Security and risk-focused IT certifications are in high demand as organizations look to bridge the cybersecurity skills gap and boost data defense. While digital attack surfaces rapidly expand and attackers develop new techniques, the supply of skilled security professionals hasn’t kept pace, leaving companies on the hunt for experienced IT pros capable of recognizing key risks, developing effective defenses and deploying security measures at scale.
Along with emerging threats, however, are evolving compliance requirements — to demonstrate due diligence, companies now prioritize both front-line skills and top-tier qualifications. But with security certifications diversifying to meet market demand, what’s your ideal starting point: CRISC or CISSP?
Here’s what you need to know.
Will These Security Certifications Help Your DC-Area IT Career?
The market for certified IT security professionals in the Washington, DC area is growing: according to job search site Glassdoor, there are more than 9,000 unfilled infosec positions in Washington, DC. In addition, recent funding boosts to federal agencies such as CISA translate to an increased need for skilled cybersecurity pros across government institutions throughout the region.
While it’s always worth investing in entry-level certifications such as CompTIA Security+ or Certified Ethical Hacker (CEH), intermediate qualifications like the Certified in Risk and Information Systems Control (CRISC) certification or the Certified Information Systems Security Professional (CISSP) designation offer excellent occupational mobility, especially in the evolving Washington, DC infosec industry.
But which is your ideal starting point — and which offers the biggest benefit for your career?
Why Should You Choose CRISC?
CRISC is all about risk: identifying, assessing and evaluating IT risk so that companies can reduce their chance of compromise and protect critical assets. ISACA designed the certification for IT professionals with at least three years of cumulative work experience in IT risk management and information systems control, gained across at least two of the four CRISC domains. Common career tracks for CRISC holders include Director of Information Security, Information Security Officer or Information Security Analyst. While compensation varies by region, size of the enterprise and specific job role, CRISC holders typically earn six-figure salaries.
CRISC certification covers four key areas:
- Risk Identification — What current risks exist across enterprise infrastructure? Where are organizations potentially vulnerable to new IT risks?
- Risk Assessment — How severe are existing risks — do they require immediate intervention or can they be addressed over the long term? What are the potential impacts of these risks on data security, access or performance?
- Risk Response and Mitigation — What response and mitigation strategies offer the best return for security budgets and resources? How are they best implemented across the enterprise?
- Risk and Control Monitoring and Reporting — How are security risks monitored and controlled? What metrics are measured, and how are metric reports best used to further security aims?
Put simply, CRISC offers career benefits for IT pros who are passionate about controlling and mitigating risk across the enterprise and aspire to management or C-suite positions within their organization.
Why Would You Consider CISSP?
CISSP, meanwhile, is a broad, vendor-neutral credential covering the design, management and operation of enterprise security programs, controls and systems. It is widely recognized by both government agencies and private organizations and is often a prerequisite for senior security positions. Earning the CISSP requires at least five years of cumulative, paid infosec work experience across at least two of the eight CISSP domains (a four-year degree or an approved credential can substitute for one of those years), plus endorsement by an ISC2 member in good standing. IT professionals who hold this certification typically make more than $100,000 per year, but in high-demand areas such as Washington, DC they can earn closer to $150,000.
The eight CISSP domains are:
- Security and risk management
- Asset security
- Security engineering
- Communications and network security
- Identity and access management
- Security assessment and testing
- Security operations
- Software development security
CISSP training and certification opens multiple career tracks, including: Cyber Security Engineer, Security Operations Technician, Information Security Analyst and Systems Cybersecurity Engineer.
How Do You Get Started with CRISC or CISSP Certification?
Neither ISACA nor ISC2 requires a training course before you sit the exam, and the experience requirement applies to earning the credential rather than to taking the test: you can pass the exam first and document the experience afterwards (ISC2 grants Associate of ISC2 status in the meantime). Online training courses still help refresh key skills and align your study habits to the CRISC or CISSP knowledge domains. Hands-on training courses are ideal, since they combine practical knowledge with front-line skills to ensure you're fully prepared to tackle the certification exam.
The CRISC exam consists of 150 multiple choice questions over four hours. The 250-question, six-hour CISSP exam described in older study guides was retired in December 2017; the English-language CISSP is now delivered as a computerized adaptive test (CAT) with fewer items and a shorter time limit, so check ISC2's current exam outline for the item count and duration before you book. Both certifications are valid for three years and require 120 continuing professional education (CPE) credits plus an annual maintenance fee to recertify; CRISC requires at least 20 CPE credits in each year of the cycle, and ISC2 recommends earning 40 per year for CISSP to stay on pace.
Are you considering a security certification for your infosec career in Washington, DC? Both CRISC and CISSP offer advantages that broaden your job horizons and increase your earning potential. Best bet? Start with CRISC if you have three years' experience and want a better understanding of overall infosec risk; opt for CISSP if you want broader coverage of the technical side of security engineering, deployment and defense.