Bob Smart, CISA, CISM, CRISC, MACS Snr, MBIS
Conventional wisdom says that professional certifications provide individuals with improved career1 and income prospects, greater networking opportunities,2 professional respect, and increased self-confidence through independent validation of competencies. But what is in it for organizations hiring certified professionals?
Engaging certified professionals can be considered a risk management tool. Professional certifications can be defined as a promise made by the certifying body that the recipient has demonstrated a minimum level of capabilities.3 Therefore, hiring professionals with reputable credentials reduces the likelihood of poor judgments or missed opportunities. This can also boost a company’s image and success rate in winning contracts and new customers.4
Consequently, organizations are willing to pay 27 percent more for a certified professional than an uncertified comparable specialist.5 This pay premium differs among credentials, reflecting business benefits delivered. This value comes from increased credibility, standardization with industry frameworks, and having skilled and motivated people.
A professional designation is an independent confirmation of credibility. This is invaluable for job roles without other opportunities to effectively demonstrate capabilities to management, boards, business partners, regulators, customers and third parties. Certification provides assurance that the individual possesses the required competencies and is, therefore, a source of credibility. Examples are roles where high-impact discretionary decisions are made—such as governance, risk management and assurance functions, or any position that is likely to be required to demonstrate credibility to a judge or jury, such as a security investigator, digital forensic professional or incident response specialist.
Because credibility is inherited from the professional credential, it is directly related to the credibility of the certifying body and the certification process. For this purpose, certification programs themselves can be assessed against the ANSI/ISO/IEC 17024 standard for personnel certification programs. Knowing that a certification has been independently assessed for conformity against the requirements of ANSI/ISO/IEC 17024 gives it a certain level of credibility. According to ANSI/ISO/IEC 17024, a credential should clearly state the competencies being examined.6 The examination must be independent and include a suitable test of demonstrated ability to apply the knowledge, skills and appropriate personal attributes that constitute the required competencies. The certifying body should ensure a consistent examination approach over time and across all regions where the certification is offered. Some credentials are also accompanied by a code of ethics that shapes personal attributes and supports the credibility and ethical conduct of certified individuals. Finally, the reputation, history and governance of the issuing body are inseparable from the certifications themselves.
Alignment of certified competencies with skills and industry frameworks simplifies skills management and helps organizations better utilize industry frameworks intended for “matching the skills of the IT workforce to the needs of the business.”7 For instance, if position descriptions are aligned to the Skills Framework for the Information Age (SFIA), professional designations that are aligned to the same framework, such as the Certified Information Systems Auditor (CISA) and the Certified Information Security Manager (CISM), would be easier to incorporate in hiring, learning and development plans.8 Additionally, if a certification is mapped to SFIA, it becomes apparent whether it is intended for coordinator, management or executive levels, which may not be clearly disclosed in certification materials.
Furthermore, if an organization has embraced an industry framework, such as COBIT, Sherwood Applied Business Security Architecture (SABSA) or IT Infrastructure Library (ITIL), focusing on the corresponding certification issued by the framework-originating body would deliver greater business benefits.
Finally, although national certification schemas may address local requirements, global certifications improve collaboration and communication among specialists from business partners in a globalized business environment.
The final and, arguably, most important benefit for employers is related to having skilled and motivated people in the organization. This is a key organizational objective as identified in COBIT 5,9 and certifications both identify and prove the existence of skills and motivation in a positive loopback system.10
The dynamic nature of the current IT environment demands that certifications have a shelf life and be kept up to date through monitored continuing learning and development. While centrally managed organizations in less-dynamic business sectors may have professional development programs that are inadequate for IT specialists, the continuing professional education requirements of leading professional organizations prevent obsolescence of skills. Furthermore, most issuing bodies provide cost-effective education services to members. Certifications without expiry or a supporting professional development program may be preferred by some individuals, but they will certainly be less valued by employers.
Continuous education provisions of leading certifications provide organizations with assurance that the credential holders have kept their skills current and covered the required breadth of knowledge.
Professional certifications also assist with developing staff for emerging skills gaps. Certifying bodies are usually faster than traditional educational institutions to respond to changing market demands as they often have strong industry and research alliances that contribute to keeping their body of knowledge current.11 For example, as a consequence of the increased focus on risk management within the information security management profession, the domain of risk in ISACA’s CISM job practice and, therefore, in the exam recently increased from 22 to 33 percent.12 Furthermore, the new converging and rapidly digitized world has created a demand for cross-disciplinary skills in areas such as digital forensic science, IT audit, health care information management, information security management and IT governance. Professional certifications commonly deliver required outcomes faster in addressing these skill gaps.13
Even for supposedly single-disciplinary fields, such as IT security management, very few universities offer the required breadth of knowledge to equip students with the skills necessary to develop and implement an information security management program—not to mention that academic credentials do not cover practical situational experience and competence, which are crucial for any decision-making role. Fortunately, professional certifications have sufficient geographical reach and agility to help individuals develop the necessary IT capabilities to serve changing business needs.
Many organizations have made a focused effort to best utilize the value of professional certifications. This is particularly evident within government and regulatory bodies. In India, CERT-In, the Reserve Bank of India, the Securities and Exchange Board of India (SEBI) and the Controller of Certifying Authorities have prescribed mandatory certification for specific assurance roles.14 In the US, the Department of Defense,15 the Drug Enforcement Administration (DEA) and the Federal Reserve Bank also specify certifications for IT audit and cybersecurity management roles. Similar requirements are placed on the staff of the Colombian Superintendencia General de Entidades Financieras and the Banking Regulation and Supervision Agency of Turkey, and on government IT auditors in Mauritius and Poland.16
The governments of Japan and South Australia have gone one step further by specifying professional designations as part of IT procurement requirements. The South Australian Government’s Office of the Chief Information Officer (OCIO) reviews IT audit and advisory reports from professional services firms. While the lack of a certification does not equate to a lack of capabilities, it is far less likely that the work of a certified professional would contain a serious error of judgment or incorrect advice. As a result of these and other assessments, South Australia’s OCIO has identified valuable certifications and recommended common credentials for cybersecurity services (figure 1).17
While creating such comprehensive certification criteria may not be feasible for smaller organizations, they can leverage the work of other organizations, such as local and foreign governments and specialized media that publish annual lists of top professional certifications18 or certifications commanding the highest salaries.19
Monitoring relevant job listings can also indicate the preferred credentials20 for certain roles, including how much the market values them.
