Category Archives: certification

State University Gives Copies of Security Career Books to Students

Earlier this year, Georgia State University asked me to speak at an information session for students in its Masters of Science in Information Systems (MSIS). Students needed to choose their study concentration; my job was to describe the information security profession to them so that they could choose whether to elect the security concentration, or one of two other concentrations. 
The university gave to all of its MSIS students a copy of one of my recent books, Getting an Information Security Job For Dummies. University officials recognized that the book accurately describes the profession, how professionals can learn more about the profession, career choices within the profession, and steps someone can take to get into the profession.

After my talk, university officials informed me that twenty-five students elected to pursue the information security concentration. This was greater than they expected, and they were pleased with the outcome. They expressed their gratitude to me for the time I took to describe the profession to them and answer their questions.

Insights into CRISC certification quality

ICRISC.h2 spent the previous Friday+weekend at ISACA HQ in Chicago at a workshop. The objective: to examine about 360 candidate exam questions for the CRISC (Certified in Risk and Information Systems Control) certification.

There were about 30 of us that worked in three independent groups that consisted of a facilitator (Richard Norman, a security manager in the UK), a scribe (Kim Cohen, the Certification Exam Development Manager at ISACA), and 8 risk management experts from many different organizations including Bank of America, Caterpillar, Premera Blue Cross, and Verizon Business.

We had our work cut out for us. Each group had about 120 exam questions to examine, discuss, edit, and ultimately determine whether it’s a good question based on many different quantitative and qualitative measurements. Oftentimes our discussion of the question became a discussion about how a security or risk management practices (including what companies should be doing and what they are actually doing). Richard, our facilitator, and Kim, our scribe, kept us on task and on pace.

The hard work began long before the three day weekend. Going back to May 2013, we each began our training on writing certification exam questions for ISACA, and over a four or five week period we each wrote a total of twenty exam questions.  Anyone who thinks this is an easy task does not understand the rules and the discipline required for the task. It is quite difficult.

I’ve been trained by two other certification organizations in exam question writing, but ISACA has really upped the game.  The rigor and quality that ISACA puts into certification exam question development is impressive. There are several levels of review, by different teams, on each question, by vetted subject matter experts, before it sees the light of day. And the analysis does not stop after the exam question has been finalized and approved. Analysis on how test takers answer the question continue throughout the life of the exam question.  It is no wonder that CRISC won the Certification of the Year Award from SC Magazine.

ISACA has been in the certification business longer than just about anyone in information technology. ISACA itself started in the 1960s, and the CISA certification began in the 1980s; tens of thousands of security and IS audit professionals have earned the CISA certification, and it remains one of the top IT security certifications today.