New highly validated data from 3,305 employers reveals that the average cash market value for hundreds of tech certifications is at its lowest point in four years. Meanwhile, pay premiums for non-certified skills in the same period have gained 6 percent in value on average. What gives?
There’s always been a tug of war within employers about hiring tech people with skill certifications versus those who have learned by experience on the job. Eventually the question of comparable pay arises, shining a light on whether certification is a valid factor when measuring a worker’s value or potential on the job. And if it isn’t, then how should employers be assessing skills competence?
Pay disparities between certified and non-certified tech skills
While the performance of ISACA certifications in the compensation landscape has been mixed, as a group they are earning the equivalent of 12.4 percent of base salary in average pay premium, with CGEIT and CRISC earning the most. Compare this to the 7.5 percent average premium across all 466 certs reported in Foote Partners’ quarterly updated IT Skills and Certifications Pay Index™ (ITSCPI).
The fact is, employers have been perfectly willing to throw cash at both certified and non-certified skills for many years, typically in the form of premiums above and beyond base salary. Foote Partners has been capturing and reporting these cash premiums since 2000. Until 2007, certified skills were earning more on average than non-certified skills, but beginning in mid-2007 this trend reversed. Since then, the gap in pay premiums between the two has widened: the 551 non-certified skills tracked now earn, on average, nearly 2 percent of base salary more than the 466 tech certifications tracked at more than 3,300 employers.
Certifications had a long run of consistently losing overall value from late 2006 to 2012. These were dark years marked by charges of fraud in the certification-testing business and a prevailing opinion that certifications were simply too easy to attain, in particular those offered by vendors to support their product lines. Technology vendors and vendor-independent certifying organizations fought back by adding prerequisites for sitting exams, hands-on labs and peer-review panels.
It seemed to work, as certification pay began to rise, although not nearly to the level of non-certified skills premiums, often for the same technologies. More and more management, process, and methodology skills and certifications gained popularity in the growth years for both intermediate and advanced skill levels, and pay continued to rise for both segments until about two years ago.
Average pay premiums for tech certifications recorded in the ITSCPI have most recently decreased in the last quarter of 2018, down 1.8 percent overall. They lost 2.4 percent of their value in calendar year 2018 and nearly 3 percent over the last two years. In the last three months of 2018, 57 certifications recorded cash pay premium losses against 17 gaining value.
Meanwhile cash pay premiums for non-certified skills increased 0.6 percent overall in October-November-December with 87 of these skills recording pay premium gains and 72 losing market value. Pay gains have been consistently higher in most quarters in each of the past three years.
Declines in certification market value can be misleading
Certification values decline in the marketplace for a number of obvious and not-so-obvious reasons.
Pay premiums diminish as certifications expire, are retired, or as technology evolves and they are replaced with more appropriate certifications. Since certifications have traditionally been attached to infrastructure tech (networking, systems, security), they have natural market pay volatility: nearly 17 percent per calendar quarter in the past four years. Volatility here measures the percentage of all tracked certifications whose pay premium changed value in a given three-month period.
There also are certifications for architecture and for processes such as project management, frameworks and methodologies; as a group, they earn the highest average premiums among all categories reported, but they have their non-certified skill counterparts. This subjects them to pay erosion as employers feel more confident measuring talent in these disciplines based on work experience, especially at intermediate and advanced certification levels.
Non-certified skills can be found in far greater numbers than certifications in other segments such as programming and applications development, web, and database. Again, employers devise their own ways to judge proficiency in these areas; for example, coding tests, evaluation of past work experience, references, and trial-to-hire employment. Employers also drive down certification values by building robust internal training and development programs, in effect devising their own certification programs.
There also remains a lingering view that passing a proctored exam does not necessarily confer expertise on the test-taker, especially when a passing score requires getting only 70 percent of answers correct. Adding a laboratory requirement only helps if the lab is a sufficient test of a candidate's capabilities in the real world.
