Last year, I passed the Certified Information Security Manager (CISM) exam and, surprisingly to me, earned the top global score. It is a great achievement for me in my professional educational activities, and I was glad to be recognized at the 2018 EuroCACS conference in Edinburgh, Scotland. Below are some insights and guidance from my experience that I hope will be useful to other CISM candidates.
Why CISM certification is important for me
CISM is a worldwide-recognized certification and is of great benefit for me as an information security professional and for my organization. It helps me to advance my career and be recognized among other information security practitioners.
In my professional activities, CISM certification helps me to adapt and adopt best practices, standards and frameworks that best fit my organization and align our information security program with business objectives and regulatory requirements. In addition, it helps my organization get competitive advantages, provide our customers with professional expertise, secure products and put in place advanced security services that meet their demands.
If you decide to take the CISM exam and become certified, it would be a good incentive for your professional growth and great opportunity to advance your career.
I would like to share some tips for preparing for and passing the CISM exam that may be useful for you.
Before you start
I recommend identifying the study materials and additional resources you’ll need to prepare for the exam and accomplish your goal.
I used the following study materials:
The CISM Review Manual helps to refresh your existing knowledge in the field of information security and also get additional knowledge and relevant information. The CISM Review Questions, Answers and Explanations Database is a very useful resource during the preparation and before passing the exam. It helps you evaluate the level of knowledge in each CISM domain and test your readiness for an exam. It also helps to test yourself in conditions that mimic the actual CISM exam.
This might be enough if you already have a broad knowledge and work experience in the field of information security. If not, ISACA’s exam prep courses and additional resources may be useful. You may also join the CISM Exam Study Community to connect with other professionals who are on the path to CISM certification or have already successfully passed the CISM exam.
Preparing for the exam
During the preparation for the exam, I reviewed each domain in the CISM Manual and then answered relevant study questions in the Q&A Database after each domain. After the full preparation, it may be useful to dedicate additional time to:
- Go through the study materials one more time. You may spend several additional weeks, but it can have a good effect.
- Try to answer problem questions again (Q&A Database provides this function) and make sure the underlying concepts and knowledge statements are clear to you.
- Make several attempts to pass a full CISM exam (150 questions) to determine if you need to adjust the time needed for answering the questions. Test yourself in conditions as close to the real certification exam as possible. It will help you to avoid time issues during the exam.
After the exam preparation, you should have a strong understanding of the underlying information security management principles, concepts, methodologies and frameworks. Try to map the study material to real-world tasks and scenarios to better understand the knowledge statements and how they can be applied to accomplish your work tasks. If you don’t have enough experience, you may contact other professionals and experts in your organization or in your professional community.
Taking the CISM exam
Before taking the exam, I recommend reviewing the exam information and recommendations regarding the exam process and time management contained in the CISM Review Manual.
During the exam:
- Try not to spend additional time on problem questions where the answer is not clear until you have completed the ones with which you are more confident.
- Bookmark problem questions so you can quickly return to them later to review your answers.
- If you have additional time after answering all the questions, review bookmarked questions and check your answers.
After passing the exam
If you successfully passed the CISM exam and became certified, do not forget about continuous professional educational activities. It is especially important in such rapidly changing business, regulatory and technology environments. In addition, ISACA conferences and online events may be beneficial for you.
I hope some of these tips are helpful on your path toward certification. Good luck!
The Certified Information Systems Auditor (CISA) certification has truly benefited my professional aspirations.
In 1997, when I transitioned from active duty as a Captain in the US Army, I had a 10-year-old computer science degree and not a great deal of experience in corporate America, particularly in the financial services industry. The extent of my background at that time was having an IRA. Fortunately, I was able to gain an entry level position as an IT Auditor at Prudential Insurance Company of America (now Prudential Financial) in Newark, New Jersey, through their junior military officer (JMO) hiring program.
It became very clear that on-the-job training was not going to be sufficient for me. During my first couple of months, I concluded that pursuing the CISA professional certification would give me the jump-start I needed to gain a baseline understanding of IT audit and risk management, IT general controls, and IT auditing—especially with regards to assessing applications and the technology environments they resided in. Studying for six months, two nights a week and a number of weekends, becoming a member of my local ISACA chapter, and taking full advantage of the available local chapter CISA preparation courses and materials enabled me to successfully pass the CISA examination and become a credentialed IT audit practitioner.
The professional payoff was immediate for my career development. Understanding IT risk management and associated controls to establish or maintain a well-controlled IT environment served to differentiate me from others in competing for positions and, honestly, just helped me be more successful in meeting or exceeding expectations. While these foundational audit and risk management skills helped to launch my IT audit career, more importantly, they also served to enhance what I had to offer in other risk management and project management roles.
