Cybersecurity manager certifications compared: CISSP vs. CIPM vs. CISM vs. GSLC [updated 2021]
No large organization can run successfully these days without cybersecurity managers. In their oversight role, cybersecurity managers ensure staff follow safe practices, manage the protection of the IT infrastructure, coordinate the response to incidents and ensure the recovery after an attack. They are responsible for good security governance.
The roles and responsibilities are varied for cybersecurity managers. The cybersecurity manager/administrator role includes a variety of advanced-level information security positions focused on overseeing security systems and teams. They also manage IT security programs enabling workers to recognize and deal with a cybersecurity incident like a data breach or cyberattack while ensuring that controls and policies are implemented to mitigate risks.
Ways to prepare for a security manager career
With many organizations in search of qualified security managers, it’s a great time for professionals to prepare for a cybersecurity manager or information security manager career with great opportunities and salary projections. In addition to a college degree in computer science, cybersecurity or a related technical field, candidates need years of experience managing security operations and teams and, above all, the ability to prove continued training and solid security and management certifications.
Most in-demand cybersecurity certifications
The Certified Information Systems Security Professional (CISSP) from (ISC)² is one of the most respected and in-demand cybersecurity certifications available. It’s designed for cybersecurity managers who need to build their knowledge across a broad range of technical and management topics.
The CISSP was refreshed in May 2021 to reflect the security and privacy issues cybersecurity management professionals currently face. As (ISC)² states, “Earning the CISSP proves you have what it takes to effectively design, implement and manage a best-in-class cybersecurity program.”
CISSP is vendor-neutral and covers eight domains:
- Security and risk management (15%)
- Asset security (10%)
- Security architecture and engineering (13%)
- Communication and network security (13%)
- Identity and access management (13%)
- Security assessment and testing (12%)
- Security operations (13%)
- Software development security (11%)
Candidates have 3 hours for the CISSP CAT exam and 6 hours for the non-English linear, fixed-form exam. The Computerized Adaptive Testing (CAT) version allows candidates to answer approximately 100-150 questions tailored to their preparation. The linear version requires approximately 250. A passing score is 700 out of 1000. Testing is all done through Pearson Professional Centers (PPCs) and (ISC)²-authorized Pearson VUE Select Test Centers (PVTC Selects). There is no difference in price for CISSP CAT (English) and CISSP Linear (all other languages); exams cost $699. However, pricing and taxes will vary by country based on the location of the exam.
An increased focus on data security has driven interest in privacy certifications like the CIPM. The International Association of Privacy Professionals (IAPP) offers the Certified Information Privacy Manager (CIPM) credentialing program, which assesses candidates’ understanding of information privacy laws and practices. As IAPP explains, “The CIPM designation says that you’re a leader in privacy program administration and that you’ve got the goods to establish, maintain and manage a privacy program across all stages of its lifecycle.” The IAPP CIPM, which was launched in 2013 as the first and only certification in privacy program management, suits risk managers and others responsible for privacy within their teams.
CIPM has been accredited under ANSI/ISO standard 17024:2012 and covers many aspects of creating and implementing a good privacy program. This can range from creating a privacy team to setting up a working privacy program framework to covering all of its life cycle scheme.
Candidates are given 2 hours, 30 minutes, to answer 90 questions. Exam scores are based on the number of questions answered correctly; they are converted to a common scale ranging from 100 to 500 to account for slight differences in the difficulty of exam forms. The passing score for all IAPP exams is 300 (which does not represent 60%). The cost is $550. Exams are taken on a computer and offered year-round in English. French and German exam versions are also available. Scheduling is done by Pearson VUE but the applicant will be able to choose a convenient testing place and time. Results are given to the testers after the session.
If a professional is looking to move from a technical to a managerial career or wants to prove possession of management skills as well as technical knowledge, then the Information Systems Audit and Control Association (ISACA) offers a great option. “ISACA’s Certified Information Security Manager (CISM) certification indicates expertise in information security governance, program development and management, incident management and risk management.” The CISM suits cybersecurity and IT security managers but is also ideal for information risk managers.
To be certified, testers need to submit a proper application, pass the exam and have the required work experience (at least five years in information security management). The test covers four domains: information security governance, information risk management, information security program development & management and information security incident management.
Candidates have four hours to answer 150 multiple-choice questions covering the latest knowledge required for the job. A passing score is 450 out of 800. The exam costs $575 for ISACA members, and $760 for non-members, and is offered in four languages (English, Japanese, Korean and Spanish). The exam is either by an online remote proctored testing appointment or can be scheduled at an in-person testing center.
