Why I Don’t Like CRISC

Recently, ISACA announced the CRISC certification.  There are many reasons I don’t like this, but to avoid ranting and in the interest of getting to the point, I’ll start with the main reason I’m uneasy about the CRISC certification:

We’re not mature enough for a certification in risk management.

Don’t believe me?  Good for you, I like critical thinkers.  So let me offer up a little challenge in using ISACA’s own religion as my proof.

ALEX’S CRISC CHALLENGE TO ISACA
I challenge you to show me, in valid scale and using publicly available models, the impact of COBIT adoption on an organization’s exposure to risk.

If you can do that, then I’m all for certifying that someone can “get” risk management and that a certification might actually mean something.  But until you can,  I can’t for the life of me figure out what you are actually certifying and why having the letters “C, R, I, S, & C” together in someone’s title actually means I should value their certification – more or less how this certification would actually end up in having someone “see, risk”.

Note:

  1. Answers of “some things can’t be measured” will be considered to prove the point.
  2. Answers of “COBIT is governance, not risk management” will also be considered evidence that proves the point.
  3. Jack Jones & disciples, Russell Cameron Thomas – I believe you could give it a go.  In the interest of not wasting your time or exposing your IP, I hereby disqualify you from this challenge for being too dang cool.

At some point later in the week, I’ll post more on CRISC and I’ll also include alternate, more useful strategies for the CISO than sending people to CRISC school.

15 Responses to “Why I Don’t Like CRISC”


  • My best argument for the certification is that I could become a CRISC Officer. And then I’d be great for making pie crusts.

  • shrdlu – best comment all day. Just remember to pay your dues and attend enough vendor lunches for your CPEs. Otherwise you’ll forget how to bake and won’t be flaky anymore…

    couldn’t resist.

  • Somebody needs to call ISACA and ask if they have a non-hydrogenated certification available.

  • Patrick Bryant, CISSP, CISA

    I have yet to meet anyone (besides in the mirror..) who is working in the IT Audit or Information Security space who has read an entire book on risk management.

    There are other industries with much more mature risk management processes and knowledge. I learned what I know in the aviation industry, where human factors (usually pilot error) are the primary causative factors in losses and accidents. With very few rare exceptions (such as the recent incident where Captain “Sully” Sullenberger was at the helm), nearly all accidents in aviation are due to “cumulative act effect” (an error chain). But just start talking about human factors such as “normalization of deviance” (as in the Space Shuttle Challenger disaster) – or any of the many forms of cognitive bias with your average IT type – and watch for the blank stares of complete incomprehension.

    I would value more someone who took the initiative to acquire cross-over knowledge from another industry like aerospace or medical diagnostics.

    My advice: do some original research, write a good white paper on the applicability to IT practices of risk management concepts from another more mature and risk averse industry — and then present THAT to your next potential employer — instead of a cert from an immature industry such as IT.

    • Hi Patrick
      Thank you for your precise feedback which I do fully support. However I would like to add some points for the sake of IT and IT Security people out there.
      I was able (fortunately or unfortunately depending on the view) to study Crisis and Disaster Management which gave a broad theoretical knowledge combined with practical experience over different branches, concepts and approaches to deal with Risk Management, BCM and DR. In addition I have been in IT and IT security, hands-on as well as strategic, for 20 years now.
      You are right that approaches in the IT field were somehow stuporous in the past and IT could learn a lot from different branches like aerospace and apply risk concepts like Reason’s Swiss Cheese model.
      However there are two points where I deem any existing certification in approaching IT Risks crucial and I am not sure if a CRISC will focus on that:
      - Awareness: It's (nearly) all about people and people's awareness. If management in a company is not aware of their risks (and this is what I find quite too often) then the CRISC consultant needs to make them aware, which is a painful process since a lot in management prefer to just close their eyes and pretend the risk is not there or negligible. So, the CRISC consultant would need, in addition to skills, the social ability to nearly support as a psychologist.
      - Risk estimation: As we know risk is the product from likelihood, damage and human factor (=1 if not present). I have not seen (maybe you did) any IT department where a) either historical incident data was appropriately collected and analyzed in order to establish likelihood and/or b) damage resulting in a component/process outage from i.e. hacker attack or virus outbreak was calculated without more or less guessing the figures. However there is often a lack in understanding between IT and other business departments which does not benefit a common exchange of information in order to establish a BIA. This then goes back to what I said in awareness where the CRISC consultant has to act as facilitator.
      Overall I deem any professional approach (i.e. certification) which can bring proper skills/tools and proper people together in order to develop less risky IT and business environments a step in the right direction. But for now I will follow your advice and think about the release of a good white paper :-)
      Hope not too much got lost in translation.
      Kind regards from Germany.
      Peter

  • David Casey, CISSP/CISM

    I have no idea what this certification provides other than an extended signature line. I've read the mailing, and the first thing that comes to mind is a $$$ generator for ISACA. No one in my organization would see any value in such an obscure certification. Add to that the ability to grandfather into it, and it has even less meaning. I predict that a bunch of glorified account admins will apply under the grandfather clause and be accepted, then think they are security professionals.

    Just interviewed two people for a Sr. Security Analyst on my team. One has a CISSP and CISM but could not properly describe the simple difference between a stateful inspection and packet filtering firewall, didn't understand how NIDS were connected to a network, and could not explain the basic TCP/IP handshake sequence. The other candidate had security auditing background, was ISO certified in Info System Security, yet knew nothing about anti-virus heuristic scans, none of the above items, and had never touched a firewall, IDS, or network switch.

    Hands-on experience is the only true qualifier. Certifications are pretty tho… Looks great on a resume and business card.