As a result of increased threats to the digital processing environments and subsequent increased regulatory expectations, financial services companies gained an increased appreciation for employees who have the skills that the CISA certification fosters. Since my initial IT auditor role, I have continued to leverage the knowledge and experiences gained through not just the efforts required to gain the CISA certification, but also through completing required continuing education to stay abreast of emerging technologies and becoming a more active participant in ISACA-provided training (such as webinars, local chapter offerings, and attending or presenting at national conferences).
Whether managing IT or operational audit responsibilities at Wachovia, Wells Fargo, or TIAA, a mission-based company where I am fortunate to currently work, or performing project/risk management roles at previous employers such as Goldman Sachs and Ernst & Young, having an IT audit and risk management perspective has been a huge component of my personal success. I am grateful that for 40 years, ISACA has continued to provide the CISA certification, and I encourage all my employees and mentees to pursue the CISA to grow as professionals.
After I passed the CISM exam late last year, ISACA offered to let me share my experience of how (and why) I chose to become a CISM, and what I did to accomplish my goal. I hope this article provides some useful ideas to help you go after your professional development goals, as well.
Why the exam mattered to me
GSWS is a small business that provides cybersecurity and compliance-related services to other small and mid-size organizations in the Southern California region of the U.S. Our clients include optometrists, dentists, CPAs, attorneys, etc. – I mention this because our work environment isn’t like that of a lot of other CISMs, who are employed by much larger organizations.
Our clients are woefully unprepared for the type of cyber risks they face on a daily basis. They are highly skilled within their respective trades, but they have no clue when it comes to understanding cybersecurity. They rely on us to provide this knowledge, experience and solutions. I needed a way to ensure my skills were of a high level and to communicate our qualifications to clients and prospects in an easy-to-understand way.
I was familiar with www.cyberseek.org, but when revisiting the site, I saw how highly the CISM and CISA certifications were recognized. I had recently joined ISACA and passed the CSX-F exam, which gave me some degree of familiarity with how ISACA works. That’s when the CISM and CISA certifications became the obvious choices for me. I chose to go after the CISM first.
How I studied
In preparing for the exam, I used the following resources:
Depending on your budget, select what is best for you. I was fortunate to have access to all these resources.
Some additional recommendations to help you prepare for and pass the exam:
- Get involved in your local ISACA chapter. Your local chapter is a great resource for support from experienced peers who want to see you succeed.
- Understand the principal intent of the domains covered. Many times in dealing with a cybersecurity issue, we are faced with more than one option, so the goal is to select the best option. Questions on the exam are set up in the same manner.
- Don’t shoot for a perfect score. I suppose some of you can score an 800, but perfection is not necessary. The exam’s intent is to show that you have an understanding and competency – not perfection.
- Use the ISACA online Question Review Database. The database includes 1,000 questions, tracks your progress, allows customization of questions by domain, number of questions, more difficult questions, etc.
- Study when you are in different moods. Try studying and taking practice tests when you are fresh, tired, happy, sad, stressed, relaxed, etc. While it’s inevitable you will have more anxiety on test day, seeing questions with different mindsets ahead of time helped me mentally prepare for anything.
- Practice real test simulation exams. As it gets closer to your exam date, use the online Question Review Database to take some tests under conditions that mimic the actual exam – for example, four hours to answer 150 questions. That will build your mental calluses for the big exam.
I hope this helps. I’m scheduling for my CISA exam in April and studying for that now. My preparation for the CISA is identical to what I’ve described in this article. Good luck to you!
I recently received my CGEIT exam result, with a final score of 557. It is not an elite score, but surpassed the required number of 450. I was happy with this result, and glad about my CGEIT learning journey.
For me, each autumn is a yearly planning and budget discussion season. It has become harder to balance all stakeholders’ expectations and to keep pace with the fast-changing business landscape. Through CGEIT preparations, I could verify my perceptions, discover theoretical systems to support my ideas, and find more methods to convince others.
Let me share my lessons learned in preparing for the CGEIT. I hope it is helpful for your preparations.
For me, the “journey” took about two months, from getting two books – the CGEIT Review Manual and CGEIT Review Questions, Answers & Explanations Manual – to passing the exam. Because my daily job is very busy, I estimate I spent about 30 hours in total to read the books and other related materials.
My approach was:
- Quickly go through the CGEIT Review Manual, and find the knowledge gaps
- Read the related materials to fill knowledge gaps (most of the related materials can be found at the end of each chapter under “suggested resource for further study”)
- Use the material from the CGEIT Review Questions, Answers & Explanations Manual; conduct a rehearsal
- Based on the rehearsal result, review the CGEIT Review Manual.
Note: As everyone’s knowledge gap is different, the time required for step two will vary widely.
