CISA, What Next: CRISC or CEH
A reader who recently received his CISA certification asked, “Which certification should I earn next: CEH or CRISC?”
I see this question a lot, so I’d like to answer this in two different ways.
When someone asks which certification they should earn next, sometimes I wonder if that person is asking others to choose their career direction for them.
In this case, the person wants to know whether CRISC or CEH is the right direction. If this person were asking me personally, I would respond with these questions: what aspects of information security interest you? For which aspects do you have good aptitude? What kind of information security job do you want to be doing in five years?
In the case of CEH and CRISC, these two certifications could not be more different from each other. One is a hands-on certification that has to do with breaking into systems (and helping to prevent adversaries from doing the same), and the other has to do with risk management, which is decidedly hands-off.
Now for my second answer: you choose. Both are well-respected certifications. Which one aligns with your career aspirations?
Another thing – for anyone who is just trying to figure out the next cert to add after their name – stop asking that question and do some other things first.
1. Assess your experience.
2. Figure out where your experience can help you go next.
3. Determine your aptitudes. Meaning: what are your talents?
4. Decide what you want to be doing in five years, ten years.
5. Only after you have answered 1-4 can you then think about certifications. They should reflect your knowledge and experience.
Knowledge and experience come first. Certifications are a reflection of your knowledge and experience, not a forecast of future events.