But, in a counterintuitive twist, cash market value can be a victim of a certification’s success. As interest in a certification escalates and more people attain the certification, the gap between supply and demand for the certification narrows, driving down its price as the laws of scarcity would dictate. This has been documented in the case of hundreds of certifications over the almost two decades of Foote Partners tracking and reporting cash pay premiums. The media rarely recognizes this contradiction in its reporting.
Perhaps the most common reason for certification values falling is a fundamental weakness that persists in the certification industry: a vast number of popular tech skills simply do not have a certification associated with them. No single vendor owns the technology, so there is no product line whose sales and upgrade revenue would justify funding the certification training behind a credential.
And what about so-called soft skills? Employers often are just as willing to recognize their value with pay premiums both inside and outside of salary, especially if they are combined with hard tech skills and industry, domain, or customer knowledge and experience.
Author’s note: For more information on certification market value in 2018, view this news release summarizing our latest IT Skills Demand and Pay Trends Report.
Editor’s note: The ISACA Now blog occasionally highlights the impact ISACA certifications have in the evolving business landscape, as well as how certifications have impacted individual members of the ISACA professional community. Today, we profile Marco Schulz, CISM, CISA, CGEIT, CEO at marconcert GmbH (Germany). For more information on ISACA certifications, visit www.isaca.org/certification.
ISACA Now: What motivated you to pursue your CISA certification?
As a CISO, I was subject to internal and external reviews for many years and impressed by the instincts of some natural-born auditors. When I took a new supervisory role, I had to conduct on-site audits of subsidiaries around the globe and I suspected I needed to learn some basics before comfortably leading bigger audit engagements. Oh, and there was still some space left next to the CISM on my business card.
ISACA Now: What was your biggest key to success in passing the exam?
Undoubtedly it was my professional experience. When I took the CISA exam in 2008, I had already worked in information security for 12-plus years. From the CISM exam the year before, I was already familiar with the line of questioning and – I should probably not confess – went to the exam with only very little preparation.
ISACA Now: How does the knowledge you gained through CISA fit in with the current technology landscape?
In my view the general IT audit principles have not changed much over the decades. In the meantime, the complexity of technology and its business relevance have gone through the roof. More than ever, a risk-based approach and continuous compliance monitoring are needed to manage IT compliance in a cost-effective manner. The CISA knowledge domains support these objectives and are regularly updated to incorporate major business changes.
ISACA Now: How has the CISA helped advance your professional development and career objectives?
The CISA designation helped me to demonstrate IT audit competencies. It was also a formal prerequisite for some client engagements.
ISACA Now: What does it mean to be part of a global network of ISACA-certified professionals?
Even though I enjoyed speaking at ISACA conferences at times, I had been a rather passive member for many years. But in November 2018 I decided to engage in the German chapter and started to manage our social media accounts on Twitter, LinkedIn and a closed member group on XING. Today I am working from the German chapter office in Berlin, where recently I was dining with the president and the CEO of our Kenyan chapter. I like the professional and personal exchanges in our community and call some ISACA members my friends.
Anyone can succeed with the right information and tools. One of the best ways for information systems professionals to ensure career success with all its attendant benefits is to earn ISACA's CISA certification. The CISA certification has made a tremendous difference in the lives of thousands of people across the globe. In fact, it is one of the certifications that will retain its relevance because of several drivers discussed below.
Increasing criticality of information. Decades ago, traditional assets like land, buildings, oil wells, gold and cash used to be the main considerations for businesses. In this century, it is possible to run a multi-million dollar business with a single laptop and internet connection. Data life cycle management has become extremely critical to the survival of businesses. For organizations regardless of size or geography, information is the business. Because of their expertise in the areas of IS audit, controls, assurance and security, CISA certification-holders will continue to be in demand, as they have been for the past 40 years.
