Editor’s note: ISACA’s Certified Information Security Manager (CISM) certification is now in its 20th year, with more than 65,000 people earning the globally respected credential during that time. To mark the anniversary, we spoke with 20 CISM-holders to collect their commentary on the biggest challenges that have emerged in infosec since CISM came on the scene in 2002. This is part two of our CISM anniversary blog series; previously, we explored the progress that has been made over the past two decades. See an infographic highlighting the past 20 years in information security here, and find out more about the CISM credential, including updates to the exam upcoming on 1 June, here.
“We are in an era of almost an infinite number of platforms, technologies and tools. Racing to learn and adapt to the dynamic environment has become quite difficult. Simply vetoing a technology or solution is not an acceptable response. The expectation is to secure whatever is being developed or used.” – Sandeep Godbole, CISM, CISA, CISSP, CGEIT, Information Security Professional and Author
“Digital transformation has opened the doors to huge cyber risks such as ransomware, taking down massive companies. Many of these cases stem from phishing, and one of the worst issues in my opinion is how prevalent phishing has become as the method of attack for threat actors to get their foot in the door. The human element of security is the single biggest risk for many organizations, and many do not focus enough on this area, so it will remain one of the biggest challenges going forward.” – Jason Lau, CGEIT, CRISC, CISM, CISA, CDPSE, CISSP, FIP, CIPP/E, CIPM, CIPT, CISO, Crypto.com
“Simply speaking – remote work, data everywhere. Since March 2020 more companies have had to manage remote work than ever before. This has required a huge adjustment (and investment) that had companies scrambling to make sure they could protect their assets the best they could. With remote work, phones and laptops accompany their users wherever they go (home, traveling, beach, cars, etc.), not just the office. Many have moved to the cloud, which is good, but this, too, has its own challenges.” – Karen Tulloh, PMP, CISSP, CISM, Senior Technical Cybersecurity Project Manager at AT&T
“The certification and accreditation landscape has become overly localized. As someone who aims to work global security, I am thankful for the stable, global security certifications, but what I observe is that many organizations shoot themselves in the foot by going to a security market that has scarce and picky resources and asking for parochial credentials that no capable security professional would ever bother to obtain.” - Raef Meeuwisse, CISM, CISA, Cybersecurity Author
“The constant change with cybersecurity and data privacy regulations and the constant battle against sophisticated, relentless threats. Not only do we need skilled technical resources to secure our environments, but we also need to take a multidisciplinary approach to develop sophisticated information security solutions to demonstrate trust with our customers, stakeholders and community.” – Michael Podemski, CISA, CISM, CRISC, CDPSE, Senior Director - IT Audit
“The advancements in technology have brought up a large variety of sophisticated criminal schemes focused on data exfiltration. For information security managers, understanding the criminal activity, players involved, and the mechanisms used to monetize the exfiltration of confidential or sensitive data is an ongoing battle. There is also a higher risk of data breaches with the increasing number of unsecured cloud services available out there; not all cloud providers and/or cloud customers are mindful of following industry-standard best practices to protect their services and the data stored in them.” – Gary Carrera, MBA, CISA, CISM, CDPSE, HITRUST CCSFP ISO27001 Internal Auditor, Manager in the Global Data Protection Program at Meta
“Business-aligned, risk-based information security is critical to any size organization. The breadth of what now is included under the information security umbrella makes it hard to remain focused on what matters. Having a trusted source of peer networking and timely information from ISACA provides support for a clearer vision.” – Lisa R. Young, CISA, CISM, CISSP
“The increased demands of work affecting mental health and well-being. Global events and attacks increase the concerns of customers over their supply chain, which ultimately increases the workload of information security managers to alleviate these concerns. With the pandemic affecting how we work, this can lead to burnout from working longer hours and mental health issues, which has contributed to the large number of vacancies in recent months.” – Simon Backwell, CISM, Information Security Manager
“The newest entrance to the theater of warfare – cyberspace – has joined land, sea, air and space to become the fifth domain. Nation-state attacks have become the norm with the narrowest of gaps lying between criminals for hire and government funded activity. Fake news and manipulation have resulted in global political unrest and widespread belief in dangerous falsehoods. The decision of how to recognize the truth in a world where social media and digital communication allow us to rewrite the past and persuade us of an untrue present is perhaps the biggest danger that democracy faces today.” - Sushila Nair, CISA, CISM, CDPSE, CRISC, CCSK, CISSP, CCAK, Vice President, Security Services at NTT DATA Services and member of ISACA Emerging Trends Working Group
