How the CISM and CISSP Certifications Can Complement One Another

Author: Yunique Demann
Date Published: 3 October 2019

In 2003, I had just completed my MSc in Information Security. I was excited about my future career prospects as I believed I had obtained at least the minimum level of knowledge needed to enter the information security field.

I soon realized how wrong I was. As I embarked on my job search, I was frequently asked about the certifications I had. I had none. With the market becoming more and more competitive, it soon became apparent that to even be considered for a security role, I would need to obtain my CISSP.

In 2004, I started working as an assistant data protection officer. I did this for several years before I realized I wanted more hands-on, direct experience in the security world. At that point, I decided to get my CISSP.

As I started to look for my next role, I realized the market had become even more competitive. Recruitment agencies were not just asking for a CISSP, they wanted vendor-specific certifications, which I did not have.

I had been hearing about the CISA for a while, and I decided that with the audit experience I had, this certification would demonstrate my skillset in the IT audit field. I obtained my CISA. At the time, it felt like everyone else had the CISA, too. Among the security professionals I talked to, the CISSP and CISA were the two certifications most people had. At that point, with my MSc, my CISSP and my CISA, I thought I stood out from the crowd. Again, I was mistaken.

I knew early in my career that I wanted to focus on the Governance, Risk and Compliance space. So, I sought to obtain a certification that would show I had several years’ experience managing security programs. This is when I decided that the CISM was the best certification for me.

My manager at the time, who was a great supporter of mine and a huge advocate of ISACA certifications, gave me his support to pursue the CISM. He had just earned his certification the year before and felt that the knowledge it would give me would set me apart and demonstrate that I was at a more senior level than my previous certifications established.

I achieved my CISM in 2007. In the 10-plus years that followed, I have seen it grow in popularity. In a recent Forbes article, the CISM is listed as the second most sought-after cybersecurity certification after the CISSP, and I can see why. It is an advanced-level certification that demonstrates you have the knowledge to manage security programs while building on the foundational skills you achieve from the CISSP. CISM is a certification that I frequently recommend to my teams, especially after they have obtained the CISSP. The CISSP is broad enough to cover multiple domain areas in security, while the CISM is more focused and challenges you to think about how you successfully manage security programs.

To achieve the CISM you need five years of verified experience, with at least three years’ experience in a few of the job practice areas. Achieving the CISM is a great demonstration of knowledge, skill and career level, and I would recommend it to everyone who is looking to take the next step in his or her security career path.