The exam gives the candidate four hours to answer the questions. I spent about 130 minutes completing the 150 questions, so everyone should have enough time to finish the exam. The questions are designed very well to match real business situations. If a candidate has the capability to make a proper business decision in his or her daily work, getting the right answer is no problem.
Lastly, I want to recommend three other resources for candidates who want to start the CGEIT journey.
- COBIT 5
- The Val IT Framework
- The Risk IT Framework
Good luck with your CGEIT journey!
Indian banks have deployed IT-based solutions to cater to increasing demands in the banking industry required for a growing economy. Adoption of technology has necessitated improving IT-related skills of experienced bankers. Considering the unavailability of internal IT skills, most banks resort to outsourcing IT activities. This has resulted in over-relying on third-party vendors and slackened the pace of acquisition of skills by bank employees.
Considering these limitations, the Reserve Bank of India (RBI) – India’s central bank – appointed a ‘Committee on Capacity Building’ that has made recommendations relating to particular areas/components of function, such as recruitment, performance assessment, promotion, placement, job rotation, and skills and capacity building. The committee also has made a number of recommendations for certification of staff in specialized areas, emphasizing that banks should make certification mandatory for the following areas:
- Treasury operations – dealers, mid-office operations
- Risk management – credit risk, market risk, operational risk, enterprise-wide risk, information security, liquidity risk
- Accounting – preparation of financial results, audit function
- Credit management – credit appraisal, rating, monitoring, credit administration
- Information and cyber security
- Governance of enterprise IT (GEIT)
The Indian Banks’ Association (IBA), in consultation with RBI, identified 10 institutes, such as the Indian Institute of Banking and Finance (IIBF), the National Institute of Bank Management (NIBM), ISACA, and others, as certifying organizations. ISACA is identified for its certifications in audit, risk management, security and GEIT.
RBI’s directives for banks
In 1999, RBI made it a compliance requirement for banks to perform an annual IS audit of the IT-based systems they deploy and use, with the audit report to be submitted to RBI. The notification recognized CISA as a qualifying certification for conducting IS audits.
In 2011, another committee provided guidelines for IT governance, information security, IS audit, outsourcing management, business continuity and compliance. These guidelines recommended that banks use COBIT 5 or similar frameworks for GEIT. Recommendations for other areas include adopting global best practices, including ISO 27001.
In June 2016, RBI issued a notification for banks specifying compliance requirements for cyber security.
Considering these compliance requirements and skills and competency development requirements, banks have already taken steps to recognize ISACA certifications. Some banks provide reimbursement of examination and membership fees on passing the examination.
Role of ISACA certifications in skills development of bank staff
ISACA offers certifications in governance of enterprise IT (CGEIT), risk and control (CRISC), information systems audit (CISA), information security management (CISM) and performance-based cyber security (CSXP).
Certified Information Systems Auditor (CISA)
Most banks have made this certification mandatory for IS auditors, both internal and external.
Certified in Risk and Information Systems Control (CRISC)
Most banks have a defined chief risk officer (CRO) to implement enterprise risk management (ERM); however, there is a gap in aligning them with IT risk. CRISC helps bankers in aligning IT risk with ERM.
Certified Information Security Manager (CISM)
CISM is designed for information security and cyber security professionals including CISOs, information security managers and enterprise leadership.
Certified in Governance of Enterprise IT (CGEIT)
CGEIT is designed for senior management personnel who are responsible for overall governance of IT to ensure that investments in IT realize the expected benefits. This certification is ideal for the CIO, CEO, and members of the board of directors. Considering the RBI’s expectations from banks to implement GEIT, this certification is valuable for bankers in understanding the steps to implement an IT governance framework.
CSX Practitioner (CSXP)
This performance-based cyber security certification provides technical skills for much-needed and critically important cyber security responders working in the area of threat intelligence, incident response, SOC, etc.
Current challenges and next steps
Banking professionals with these skills are needed all over India and in many other countries throughout the world. Therefore, IBA has decided to develop and launch e-learning certification courses, and certifications in other areas are being developed by different institutes.
ISACA’s CISA, CISM, CRISC and CGEIT certifications are experience-based; however, some level of preparation is required. There are 10 ISACA chapters in India, some of which offer review courses, so many bank officers may not have access to chapter-run review courses. However, ISACA is launching online review courses for some of its certifications and has moved to global computer-based testing, which should expand accessibility for bankers interested in pursuing these important certifications.
I was recently blessed to have attained the highest CISM exam score in the world for the June 2016 sitting, and to be recognized at the 2017 North America CACS conference as a result.
It was an awesome experience to be honored on stage in a theater with 1,500 peers in the audience – something I hadn’t expected when I started out to attain the certification. Truth be told, I would have been happy to have received regional recognition.
