Earlier this year, I wrote a 25-year CISO perspective on the value of certification, and more specifically, the CISSP certification. This year, I decided to take the new ISACA Advanced in AI Security Management (AAISM) certification that was launched in 2025.
The Value of Certs is Often Debated, But Why?
I have long been an advocate for certifications and have earned about 15 of them over the years. The goal was never to get the letters after my name, but to accomplish a goal and an understanding that only comes from learning a topic deeply and being tested on it. These exams are built so you cannot “bluff” your way through the material – you either have learned it, or you haven’t. Isn’t this what we did as we progressed through school? Why should we change now that we have a degree? Or a job?
Experience vs. Education
Yes, experience matters. But experience also needs an educational foundation to operate on. These days it would be rare to fix something around the house without pulling up a YouTube video. I was building a new desk in a walk-in closet recently and needed to remove the trim boards. I had no idea how to do that. My experience told me that carpenters had to know a way or have a cool tool. I asked ChatGPT, I watched YouTube videos and, lo and behold, there is this little cool tool that removes those tiny nails the human eye no longer sees. No busted trim boards either. One trip to Home Depot and I was now the expert! OK, not really, but I was able to do the job. Experience + education = success.
Welcome the New AI Certs to the Neighborhood
Now that we have the reason why certs are important, let’s look specifically at the AI certs available – in this case, the new ISACA certifications of AAISM, AAIA and AAIR. I have worked with ISACA North America and Europe conferences for a long time and have respect for the organization and what they bring to the security, privacy, audit, GRC and risk communities. To be honest, I assumed they would quickly just repurpose the CISM, CISA and CRISC certs to get on the “AI train.” I was wrong. The materials are absolutely focused on the AI-specific parts of the job. They addressed governance, AI threats, AI terminology, leveraging AI to enhance the security program, AI risk mitigation strategies, etc. In short, I was impressed with the material coverage.
OK, Let's Get Down To the Hard Part
Luck is where preparation meets opportunity. We have heard it a thousand times before. Staying employed is important, right? What happens when one day you are the rock star security professional that is the go-to person in your company or network, and the new dude or dudette, with the same experience, walks up. They have been preparing for AI certs on the side, and they apply for that same new AI job that you want? We can either fight it ... or prepare for that 99% probability in the next few years. So, start now. Today.
Here is the Real Meat
Your mileage may vary as I share what worked for me. I am a reader of books and learn that way. You may process information differently. However, here is the approach I took.
Step1: Set an exam date and register for it. I looked at my calendar and found two weeks that I was not traveling and could devote some study time. I was speaking at the RSAC Conference in San Francisco and was traveling to Dublin, Ireland, so I also figured I had some airline time to study. In between, I was teaching a class and had a few other speaking engagements. I don’t have the market on “being busy” as I am sure you are, too.
Busy is not an excuse or a plan. I set a date exactly 45 days from the day I opened the registration page, not 45 days after I was comfortable and did the studying. ISACA said 2-3+ months of studying was suggested. I work better by setting a date, then working backwards. Gulp. Now I was committed to taking the AAISM exam. Pass or fail, didn’t matter – I was committed.
And the date I scheduled it for? Thursday, April 30, 2026, just before I was scheduled to speak the next week at the ISACA North America Conference. I knew myself and if I had taken the test after the conference, I would have been studying by the pool vs. celebrating my accomplishment and not studying – again, by the pool!
Step 2: Read the official ISACA study guide – not once, but three times. Every word. Not fun really. I read 50 pages at a time and my brain was full. The guides are about 200 pages. I found that there were things I picked up each time I read it. Study the tables inside the book; these are great sources for test questions.
Step 3: Use the 200 multiple choice practice questions database. For the questions, I scored only 73%. I scored 87% on each of the practice tests. I still wasn’t satisfied that I knew enough to pass, so Step 4 came about.
Step 4: Read the answers to every multiple choice question, including the ones you scored correctly and the ones that were wrong. The answers give you good clues as to why they were not the best answers and this becomes a learning to answer a similar question on the test.
Step 5: Repeat Step 4, focusing only on those answers that were wrong. Read the answers again, and again if necessary.
Step 6: Go back and read the book one more time. Don’t skip this step.
Tips for Taking the Test
First of all, do not study the day before the exam. Don’t pick up the book and look over the questions again. Don’t do it. You will thank me later.
I completed the 90-question test with at least 45 minutes to spare. So take the time and re-read the question again after reading the multiple choice answers. Sometimes we get a clearer picture of what is being asked, or we can correct ourselves if we read the question too fast.
I also don’t change answers once I make them. I find that when we second-guess ourselves, our mind plays tricks on us. Better to take your best shot and go with it.
The result?
It is always such a good feeling after you hit the submit button and it comes back and says “I passed.” I don’t know why, but it is still a thrill. Well, I passed and I believe if you put the time into it, you will, too. It is not an easy, slam-dunk test. Because of that, there is a feeling of accomplishment at the end.
I hope this has been helpful. Just go do it. You will be glad you did.
About the author: Todd Fitzgerald is a Former F500 CISO, author of #1 Best Selling (2019-2024) and CANON Cybersecurity Hall of Fame Winner CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers ,co-author (2024) The Privacy Leader Compass: A Comprehensive Business-Oriented Roadmap for Building and Leading Practical Privacy Programs, Founder CISO Stories podcast, and current keynote speaker.