Increased sophistication of cyberattacks. Denial of service, ransomware, phishing, spam, zero-day attacks and other threats are becoming rampant, causing extensive losses to individuals and businesses. Research has shown that businesses lose up to 5 percent of their annual revenue to fraud and irregularities. This reality is prompting many businesses to implement preventive controls by hiring CISA certification-holders to provide assurance on information security and risk management.
Improved governance awareness from boards of directors. ISACA frameworks such as COBIT, Val IT and Risk IT have yielded considerable fruits as business leaders have become more open to the alignment of IT and the business. This commitment from boards of directors is making approval of funds and setup of assurance functions easier than before for many organizations.
Increasing pressure from the regulatory authorities. For many businesses, it is no longer business as usual. Regulators are coming up with stringent rules with dire consequences in cases of non-compliance. The Sarbanes-Oxley Act (SOX) changed the face of corporate reporting in the US, with ripple effects felt globally. More recently, this year, the General Data Protection Regulation (GDPR) began affecting businesses that process personal data of European customers. In order to ensure compliance, businesses will need the services of CISA-certification holders for implementation and audit of the processes.
Increasing relevance of standards and IT frameworks. Certifications and frameworks by bodies such as the International Organization for Standardization (ISO) are fast becoming tools for competitive edge. Globalization is shifting the advantage to the customers, who can be more discerning in their purchase decisions. ISO 27001, ISO 22301, ISO 20000, ITIL, COBIT 5, PCI DSS and other frameworks are being implemented as a result of regulatory directives and as an agent of differentiation. This trend is creating opportunities for CISA certification-holders, who are hired to implement and audit the related considerations.
Increasing disruptive trends in computerization. No slowdown in the pace of digital change is anywhere in sight. We are now talking of smart cities, e-government, blockchain technology, mobile banking, and so on. Artificial intelligence and robotics engineering are taking over the manufacturing and aviation sectors. The increased dependence on technology will ensure that CISA certification-holders continue to be needed for assurance and security functions. The certification is being updated to keep pace with the changing technology environment.
With all these benefits for CISA certification-holders, you should consider taking the CISA exam. Here is some guidance on approaching the exam:
Attend an online or classroom lecture. I am an advocate of learning from CISA veterans who can share their own academic and field “war stories.” Their experience can position you to pass with ease.
Master the knowledge statements. Every domain has task and knowledge statements. The task statements contain tasks you should be able to carry out at the end of the study. The knowledge statements contain knowledge you are supposed to have at the end of the study. After reading through a domain, review the knowledge statements to determine if you understand the required concepts. In order to ensure that you have mastered the concepts, read through the CISA Review Manual at least twice (I did it thrice).
Realize that the database is non-negotiable. It is difficult (perhaps impossible) to pass the CISA exam without effectively using the CISA Review Questions, Answers & Explanations Database. Read through the database at least twice. Do not cram the answers. Focus on the detailed justifications given for why the correct answer is correct and the other options are not.
Choose your answers using the elimination method. The greatest challenge with the CISA exam is that there are similarities among the answer options. This is where many candidates make wrong decisions. Do not just pick an option that “jumps” at you. Analyze each option carefully and justify its correctness or incorrectness based on your knowledge of CISA concepts.
Get practical IS audit experience. Having practical IS audit experience will help you to pass the CISA exam with ease. Arrange for a relevant internship, part-time work or full-time work. If this is not possible, interact with professionals, attend ISACA local chapter meetings/conferences and read articles written by IS audit veterans.
In conclusion, the CISA certification will open doors for global opportunities. Thousands of CISA-certified professionals all over the world will confirm to you that CISA is an investment worth making – perhaps now more than ever.
Of all the certifications represented annually in the Global Knowledge IT Skills and Salary Report, ISACA is more prominent in our top-paying certifications list than any other certifying body. This year, ISACA occupies five spots in the top 20, including three in the top six worldwide.