With such obvious arguments for embracing certifications, it is surprising that some organizations still do not actively support the certification of their staff. Perhaps it is because a large number of variables make it difficult to conclusively measure and attribute the impact of certified professionals on business outcomes.21 Another reason is that IT has very few regulations that mandate certification. With the increased complexity of modern information systems and high-impact decision making based on risk assessment rather than a best-practice-prescribed approach, it is obvious that professional certification plays a critical role in skillfully managing organizational risk, with benefits that are bound to surpass the relatively modest investment in certifications. In the absence of regulation, audit functions should perhaps pay more attention to whether organizations are embracing professional certification of staff, contractors and vendor personnel as a risk management tool. Rather than waiting for a regulation, embracing professional certifications is a simple solution in the hands of organizations that will also pay back through an improved bottom line.
1 Asher, Donald; Who Gets Promoted, Who Doesn’t, and Why: 10 Things You’d Better Do If You Want to Get Ahead, Ten Speed Press, 2007, p. 35
2 Peryam, Susan; “Why Professional Certification Is So Worth It,” 15 March 2010, http://facilitate.com/blog/index.php/2010/03/why-professional-certification-is-so-worth-it/
3 Douglas, David; “Making ICT Careers Accessible: The Value of Certification,” Australian Computer Society Journal, July/August 2012, p. 54
4 Adams, Paul S.; et al; “Professional Certification: Its Value to SH&E Practitioners and the Profession,” Professional Safety, December 2004, p. 26-31
5 Luckwaldt, Jen; “Best Certifications for Boosting Your Salary,” PayScale.com, 2012, http://career-advice.monster.com/salary-benefits/salary-information/salary-increase-certifications/article.aspx
6 International Accreditation Forum; “IAF Guidance on the Application of ISO/IEC 17024:2003,” 2005, www.compad.com.au/cms/iaf/workstation/upFiles/228543.IAF-GD24-2004_Guidance_on_ISO_17024_Pub.pdf
7 ISACA; “ISACA and SFIA Foundation Partner to Map CISA and CISM Certifications to Skills Framework for the Information Age,” 8 March 2012, www.isaca.org/About-ISACA/Press-room/News-Releases/2012/Pages/CISA-and-CISM-Certifications-to-Skills-Framework-for-the-Information-Age.aspx
8 Ibid.
9 ISACA; COBIT 5: Enabling Processes, 2012, p. 14
10 Ruscitto, Bob; “Professional Certification Highlights Your Skills,” NFPA Journal, March/April 2004, p. 26-27
11 Ashford, Warwick; “Skills shortage means no unemployment in IT security, says (ISC)2,” 11 September 2012, http://www.computerweekly.com/news/2240163010/Skills-shortage-means-no-unemployment-in-IT-security-says-ISC2
12 ISACA; CISM Review Manual 2012, USA, 2011, p. iii
13 Frowen, Andy; “National Skills Shortage in Computer Forensics,” 2012, http://ezinearticles.com/?National-Skills-Shortage-in-Computer-Forensics&id=1880780
14 ISACA; “ISACA Regulatory & Legislative Impact,” 2011, Government and Regulatory Advocacy Committee Papers
15 Department of Defense; “Information Assurance Workforce Improvement Program,” DoD 8570.01-M, USA, 19 December 2005, http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf
16 ISACA; “ISACA Regulatory & Legislative Impact,” 2011, Government and Regulatory Advocacy Committee Papers
17 Government of South Australia, Office of the Chief Information Officer; “Cyber Security Services Panel: Practitioner Statement,” 2012, www.sa.gov.au/upload/entity/1670/Doing%20business%20with%20us/eProjects_Panel_Supplier_Application_Pack.zip
18 SC Magazine; “Best Professional Certification Program & Best Professional Training Program,” 8 November 2011, www.scmagazine.com/best-professional-certification-program-best-professional-training-program/article/216320
19 Crisp360 Editors; “7 Expert Certifications That Command The Highest Salaries in IT,” 27 January 2012, www.crisp360.com/news/7-expert-certifications-command-highest-salaries-it
20 Seeklearning.com.au; “Top IT Certifications 2012,” 2012, www.seeklearning.com.au/it-training/top-it-certifications-2012.asp?CampaignCode=LRN:SEM:SEMG13&s_kwcid=TC|1026387|cissp%20certification||S|b|10224363124&gclid=CMPQ7oi18bECFWZNpgodYzcAEA
21 Ulmer, Jeffrey; “Professional Certification: A Study of Significance,” Journal of Industrial Technology, April 2010, http://atmae.org/jit/Articles/ulmer032610.pdf
Bob Smart, CISA, CISM, CRISC, MACS Snr, MBIS, is the IT security advisor within the South Australian Department of the Premier and Cabinet. He previously managed IT audit and advisory teams within PwC. Smart shares his experience in cybersecurity management, IT audit and risk management through facilitation of Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) study sessions and as a guest lecturer at the University of South Australia (Adelaide, South Australia).
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2013 ISACA. All rights reserved.