Developing cybersecurity prime candidates should pursue the GIAC Security Leadership Certification (GSLC). This credential suits high-ranking professionals with managerial or supervisory responsibilities and, in particular, those that plan and manage security projects and initiatives. The GSLC certification covers key management topics addressing the overall security life cycle including technical topics like cryptography, network concepts and application security, as well as structuring an effective security program, creating proper security policies, running an awareness program and managing the whole security architecture.
The certification also addresses incident response and business continuity. This is a very important topic for security managers who are normally asked not only to protect the IT infrastructure but also to be able to put the organization in the condition to resume operations as soon as possible after an incident.
Candidates have 3 hours to answer 115 questions and are required to answer 65% of the questions correctly. The test is web-based and requires either remote proctoring through ProctorU or onsite proctoring through Pearson VUE. This is an open-book exam with no open-internet or open-computer. Unlike CISM, GSLC requires no specific training for the certification and has no particular professional experience prerequisite.
Each certification is a valid option for professionals who need to validate their knowledge and abilities and provide a managerial level of information security for their business. CISM, however, is more business-oriented and focuses on information risk management. It is particularly valuable for professionals with technical security and control experience that are looking to move into a managerial role.
The GSLC prepares candidates on how to secure an enterprise, while CISSP covers in-depth critical security topics that are more technical-oriented. The CISSP is often valued by recruiters due to its experience requirement, which signals that CISSP holders have on-the-job experience in addition to validating their wide-ranging technical expertise.
The CIPM certification has a strong focus on privacy and is a great credential for professionals in managerial roles that are responsible for data privacy.
Most also have a component for testing the important “soft” skills (communication, analytical thinking and problem-solving) needed in managerial positions to complement the “hard” skills (“To have the technical know-how to design and evaluate systems and network architectures, as well as be able to keep up to date and understand the latest information on trends, best practices, standards and methods”).
Other certifications that focus on cybersecurity management skills
CompTIA Security+ is a great starting point for anyone looking to pursue a career in cybersecurity, as the exam also focuses on the latest trends and techniques in identity management and risk management. However, the CompTIA CySA+ is a more advanced cybersecurity certification that takes a deeper dive into topics such as threat management and vulnerability management, in addition to best practices as a response. This is a credential that gives a high-level overview of the business/management side of things.
Note: As CompTIA’s most advanced certification, CASP+ qualifies you for senior-level cybersecurity positions, but the credential is not necessarily geared toward managers. Together the Security+ and CySA+ span a variety of roles.
Salary and career info for security managers in the cyber realm
According to PayScale, the average salary for a security manager is $69,458 (as of Feb. 2021). From the job description, we learn “[They] are generally expected to streamline their companies’ security processes, regardless of the industry,” to protect valuable information from cyber breaches. For information security managers with a bachelor’s degree, advanced computer security knowledge and about five years of experience who get tasked to “coordinate and execute security policies and controls, while assessing a company’s vulnerabilities,” the salary is about $142,530 a year, as mentioned by the U.S. Bureau of Labor Statistics (May 2018).
Note: “The average salary for a CISM certified professional ranges from $52,402 to $243,610,” whereas, “the average salary in the U.S. for CISSPs is, according to Payscale.com, between $68,594 and $128,338 if you’re male, and between $59,810 and $119,553 if you’re female.” The average male salary for GSLC ranges from $75,000 – $189,000. The average salary for CIPM is $84,000.
Putting all the skills together
Security managers are the driving force behind the company’s security measures, strategies and solutions. They play a significant role in handling security incident management, vulnerability management and device management.
In addition to assigning, directing and controlling the work of employees under their supervision, they also provide senior-level support regarding incident response functions through technical activities. They’ll manage an organization’s IT security in every sense of the word.
Knowledge and soft skills are both important, so credentials that address the basic leadership requirements of professionals in managerial roles are important to validate skills and help security managers in their career progression.
- CIPM Certification, IAPP
- Cyber Security Certification: GSLC, GIAC
- CISM, ISACA
- CISSP, (ISC)², Inc.
- CISM vs CISSP, EDUCBA
- Be an Information Systems Security Manager: Career Roadmap, Study.com
- Become a Security Manager, CyberDegrees.org
- Average Security Manager Salary, PayScale, Inc.
- A guide for understanding cybersecurity certifications, Cybersecurity Guide