ISACA is associated with two important truths for business technology professionals:
- Enhancing a wide range of careers
- High salaries
ISACA’s certifications in cybersecurity and governance produce the highest salaries. This is in line with our overall salary data, as governance ranks second and security fifth in average global salaries by category.
Here’s a list of the five top-paying ISACA certifications for 2018 (average salaries are for North America):
1. CGEIT: Certified in the Governance of Enterprise IT
Average salary: $117,544
CGEIT is the top-paying certification in the United States and ranks third worldwide ($92,821). Its North American salary is 34% higher than the average for all certified professionals. This certification is designed for individuals who manage, advise or provide assurance services around enterprise IT governance.
Tenure is among the reasons CGEIT-certified professionals typically have higher salaries. To take the exam, an individual needs at least five years of experience in at least three of the five domains the certification covers, including at least one year in the IT governance framework area.
2. CRISC: Certified in Risk and Information Systems Control
Average salary: $107,968
CRISC ranks sixth in North America and second worldwide in average salary. Its average salary is 23% higher than the average for certified professionals. CRISC is a risk management and security credential designed for IT professionals, project managers and others whose job it is to identify and manage IT and business risks through information systems controls.
Globally, six security certifications made our top-20 list, with CRISC trailing only CISSP in average salary. Cybersecurity positions in general pay well, with the average among North American respondents at $101,083, which is more than $13,000 above the average.
Related training: CRISC - Certified in Risk and Information Systems Control Prep Course
3. CISM: Certified Information Security Manager
Average salary: $105,926
CISM ranks seventh in North American salary and sixth globally. It’s aimed at information security management professionals, focusing on security strategy and assessing the systems and policies in place. To take the exam, certification candidates are required to have at least five years of experience in IS, with at least three as a security manager.
Many government agencies now require their IS and IT professionals to hold a CISM certification.
Related training: CISM - Certified Information Security Manager Prep Course
4. COBIT 5 Foundation
Average salary: $102,112
This premier governance credential has a North American salary that tops $100,000 and a worldwide salary that ranks 11th overall ($77,300). COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT.
ISACA’s governance credentials (COBIT 5 Foundation and CGEIT) are two main reasons why governance certifications have the second highest average salary globally ($84,420).
Related training: COBIT 5 Foundation
5. CISA: Certified Information Systems Auditor
Average salary: $97,117
CISA ranks 13th in the US and globally in average salary. It’s also the most popular certification amongst our survey respondents, with 1,923 CISA-certified professionals. The CISA is perfect for individuals whose job responsibilities include auditing, monitoring, controlling and assessing IT and business systems. The exam tests the ability to manage vulnerabilities.
Originating in 1978 and now in its 40th year, CISA is ISACA’s oldest certification. It requires at least five years of experience in information systems auditing, control or security.
Last year, I passed the Certified Information Security Manager (CISM) exam and, surprisingly to me, earned the top global score. It is a great achievement for me in my professional educational activities, and I was glad to be recognized at the 2018 EuroCACS conference in Edinburgh, Scotland. Below are some insights and guidance from my experience that I hope will be useful to other CISM candidates.
Why CISM certification is important for me
CISM is a worldwide-recognized certification and is of great benefit for me as an information security professional and for my organization. It helps me to advance my career and be recognized among other information security practitioners.
In my professional activities, CISM certification helps me to adapt and adopt best practices, standards and frameworks that best fit my organization and align our information security program with business objectives and regulatory requirements. In addition, it helps my organization get competitive advantages, provide our customers with professional expertise, secure products and put in place advanced security services that meet their demands.
If you decide to take the CISM exam and become certified, it would be a good incentive for your professional growth and great opportunity to advance your career.
I would like to share some tips for preparing for and passing the CISM exam that may be useful for you.
Before you start
I recommend identifying the study materials and additional resources you’ll need to prepare for the exam and accomplish your goal.