“As much as companies wish to onboard emerging technologies rapidly and effectively to gain more of a competitive advantage, there are potential security concerns that information security managers need to help their organizations navigate through due to operational complexity, visibility of data and processes controls. The balancing act has certainly grown much harder around maintaining the Confidentiality, Integrity and Availability (CIA) triage for information security managers with the emerging technology adoption trends.” – Goh Ser Yoong, CISA, CISM, CGEIT, CRISC, CDPSE, CISSP, MBA
“We’re still fighting the illusion that having a CISM equates to cyber SECURITY! It is actually the right step toward cyber resiliency, which most organizations like to interpret as ‘unhackable!’ Then, when faced with the inevitable cyberincident, they panic, blame, and fire their CISO! It’s become an insider’s joke: ‘CISO’s Life Expectancy = two years or first incident (whichever comes first!).’ - Chris Moschovitis CSX, CISM, CGEIT, CDPSE, CIPP
“It has become laborious to keep pace with what’s happening in information security, not to mention the upward trend in threats, vulnerabilities, compliance requirements and interconnected devices over the past 20 years. Perhaps now more than ever, relationships with trusted partners and peers, and learning and growing through others, is essential to aid information security managers in effectively protecting and enabling the business.” – Karey L. Barker, CISM
“Our inability to keep up with technological advancements and the lack of procedural knowledge (hands-on training) in both the certification and academic areas.” – Dr. Blake Curtis, Sc.D, CGEIT, CRISC, CISM, CISA, CISSP, CDPSE, COBIT, Cybersecurity Governance Adviser & Research Scientist
“Defending against cyberattacks that have advanced in their level of sophistication and scale of impact. Twenty years ago, the worst that might happen was typically a fast-spreading virus that was designed to cause some level of interruption. As attacks progressed, data exfiltration and cyber espionage became more prominent. Now we’re seeing the prevalence of ransomware, zero-day vulnerabilities, and supply-chain attacks that are extremely well resourced, difficult to detect and enormously disruptive.” – Josh Hamit, CISM, CISSP, CCSP, CIE, Senior Vice President & CIO, Altra Federal Credit Union and member of ISACA Emerging Trends Working Group
“There is a tendency to assume that outsourcing or cloudsourcing will dispense the board and C-Suite from their responsibility.” – Michael Lambert, CISA, CISM, CGEIT, CRISC, CDPSE, Director of Consulting Services at In Fidem, member of Atos group
“The quantity of risks, issues and threats has increased dramatically in 20 years. Keeping up with everything is a larger challenge and involves a deeper understanding of systems, infrastructure and software so protective decisions can be prioritized and made more effectively.” – Dave Bowden, CISM, CDPSE, CIPM, CIPT, PMP, CSM, CISO and VP of IT, Frontdoor, Inc.
“Twenty years ago, it was hard to work from home; now we are utilizing it more and more, which makes companies more vulnerable to attacks via their endpoints and employees. The new-age CISMs should rethink and reshape their protections, introduce zero trust, and so on. Most companies are not yet in position to protect themselves against such risks.” – Andrea Szeiler, CISA, CISM, CISSP, CEH, Global CISO Transcom/President WITSEC
“Locating and developing professionals with the skills to provide coverage for all the requirements of an effective information security program. The demand for talent has exponentially grown at a faster rate than the available talent pool. We have seen cybersecurity programs emerge as undergraduate disciplines, but the whole information security community must collaborate to continue building talent pools aligned to the various information security activities. We need to do a better job providing on-the-job training as well that provides experienced professionals the opportunity to transition seamlessly into information security-focused roles when they have those passions. The effort to grow our professional community requires all hands on deck!” – David E. Nickles, CISM, CGEIT, CRISC, CDPSE, Global FSI Security, Risk, Compliance, & Audit Program Manager
“The difficult part is to cope with evolving information security threats and striking a balance between exploiting emerging technologies and keeping the associated risks within acceptable limits.” – Ravikumar Ramachandran, CISA, CISM, CGEIT, CRISC, CDPSE, OCP-Oracle Cloud Architect, CISSP-ISSAP, SSCP, CAP, PMP, CIA, CRMA, CFE, FCMA, CIMA-Dip.MA, CFA, CEH, ECSA, CHFI, MS (Fin), MBA (IT), COBIT-5 Implementer, Certified COBIT Assessor, ITIL 4 -Managing Professional, Vice President| Senior Auditor-II, BNY Mellon, Chennai, India
What has become more difficult is twofold: one being the lack of baking in security into utilizing cloud and IoT devices and procedures – this usually leads to headaches in patch management, maintenance and management. Second is the inability of people to obtain cybersecurity roles. There are so many people who are eager to support cybersecurity but may not have a lot of experience. Cybersecurity needs those people who have the passion and drive.” – Cory Missimore, CISM, CDPSE, CIPP, CISSP, Sr. Manager Technology Advisory, Avanade. Inc.