The ISACA Certified Information Security Manager (CISM) is a signature certification created by the reputable ISACA...
professional organization. Since its introduction in 2003, the CISM has evolved and is now ranked as one of the top five certifications in 2015 for information security professionals. ISACA -- founded in Los Angeles in 1969 and currently headquartered in Rolling Meadows, Illinois -- has 140,000 members and 208 chapters worldwide. ISACA has morphed from a focus on information security auditing to include Governance, Risk and Compliance (GRC) and, more recently, cybersecurity. Today, there are 24,000 CISM certification holders. In February 2014, ISACA introduced their Cybersecurity Nexus (CSX) program.
This tip takes a closer look at the ISACA Certified Information Security Manager certification, the value it provides career security professionals, how it compares with other certifications and what the CSX program offers.
What is the ISACA CISM?
The ISACA CISM is a certification intended for information security managers, aspiring managers or IT consultants who support information security program management. The first-ever exam was administered on June 14, 2003 at 95 locations in 47 countries. Applicants could submit a grandfather application before the end of 2003. Candidates had to submit evidence of eight years of information security work experience. Five of those eight years must have been in the role of information security manager, and must be verified by an immediate supervisor or someone else of higher rank in the organization.
It is not as technical of a certification as the Certified Information Systems Security Professional (CISSP) or other specialized SANS Institute certifications. CISM is comprised of four domains: Information Security Governance, Risk Management and Compliance, Security Program Development and Management, and Information Security Incident Management.
This common body of knowledge (CBK) is critical for the chief information security officer (CISO) and information security manager. CISM is a vendor-neutral, information security management examination.
Technical information security knowledge specializing in network security, encryption, operating systems, authentication, penetration studies, malware reverse engineering and other areas of expertise are left to SANS, EC-Council and others.
Value of the ISACA CISM
The CISM is of great value to the designation holder. It relays the message to enterprises hiring information security managers or CISOs that the holder has knowledge of risk, governance, incident response and the information security program. This is evidenced by its worldwide acceptance. For the first years after its introduction, some information security professionals could grandfather into the program.
Robert E. Stroud2014-2015 ISACA International President
In 2006, Microsoft included the CISM as an accepted security credential for the Security Solutions Competency in the Microsoft Partner Program. The U.S. Department of Defense (DoD) has the CISM approved as baseline certification for the DoD Information Assurance Management program. More recently, the Payment Card Industry began to require all Qualified Security Assessor candidates' résumés to include one of the following certifications: CISM, CISSP, CISA, GSNA, ISO 27001, IRCA, ISMS or CIA.
Because of the CISM's focus on business and risk management issues associated with information security, it continues to be a required -- if not desired -- certification for CISOs, directors and managers of information security.
CISM compared to other certifications
According to Ron Hale, chief knowledge officer for ISACA International, "The CISM does not compete with the CISSP or SANS courses. They are complementary."
The cybersecurity professional can be either very technical or a generalist. Managers can be technical, but they also need to understand the business. Today, we need cybersecurity professionals who can do both. The CISM -- coupled with technical designations -- accomplishes this need.
It's been said that the information security professional is a jack-of-all-trades and a master-of-none. An information security professional can be a jack-of-all-trades, but he also needs to be a master of at least one. The question is, which one?
The recent State of Cybersecurity: Implications for 2015, an ISACA and RSA survey taken by RSA conference attendees and holders of the CISM designation, reports 84% of the 900 respondents state that 50% of current candidates lack the skills for cybersecurity positions. It also reported that over 82% of respondents expect to experience a cyberattack in 2015.
ISACA introduced the Cybersecurity Nexus program in February 2014, starting with the CSX Fundamentals Certificate. "Over the past several years, ISACA has been developing several specialties. University to practitioners, career professionals need some assistance in the area of cybersecurity," Hale said. CSX, announced at the 2015 RSA conference, now offers four certification programs that will be available in 2015:
- CSX Fundamentals Certificate (CSX-F) provides education and verification of skills in cybersecurity for those with less than three years' experience -- currently available.
- CSX Practitioner (CSX-P) certification demonstrates your ability to serve as a first responder for those with 5 to 6 years of experience -- available in June 2015.
- CSX Specialists (CSX-S) offers you the opportunity to pursue a certification in a specialty area -- available Fall 2015.
- CSX Experts (CSX-E) establishes a master-level security professional capable of identifying, analyzing, responding to and mitigating the most complex cybersecurity incidents -- available Fall 2015.
ISACA has developed CSX for providing skills-based training and performance-based examinations designed to help build, test and showcase skills in critical areas of cybersecurity. Additionally, CSX conferences -- such as the North America CACS scheduled for October 2015 -- will offer more than 70 sessions on multiple cybersecurity topics.
"There is a growing need for valuable guidance, credentials, tools, networking and training for professionals in this fast-moving field. Cybersecurity is everybody's business, and it is necessary that we work together to close the skills gap and protect our enterprises," said Robert E. Stroud, the 2014-2015 ISACA international president.
Having a certification does not guarantee the holder is an expert in the area of information security it covers. That unfortunately holds true, as security managers have all seen those that have certifications are not always experts. But without the certification, the non-holder, who is an expert, may never have the opportunity to demonstrate his expertise. Certifications provide assurance that the holder has the foundation -- the CBK -- for the covered area; it opens doors.
ISACA is providing that foundation and is meeting the demand for information security professional training, certifications and skilled resources as reflected in recent cybersecurity surveys, such as the CSX State of Cybersecurity, RSA Cybersecurity Poverty Index and others. It will be interesting to see how the CSX program evolves, but given ISACA's track record, it is predictively impactful to the industry. Experience ultimately remains the best qualifier for CISOs and cybersecurity professionals, but CISM continues with wide acceptance for management and the CSX appears to fill that much-needed void in cybersecurity.
About the author:
Miguel (Mike) O. Villegas is vice president for K3DES LLC, a payment and technology-consulting firm. Mike has been a CISO for a large online retailer, partner for a "Big Four" consulting firm, VP of IT Risk Management, IT Audit Director for large commercial banks and owner of an information security professionals firm over a span of 30 years.
Find out more about the ISACA 2015 Global Cybersecurity Status Report
Learn more about ISACA's entry-level security training program and certification