EH-Net
  Show Posts
1  Ethical Hacking Discussions and Related Certifications / Security / Re: CISA on: August 10, 2011, 05:07:10 AM
think of it, if you're taking CISA - you need to have the mindset of an IT auditor

if taking CISM - then you have to have an Information Security manager mindset

but CISSP is more of an operational IT security mindset.

given that your company is paying for it, just go for it. however, the exam is not easy, a lot of people can pass the exam because there is a pattern to it (hint - the Q&A samples), but you need to know what they will ask. the same goes for CISM too.
2  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Experience vs Certifications on: August 10, 2011, 05:03:29 AM
I think it's been debated here in the topics for so long.

the final word on this -> when it comes to certification, yes, if you have it, congrats and it's easier for you to get an "interview", not necessarily a guaranteed job!

I have CISA, CISM and CEH, so what? the point, as some have mentioned, is that companies are looking for people who can do work and do it properly. you may have CISA, but if you cannot do IT Audit work (which is what my previous supervisor had full credentials but cannot do IT Audit work!). and you have a lot of CISAs in big four companies, but they don't care about the work, they just need the CISA word printed on their name cards to look good (quote - financial auditors!)

again, I was in an interview not long ago, yes, certs do get you to the interview, at the end, it's your experience and attitude that gets you the job. the paper collection is just that.....collection, but it does "help" you to get past those who "don't" have it.

before I got the certs, there were times the clients would ask me, "why should I listen to you?", but when you have the certs to back you up, you know what you're doing, and you can tell them off, well, I'm a CISA and that shut their mouth!

 Grin

3  Resources / Career Central / Re: Information Security Professional - Career advice on: January 03, 2011, 10:24:57 PM
indeed, you're technically well versed, I did recommend doing something out of being too "technical". because if you stay technical, you'll be just there, a techie.

to move up in the chain, you need to do something different, related to business / corporate world.

CISA - if you want to try IT Audit
CISM - Info Sec - Managerial
CISSP - Info Sec - Operational

and since you like to travel, suggest a consultant role or a job that allows you to travel to other countries that require your skill set. good thing about that is you'll be exposed to all sorts of industries to work in while you learn and accumulate your experience. ain't that great?

Big 4 companies do have technically competent staff (most likely advisory role) to help out in certain work.
 
4  Ethical Hacking Discussions and Related Certifications / General Certification / Re: How do employers look at certifications on: December 30, 2010, 08:37:55 AM
simple, certs get you past HR filtering, whether you like it or not, that's the reality in this business / corporate world.

they see having certs as your own initiative and that you're serious about the role you're currently doing.

other than that, experience and how you sell yourself count, otherwise, if you have a lot of certs, but can't talk / sell yourself during the interview, it's also no good and you won't pass the interview!

also, most interviewers will ask you to talk about your past experiences, what you did etc., so that's the best time to sell whatever you did in the past.

besides, having certs makes you stand out from those "without", really, your pay will be more than theirs.
5  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Harsh Words for Professional Infosec Certification on: September 21, 2010, 03:50:03 AM
to be frank, it depends on what field you're in, let's say if you passed CISA, and got certified, at the end game, the result of the audit / report will then show if you are really an IT Auditor or not (IT audit can have financial auditors / or techie auditors). I have an ex supervisor who is CISSP, CISM, CISA, etc, so long that the name card cannot fit them in, but when it comes to "real work", he can't perform or even write a good report. he ended up being asked to leave by my director.

so, no certification is bullet proof, it only gets you past HR filtering, but the end game is whether you can do the work or not. No one is really a specialised "know it all dude", otherwise we'll end up being a DBA who's only doing DBA work only.  Wink
6  Ethical Hacking Discussions and Related Certifications / General Certification / Re: EC-Council validity on: August 19, 2010, 11:21:20 PM
nothing about EC Council, I was given the opportunity to take it and it was paid by the company, for free! took the CEH v5 workshop, well, the instructor is OK, but he did skip the hands-on for the Linux part etc. the rest is very theory based, and of course, the fun part was unpatched Windows 2000 and how you use Metasploit to get in. that was 2007.

I'm not sure how their coursework or materials fare now, their previous print-screen books x 5 volumes were a mess, so I really skipped them when preparing for the exam.

so back to the topic, yes, EC-Council marketing is damn good to be fact. better than others, even the job postings are asking for CEH credentials. No big issue in Asian countries, as OSCP, GPEN, CPT, OPST, CEPT, NOP are not popular here!