How did I end up there? Well, I have to take you back to 2015, when I first started thinking about taking the exam. I “retired” in 2013 from full-time corporate work and hung out my consultant shingle. I focused on attaining the CISSP certification, as I thought this was needed to consult in the field. That experience, after years of not taking high stakes tests, was a jolt to my system. It brought me back to flash cards, material consumption goal-setting, test time management, etc. It was a grueling exam, but it wasn’t too long before I identified the need to focus on information security governance, risk management, and program development and management.
So, I decided to seek out a second infosec certification to help me focus. After some research, and learning that CISM is consistently listed as one of the top information security certifications and is listed as a DoD Directive 8570.1 Information Assurance Management Tier III-approved baseline certification, I made my decision.
Prepping for the exam
I searched the Internet for everything that I could find on CISM. Having been a grandfathered CISA early in my career, I was quite familiar with ISACA (and the EDP Auditors Association before that), and I was impressed with how much the organization had grown since my active involvement in the Philadelphia Chapter in the 1980s. I found and highly recommend reading Brian K. Johnson’s ISACA blog post, “Top Scorer Asks: Are You Ready for the CISM Exam?,” which I found very helpful.
One of the things that I did to assess my readiness was to take a weekend study course led by a chapter member who had scored highly at a previous sitting. That two-day experience convinced me that I wasn’t ready to take the exam and that I needed to pick up the pace in my study schedule. It also made me realize that I would benefit greatly from purchasing a subscription to the CISM Questions, Answers and Explanations (QAE) database. I would drill almost daily, with my weekend study course leader’s words in mind, that I should not feel like I’m ready until I consistently scored at least 80% or higher.
When it came close to the day of the exam, I focused on little things, like reserving a room in the hotel where the exam was being offered, so that I didn’t have to worry about traffic the day of the exam, staying hydrated, eating a healthy breakfast, pacing myself during the exam so that I had enough time left over to go back and re-examine my answers, etc. And standard test-taking techniques apply, such as eliminating the obviously wrong answers first.
The questions themselves were, of course, not the same ones as in the study materials, or in the QAE database, but those materials helped me formulate the same logic approach to derive the intended answer. Remember, the exam is offered around the world, so everyone has to have a common understanding.
Don’t rely totally on your personal work experiences, but on the approach that the ISACA materials espouse, and you’ll be successful.
Editor’s note: For more information on pursuing CISM and other ISACA certification exams, view the ISACA Exam Candidate Information Guide.
One thing is certain: The need for cyber security professionals isn’t going away any time in the near future. As our digital footprint and the Internet of Things (IoT) continue to expand, we become increasingly vulnerable to having our private information poached with a single click, swipe or utterance. As a result, this is a field where 95 percent of people are certified, and within that group, 87 percent are specifically certified in security or privacy.
As major data breaches have demonstrated time and time again, cyber security and compliance is the responsibility of all employees—not just those who formally specialize in cyber security efforts. Of course, if you’re reading this blog, you’re probably already well aware of the importance of everyday cyber security measures and know it’s not a matter of “if” so much as “when” your organization or company will experience a breach.
We can’t move fast enough
There’s one statistic circulating that lends itself to a real sense of urgency in the field.
According to the consulting firm Frost & Sullivan, there is expected to be a 1.8 million person worldwide workforce shortage in cyber security by 2022. Let that sink in for a minute. Nearly 2 million people are needed to cultivate cyber security know-how to protect their organizations from breaches in the next five years. That’s a huge vacancy in skills and, more importantly, leadership.
And who is helping create cyber security and business technology leaders of today and tomorrow? Meet ISACA. As an organization driven to promote cyber security awareness and skills, ISACA provides a deeper validation of skills for those working in governance, IT audit and assurance, risk, as well as information and cyber security.
ISACA enables professionals to take a leadership role by increasing their depth of knowledge. Greater skills validation translates to being better able to leverage that background into leadership positions.
As a result of those advanced, validated skills, ISACA-certified professionals typically have average salaries 44 percent higher than those of their non-certified peers worldwide, according to the Global Knowledge 2017 IT Skills and Salary Report. In fact, ISACA certifications (CRISC and CISM) earned the top two spots in top-paying certifications this year, and overall, six of the top 20 highest-paying certifications are in the field of cyber security.
“It’s clear from the growth in certifications from organizations like ISACA that companies and employees put increasing value on investment in skills and abilities. We see that investment across the board as the IT industry realizes that the return on investment for people exceeds the ROI for technology,” said Dave Buster, Global Senior Portfolio Director for Cybersecurity at Global Knowledge.
