fortean
Contributor III

CISA, CISM, nothing.. your advice please!

Folks,

you should never stop learning. But the question is: WHAT to learn.

I am currently considering passing the CISA and/or CISM accreditation. Thing is, this is the first time in my life that I have some hesitations. I would love to hear your opinion and get some advice.

 

Ever since 2000 or thereabouts I have been an avid advocate of certifications and accreditations 1). I started out obtaining mostly technical certifications, e.g. SNIA, LPIC1 and LPIC2. I also obtained ITIL Foundation. Later on I did some accreditations too: HP-UX sysadmin and RHCE. All of these certifications and accreditations felt like "the right thing to do" at the time I studied for them. Passing the exams was not difficult: passing merely consolidated what was already there from my work experience.

My 2011 CISSP was the first certification that required me to study some new topics, e.g. information security management. Passing the CISSP surely helped when I subsequently set out to obtain a master's in information security. I gradually shifted somewhat away from technology and learned a lot about people and processes too.

After passing my master's, I had a deeper and broader insight into our trade, but felt I lacked sufficient knowledge about cloud computing. I subsequently studied for and passed the CCSP. This was the first certification that required me to learn (mostly) new technologies and jargon. The same held true for the CIPP/E I did next, which served as a lever to force me to study the GDPR and EU governance structures. I passed that one too. I was very much intrinsically motivated to pass these exams, as I could immediately use the new knowledge to help our customers.

 

Then my employer asked me to become a SUSE certified trainer. SUSE requires (at least) three certifications for their trainers, so I subsequently studied for and passed the CTT+ certification and the SCA / SCE accreditation. This was the first time in my life that I was not deeply intrinsically motivated - it was simply something the boss required and paid me for. In hindsight, I really enjoyed the preparation for and subsequent CTT+ certification, and the technical certs were quite easy to obtain for a guy that has 40+ years of (mostly technical) experience.

 

The CTO of my employer had supported and sponsored me during all these years. We shared the same vision, namely that information security should be part of our business portfolio. But just after I completed my master's, he left the company and the other managers decided they would not continue his efforts with regard to information security. There I was, fully accredited and certified, with a sales department that had neither the knowledge nor the mission to market my specific set of skills. I could have stayed there as a trainer, but I decided otherwise.

 

Well, at least all these credentials behind my name helped to get my foot inside the door of one of the better known infosec companies in my country, so I was hired. Good, end of story, Heinrich will work there for the coming 6-7 years and then retire. No need for more accreditations. Period.

 

But .. recently I felt a little itch here and there - I haven't passed an exam during the last few years and that somehow feels odd. So, is there another cert that I could obtain - and if so, is that a wise thing to do - or not?

 

After some consideration I figured that I probably still had something to learn in the field of auditing. Alas, (ISC)2 does not offer anything related so I visited the ISACA site and read up about CISA and CISM. Also well known and appreciated certs.

 

Now, the question here is WHY to do them (apart from scratching my itch) and what the consequences would be. Some considerations I have are:

 

  • Obtaining too many certifications and accreditations might actually work against me. People find it hard to believe that you can be a specialist in more than one field, and obtaining your umpteenth cert does not prove much anymore.
  • There are quite high costs involved in obtaining and maintaining these certs. ISACA is quite expensive to join, and their exams aren't really cheap either.
  • To see if I really could learn much that is new, I took a number of online tests, fully unprepared. These are the official ISACA tests, 50 questions. I did the CISA and CISM tests and scored around 70% on the first try. I also did the 10-question mini-test they offer (CISM) and scored 8 out of 10. This gave me the impression that I already have the knowledge and skills.

 

So - if one does not do it to obtain new knowledge, it is relatively expensive and it may work against me, why do it in the first place?

 

My dear peers - what do you think, should I do the CISA / CISM? Or any other certification / accreditation?

Or is there indeed a point in a person's life to stop doing new exams and focus on maintenance of existing knowledge?