I hold CISA and CISM (in waiting for certification), so when people asked me why I took CEH, I told them I did it for "fun", to learn ethical hacking stuff, not something that can find me a high-paying job.  Grin
7  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Passed CISM 2010! on: August 14, 2010, 12:35:57 AM
dynamik, hayabusa - thanks, I plan to do CISSP next, failed that end 2007, so plan to do again. Besides, that's part of my KPI for next year and since it's paid for exam and course fees, will take a stab at it!

don't save on the supplement for CISM, sometimes, you'll be surprised that a few questionnaires are thrown out as bonus and look exactly like the exam questions!

sil - don't give up, cert is not that easy, but do have a mindset of info sec with business mind in place, sometimes we don't agree with ISACA's way of questionnaires, but that's the fact we have to accept if we want to pass the exam! CISA was to me harder than CISM, just that it's a different mindset you need to have and you put on another hat when doing CISM.

good luck to you and whoever is taking it.  Wink
8  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Passed CISM 2010! on: August 13, 2010, 04:22:04 AM
thanks ziggy/awesec,

I used the review manual 2010, 450 Q&A CISM 2009, 100 Q&A 2009 and 2010 supplement. took me 3 months to prepare.

the review manual 2010 is very lengthy and to be frank too theory based. in other words, very long winded. I then used the Q&A 2009 and the supplements. although the sample questions won't be the exact same type coming out on the real exam, you have to understand how the questions were structured in order to tackle the exam!

CISM - is not too technical IMHO, but very business oriented and always relates business with info sec alignment etc.

anyone taking it?  Wink
9  Ethical Hacking Discussions and Related Certifications / General Certification / Passed CISM 2010! on: August 12, 2010, 09:13:45 PM
w00t folks! passed the CISM exam that I took in June 2010!

now need to apply for the certification!

going for CISSP next year as company is paying for the exam fees and course fees (by ISC2 Kevin Henry!)

yes!  Grin
10  Ethical Hacking Discussions and Related Certifications / General Certification / Re: What is your role in this field on: July 01, 2010, 08:43:54 AM
like you, I took CISM last month June 12. Why I took it? well, it's related to my new job now that I've moved on to IT Security, so CISM is just nice. I haven't got CISSP yet...maybe next year.

I did CISA because my previous job required me to be certified as I'm an IT auditor, and took CEH because part of the job is to learn new IT hacking stuff, more like an interest to me to know how to use the tools, but it does not necessarily mean I'm going to do pen-test for the rest of my career.

cert or no cert, in reality, it does help in passing thru the HR filtering, that segregates you out from those without certs. then again, passing the interview is one thing, performing the job is another after you got the job!  Grin
11  Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / Re: ISACA Announces New CRISC Certification on: June 01, 2010, 10:59:31 AM
not too sure, it costs like USD499 for the grand-fathering program, if you're not successful in applying - USD100 for the admin charges. you get back USD399. so unless you're into doing most of the domains that are required, then do consider, otherwise, if it's not related, I'm not sure if it's worth that $$$ unless your company doesn't mind paying it for you.

Also membership is USD130 per year, maintenance fee is USD40, so total you have to cough up USD170 per year if you're certified.  Roll Eyes

anyway, no harm trying.
12  Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / Re: Policy for personal laptops at work on: May 26, 2010, 10:51:53 PM
I'm actually more concerned about the software that is installed on their machines. I had a case when I did the audit for a client, they have an employee notebook scheme (deducted from their salary over a period of time). Funny thing is the management allowed them to use either licensed Win XP or not. so if you use original Win XP, you pay more. Imagine 250 notebooks used in the company for "business purposes", with the majority using bootlegged XP and Office 2007.

We highlighted this to the management as a key concern. (company was listed), so they ended up buying original XP licenses and some use free Open Office instead.

so better keep that in mind.
13  Ethical Hacking Discussions and Related Certifications / Incident Response / Re: Surely you trust the Auditors? on: March 17, 2010, 09:13:43 PM
perhaps it's good to set up ground rules for the "outsiders" such as:

1) all thumb drives must be surrendered for virus/malware scanning
2) notebooks must be installed with anti virus with latest definitions etc
3) the office or meeting room used by the auditors must be on a separate VLAN or the network port must be disabled until needed
4) access to the Internet must be authorized by the company before it's given to the auditors

anything else?  Grin
14  Ethical Hacking Discussions and Related Certifications / Incident Response / Re: Surely you trust the Auditors? on: March 17, 2010, 08:22:16 AM
sounds familiar! I had that incident too (I am an Internal IT auditor), auditing a company of mine where I used to pass my USB drive around for the auditee to copy files into the thumb drive. I only noticed that there is a hidden virus when I enabled "view all hidden files", and by then it was too late as the client showed me a "print-screen" of the infection which came from my thumb drive. And yes, you're right, some AV in the auditor's notebook is useless in detecting malware etc. my notebook has the following, Symantec SEP 11, Malwarebytes and PC Tools Spyware etc. funny thing is that thumb drive I didn't use for a very long time.

anyway, back to your incident, isn't that a bit harsh to send all of them "packing" and out of the office? at least you got your message out loud and clear! :O
15  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: CEH V6 - passed on: March 17, 2010, 06:30:49 AM
a bit late on this but better late than never! Congrats on the road you took to become a CEH. it's worth the effort whether you're doing this in long run in your career or otherwise, it's better to know more things!

well done!  Smiley
© 2013 The Ethical Hacker Network