Never content and always learning
What’s more, the report revealed ISACA-certified professionals weren’t content to rest on their laurels once certified. Globally, 89 percent of industry professionals holding ISACA credentials trained in the last year, and on top of that, 75 percent of respondents said they did so in order to cultivate new skills. Compared to their peers that are not ISACA-certified, professionals holding at least one ISACA certification were more likely to attend a webinar or conference and download white papers or articles to stay informed with industry trends and best practices.
Given their more senior-level roles within their organizations, generally, ISACA-certified professionals are more apt than their counterparts to report training in areas of business process improvement and leadership.
Driven to succeed
The takeaway: ISACA-certified professionals are driven to succeed and consistently re-evaluate the definition of success through continued engagement and learning. While ISACA can’t single-handedly solve the worldwide personnel shortage for those working in cyber security and related fields, according to the IT Skills and Salary Report, those who turn to ISACA for skills development and certification are committed to the cause and tend to be rewarded with higher salaries.
Editor’s note: For more information, visit Global Knowledge’s cybersecurity certification page and scroll to ISACA. To learn more about ISACA certifications, visit ISACA’s certification page.
Editor’s note: ISACA Now recently moderated a conversation among a trio of millennials to discuss topics including professional development, networking, certification and how their generation differs from others when it comes to career priorities and workplace dynamics. The first portion of the conversation can be read here. The following is the second installment of the two-part conversation – edited for length and clarity – between Ashley Spangler, CISA, CISM, CRISC, SunTrust Banks, Inc., AVP Information Security; Leigh Ann Montgomery, CISA, Solutions Architect, and Mick Gomm, CISA, GWEB, PMP, Sr. Information Security Engineer and Board Member, ISACA Utah Chapter.
ISACA Now: Are there any perceptions or stigmas of millennials in the workforce that you think are unfair?
AS: I don’t think I’ve had anything in a negative light, but it’s almost like I can see the difference of how some other individuals who might be a peer to me are treated if they have certifications versus individuals who don’t have certifications. And it’s not necessarily negative, but I think it is solidifying the value that you’re bringing to the table. I think Mick used the word ‘clout.’ I had an instance where I had a manager who I think technically is a Gen Xer but a borderline Baby Boomer in age, and when we were having a 1-on-1 conversation about my career and my next promotion, the question was ‘Well, you’ve only been in your role about a year and a half or two years, why don’t you just stay in that role longer and really get to know what you’re doing?’ I don’t mean this in a bragging way, but I think there’s still some old-school thought that you have to put a certain amount of years into a job to master that position, or the monotonous day-to-day that you do in that position should be acceptable. I think one thing that I’ve experienced is there’s a little bit of a struggle when you challenge that generation’s way of thinking.
MG: I’ve definitely had that experience, too. One stigma is that millennials are impatient – we want to get to that next step, whatever that is, if it’s on a technical or management track. That’s because I think we have a better understanding of technology in general, especially in this space, and there’s a belief that we’re maybe a bit impatient about our career progression.
LAM: I think within the [Dallas-Ft. Worth] area, our local chapter has really great penetration into universities and colleges, and really makes a point to get out there and even go through different classes on manners and etiquette over the business table and stuff like that. We’ve learned how to do business in the business world but also how to impart our own values in ways that we think as millennials onto whatever topic that we’re covering. And I think that’s been really interesting to know how to embrace those challenges and not necessarily have to change your ways to match a previous generation. It’s just like Ashley said, we like to go about things at kind of a quicker pace, and I think lots of research has shown we want to change careers even a few times, whereas before that might not have been the natural pace of what people normally do. I think it’s neat to fit into the work environment that is already established and to try to make our mark on it as well.
ISACA Now: What are some other types of professional development opportunities that are important to you?
AS: Being a part of two different [ISACA chapter] boards of directors, I think it’s so interesting. I mean, I network all the time, and it’s not necessarily looking for that next person who might help me get another job. I’m more interested in everyone’s journey and how they get to where they are because there’s truly not a one-way path. Everyone’s path is different, which is intriguing to me and provides me insight on how I can potentially maneuver through my career personally. I think I take a passion in that because I really fell into information security. Both of my degrees are in accounting and information systems, and I had actually applied for a financial auditor position, but I was the fourth person in line, and they were only hiring three people, so they liked that I had an information systems degree, and they were like ‘Hey, why don’t you come join our team?’ I was like ‘I don’t know anything about what you’re doing.’ So, similar to what Leigh Ann had mentioned, I know the Nashville chapter, we had six local universities, and I was a part of building that ISACA local chapter academic program, and I made it a point when I would present to those universities to explain that it’s not just about being a developer or a programmer or a help-desk analyst. I tried to broaden their horizons on the different career options we have in our industry because truthfully curriculum is not up to speed to explain all of these different avenues and facets of our industry. I felt like even when I was in school, and that was only six years ago, there were only a few options, and the reality is that is not true. I mean, who knew about information security architect positions. I didn’t learn about that in college.
