January 9, 2011

Personal InfoSec Certification: Which 1st?

One of the questions I often see on the groups I am part of on LinkedIn, and a question I am also asked by fellow InfoSec professionals and auditors is “which certification is easier to pass, CISSP, CISM or CISA?”

BLUF (Bottom Line Up Front): It depends… on what your professional background and experience (or, in some cases, your lack of experience) are.

My background is technical. I provided support for a number of years to banking trading floors, not the open outcry trading pits of the commodities exchanges or the NYSE, but rather row upon row of traders with a phone in their hand bent over screens that constantly flicker as the commodities or stocks they follow change prices and their own “books” (records of the financial positions they hold) are updated to show current value.  In order to keep all of this running (downtime can quickly result in large losses) I had to become a jack of all trades in technology (voice, market data, personal computers and desktop workstations, servers of all types, mainframe communications, and multiple network media and protocols).  Much of my knowledge was picked up on the fly from rubbing shoulders with people, usually vendors or consultants, who specialized in each of these areas, interspersed with occasional whirlwind classroom training sessions.

As things got more complicated, more staff were needed to keep all of this running, and because of my breadth of knowledge I found myself “managing” the help desk for a large trading floor.  Due to an audit finding I was suddenly “promoted” to Information Security Officer and put in charge of rebuilding an InfoSec program that had been unmonitored for several years.  As a result I got a crash course in information security, which was an eye-opening experience.  Once the program was on track I turned over BAU (business as usual) operations to an unwilling associate (her words of “I don’t know anything about information security” were met with a “Steve will teach you” response from management) when the Continuity of Business expert was stricken with a sudden (and ultimately fatal) illness.  When management decided that we needed to have certified staff to show the regulators that we took InfoSec seriously, this experience combined with my technical knowledge gave me the necessary background to be able to pass the Certified Information Systems Security Professional (CISSP) exam.  Over a year prior to taking the exam I took a one-week (40-hour) CISSP exam prep course to help me focus on the elements the exam was likely to cover, but seeing as this was the first exam I had written in quite a few years, I was hesitant to take the exam.

As part of changes being put in place to meet greater demands from regulators and the marketplace, I became more involved in developing compliance monitoring processes and ultimately in helping to develop risk-based models for governance.  Moving away from a model of “OMG there’s a vulnerability, we have to fix it”, we began to focus on “what is the risk, what will it cost to fix it, should we fix it, and what are the compensating controls?”.  This is the essence of risk management, and this, along with a corporate focus on becoming partners with the businesses we supported and understanding and working to meet their requirements, gave me the basis of the knowledge I needed to pass the Certified Information Security Manager (CISM) exam.  Two months prior to taking the exam I took a one-week (40-hour) CISM exam prep course to help me focus on the elements the exam was likely to cover.

As a result of all this experience I qualified to be grandfathered into my CGEIT (Certified in the Governance of Enterprise Infrastructure Technology).  The grandfathering process didn’t require me to take an exam, but it did require that I provide ISACA with an essay on my significant experience across the various areas covered by the CGEIT knowledge base.

In December of 2009 I took my Certified Information Systems Auditor (CISA) exam. In preparation for this, starting two months before the exam, I took a 40-hour (5-weekend) course with my local ISACA chapter.  In addition to the course I called on my experience as an Information Security Officer, a role in which I had to detect, assess, report and provide guidance on remediating broken or ineffective processes and technology, then start all over once the remediation action was taken; in essence, auditing without calling it an audit.  Because of my experience it wasn’t difficult for me to master the material, although it did require me to stop and change my mindset somewhat to see all the questions from the point of view of an auditor.

While all of my experience in technology and InfoSec was a huge benefit in taking these exams, it was also a hindrance.  All of my experience was colored by the corporate environment in which I work, by our policies, our standards and our culture.  These were all things which the certifying body can’t take into account when scoring my answers.  The thing to remember when taking any of these exams is that no matter what you think the answer is, the only one that counts is what the certifying body says it is.  During my preparation for the CISA exam I was in a class with a number of seasoned and experienced auditors, some of whom had taken the exam previously but not achieved the passing score.  One told the story of how, when her company mandated that staff take training and attempt the exam, several interns still in college with no audit experience decided to study for and take the exam.  The result: a number of the experienced auditors failed, but the interns passed.  Why? Because the auditors’ answers were colored by their own experiences, while the interns’ answers were straight out of the material provided by ISACA, without the benefit of any practical, real-world experience.

So before you ask which certification is easiest, perhaps you should ask “which is most appropriate to my current or future role?”; chances are that is the certification that will be easiest for you.

  1. Useful article, no doubt. It’s a question of what you need vs. what is easier. CISSP is the IT Security standard that is required by DoD. If someone has at least 3 years of experience in the security field, the CISSP cert is choice number 1.

