity topics, attending local CISM or CISSP meetings, volunteering for cybersecurity events, or becoming a mentor to other members. 

The CCISO certification is valid for three years. To renew, you must fulfill certain continuing education requirements and remit a renewal fee of $100.

Do you have the necessary business and soft skills to become a successful CISO?

Having information security technical expertise alone is not enough to become a successful CISO. As a C-suite position, the CISO role requires determination, dedication, drive, leadership skills, and a willingness and ability to continually educate oneself on the latest trends in the information security industry.

Successful CISOs must have great business acumen and be able to speak the language of business. (In fact, many employers require that their CISOs have an MBA degree with cybersecurity or IT concentration.) CISOs also must be able to present cybersecurity threats and vulnerabilities in business terms without delving into minute technical details behind those threats. They must work effectively with government oversight, regulatory agencies, policymakers, law enforcement agencies, and all relevant stakeholders within their organization. 

Before embarking on a CISO career, candidates must realize that not everyone with security experience and education is suited for a chief information security officer role. Thus, you need to ask yourself whether you have these necessary soft skills: superior interpersonal, written and oral communication skills, the ability to work under pressure, strong leadership, and strategic planning and execution skills. Those who excel technically in their current information security positions but find after self-analysis that they do not have the business or soft skills required of a CISO should probably consider the CISSP over the CCISO certification, or any other security certification that is more immediately aligned with their talents and career goals.

Do you think these credentials can help security professionals advance to executive positions? Let us know on LinkedIn, Twitter, or Facebook. We’d love to hear from you!

Mary Ann Richardson
Mary Ann Richardson is an independent IT analyst at technology research firm CMR Executive Advisory, focused on providing individuals and organizations with the information they need to use technology more productively and to make better business decisions. Ms. Richardson has provided on-site training for a number of organizations in the Philadelphia area. A former Gartner analyst, Ms. Richardson is also a frequent contributor to online technology sites.