Tag Archives: security certification

The Certification Conundrum

The world of certifications opened up to me in 1999, when one of my colleagues, a security manager, earned his CISSP. That is my earliest knowledge of IT professional certifications to the best of my recollection. This was when I made my pivot from IT engineering to security engineering and, soon after, later security management.

Immersed in IT security over several years, I already had the background and the experience, and passed my CISSP exam in November 2000 on the first attempt. Two years later, I studied for and earned my CISA. At the time, I thought that these two certs would be all that I would ever need. Funny how plans can go awry.

EC-Council released its CCISO (Certified Chief Information Security Officer) certification in 2011-2012 and offered me an opportunity to earn it through grandfathering. As is typical for security-related certifications, earning a certification through grandfathering involves a good deal of paperwork, documenting one’s experience in one or more domains, and having one’s current and former supervisors attesting in writing that the experience is genuine.

My reasons for obtaining the CCISO certification were two-fold: first, I wanted to show that I had the chops to be a security leader – a CISO. Second, I wanted to someday have a job where that was my job title, and I believed that having the cert would demonstrate that I had the background for such a job.

Four years later, I reached that goal, as the CISO for a Los Angeles-based public company, on a contracting basis, for two and one-half years. Mission accomplished.

A couple of years later, during certification renewal season, I re-evaluated all of my certifications and decided, for each, whether to renew them or not. For only the second time, I decided not to renew a certification, and I let my CCISO certification lapse.

Here was my thought process: I had had CISO in my job title for over two years, a testament that I had not only the desire, but the experience, of being a CISO. The CCISO cert felt like a proxy that was no longer necessary, since I had the real thing. For me, getting CISO after my name involved either the certification or the job title, and having both did not seem to add value.

I want to be clear on one thing: EC-Council is a fine organization, and my experience with them has been nothing but positive. This article is not a hit-piece on the organization or the certification, and I can understand that other security professionals may have different reasons for choosing to earn and retain the CCISO.

Insights into CRISC certification quality

Leave a reply

I CRISC.h2 spent the previous Friday+weekend at ISACA HQ in Chicago at a workshop. The objective: to examine about 360 candidate exam questions for the CRISC (Certified in Risk and Information Systems Control) certification.

There were about 30 of us that worked in three independent groups that consisted of a facilitator (Richard Norman, a security manager in the UK), a scribe (Kim Cohen, the Certification Exam Development Manager at ISACA), and 8 risk management experts from many different organizations including Bank of America, Caterpillar, Premera Blue Cross, and Verizon Business.

We had our work cut out for us. Each group had about 120 exam questions to examine, discuss, edit, and ultimately determine whether it’s a good question based on many different quantitative and qualitative measurements. Oftentimes our discussion of the question became a discussion about how a security or risk management practices (including what companies should be doing and what they are actually doing). Richard, our facilitator, and Kim, our scribe, kept us on task and on pace.

The hard work began long before the three day weekend. Going back to May 2013, we each began our training on writing certification exam questions for ISACA, and over a four or five week period we each wrote a total of twenty exam questions. Anyone who thinks this is an easy task does not understand the rules and the discipline required for the task. It is quite difficult.

I’ve been trained by two other certification organizations in exam question writing, but ISACA has really upped the game. The rigor and quality that ISACA puts into certification exam question development is impressive. There are several levels of review, by different teams, on each question, by vetted subject matter experts, before it sees the light of day. And the analysis does not stop after the exam question has been finalized and approved. Analysis on how test takers answer the question continue throughout the life of the exam question. It is no wonder that CRISC won the Certification of the Year Award from SC Magazine.

ISACA has been in the certification business longer than just about anyone in information technology. ISACA itself started in the 1960s, and the CISA certification began in the 1980s; tens of thousands of security and IS audit professionals have earned the CISA certification, and it remains one of the top IT security certifications today.

CISA forum guides certification candidates

7 Replies

The CISA Forum is an online community whose purpose is to assist CISA candidates in their studies towards the Certified Information Systems Auditor certification. The forum, started in 2002 by Peter H Gregory, CISA, CISSP, is hosted by Yahoo Groups and has more than 3,000 members.

“The forum has helped many achieve their certification through lively discussions about the security audit profession and the CISA exam itself,” Gregory states. “I started this forum as a way to help new CISA candidates and to provide a platform for others to help these new candidates.” Gregory encourages newly-minted CISA holders to stay on the van and help others on their way.

The CISA Forum is open to all who possess the CISA certification or are interested in attaining it.

http://groups.yahoo.com/group/CISAforum/

The CISA certification is owned and managed by the Information Systems Audit and Control Association. ISACA does not endorse or sponsor the CISA Forum. Read more about the CISA certification here.

About ISACA. With more than 65,000 members in more than 140 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 55,000 professionals since 1978; the Certified Information Security Manager (CISM) designation, earned by 7,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT (CGEIT) designation.

CISA is a registered trademark of ISACA.

Security+ Study Guides

Leave a reply

There are several books in print that the Security+ candidate can use as a study aid for the Security+ exam.

CompTIA Security+ Study Guide: Exam SY0-101 by Mike Pastore and Emmett Dulaney