
By: Jay James
July 14, 2020
Best Certifications for Transitioning from Cybersecurity Technical to Management Roles

At some point in a cybersecurity professional's career, they may decide to leap into a leadership role. Many run into the issue that there is no clear path to management. Should one pursue an MBA? What skills should one develop? What leadership position best fits one's skillset? If there is no opportunity for promotion, where should one look for the best fit? There is no one-size-fits-all answer to these questions; however, there are a few steps that anyone can take to get one step closer to their dream management-level job. One vital step is gaining the appropriate certifications.
Here (in no particular order) are five top certifications for those who plan to transition from their technical role to a management-level position in cybersecurity.
Certified Information Systems Security Professional (CISSP)
What is the CISSP?
As defined by (ISC)², the CISSP certification "proves you have what it takes to effectively design, implement, and manage a best-in-class cybersecurity program." The organization also notes that it is the ideal certification for practitioners, managers, and executives.
The CISSP Covers Eight Domains of Knowledge:
- Domain 1: Security and Risk Management
- Domain 2: Asset Security
- Domain 3: Security Architecture and Engineering
- Domain 4: Communication and Network Security
- Domain 5: Identity and Access Management (IAM)
- Domain 6: Security Assessment and Testing
- Domain 7: Security Operations
- Domain 8: Software Development Security
Why should you take it?
The CISSP is one of the most well-known cybersecurity certifications. Those who pass the exam show their dedication to the field and demonstrate a base knowledge of the significant domains of cybersecurity – which is often a requirement for management roles in cybersecurity. Passing the CISSP will also make you a member of the (ISC)² community, with its strong commitment to continuous education and staying on top of cybersecurity trends.
What are the requirements?
Along with passing the exam, there are additional requirements to obtain the CISSP.
- All candidates must have five years of experience in two or more of the eight CISSP CBK domains. A four-year degree (or equivalent) or an approved credential counts as one year toward that requirement. If you do not meet the required experience to become a CISSP, you can still pass the exam and receive the Associate of (ISC)² designation until you have the experience necessary.
- Candidates must receive an endorsement from someone with a CISSP.
- All candidates must also agree to the (ISC)² "Code of Ethics."
Certified Information Security Manager (CISM)
What is CISM?
The CISM Certification is an information security management certification by the International Professional Association (ISACA). ISACA states that the CISM "indicates expertise in information security governance, program development and management, incident management, and risk management."
The CISM consists of four domains:
- Domain 1: Information Security Governance
- Domain 2: Information Risk Management
- Domain 3: Information Security Program Development and Management
- Domain 4: Information Security Incident Management
Why should you take it?
As the name of the certification implies, it covers the base skills for an Information Security Manager. The CISM covers content similar to the CISSP's, but from more of a manager's perspective. Obtaining this certification further demonstrates on one's resume the ability to develop and manage Information Security Programs.
What are the requirements?
- Have at least five years' experience in information systems auditing, controls, or security work.
- Pass the certification test – which can be taken before the experience requirements.
- Adherence to the ISACA Code of Professional Ethics.
- Abiding by the Continuing Professional Education Policy.
Certified in Risk and Information Systems Controls (CRISC)
What is the CRISC?
The CRISC Certification is a risk management certification by the International Professional Association (ISACA). As defined by ISACA, the CRISC is a certification that "indicates expertise in identifying and managing enterprise IT risk and implementing and maintaining information systems controls."
The CRISC consists of four domains:
- Domain 1: IT Risk Identification
- Domain 2: IT Risk Assessment
- Domain 3: Risk Response and Mitigation
- Domain 4: Risk and Control Monitoring and Reporting
Why should you take it?
All cybersecurity activities performed in an organization tie back to the risk to the organization. As a cybersecurity manager, it is vital to understand risk management and discuss cybersecurity concerns in terms of risk. Being able to effectively communicate risk to all stakeholders (from developers to the C-suite) will actively contribute to the success of a cybersecurity program.
What are the requirements?
- Have at least three years' experience in at least two of the four CRISC domains listed above; at least one of those must be from Domain 1 or Domain 2.
- Pass the certification test – which can be taken before the experience requirements.
- Adherence to the ISACA Code of Professional Ethics.
- Abiding by the Continuing Professional Education Policy.
Project Management Professional (PMP)
What is PMP?
The Project Management Institute's PMP certification is the industry-leading project management certification. As noted by the Project Management Institute, the PMP "validates your competence to perform in the role of a project manager, leading and directing projects and teams."
The PMP focuses on Ten PMBOK Project Knowledge Areas:
- Project Integration Management
- Project Scope Management
- Project Schedule Management
- Project Cost Management
- Project Quality Management
- Project Resource Management
- Project Communications Management
- Project Risk Management
- Project Procurement Management
- Project Stakeholder Management
The PMP also focuses on Five PMBOK Process Groups:
- Initiating
- Planning
- Executing
- Monitoring and Controlling
- Closing
Why should you take it?
One of the top skills for anyone in any type of technology-related management is project management. As cybersecurity expectations and requirements change quickly in an organization, those managing will need strong project management skills. These skills will help keep cybersecurity teams and the cybersecurity strategic goals on track.
What are the requirements?
- A four-year degree
- 36 months of leading projects
- 35 hours of project management education/training or CAPM® Certification
- Passing the certification test
OR
- A high school diploma or an associate's degree (or global equivalent)
- 60 months leading projects
- 35 hours of project management education/training or CAPM® Certification
- Passing the certification test
Certified Information Systems Auditor (CISA)
What is CISA?
The CISA Certification is an information systems auditing certification by the International Professional Association (ISACA). As defined by ISACA, the CISA is the "standard of achievement for those who audit, control, monitor, and assess an organization's information technology and business systems."
The CISA consists of five domains:
- Domain 1: Information System Auditing Process
- Domain 2: Governance and Management of IT
- Domain 3: Information Systems Acquisition, Development, and Implementation
- Domain 4: Information Systems Operation and Business Resilience
- Domain 5: Protection of Information Assets
Why should you take it?
Depending on your role, having a strong understanding of auditing and controls may be a valuable skill at the management level. Cybersecurity managers may be in charge of, or contribute to, audits and/or assessments. Even if not, a cybersecurity manager's department may itself be subject to audit at some point to demonstrate compliance with various specified controls.
What are the requirements?
- Have at least five years' experience in information systems auditing, control, or security work (as defined by the job practice areas stated above). Substitutions and waivers for up to three years are possible; they are outlined at https://www.isaca.org/credentialing/cisa/get-cisa-certified.
- Pass the certification test – which can be taken before the experience requirements.
- Adherence to the ISACA Code of Professional Ethics.
- Abiding by the Continuing Professional Education Policy.
Conclusion
These are several great certifications for the transition into management, but depending on an individual's goals, this is not an all-inclusive list. If the management role is technology- or vendor-specific, such as AWS or Azure for cloud, it may be valuable to achieve the relevant certifications. Regardless, demonstrating a desire for continuing education through certifications will show dedication and passion for the cybersecurity field.