I used the following study materials:
The CISM Review Manual helps to refresh your existing knowledge in the field of information security and also get additional knowledge and relevant information. The CISM Review Questions, Answers and Explanations Database is a very useful resource during the preparation and before passing the exam. It helps you evaluate the level of knowledge in each CISM domain and test your readiness for an exam. It also helps to test yourself in conditions that mimic the actual CISM exam.
This might be enough if you already have a broad knowledge and work experience in the field of information security. If not, ISACA’s exam prep courses and additional resources may be useful. You may also join the CISM Exam Study Community to connect with other professionals who are on the path to CISM certification or have already successfully passed the CISM exam.
Preparing for the exam
During the preparation for the exam, I reviewed each domain in the CISM Manual and then answered relevant study questions in the Q&A Database after each domain. After the full preparation, it may be useful to dedicate additional time to:
- Go through the study materials one more time. You may spend several additional weeks, but it can have a good effect.
- Try to answer problem questions again (Q&A Database provides this function) and make sure the underlying concepts and knowledge statements are clear to you.
- Make several attempts to pass a full CISM exam (150 questions) to determine if you need to adjust the time needed for answering the questions. Test yourself in conditions as close to the real certification exam as possible. It will help you to avoid time issues during the exam.
After the exam preparation, you should have a strong understanding of the underlying information security management principles, concepts, methodologies and frameworks. Try to map the study material to real-world tasks and scenarios to better understand the knowledge statements and how they can be applied to accomplish your work tasks. If you don't have enough experience, you may contact other professionals and experts in your organization or in your professional community.
Taking the CISM exam
Before taking the exam, I recommend reviewing the exam information and recommendations regarding the exam process and time management contained in the CISM Review Manual.
During the exam:
- Try not to spend additional time on problem questions where the answer is not clear until you have completed the ones with which you are more confident.
- Bookmark problem questions so you can quickly return to them later to review your answers.
- If you have additional time after answering all the questions, review bookmarked questions and check your answers.
After passing the exam
If you successfully passed the CISM exam and became certified, do not forget about continuous professional educational activities. It is especially important in such rapidly changing business, regulatory and technology environments. In addition, ISACA conferences and online events may be beneficial for you.
I hope some of these tips are helpful on your path toward certification. Good luck!
The Certified Information Systems Auditor (CISA) certification has truly benefited my professional aspirations.
In 1997, when I transitioned from active duty as a Captain in the US Army, I had a 10-year-old computer science degree and not a great deal of experience in corporate America, particularly in the financial services industry. The extent of my background at that time was having an IRA. Fortunately, I was able to gain an entry level position as an IT Auditor at Prudential Insurance Company of America (now Prudential Financial) in Newark, New Jersey, through their junior military officer (JMO) hiring program.
It became very clear that on-the-job training was not going to be sufficient for me. During my first couple of months, I concluded that pursuing the CISA professional certification would give me the jump-start I needed to gain a baseline understanding of IT audit and risk management, IT general controls, and IT auditing—especially with regards to assessing applications and the technology environments they resided in. Studying for six months, two nights a week and a number of weekends, becoming a member of my local ISACA chapter, and taking full advantage of the available local chapter CISA preparation courses and materials enabled me to successfully pass the CISA examination and become a credentialed IT audit practitioner.
The professional payoff was immediate for my career development. Understanding IT risk management and associated controls to establish or maintain a well-controlled IT environment served to differentiate me from others in competing for positions and, honestly, just helped me be more successful in meeting or exceeding expectations. While these foundational audit and risk management skills helped to launch my IT audit career, more importantly, they also served to enhance what I had to offer in other risk management and project management roles.
As a result of increased threats to the digital processing environments and subsequent increased regulatory expectations, financial services companies gained an increased appreciation for employees who have the skills that the CISA certification fosters. Since my initial IT auditor role, I have continued to leverage the knowledge and experiences gained through not just the efforts required to gain the CISA certification, but also through completing required continuing education to stay abreast of emerging technologies and becoming a more active participant in ISACA-provided training (such as webinars, local chapter offerings, and attending or presenting at national conferences).
