Can anyone recommend a better certification for someone looking to be certified in Risk Management?

Thanks

I jumped at the opportunity for the CRISC cert. I am a CISSP, CISM and have several networking certs. I learned risk management from the banking industry (FFIEC). I am technical and I work in mixed DOD/commercial environments.

Unlike CISM which is almost purely management CRISC is geared towared design and implementation. Which is a cert we needed, hell I practically begged for it. So much money is wasted on addressing the wrong infosec risks it makes me sick.

Unlike mature fields that have a depth of data to draw from InfoSec is problematic due to the advent of more mature IT programs, but by using comparative analysis and WAGs it is at least possible to identify higher priority assets. This understanding in and of itself justifies the emergence of the CRISC program.

Before there was IT there was InfoSec, and in the commercial world the CRISC helps to identify the controls necessary for good operational security. Of course it helps if the CRISC practitioner has practical experience (and my application was a pain to fill out), and in fact experience is a requirement, but I find that it is much more important at this stage of our collective maturity level to know what to do, how to do it then becomes a task instead of a mission.

I can’t tell you the number of times some IT manager wanted the firewall, AV and IDS configured as if those three controls were all that mattered. (And I am a former IT manager and can do all that) Seriously, most IT manager have never even heard of an information security risk assessment. (And what the hell is IT doing being responsible for infosec risk anyway?)

My 2cents.

An earlier comment made here now paraphrased: new certs are “a start” and better-refined in their body of knowledge 3 to 5 years after their creation.

THEREFORE, I feel that ISACA should change its grandfathering provision to allow the candidate to only keep it for 3 years and then they HAVE TO take the exam to keep it. Only thereafter the CPE rule would apply. Might cut into residual revenue for the credentialing organization – but that’s all the more incentive to develop its BOK and get industry buy-in and not waste time with things that are flashy but hollow.

Next, on the cert .vs. hands-on issue, in the world of corporate types, there are specialists and generalists. Author Geoffrey Moore observes that IT is a “competence” culture where specialists thrive because at the end of the day the person who knows the most technically, hits the most balls over the fence, and works the longest hours, gets to be the boss.

Generalists don’t think that way which is why they’re needed as supervisors over the teckies to keep things from turning into sweat-shop.

Corporate cultures that allow staff to make hire decisions rather than unit managers will have a problem with diversity. They’ll also give lip-service to being a “learning organization” but ultimately will hire for skill in the moment rather than overall talent. The Gallup Organization has written multiple books on this issue in the last 10 years.

It’s a waste of time for mid-career professionals as job candidates, who have a credential but only “related experience” in the new field they seek to enter, to interview with a specialist in a “competence” culture. If that’s the deal-breaker, then AVOID these organizations as their overall corporate culture is likely ad-hoc rather than managed.

Best Wishes,
Frank

I think you’ll find my “vehemence” for CRISC is directly proportional to my love of Information Risk Management.

As for your comments about ISACA, again, I urge you to address your concerns to ISACA, they are after all the ones best placed to answer you. Also, refer to the ITGI (established in 1998), affiliated to ISACA, as one of the numerous ways that ISACA encourages debate and innovates. Getting the facts will then prevent a whole lot of conjecture.

When you said “I’m sure that if you contact ISACA directly, more specifically the CRISC working group, they would be more than happy to entertain your concerns and questions.”

I think you missed the whole point of the article. The point is that the industry, in how we understand and express risk, isn’t ready to have certifications and standardization on anything.

So ISACA is driving us to premature standardization, and the lessons we have from bureaucratic theory states that regardless of how useless the policy, it will be difficult to change. Hooray! Nothing like stifling innovation for the sake of revenue.

“organisations that added value, had good standing, encouraged innovation and debate, that where not stagnant and required on going learning.”

What part of the past 10 years has ISACA been innovative or encouraged debate?

Finally, the irony of your quote is lost on you? CRISC is, if nothing else, a “blind alley”.

As for not liking, or liking a particular accreditation, it’s a call we all have to make, and one which we are entitled to, i.e. there are MBA’s and there are MBA’s. Same can be said about most qualifications.

My personal decision was to look for affiliation with organisations that added value, had good standing, encouraged innovation and debate, that where not stagnant and required on going learning. This filled my own personal needs. Others may be different as you are by expanding your knowledge and seeking answers via this conversation and other social media. It’s all good.

I leave you with this quote “Be an opener of doors for such as come after thee, and do not try to make the universe a blind alley”. ~Ralph Waldo Emerson