CISSP and CEH are two of the most common computer security certifications you’ll see in security program job descriptions. If you want to advance your career by becoming a certified professional, you might consider each of them. Here’s my experience of CISSP vs CEH.


The CISSP and CEH are the two most valuable certifications in the U.S. Department of Defense. In the private sector, arguably the CISSP is the more valuable of the two.

Both CISSP (Certified Information Systems Security Professional) and CEH (Certified Ethical Hacker) require full-time work experience in multiple domains of cyber security. This ensures that holders of either certification have some experience to back up their knowledge.

Both tests have training courses available that cover the exam’s common body of knowledge, but you aren’t required to use the official certifying body’s training, or any training at all. You are free to study on your own and take the exam if you wish.

It’s not at all uncommon to see security consultants with one or both of them, as well as full-time employees who work inside the security program of a large company or organization.

CISSP vs CEH: Policy vs tools

The most common criticism of CISSP is that it’s more security policy than anything else. CISSP is all about what you do and why you do it. While tools are certainly fair game for the test, that’s not the focus. When I took the test, I had to know what an Intrusion Detection System and an Intrusion Protection System were, and why you might buy one. But I didn’t need to know any specific brands, makes, or models. The question or questions I got about those tools were purely situational. The test wanted to know if I knew when they were appropriate to deploy.

CEH is much more tools- and operations-oriented. CISSP expects you to know what vulnerability scanning is and when you do it. CEH expects you to be able to name some tools and know some differences between them.

For a lot of jobs, like penetration testing, CEH is more directly applicable.


Both certifications are big on ethics. CISSP will tell you not to take a job you’re not qualified for, for example. I know I’ve frustrated recruiters in the past over this. They’d send a job description knowing I’m half of what they’re looking for and encourage me to go for it. I’ll respond by giving them the name of someone more like what they’re looking for, if I have time. I won’t do a recruiter’s job for them, after all. But it’s not right to take a job and mislead an employer about what your capabilities are.

The other issue is that when you know a lot about computer security, you have to be ethical about it. Your knowledge is dangerous.

Now, ironically, the EC-Council, creators of CEH, were accused a few years ago of plagiarizing material. The original authors would have permitted EC-Council to use their material, but EC-Council didn’t ask. That’s one reason I never pursued CEH.

Generalist vs specialist

If you wanted me to sum up CISSP vs CEH in three words, I would say generalist vs specialist. A CISSP is as generalist as it comes. The CISSP certification covers a little bit about risk management, a little about security controls, a little about physical security, a little about computer architecture, and hundreds, if not thousands, of other loosely related things.

A CEH is a specialist. A CEH doesn’t care about the placement of lights in a parking garage, or which way a door to a server room should open. CEH certification limits itself to computer systems, and largely to ethical hacking of computer systems or protecting systems from malicious hackers. Since CEH is specialized, it goes much deeper. You’ll probably never see the name of a specific tool like Qualys or Nessus or Nmap on a CISSP exam. A CEH exam may very well ask you about Nmap and some useful command line switches for it.

CISSP vs CEH in government contracting

In DoD contracting, CISSP used to be the certification to get. Once you attained CISSP, you were set for life. Today, the certification that opens the most doors in the DoD is the Certified Ethical Hacker certification. To get to the highest-level positions, you may need both CISSP and CEH. But the combination of Security+ and CEH can get you places that used to require CISSP. In some cases, the combination of Security+ and CEH can get you to a better place than just CISSP would.

What certifications to get and in what order will vary from position to position, and it can and does change from time to time. But if I were going to get back into government contracting, one of the first things I would do is get CEH.

CISSP vs CEH in the private sector

Although some people consider CISSP overrated, it generally carries a great deal of respect in the private sector. CEH is more of a mixed bag. I once worked in the security department of a Fortune 20 company that employed dozens of CISSPs, but not a single CEH. The managers at the time saw CEH as a strike against someone, rather than a plus. That company employs a couple of CEHs now, but the managers I knew really preferred that someone have an alternative certification, like GPEN for penetration testing, or GCIH for incident handling. Those tests are more specialized than CEH, and that company’s management thought they were a better test of a security professional’s skills.