Whether managing IT or operational audit responsibilities at Wachovia, Wells Fargo, or TIAA, a mission-based company where I am fortunate to currently work, or performing project/risk management roles at previous employers such as Goldman Sachs and Ernst & Young, having an IT audit and risk management perspective has been a huge component of my personal success. I am grateful that for 40 years, ISACA has continued to provide the CISA certification, and I encourage all my employees and mentees to pursue the CISA to grow as professionals.
After I passed the CISM exam late last year, ISACA offered to let me share my experience of how (and why) I chose to become a CISM, and what I did to accomplish my goal. I hope this article provides some useful ideas to help you go after your professional development goals, as well.
Why the exam mattered to me
GSWS is a small business that provides cybersecurity and compliance-related services to other small and mid-size organizations in the Southern California region of the U.S. Our clients include optometrists, dentists, CPAs, attorneys, etc. – I mention this because our work environment isn’t like that of a lot of other CISMs, who are employed by much larger organizations.
Our clients are woefully unprepared for the type of cyber risks they face on a daily basis. They are highly skilled within their respective trades, but they have no clue when it comes to understanding cybersecurity. They rely on us to provide this knowledge, experience and these solutions. I needed a way to ensure my skills were of a high level and communicate our qualifications to clients and prospects in an easy-to-understand way.
I was familiar with www.cyberseek.org, but when revisiting the site, I saw how highly the CISM and CISA certifications were recognized. I had recently joined ISACA and passed the CSX-F exam, which gave me some degree of familiarity with how ISACA works. That’s when the CISM and CISA certifications became the obvious choices for me. I chose to go after the CISM first.
How I studied
In preparing for the exam, I used the following resources:
Depending on your budget, select what is best for you. I was fortunate to have access to all these resources.
Some additional recommendations to help you prepare for and pass the exam:
- Get involved in your local ISACA chapter. Your local chapter is a great resource for support from experienced peers who want to see you succeed.
- Understand the principal intent of the domains covered. Many times in dealing with a cybersecurity issue, we are faced with more than one option, so the goal is to select the best option. Questions on the exam are set up in the same manner.
- Don’t shoot for a perfect score. I suppose some of you can score an 800, but perfection is not necessary. The exam’s intent is to show that you have an understanding and competency – not perfection.
- Use the ISACA online Question Review Database. The database includes 1,000 questions, tracks your progress, allows customization of questions by domain, number of questions, more difficult questions, etc.
- Study when you are in different moods. Try studying and taking practice tests when you are fresh, tired, happy, sad, stressed, relaxed, etc. While it’s inevitable you will have more anxiety on test day, seeing questions with different mindsets ahead of time helped me mentally prepare for anything.
- Practice real test simulation exams. As it gets closer to your exam date, use the online Question Review Database to take some tests under conditions that mimic the actual exam – for example, four hours to answer 150 questions. That will build your mental calluses for the big exam.
I hope this helps. I’m scheduling for my CISA exam in April and studying for that now. My preparation for the CISA is identical to what I’ve described in this article. Good luck to you!
I recently received my CGEIT exam result, with a final score of 557. It is not an elite score, but surpassed the required number of 450. I was happy with this result, and glad about my CGEIT learning journey.
For me, each autumn is a yearly planning and budget discussion season. It has become harder to balance all stakeholders’ expectations and to keep pace with the fast-changing business landscape. Through CGEIT preparations, I could verify my perceptions, discover theoretical systems to support my ideas, and find more methods to convince others.
Let me share my lessons learned in preparing for the CGEIT. I hope it is helpful for your preparations.
For me, the “journey” took about two months, from getting two books – the CGEIT Review Manual and CGEIT Review Questions, Answers & Explanations Manual – to passing the exam. Because my daily job is very busy, I estimate I spent about 30 hours in total to read the books and other related materials.