LAM: To tack onto that thought, it’s amazing being part of that ISACA community and seeing all the different career types – even just through CISA, all of the different ways people can use it. I think that’s probably why I was drawn to that CISA in the first place over the CISM or any of the others – you could really see security professionals, audit professionals, governance and risk and compliance professionals, a whole bunch of different facets with ultimately the same baseline. I think that’s why the networking events that we do, the college events, are really important, because you get to see all the different ways it can be used in all of these different areas. It’s really neat.
ISACA Now: There’s a notion out there that young people are especially resistant to the idea of the rat race, showing up at an office day in and day out. Obviously you all are committed, serious professionals, but how do you feel about incorporating your career into your overall lifestyles?
MG: At least for me in information security, I think the work-life balance is fantastic. I get a ton of autonomy in how I balance my workload and where I do it and everything. I’ll tell you, Leigh Ann, I actually grew up in the [Dallas-Ft. Worth] area, my parents live in Mansfield, so I am headed home in a couple weeks, and my company actually has an office in Arlington. I’m just going to work there for about a month while I’m down there, so I can avoid taking a lot of PTO by getting work done remotely. It’s an increasing trend that you’re able to work from home or another site. That’s something I try to tell people who are trying to get into information security or are wondering about career planning and work-life balance.
LAM: I actually work from home 100 percent of the time other than the travel expectations. It’s really great, I think, given that the work-life separation is the threshold of my office door. I know that like many millennials I really throw myself at work. I probably spend more time than necessary, but I know my company definitely backs me up and gives me a lot of options and time off. I feel like we’re really flexible where I work, and I really appreciate that. It really helps me get my work done in a comfortable way.
AS: It also depends on your industry. Working in consulting, they really had to sell you on what their version of work-life balance is. We had a lot of fun. We had a lot of parties and big events, and we got to travel to some really cool places. There are a lot of benefits they really had to tack on above and beyond what you probably get at a typical 8 to 5 kind of organization or industry, like financial services. So, I think it’s a difference in the roles that I’ve been in, and in consulting it was ‘We’re not here to count your eyeballs; you can work from wherever you want, just give us quality deliverables,’ which, being fresh out of college, was very nice. I really took a lot of pride in having that opportunity because I knew a lot of people I went to college with don’t get to work from home, so I really appreciated that if I had a doctor’s appointment at 9 a.m., I would just work an extra hour in the evening or make it up on the weekend. In the role that I’m in currently, we get certain days of the week that we can work remotely, so it’s not as free as the last job that I had, but we still have freedom to work remotely. Kind of like what Leigh Ann and Mick said, it’s nice to be able to have those options so you can plan for things that don’t necessarily fit in an 8 to 5 time slot.
ISACA Now: Anything else that any of you would like to add?
LAM: I’ve probably said it a million times, but what I’m very serious about is getting young people involved in local ISACA chapters. It’s important. I think all three of us probably benefited from that experience. It’s a neat way to give back to a larger organization that helped you get certified, helped you to network to find jobs and meet other individuals that you might lean on for one-off conversations or one-off problems in your normal day-to-day work. Beyond the certification, it’s really a community that we’ve all gained together.
Editor’s note: ISACA Now recently moderated a conversation among a trio of millennials to discuss topics including professional development, networking, certification and how their generation differs from others when it comes to career priorities and workplace dynamics. The following is the first installment of the two-part conversation – edited for length and clarity – between Ashley Spangler, CISA, CISM, CRISC, SunTrust Banks, Inc., AVP Information Security; Leigh Ann Montgomery, CISA, Solutions Architect; and Mick Gomm, CISA, GWEB, PMP, Sr. Information Security Engineer and Board Member, ISACA Utah Chapter.
ISACA Now: Why did you decide to pursue certification at a relatively young age?
AS: Both of my degrees are in accounting and information systems. The firm I started to work for was creating this information security and assurance services group. I originally applied for a financial audit position and was not picked. However, they liked my background in information systems so they were like ‘Hey, why don’t you come join our team?’ Of course, I was completely green and didn’t really know what I was getting into. When I first got there, they said ‘You need to start working on certifications.’ I met an individual through ISACA, which is how I got intertwined with being a volunteer board member for the Nashville location, and I just started to learn more about the different certifications which were available in the information security industry. … I didn’t like being the only person that didn’t have a certification and especially when my name and bio would be listed on a statement of qualifications for bidding on work. CISA was most prominent in the information security assurance world that I was in at that point, so I made that my target for my first certification. So, I really looked at it, one, as validation for myself and what I was doing, and secondly for helping our group’s chances of winning engagements.
