Hi All
According to a PWC report, the C-Suite Executives are the greatest risk. What do you think?
Do you concur or do you have another perspective?
Regards
Caute_Cautim
I remember 2012, I passed the CISSP that year. I too do not use the alphabet soup, too many to write down. I forgot about the Certification and Accreditation to Certified Authorization Professional. I actually do not avoid ECC as much as ISACA, I recognize that each accreditation body has a space. I'm not sure of the ISACA space as they created a business model which is ok, but not the best overall model. My first Doctorate attempt was a Dr. of Org Management/ Information Systems Management - I ended up being an ABD (all but dissertation) in it. It was good but the modeling for ISACA also doesn't agree with IEEE/ACM/INCOSE/IFIP so it is something I try to avoid.
It really depends upon the goals. I teach ECC on a regular basis - their hands on labs far outpace most other vendors. In fact their CEH (M) hands on exam is comparable with the OSCP - mostly the same flags. The Licensed Penetration Tester (LPT) is far more advanced than the CEH (M). It really depends upon the void you are attempting to reach into.
Typically I teach: ISC2, ECC, Microsoft, CompTIA, and Cisco for technical, and of course management and process engineering. Additionally, I teach protocols - DNS, DHCP, TCP/IP, etc. Not the typical protocol route but specialty courses on them (they are some of my favorite topics). I spent 10 years as a linguist, so a protocol is the same (in my mind) as another language.
Again, I do not do the ISACA route as their foundation of Cyber actually counters industry best practices - so it is hard for me to get behind them. I have been asked multiple times to teach ISACA, as an academic institution and also as a private vendor, but it is really different conceptually at their newest levels.
Cheers.
Ervin
HI All
Senior executives must do better to prepare for almost inevitable future cyber-attacks and cannot rely on government alone for protection, the UK government has warned.
UK Security Minister, Dan Jarvis, today warned that cybersecurity has remained a concern for the middle management “for too long” and “only gets escalated to the seniors in a crisis.”
“The UK government is creating a strong partnership on cybersecurity, as we have shown through our work on Jaguar Land Rover, but I am clear that businesses cannot be protected by government alone,” he said, speaking at the National Cyber Security Centre’s (NCSC) headquarters in London on October 14.
Richard Horne, the NCSC’s director, stressed: “Ask any organization that’s experiencing a crisis such as a ransomware attack: ultimately, the CEO and the executive committee and other board members will have to run the crisis management.”
“The time to act is now. Every leader, whether you’re one person at your kitchen table or the boss of thousands of people, you must have a plan to defend against criminal cyber-attacks and you must have a plan for continuity. You must know how to keep going without your IT systems should a cyber-attack get through,” Horne continued.
These warnings came as the NCSC’s 2025 Annual Review, published on October 14, showed record-high numbers of “nationally significant” cyber incidents, with 204 events of such impact between September 2024 and August 2025, of which 18 were “highly significant”.
https://www.infosecurity-magazine.com/news/execs-falling-short-cyber/
Regards
Caute_Cautim
@Caute_cautim Not quite sure how this conversation became a discussion of various organisations and certifications, unless it is to point out the lack of training available for the C-Suite (this does not need to be certifications).
ISACA, IIA and others have done a great job at getting the Board to recognise Audit (most boards have a seat for Audit) and have created training for audit committee members, but unfortunately ISC2, CompTIA, EC-Council, etc. have not been able to crack that nut. Some may have tried but others have not.
So, this really leaves it to the folks doing Security to educate senior management. KnowBe4 has a program tailored to executives; however, this is a catch-22 unless you are able to justify funds for Security Awareness training. Folks in private industries (non-government) may have an easier time with this.
Glad to see governments have finally taken note and some organisations restructuring the position of Security. We see in many organisations that Audit reports to Finance and typically a Senior Manager, whilst Security is typically placed in IT and usually two-three levels down the food chain. Audit reports are typically delivered to the CEO and hence read by the board, but Security reports seldom make it past the CIO UNLESS it is to pen the reply to an audit report.
So getting off my soapbox
d
They can be—C-suite executives often have the highest access and influence, making them prime targets for security and compliance risks.
The discussion on cert bodies would seem very relevant (from my limited exposure as a CISO): each offers a different set of knowledge requirements, thus there is no uniform body of knowledge or skills. For instance, in the CCISO there is a budgeting component; we don’t see that in other certs, which also explains some of the primary differences in perspectives. The CISSP and CISSP-ISSMP do not have it, although the CCISO, CISSP-ISSMP, or CISM is required for the 8140.01 leadership roles (effectively “C” suites for govt service). I cannot speak to the CISM as I have not spent my time working to obtain that one.
Ervin Frenzel, PhD
CEI, CCISO, CISSP-ISSAP, CISSP-ISSMP, E|CSA
@ervinfrenzel I find this very relevant. It is too bad that management is often not required to go through certifications as they are often the weakest link in the chain. Too bad that they do not take this as seriously as we do. I definitely appreciate the discussion from someone with different experiences than my own. Some people just want to play king of the hill. Glad that we are not one of them.