My approach was:
- Quickly go through the CGEIT Review Manual, and find the knowledge gaps
- Read the related materials to fill knowledge gaps (most of the related materials can be found at the end of each chapter under "suggested resources for further study")
- Use the material from the CGEIT Review Questions, Answers & Explanations Manual; conduct a rehearsal
- Based on the rehearsal result, review the CGEIT Review Manual.
Note: As everyone's knowledge gaps are different, the time required for step two will vary widely.
The exam time is four hours for the candidate to answer the questions. I spent about 130 minutes to complete the 150 questions. Everyone should have enough time to complete the exam. The questions are designed very well to match real business situations. If a candidate has the capability to make a proper business decision in his or her daily work, getting the right answer is no problem.
Lastly, I want to recommend three other resources for candidates who want to start the CGEIT journey.
- COBIT 5
- The Val IT Framework
- The Risk IT Framework
Good luck with your CGEIT journey!
Indian banks have deployed IT-based solutions to cater to increasing demands in the banking industry required for a growing economy. Adoption of technology has necessitated improving IT-related skills of experienced bankers. Considering the unavailability of internal IT skills, most banks resort to outsourcing IT activities. This has resulted in over-relying on third-party vendors and slackened the pace of acquisition of skills by bank employees.
Considering these limitations, the Reserve Bank of India (RBI) – India’s central bank – appointed a ‘Committee on Capacity Building’ that has made recommendations relating to particular areas/components of function, such as recruitment, performance assessment, promotion, placement, job rotation, and skills and capacity building. The committee also has made a number of recommendations for certification of staff in specialized areas, emphasizing that banks should make certification mandatory for the following areas:
- Treasury operations – dealers, mid-office operations
- Risk management – credit risk, market risk, operational risk, enterprise-wide risk, information security, liquidity risk
- Accounting – preparation of financial results, audit function
- Credit management – credit appraisal, rating, monitoring, credit administration
- Information and cyber security
- Governance of enterprise IT (GEIT)
The Indian Banks’ Association (IBA), in consultation with RBI, identified 10 institutes, such as the Indian Institute of Banking and Finance (IIBF), the National Institute of Bank Management (NIBM), ISACA, and others, as certifying organizations. ISACA is identified for its certifications in audit, risk management, security and GEIT.
RBI’s directives for banks
RBI had made a compliance requirement for banks in 1999 to perform annual IS audit of IT-based systems deployed and used by banks, with the report of the audit to be submitted to RBI. The notification recognized CISA as a qualifying certification for conducting IS audits.
Another committee provided guidelines for IT governance, information security, IS audit, outsourcing management, business continuity and compliance in 2011. These guidelines recommended that banks use COBIT 5 or similar frameworks for GEIT. Recommendations for other areas include adopting global best practices, including ISO 27001.
In June 2016, RBI issued a notification for banks specifying compliance requirements for cyber security.
Considering these compliance requirements and skills and competency development requirements, banks have already taken steps to recognize ISACA certifications. Some banks provide reimbursement of examination and membership fees on passing the examination.
Role of ISACA certifications in skills development of bank staff
ISACA offers certifications in governance of enterprise IT (CGEIT), risk and control (CRISC), information systems audit (CISA), information security management (CISM) and performance-based cyber security (CSXP).
Certified Information Systems Auditor (CISA)
Most banks have made this certification mandatory for IS auditors, both internal and external.
Certified in Risk and Information Systems Control (CRISC)
Most banks have a defined chief risk officer (CRO) to implement enterprise risk management (ERM); however, there is a gap in aligning them with IT risk. CRISC helps bankers in aligning IT risk with ERM.
Certified Information Security Manager (CISM)
CISM is designed for information security and cyber security professionals including CISOs, information security managers and enterprise leadership.