LAM: I was mentored by the president at the time of the North Texas ISACA chapter … He invited me to a meeting and talked about the different certifications, and mentored me through taking the CISA certification. Through that process, I really got to know my internal audit team of my company at the time. I took the test both to grow my knowledge of that type of audit and really understand what the terms were, and how to best get the information and pull evidence. It helped me in my day-to-day job and definitely added an acronym after my name, and got me exposed to a lot of really great people and networking in the process.
MG: I started out in audit consulting, and kind of the baseline or the bar to working in that space is an audit certification, and CISA is the most recognizable and known. I think the IT audit and information security industries really just look for that, especially in the past few years. Having multiple certifications is almost a barrier to entry. That’s why I got my third certification, the CISA, because starting in consulting, they were like ‘Alright, the first thing you need to work on is getting your CISA.’ Certifications like CISA are important, but I also think the industry is headed toward requiring additional specialization in specific technologies and spaces.
ISACA Now: How does your certification help you most on a daily basis?
LAM: On a day-to-day basis, part of my job is to build security programs and security awareness programs for other companies, and I always try to do that with audit principles in mind: making a program metrics-driven, seeing how we can improve year over year, and clearly thinking about how, from an auditor’s perspective, I can make my suggestions for other companies with those basic audit recommendation principles in mind. So, I go back to what I learned during my CISA certification studying. A lot of the language that I use for these types of recommendations is very similar to what I learned, so it definitely helps me communicate not only with security professionals, but audit professionals, and executives from both of those sides.
AS: It seems like there are so many moving pieces and parts within our enterprise, constantly dealing with different lines of business and their needs. I think having the CISA, CRISC and the CISM may have been most helpful in giving me those multi-faceted knowledge bases which I can leverage to solve problems for the various lines of business and segments of our bank. Overall, from a career perspective it helps solidify the knowledge that I use in solving those problems. I think people see my work in combination with the certifications as a justification of my value that I bring to the table, especially being a millennial.
ISACA Now: Can you elaborate on that?
AS: I don’t know if you’ve ever heard this, but the way I’ve heard it and thought about it is a lot of Baby Boomers and Gen Xers, they kind of have a strange feeling regarding millennials and how we impact the workforce. We’re essentially change agents and we’re ambitious and we want to impact our organizations in a positive way, and ultimately some of us want to be able to change the world. We don’t necessarily climb that ‘career ladder’ that older employees or Gen Xers climb; we essentially just take the elevator. We don’t like the red tape. We don’t like the bureaucratic processes. We’re always looking for bigger and better ways to do things. In my situation, being as young as I am and having the certifications but not necessarily having extensive experience, it helps stabilize my footing when I’m interacting with more seasoned professionals.
LAM: I would absolutely agree with you, Ashley. Often I’m looked at as very young in the field and therefore very inexperienced. I think having the CISA and serving on my local ISACA board have really helped to get my name out there.
MG: I totally agree. When you meet face-to-face and people realize how young you are, they’re like ‘Oh, you’re not qualified.’ But when you have certifications, people pay attention more. You have more clout in those situations, especially when you’re interacting with other companies or vendors and you introduce yourself on a phone call, and somebody asks that question ‘What credentials do you have?’, it’s always nice to be able to respond that you have multiple certifications because people in the industry know what the certifications are and what they mean. I also think the industry is leaning toward the certifications being less book knowledge and more hands-on technical knowledge, which I think is really good.
AS: I can’t agree with you more about those times where, working in a larger organization, we have a little over 33,000 employees, and I speak with a lot of people on the phone, and when I meet them in person, they always say ‘Don’t take this wrong, but you sound so old’ or ‘I can’t believe how young you are.’ I’ve had that happen quite a bit.
LAM: My company works with many global organizations and currently we’re expanding into the Asia Pacific region. Especially with my age and length of experience, I find that when I speak to audit members or different security team members in that region about having CISA certification, they’re very impressed and willing to work with me when before they might not have been as willing. So, it definitely has helped me prove myself as a consultant trying to get into those types of deals. Despite any cultural differences, I have found that having a particular certification and serving on [an ISACA chapter board] has opened up a lot of communication with people who are very different from me. Being able to gain that common ground has been really interesting and has really opened a lot of doors.
Why would an employer pay its tech workers extra cash for a skill or certification if they're already getting a salary and annual bonus?
There are a dozen good reasons why, and they all share one thing in common: None would be necessary if the company's compensation structure and pay practices were agile enough to successfully compete for talent in volatile labor markets. The nature of the tech labor marketplace is exactly that, where the market value of a job or skill can move like a roller coaster depending on what’s hot and what’s not at any given moment. If your employer doesn't have built-in flexibility to react quickly and correctly, it will struggle to find and keep people to execute tech-enabled business strategies.