 

Your opinions please!

 

1) if one passes a series of independent and objective tests one can be said to be 'certified'. If there is a process in place to ensure that you are maintaining your knowledge and skills, one can be said to be accredited. CISSP is therefore not a certification, but an accreditation. CTT+ is therefore a certification, not an accreditation. I believe that the best system is accreditation, but it is also the most costly of the two.

--
Heinrich W. Klöpping, MSc CISSP CCSP CIPP/E CTT+
2 Replies
CraginS
Defender I


@fortean wrote:

Folks,

 

you should never stop learning. But the question is: WHAT to learn.

 

I am currently considering passing the CISA or / and CISM accreditation. Thing is, this is the first time in my life that a have some hesitations. I would love to hear your opinion and get some advice.

...

 

1) if one passes a series of independent and objective tests one can be said to be 'certified'. If there is a process in place to ensure that you are maintaining your knowledge and skills, one can be said to be accredited. CISSP is therefore not a certification, but an accreditation. CTT+ is therefore a certification, not an accreditation. I believe that the best system is accreditation, but it is also the most costly of the two.


Heinrich,

Well thought out approach to continuous improvement as a professional. Here are some thoughts, that go along with advice I have also given in other threads.

 

1. Consider expanding your education horizons outside of the infosec world of CISSP and CISM, for knowledge that will supplement and complement your infosec work. More on that below.

 

2. The CISA is specifically for hands-on auditors. If you are doing or plan to do infosec audit work, it may help you build specific deep skills to supplement your CISSP, just as any of the CISSP concentrations (ISSEP, ISSAP, ISSMP) would. However, if you are not really interested in audit work, don't bother.

3. CISM is, like CISSP, a management certification. The only difference is that the CISM was designed specifically for managers who supervise CISAs and auditors. As a CISSP, the CISM is duplicative; during the first year of the CISM, any CISSP could grandfather in to get the CISM, based on having the CISSP. The only reason to pursue a CISM is if you are focused on a career in audit and audit management.

 

4. Back to #1, above: there are two important certification bodies outside the infosec world, that each in different ways, offer strong complements to the CISSP.

   a. First is the Project Management Professional (PMP),  from the Project Management Institute. PMP skills are about being in a position to meaningfully implement your security recommendations.

   b. Second are the systems engineering certifications from INCOSE. If you have not been doing SE work so far, they have an entry-level certification, the ASEP, and if you have actually been performing SE work, you can go for the CSEP. Learning the SE Framework and the SEMBOK will help you understand how traditional infosec skills are only part of the environment you hope to influence as an infosec pro.

 

Essentially, I think every CISSP or CISM should be educated, if not also certified, in both project management and systems engineering, plus at least one deep-dive infosec field.

I just retired before I brought that advice to bear in my own career, although I did complete CSEP training, but not the exam.

 

Good luck!
D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
dcontesti
Community Champion


@CraginS wrote:

 

4. Back to #1, above: there are two important certification bodies outside the infosec world, that each in different ways, offer strong complements to the CISSP.

   a. First is the Project Management Professional (PMP),  from the Project Management Institute. PMP skills are about being in a position to meaningfully implement your security recommendations.

   b. Second are the systems engineering certifications from INCOSE. If you have not been doing SE work so far, they have an entry-level certification, the ASEP, and if you have actually been performing SE work, you can go for the CSEP. Learning the SE Framework and the SEMBOK will help you understand how traditional infosec skills are only part of the environment you hope to influence as an infosec pro.

 

Essentially, I think every CISSP or CISM should be educated, if not also certified, in both project management and systems engineering, plus at least one deep-dive infosec field.

I just retired before I brought that advice to bear in my own career, although I did complete CSEP training, but not the exam.

 

Good luck!

 

 


As always, excellent advice @CraginS. I believe one should keep their options open and always look to advance their career and not become a niche player (that is, don't lock yourself into just security, or if you do, really specialize in something like firewalls).

 

d