Certified in Governance of Enterprise IT (CGEIT)
CGEIT is designed for senior management personnel who are responsible for overall governance of IT to ensure that investments in IT realize the expected benefits. This certification is ideal for the CIO, CEO, and members of the board of directors. Considering the RBI’s expectations from banks to implement GEIT, this certification is valuable for bankers in understanding the steps to implement an IT governance framework.
CSX Practitioner (CSXP)
This performance-based cyber security certification provides technical skills for much-needed and critically important cyber security responders working in the area of threat intelligence, incident response, SOC, etc.
Current challenges and next steps
Banking professionals with these skills are needed all over India and in many other countries throughout the world. Therefore, IBA has decided to develop and launch e-learning certification courses, and certifications in other areas are being developed by different institutes.
ISACA’s CISA, CISM, CRISC and CGEIT certifications are experience-based; however, there is some level of preparation required. There are 10 ISACA chapters in India, some of which offer review courses. Many bank officers, therefore, may not have access to the review courses conducted by chapters. However, ISACA is launching online review courses for some of its certifications and has moved to global computer-based testing, which should expand accessibility for bankers interested in pursuing these important certifications.
I was recently blessed to have attained the highest CISM exam score in the world for the June 2016 sitting, and to be recognized at the 2017 North America CACS conference as a result.
It was an awesome experience to be honored on stage in a theater with 1,500 peers in the audience – something I hadn’t expected when I started out to attain the certification. Truth be told, I would have been happy to have received regional recognition.
How did I end up there? Well, I have to take you back to 2015, when I first started thinking about taking the exam. I “retired” in 2013 from full-time corporate work and hung out my consultant shingle. I focused on attaining the CISSP certification, as I thought this was needed to consult in the field. That experience, after years of not taking high stakes tests, was a jolt to my system. It brought me back to flash cards, material consumption goal-setting, test time management, etc. It was a grueling exam, but it wasn’t too long before I identified the need to focus on information security governance, risk management, and program development and management.
So, I decided to seek out a second infosec certification to help me focus. After some research, and learning that CISM is consistently listed as one of the top information security certifications and is listed as a DoD Directive 8570.1 Information Assurance Management Tier III-approved baseline certification, I made my decision.
Prepping for the exam
I searched the Internet for everything that I could find on CISM. Having been a grandfathered CISA early in my career, I was quite familiar with ISACA (and the EDP Auditors Association before that), and I was impressed with how much the organization had grown since my active involvement in the Philadelphia Chapter in the 1980s. I found and highly recommend reading Brian K. Johnson’s ISACA blog post, “Top Scorer Asks: Are You Ready for the CISM Exam?,” which I found very helpful.
One of the things that I did to assess my readiness was to take a weekend study course led by a chapter member who had scored highly at a previous sitting. That two-day experience convinced me that I wasn’t ready to take the exam and that I needed to pick up the pace in my study schedule. It also made me realize that I would benefit greatly from purchasing a subscription to the CISM Questions, Answers and Explanations (QAE) database. I would drill almost daily, with my weekend study course leader’s words in mind: that I should not feel like I’m ready until I consistently scored at least 80% or higher.
When it came close to the day of the exam, I focused on little things, like reserving a room in the hotel where the exam was being offered, so that I didn’t have to worry about traffic the day of the exam, staying hydrated, eating a healthy breakfast, pacing myself during the exam so that I had enough time left over to go back and re-examine my answers, etc. And standard test-taking techniques apply, such as eliminating the obviously wrong answers first.
The questions themselves were, of course, not the same ones as in the study materials, or in the QAE database, but those materials helped me formulate the same logic approach to derive the intended answer. Remember, the exam is offered around the world, so everyone has to have a common understanding.
Don’t rely totally on your personal work experiences, but on the approach that the ISACA materials espouse, and you’ll be successful.
Editor’s note: For more information on pursuing CISM and other ISACA certification exams, view the ISACA Exam Candidate Information Guide.