Who Needs Skills Pay and Why
How do you know if your employer is a victim? Say, for instance, your company doesn’t normally have trouble retaining tech talent and suddenly the best people start walking out the door. Most likely your company wasn’t able to match competing salary offers. Then to make matters worse, it's soon discovered that the competing offers were actually realistic average local market salaries for these positions – so your employer was underpaying these people from the start. It’s called ‘salary compression,’ when market-driven pay for talent is growing at a faster rate than the annual salary increases employers are able to offer their workers.
Compression is a widespread systemic reality that tends to be much worse in the tech workforce because of the rapid evolution of technology, skills and jobs. Every employer must decide whether to fix it permanently (very difficult) or patch it occasionally (less difficult and more practical).
If there is little leeway in the incumbent’s salary range to sweeten the pot on a counter-offer, and a promotion is not a viable option, paying workers extra cash for critical skills and certifications can be the perfect solution. That is especially true when workers possess the very hot certified or noncertified tech skills that other employers are aggressively targeting. The trick is to tie this extra cash directly to current market value for the hot skill or certification and guarantee that premium for some period of time, usually one year or more. When time’s up, the employer can check whether market value has changed and decide if it makes sense to continue to pay the skills premium and how much to pay, or to switch it out for another hot skill that has become more valuable to the organization.
What is the current cash market value for certifications?
Extra pay awarded to 69,900 U.S. and Canadian IT professionals for 880 certified and noncertified IT and business skills – also known as skills pay premiums – has been tracked and updated quarterly since 1999 in the IT Skills and Certifications Pay Index™ (ITSCPI). About 3,000 private and public sector employers currently provide this data to Foote Partners, covering a total of 255,600 IT professionals at these companies.
ISACA certifications are doing extremely well. As a group they’ve gained 15.3 percent in cash market value in the last six months compared to nearly 8 percent growth in pay across all 80 security-related certifications in the ITSCPI. The Certified in Risk and Information Systems Control (CRISC) and Certified in the Governance of Enterprise IT (CGEIT) are the top gainers. The CSX Practitioner (CSXP) certification appeared for the first time in the latest ITSCPI, earning an average pay premium equivalent to 12 percent of base salary – a very strong number for a new certification.
The following security certifications are earning the highest pay premiums right now. They're paying median cash premiums equivalent to 13 percent to 19 percent of base salary, typically paid out each pay period as a cash bonus in addition to salary. They are shown below in descending rank order of market value, including ties; certifications sharing a rank are listed alphabetically.
- Certified Cyber Forensics Professional
- (Tie)
  - Certified Forensic Computer Examiner
  - CyberSecurity Forensic Analyst
  - GIAC Reverse Engineering Malware
- (Tie)
  - EC-Council Certified Incident Handler
  - EC-Council Computer Hacking Forensic Investigator
  - GIAC Certified Forensics Examiner
  - GIAC Certified Forensics Analyst
  - GIAC Exploit Researcher and Advanced Penetration Tester
  - GIAC Web Application Penetration Tester
- (Tie)
  - GIAC Enterprise Defender
  - GIAC Secure Software Programmer--Java
  - InfoSys Security Architecture Professional (ISSAP/CISSP)
- (Tie)
  - Certified Information Security Manager (CISM)
  - Certified Information Systems Security Professional
  - Certified in Risk and Information Systems Control (CRISC)
  - EC-Council Licensed Penetration Tester
  - InfoSys Security Engineering Professional (ISSEP/CISSP)
Market values for 412 tech certifications in the most recent ITSCPI data update are averaging the equivalent of 7.7 percent of base salary and, as a group, have recorded gains in 14 consecutive calendar quarters, unprecedented in the 18 years Foote Partners has been tracking and reporting compensation for certifications. Info/cyber security certifications have figured prominently in this growth.
Market values for 80 info/cyber security certifications have been on a slow and steady upward path for four years, up 10.7 percent in average cash value as a group in just the past 12 months and 15 percent during the past two years – the largest gain among all certification categories reported. Strong performing security certifications so far in 2016 cut a wide swath: cybersecurity, forensics, penetration testing, perimeter protection and enterprise defense, security analysis, risk and security software programming.
Editor’s note: Registration is open for the first testing window of 2017 for ISACA’s core certifications.
Exams for CISA, CISM, CGEIT and CRISC will be offered in 2017 at PSI testing locations worldwide during three eight-week testing windows. The first testing window will be 1 May-30 June, with 28 February marking the early registration deadline. Exam registration via the ISACA website is available at www.isaca.org/examreg.