Thats great for you. I work at a director level for a “major financial institution” with 17 analysts reporting to me.

A – There is no “there there” around the CRISC so Im not sure what you mean when you say it is applicable/appropriate.

B – As such, and given my current knowledge of the curriculum (admittedly sparse and due to change), a CRISC would not only NOT preoare you for a job in my team, but would probably inhibit your interview process by giving you a false sense of security.

Can anyone recommend a better certification for someone looking to be certified in Risk Management?

Thanks

I jumped at the opportunity for the CRISC cert. I am a CISSP, CISM and have several networking certs. I learned risk management from the banking industry (FFIEC). I am technical and I work in mixed DOD/commercial environments.

Unlike CISM which is almost purely management CRISC is geared towared design and implementation. Which is a cert we needed, hell I practically begged for it. So much money is wasted on addressing the wrong infosec risks it makes me sick.

Unlike mature fields that have a depth of data to draw from InfoSec is problematic due to the advent of more mature IT programs, but by using comparative analysis and WAGs it is at least possible to identify higher priority assets. This understanding in and of itself justifies the emergence of the CRISC program.

Before there was IT there was InfoSec, and in the commercial world the CRISC helps to identify the controls necessary for good operational security. Of course it helps if the CRISC practitioner has practical experience (and my application was a pain to fill out), and in fact experience is a requirement, but I find that it is much more important at this stage of our collective maturity level to know what to do, how to do it then becomes a task instead of a mission.

I can’t tell you the number of times some IT manager wanted the firewall, AV and IDS configured as if those three controls were all that mattered. (And I am a former IT manager and can do all that) Seriously, most IT manager have never even heard of an information security risk assessment. (And what the hell is IT doing being responsible for infosec risk anyway?)

My 2cents.

An earlier comment made here now paraphrased: new certs are “a start” and better-refined in their body of knowledge 3 to 5 years after their creation.

THEREFORE, I feel that ISACA should change its grandfathering provision to allow the candidate to only keep it for 3 years and then they HAVE TO take the exam to keep it. Only thereafter the CPE rule would apply. Might cut into residual revenue for the credentialing organization – but that’s all the more incentive to develop its BOK and get industry buy-in and not waste time with things that are flashy but hollow.

Next, on the cert .vs. hands-on issue, in the world of corporate types, there are specialists and generalists. Author Geoffrey Moore observes that IT is a “competence” culture where specialists thrive because at the end of the day the person who knows the most technically, hits the most balls over the fence, and works the longest hours, gets to be the boss.

Generalists don’t think that way which is why they’re needed as supervisors over the teckies to keep things from turning into sweat-shop.

Corporate cultures that allow staff to make hire decisions rather than unit managers will have a problem with diversity. They’ll also give lip-service to being a “learning organization” but ultimately will hire for skill in the moment rather than overall talent. The Gallup Organization has written multiple books on this issue in the last 10 years.

It’s a waste of time for mid-career professionals as job candidates, who have a credential but only “related experience” in the new field they seek to enter, to interview with a specialist in a “competence” culture. If that’s the deal-breaker, then AVOID these organizations as their overall corporate culture is likely ad-hoc rather than managed.

Best Wishes,
Frank

I think you’ll find my “vehemence” for CRISC is directly proportional to my love of Information Risk Management.

As for your comments about ISACA, again, I urge you to address your concerns to ISACA, they are after all the ones best placed to answer you. Also, refer to the ITGI (established in 1998), affiliated to ISACA, as one of the numerous ways that ISACA encourages debate and innovates. Getting the facts will then prevent a whole lot of conjecture.