Tag Archives: security certification

The Certification Conundrum

The world of certifications opened up to me in 1999, when one of my colleagues, a security manager, earned his CISSP. That is my earliest knowledge of IT professional certifications, to the best of my recollection. This was when I made my pivot from IT engineering to security engineering and, soon after, security management.


Immersed in IT security over several years, I already had the background and the experience, and passed my CISSP exam in November 2000 on the first attempt. Two years later, I studied for and earned my CISA. At the time, I thought that these two certs would be all that I would ever need. Funny how plans can go awry.

EC-Council released its CCISO (Certified Chief Information Security Officer) certification in 2011-2012 and offered me an opportunity to earn it through grandfathering. As is typical for security-related certifications, earning a certification through grandfathering involves a good deal of paperwork, documenting one’s experience in one or more domains, and having one’s current and former supervisors attesting in writing that the experience is genuine.

My reasons for obtaining the CCISO certification were two-fold: first, I wanted to show that I had the chops to be a security leader – a CISO. Second, I wanted to someday have a job where that was my job title, and I believed that having the cert would demonstrate that I had the background for such a job.

Four years later, I reached that goal, as the CISO for a Los Angeles-based public company, on a contracting basis, for two and one-half years. Mission accomplished.

A couple of years later, during certification renewal season, I re-evaluated all of my certifications and decided, for each, whether to renew them or not. For only the second time, I decided not to renew a certification, and I let my CCISO certification lapse.

Here was my thought process: I had had CISO in my job title for over two years, a testament that I had not only the desire, but the experience, of being a CISO. The CCISO cert felt like a proxy that was no longer necessary, since I had the real thing. For me, getting CISO after my name involved either the certification or the job title, and having both did not seem to add value.

I want to be clear on one thing: EC-Council is a fine organization, and my experience with them has been nothing but positive. This article is not a hit-piece on the organization or the certification, and I can understand that other security professionals may have different reasons for choosing to earn and retain the CCISO.

Insights into CRISC certification quality

I spent the previous Friday and weekend at ISACA HQ in Chicago at a workshop. The objective: to examine about 360 candidate exam questions for the CRISC (Certified in Risk and Information Systems Control) certification.

There were about 30 of us that worked in three independent groups that consisted of a facilitator (Richard Norman, a security manager in the UK), a scribe (Kim Cohen, the Certification Exam Development Manager at ISACA), and 8 risk management experts from many different organizations including Bank of America, Caterpillar, Premera Blue Cross, and Verizon Business.

We had our work cut out for us. Each group had about 120 exam questions to examine, discuss, edit, and ultimately judge, based on many different quantitative and qualitative measurements, whether each was a good question. Oftentimes our discussion of a question became a discussion about security or risk management practices (including what companies should be doing and what they are actually doing). Richard, our facilitator, and Kim, our scribe, kept us on task and on pace.

The hard work began long before the three-day weekend. Going back to May 2013, we each began our training on writing certification exam questions for ISACA, and over a four or five week period we each wrote a total of twenty exam questions. Anyone who thinks this is an easy task does not understand the rules and the discipline required for the task. It is quite difficult.

I’ve been trained by two other certification organizations in exam question writing, but ISACA has really upped the game. The rigor and quality that ISACA puts into certification exam question development is impressive. There are several levels of review, by different teams of vetted subject matter experts, on each question before it sees the light of day. And the analysis does not stop after the exam question has been finalized and approved. Analysis of how test takers answer the question continues throughout the life of the exam question. It is no wonder that CRISC won the Certification of the Year Award from SC Magazine.

ISACA has been in the certification business longer than just about anyone in information technology. ISACA itself started in the 1960s, and the CISA certification began in the 1980s; tens of thousands of security and IS audit professionals have earned the CISA certification, and it remains one of the top IT security certifications today.

Showcase your cloud security knowledge with a CCSK cert

There are risks associated with the use of any new technology. Moving applications and data to the cloud has its economic benefits, but there are potential risks that organizations need to be aware of. Security professionals need to do their part and identify any risks associated with an organization’s desired move to the cloud, and manage those risks through the usual risk treatment.

To be effective, security professionals need to be acutely aware of the technologies involved, so that they may effectively identify and manage risk. Like so many specialties, there is now a certification available, Certified in Cloud Security Knowledge, or CCSK. This certification is offered by the Cloud Security Alliance, the same organization that published its seminal Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 (PDF download).

Candidates who wish to earn the CCSK must take a 50-question, one-hour exam as a test of their knowledge about cloud security. More information on earning the certificate is available here.

CISA forum guides certification candidates


The CISA Forum is an online community whose purpose is to assist CISA candidates in their studies towards the Certified Information Systems Auditor certification. The forum, started in 2002 by Peter H Gregory, CISA, CISSP, is hosted by Yahoo Groups and has more than 3,000 members.

“The forum has helped many achieve their certification through lively discussions about the security audit profession and the CISA exam itself,” Gregory states. “I started this forum as a way to help new CISA candidates and to provide a platform for others to help these new candidates.” Gregory encourages newly-minted CISA holders to stay on the van and help others on their way.

The CISA Forum is open to all who possess the CISA certification or are interested in attaining it.


The CISA certification is owned and managed by the Information Systems Audit and Control Association. ISACA does not endorse or sponsor the CISA Forum. Read more about the CISA certification here.

About ISACA. With more than 65,000 members in more than 140 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 55,000 professionals since 1978; the Certified Information Security Manager (CISM) designation, earned by 7,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT (CGEIT) designation.

CISA is a registered trademark of ISACA.

Security+ Study Guides


There are several books in print that the Security+ candidate can use as a study aid for the Security+ exam.

CompTIA Security+ Study Guide: Exam SY0-101 by Mike Pastore and Emmett Dulaney

The Ultimate Security+ Certification Exam Cram 2 Study Kit (Exam SYO-101) (Exam Cram 2) by Que Certification

Security+ Certification All-in-One Exam Guide by Gregory White

Security+ Guide to Networking Security Fundamentals, Second Edition by Mark Ciampa

Security+ Study Guide by Ido Dubrawsky, Jeremy Faircloth, Michael Gregg, and Eli Faskha

Security+ Certification for Dummies by Lawrence H. Miller and Peter H. Gregory

Security Administrator Street Smarts: A Real World Guide to CompTIA Security+ Skills by Michael Gregg and David Miller

CISM exam study guides

There are a few books in print that the CISM (Certified Information Security Manager) candidate can use as a study aid for the CISM exam.

CISM All-In-One Exam Guide by Peter H Gregory

CISM Review Manual 2007, 15th Ed by ISACA

The CISM Prep Guide: Mastering the Five Domains of Information Security Management by Ronald L. Krutz and Russell Dean Vines

Complete Guide to CISM Certification by Thomas R. Peltier and Justin Peltier

CISA exam study guides

There are now several books in print that the CISA (Certified Information Systems Auditor) candidate can use as a study aid for the CISA exam.

CISA Certified Information Systems Auditor All-In-One Study Guide, 3rd ed

CISA: Certified Information Systems Auditor Study Guide, 2nd edition by David Cannon

CISA: Certified Information Systems Auditor Study Guide by David L. Cannon, Timothy S. Bergmann, and Brady Pamplin

CISA Exam Cram 2: Certified Information Systems Auditor by Allen Keele and Keith Mortier

CISA Exam Prep: Certified Information Systems Auditor (ACM Press) by Michael Gregg

IT AUDIT: A Practical Guide To the CISA Exam by Trony Clifton
