Auditors vs. Managers:
Finding Common Ground with CISA and CISM Certs
If the CISA (Certified Information Systems Auditor) certification is for InfoSec auditors who provide assurance over information security controls, and the CISM (Certified Information Security Manager) certification is for cybersecurity managers, what do we make of the rare breed of practitioners who earn both certifications? Are they on to something special? CISA certification holders who also earn a CISM understand the benefit of adding another lens to the way they see the world of information security. Let’s explore three reasons why CISAs should strongly consider earning the CISM certification.
Career Advancement
Career advancement is one of the most common reasons to gain any certification, since certifications help you meet the hiring requirements to be considered for new positions. Both the CISA and CISM convey to hiring managers that you have validated your knowledge and experience.
Initially earning your CISA demonstrates your commitment to the field, shows you can apply your knowledge across the difficult and broad range of content required for IT auditing, and shows you have the capacity to bring value to your organization by assessing the effectiveness of its internal controls. But there’s still room for growth.
Because IT auditing is often a gateway into other focus areas, such as threat intelligence or risk management, many audit practitioners look to transition at some point in their careers. After all, there is a thin line between assessing a program and evaluating its overall potential risk, and developing and implementing the program itself. Adding the CISM certification to your list of credentials can provide a means for that transition. This is particularly true for anyone looking to secure a role within the government, due to the certification requirements of Department of Defense Directive 8570 (DoDD 8570) and the more recent DoDD 8140, or of similar directives within other departments and agencies.
Deep Understanding of Risk
To minimize risk, we diversify our portfolios; the same holds true here. A professional who holds both a CISA and a CISM has the unique ability to design, manage, and oversee an information security program in the context of their organization’s risk, with a much wider scope and an alternative perspective. While the ability to identify and measure risks is important, the ability to create and implement a set of actionable security controls in the context of the greater business impact of those vulnerabilities is invaluable. This is even more critical given the importance and business practicality of developing an information security program around managing risk to an acceptable level.
A well-rounded manager can approach protecting an organization using the CISA’s ability to identify critical issues and evaluate controls, while using the CISM’s ability to design and manage the systems and technology that mitigate the risk. Adding the CISM mindset to the CISA skill set provides the additional insight to understand what you’re auditing and how that information shapes your approach to identifying potential pitfalls.
Communication - Upstream and Downstream
Practitioners who hold both certifications understand the importance of assessing risk, but can also look at that risk with a deeper understanding of the impact of the underlying vulnerabilities. They can then communicate that risk up to senior management, laterally across departments, and down to their direct reports. These dual certification holders have shifted their mindset to include both perspectives. This greater understanding teaches the security professional how to better communicate risk, regardless of their role, and gives them insight into their peers’ concerns and decision drivers. Additionally, this unique blend of technical knowledge and experience, a strong understanding of risk management, and strong communication skills is one of the most in-demand talent profiles right now. Being able to draw on this knowledge, along with experience from time in the trenches, allows you to communicate on your colleagues’ level and bridge the gap across the leadership of the organization.
Should I Earn Both?
So does earning both your CISA and CISM certifications make you a better auditor? Yes. Does earning both credentials afford you more opportunity to transition into a sought-after security position? Yes. Not only does it open up your career opportunities and chances of advancement, but the knowledge and perspective gained from each certification give you the ability to take a holistic approach to assessing risk, along with the ability to effectively communicate identified risks up and down your organization.
Keep in mind that this transfer of knowledge and skills is bilateral. Current CISMs can also benefit from the perspective of the CISA certification.
If you are ready to demonstrate your commitment to information security management by pursuing the CISM certification, CyberVista would love to partner with you on that journey.