As the technology landscape evolves, security managers face the challenge of addressing an increasingly complex threat environment while calibrating their security programs to align with shifting business contexts.
We asked five CISM certification-holders how the lessons they learned from their CISM apply to the current security landscape. See their answers below, and learn more about CISM here.
“Today’s threat landscape is constantly changing, especially with the rising use of AI by both organizations and attackers. Nevertheless, many core risks persist, particularly in areas like business email compromise and third-party supply chain vulnerabilities. The CISM certification has reinforced a grounded, pragmatic, and risk-based approach in my operations, whether it's shaping governance and policies, supporting product decisions, or managing customer and regulatory requirements.
Combined with hands-on experience, it provides a consistent framework for making clear, defensible decisions and embedding repeatable processes across the organization. The focus is on applying security in a way that is practical and sustainable, ensuring it supports the business and keeps pace with change rather than slowing it down.” — Simon Backwell, CISM, CIPM, Information Security and Data Protection Officer, Recite Me
“I apply my CISM certification as a management-focused framework to align security governance, risk appetite and program goals with day-to-day decisions in a fast-changing threat and technology landscape. It helps me translate technical and compliance requirements into clear priorities, ownership and measurable outcomes so stakeholders and leaders can make timely, defensible risk decisions. It improves how I lead through influence by coaching teams and ensuring security and privacy requirements are implemented and maintained across the full system lifecycle.” — Kathleen Peery, CISM, CRISC, AAISM, Sec+, Sr. Cyber Risk Analyst
“Studying for and acquiring the CISM certification has been instrumental in refining my approach to enhancing key information security processes within my organization, especially in the Information Security Risk Management and Security Incident Management domains. The Information Security Risk Management domain improved my ability to design and implement a thorough, fit-for-purpose information security risk assessment framework applicable to all information assets and systems organization-wide. This framework ensures timely identification, management in line with business risk appetite, and thorough understanding by both business and IT stakeholders, promoting shared ownership of information security responsibilities.
More recently, I have extended this framework to address AI-related security risks, which is a growing concern in the area of information protection and data leakage prevention (DLP). At the same time, the Security Incident Management domain of CISM deepened my understanding of how to conduct effective incident impact analysis based on established, proven methodologies, incident investigation and evaluation, and the importance of clear and detailed incident documentation. I have applied these principles consistently for multiple years now, and they have significantly helped to strengthen stakeholder communication and collaboration throughout the investigation and remediation process, resulting in good contributions and outputs, and ultimately translating into a timely and accurate regulatory reporting process. Finally, the clear and detailed documentation has been instrumental in the capture of lessons learned, translating improvement suggestions into actionable plans and initiatives that help continuously improve the security posture.” — Glenda Suarez Cabrera, CISM, CISA, CISSP
“As the Director of Information Security & Compliance, I have found that earning the CISM certification has significantly enhanced my ability to lead and manage our security program. In today’s cybersecurity environment, threat conditions shift quickly and stakeholders expect clearer accountability. I found the skills from the CISM to have been immediately practical.
CISM deepens my understanding of governance and risk management, crucially aligning with my company’s security initiatives, organizational goals, and regulatory obligations. It equips me with practical frameworks for policy development, incident management, and ensuring compliance across complex environments. Additionally, CISM enhances my ability to communicate security priorities to executive leadership and external partners, making me a more effective advocate for risk-based decision-making. Overall, CISM has enhanced my job performance and positioned me as a strategic leader in information security, paving the way for continuous career advancement and influence within the industry.” — Alexander Rhyne, Director of Information Security and Compliance
“Earning the Certified Information Security Manager (CISM) certification has been pivotal to my company’s success, bolstering our ability to deliver top-tier cybersecurity solutions to clients. It has enhanced my expertise in risk management, governance, and incident response, enabling me to build a security-focused business aligned with industry best practices. With CISM, I’ve gained credibility as a trusted leader, attracting high-profile clients and securing significant contracts. The certification has refined my technical and strategic skills and positioned my company as a cybersecurity leader, ensuring we provide innovative and business-driven security solutions. Ultimately, CISM has played a key role in our company’s growth, reputation, and overall success in the ever-evolving cybersecurity landscape.” — Todd Broadbent