  • Hi David,

    You seem to assume that Technical skills are the end-all, be-all of a security person. Perhaps they are for the role you’re hiring, but don’t confuse “Technical Security” or “IT Security Operations” with “Information Security,” which is a field that predates computing, period, much less any of the technologies you’re interested in.

    It sounds to me like you’re just irritated that you interviewed two non-technical people for a technical role. Was that a failure of your job description or the screening process?

    For example, I’ve never touched a network switch. I dare you to argue that makes me Not A Security Person.

    And, yes, there are way too many unqualified security people (technical or otherwise) out there, but don’t confuse lack of specific technical skills with “knows nothing about security.” I find that there are invariably many more unqualified than qualified people for pretty much any job I’ve ever hired for–security, development, operations, or even retail.

    • I agree with Chandler. I am working as Manager Information Security and all I am concerned with is how to make my environment compliant to the norms. We as information security professionals need to know that in order to achieve X, Y needs to be done. How it needs to be done can be done by the technical guy (actual implementation).
      These certifications definitely add value. Not a must have but good to have.

  • I was considering CRISC, maybe it could turn out to be a bit helpful in Risk management. Maybe after a few upgrades to the current scope.

  • @ David Casey…
    David I think you are being overly critical. First and foremost; Information Security is not a firewall, IDS or antivirus; but rather a set of processes (policies) and tools (standards, guidelines, procedures etc.) layered to create a security foundation and framework. I am really surprised to hear your comments about the CRISC, “Add to that the ability to grandfather into it, gives it even less meaning.”

    Are you aware in 2002/2003 the CISM (first released) was initially offered through a grandfathering program? Per your name tag, it appears you hold the CISM???

    A grandfathering program is standard operating procedure for ISACA and other organizations. Also, I think your assessment of your candidates was unfair (This based on your description.). The CISSP is not a technical certification, although it touches on technical subject matter. You would have an argument if you stated a candidate came in and interviewed for a firewall admin position and holds a CCSE, CCSP, CCIE Security or JNICS-FW and could not explain the difference between a SPI firewall and a proxy filter.

    Education is just as important as hands-on experience. The two together make for a trained, experienced and well rounded candidate.

  • I can remember when the CISSP and CEH certs brought gales of laughter from practicing professionals. The fact of the matter is that the creation of a certification standard frequently offers a starting point for establishing formal criteria for the subject matter. It is always immature at the start and frequently becomes pompous in maturity, but that is the way it is. While the CRISC focuses on information risk, I agree that there are much more mature industry risk frameworks; aerospace, for example, should be drawn on as a practice and knowledge source. At the end of the day, experience rules; certification can provide acknowledgement of that experience and a minimal means of vetting an individual's potential.

  • Let's be PROACTIVE instead of critical. I would love to hear about what CAN be a better job practice and skill set that is needed. I am working on both the commercial and Department of Defense side and develop programs for training and coaching the skills from MBA to IT Audit and all of technical security for our Certification of Information Assurance Workforce, and conduct all the CISM/CISA training and review courses for ISACA in both commercial and military environments. I have worked on Risk Management for years at ERM as well as IT Security/Risk, and a common theme in all of this is RISK MANAGEMENT. When I discuss the Value of IT with MBA students, or discuss CMMI with MIS students or development houses, or discuss why ITIL/COBIT, or otherwise discuss with business managers what will keep them from reaching their goals and objectives, it is ALL risk management put into a different taxonomy that that particular audience can understand.

    I have not been impressed with the current Risk Management certifications that are available. I did participate in the job task analysis of ISACA (which is a VERY positive thing about how ISACA keeps their certifications more aligned to practice). It is also not perfect, but I think it is a start. If we contribute instead of just complain, it can get better, or we can create something better. What can be better?

    So Alex, I welcome a personal dialog with you or others on what and how we can do it better. I can host a web conference and invite all who want to participate (up to 100 attendee capacity).

    best regards,
    Phillip

  • >>I challenge you to show me, in valid scale and using publicly available models, the impact of COBIT adoption on an organization’s exposure to risk.<<

    COBIT allows one to segregate what is called IT into analysable parts.
    Different risk models apply to those parts, e.g. Information Security, Architecture, Project Management. In certain areas the risk models are more mature (Infosec / Project Management) and in certain ones they are not (software distribution). That is for the risk modelling part.

    For risk identification and KRIs, an internal control framework which is based on COBIT allows an adequate and comprehensive net of indicators for risk assessment based on operational performance.

    If you think that "some things can't be measured" will prove your thesis, you don't know Risk Management at all. There is no mathematical voodoo to model a risk exposure which is 100% correct. You have to keep the purpose in mind and also use professional judgment based on your experience (which CRISC, by the way, tries to attest to).

    You fight against an attestation which takes into full consideration your own challenge. Namely, that Risk Management in IT is currently getting mature and the according professional judgment is proven by experience. Needless to say, the way it is being done in IT further enables IT to reach the next level of maturity. And in doing so, in turn, further develops the requirements of a CRISC certification.

  • Oliver. You’ve completely missed it and have no idea what my point was. My response is here –

    http://newschoolsecurity.com/2010/07/isaca-crisc-a-faith-based-initiative-or-i-didnt-expect-the-spanish-inquisition/

  • To David Casey,
    It appears that not all CISSP or CISM holders are alike. I also hold both certifications (and more) and I don't agree with your comment. I certainly don't think it was right for you to criticize those candidates. They could have been great candidates but perhaps they were interviewed by the wrong person for the wrong job. I too don't remember how the TCP/IP handshake works but who cares as long as it connects.
