Passing ISACA’s Certified Information Security Manager certification exam isn’t easy — even the author of the CISM test guide admits it.
“I thought I really had mastered that content. But I took the exam and just felt defeated at the end,” said Peter Gregory, author of CISM: Certified Information Security Manager Practice Exams published by McGraw-Hill. “Then, when I clicked to see the results and saw I passed — what a relief that was!”
The CISM certification is a worthy addition to the resume for anyone aspiring to work in security management or risk management, Gregory added, but they must be prepared to work for it.
Together with infosec pro Bobby Rogers and a fleet of copywriters and editors, Gregory wrote the certification guide to help test-takers fortify their knowledge and master the exam, which involves answering 150 multiple-choice questions in a four-hour window.
Here, Gregory offers advice on who should pursue CISM certification, common problem areas he sees among test-takers and why the CISM role is essential for companies’ risk assessment and analysis.
Who should consider taking the CISM test, and how will certification help them succeed in their career path?
Peter Gregory: The CISM certification is good for professionals who are decision-makers in infosec or aspire to have responsibilities in any of the core activities in the certification. This includes security management, risk management or building a business case to introduce new security technology or processes into an organization.
Overall, the certification is a demonstration that you have the knowledge and experience and that you’re serious about career growth in the field.
When should infosec pros choose CISM over other certifications?
Gregory: People ask me this question a lot. They say, ‘I have the CISSP. What should I get next?’ or ‘I have this cert. What should I get next?’ My answer is always this: ‘What do you want to be doing in five years or 10 years? What are your career goals? Don’t tell me you want to make more money — what is it you want to do? Do you want to continue being a technologist, or do you want to get into risk management or security management? Do you want to work with business leaders and make business decisions about cybersecurity?’
If the answer to the latter is yes, the CISM is a good certification to go for. It’s all about building a security program, building a risk management program, hiring staff and directing staff to do tasks with regards to security, architecture, security controls, security operations and so forth.
Which areas of the CISM exam do you see tripping up test-takers?
Gregory: Historically, security professionals grew out of IT professionals for the most part, and IT professionals tend to be pretty technology-centric. IT or security professionals who want to get into security management need to realize that their success has little to do with their technology acumen and a lot more to do with their understanding of business and business decisions — how businesses and business processes work and how middle and upper management make business, risk and cybersecurity decisions. All these things have nothing to do with technology and are some of the areas where good cybersecurity specialists can either succeed or fail in security management roles. It’s really based on their ability to communicate clearly with nontechnical people in a way that makes sense to them.
An excerpt of your book on SearchSecurity offers test questions from Chapter 3, ‘Information Risk Management,’ which covers policies, standards, requirements and reporting. What is your top advice in this area?
Gregory: Any technologist can write a policy statement that’s clear and succinct. However, knowing whether that policy statement is appropriate for the business — and whether the business will comply with it — is not as easy to discern.
A security professional who needs to develop or update security policies must be keenly aware of how upper management thinks about security and risk. They also have to be keenly aware of the ability and the willingness of the audience for a given policy to understand it and to be willing and able to comply it. They also have to be aware of any effort or costs related to the policies.
This is the soft skills side of security management that a lot of technology people may not appreciate or be aware of.
What surprises you about how companies today approach risk management?
Gregory: In the last six years, I’ve done deep dives into dozens of small and big companies and their security programs. By the numbers, most organizations do not practice any kind of formal risk management. They make decisions based on gut feel, based on what other companies are doing or based on some conversation they had with a vendor. They don’t make decisions based on any kind of a risk management process that would prioritize the risk and lead them to the right kind of decision about where to spend or where to apply resources. This is an important skill emphasized greatly in CISM: A good security leader needs to recognize that gap and fill it with a risk management process that will help the organization make better decisions about cybersecurity.
A typical conversation I might have would be talking to a security leader, security architect or someone in a company about their tooling — they’ll have firewalls, antimalware, an intrusion prevention system and a few other things. Then, they may have a tool — let’s say they have a DLP [data loss prevention] discovery tool, for example. I’ll ask, ‘Why did you buy that?’ and they’ll answer, ‘Well, you know, lots of organizations have DLP; we need to know what information might be out on our file shares.’ Then, I’ve asked, ‘Have you done any kind of risk assessment or risk analysis that led you to make that decision?’ They’ll often answer that a lot of companies have it, and they felt they had a gap and that they needed it, too.
The main reason a lot of organizations today buy tooling is either because other people are doing it or because they have a hunch, not based on actual risk analysis. Organizations either don’t know how to do risk analysis or risk assessment, or it just doesn’t occur to them that that’s even an activity that’s important to do.