Twenty Ways Information Security Has Changed for the Better in the Past 20 Years

Author: ISACA Now
Date Published: 26 April 2022

Editor’s note: ISACA’s Certified Information Security Manager (CISM) certification is now in its 20th year, with more than 65,000 people earning the globally respected credential during that time. To mark the anniversary, we spoke with 20 CISM-holders to collect their commentary on what has changed for the better in infosec since CISM came on the scene in 2002. Tomorrow, part two of this series will feature perspectives on what has become more challenging for infosec managers. See an infographic highlighting the past 20 years in information security here, and find out more about the CISM credential, including the exam updates coming on 1 June, here.

“In my experience working in tech, I feel the landscape of an information security manager has changed positively. Over the past 20 years, there has been a significant increase in focus on data protection, which has led companies to be less hesitant in making investments in security programs. While 20 years ago it would have been a challenge for an information security manager to secure a budget, security has now become a top priority in board discussions.” – Gary Carrera, MBA, CISA, CISM, CDPSE, HITRUST CCSFP, ISO27001 Internal Auditor, Manager in the Global Data Protection Program at Meta

“Information security managers now have a seat at the table in most boardrooms and cybersecurity is largely viewed as an organizational issue, rather than simply an IT concern. Going back 10 or 20 years, it was not uncommon to see security driven by compliance, which often resulted in doing the minimum instead of proactively developing a robust program. Thankfully, that former mentality has shifted dramatically, though it unfortunately took catastrophic breaches to generate more support for security.” – Josh Hamit, CISM, CISSP, CCSP, CIE, Senior Vice President & CIO, Altra Federal Credit Union and member of ISACA Emerging Trends Working Group

“As an information security manager, I believe the guidance and resources to understand the alignment of business value and information technology strategy have helped to increase awareness of making a risk-based decision for reduced risk. This has also helped us understand the tools necessary to assist the business and its security professionals in building strategies such as secure development and zero trust architecture that integrate cybersecurity and risk management to help organizations protect against cyber adversaries.” – Marilyn Moux, MSc, CDPSE, CISA, CISM, CRISC, CISSP-ISSEP, CEH-CNDA, Manager, Technology Consultant, Cybersecurity

“Organizations have moved on from being either alarmist or complacent regarding security. Thus, we have moved to a more realistic understanding and response in security matters.” – Sandeep Godbole, CISM, CISA, CISSP, CGEIT, Information Security Professional and Author

“Companies freely performing personal information gathering, tracking, profiling and generating revenues from users was a lot easier 20 years ago. Not so much now with global rules and regulations like the GDPR protecting individuals’ rights to their personal data. Data privacy has now become something that information security professionals need to understand, as well as how closely tied information security is to data privacy. ISACA has been leading the way over the last 20 years, keeping up to date with the emerging risks, and creating new certifications to help information professionals keep up to date and grow their skills.” – Jason Lau, CGEIT, CRISC, CISM, CISA, CDPSE, CISSP, FIP, CIPP/E, CIPM, CIPT, CISO, Crypto.com

“Fifteen years ago, when people asked what I did and I said I worked in Information Security, they would look at me blankly: What does that mean? Now when I tell people what I do, they understand and, instead, look at me with general disinterest – but the budgets and wages are now much bigger – so there’s that.” – Raef Meeuwisse, CISM, CISA, Cybersecurity Author

“The wonderful support for women and minorities by organizations like One In Tech has enabled a far more diverse population in cybersecurity, and this has not only helped with our global talent shortage, but it has brought different ways of thinking that enable us to solve complex problems.” – Sushila Nair, CISA, CISM, CDPSE, CRISC, CCSK, CISSP, CCAK, Vice President, Security Services at NTT DATA Services and member of ISACA Emerging Trends Working Group

“Security tools and frameworks are progressing to help us mitigate the risks as much as possible: AI and machine learning (ML) have become critical technologies in information security, as they are able to quickly analyze millions of events and identify many different types of threats – from malware exploiting zero-day vulnerabilities to identifying risky behavior that might lead to a phishing attack. The old antivirus that has been our main weapon for the last 20 years is no longer sufficient to fight cutting-edge sophisticated attacks from the ever-present threats and malicious activities. AI and ML, by analyzing and correlating events, help to deal with the new sophisticated attacks. The leveraging of ML/AI on cloud threats is growing since the attackers are also using new tools at their disposal. AI is changing the game for cybersecurity, analyzing massive quantities of risk data to speed response times and assist under-resourced security operations.” – Symeon Gkrekas, CISM, CISA, Information Security Consultant

“Information security is no longer seen as some back-office technology function. Information security is seen as a differentiator in how organizations operate and demonstrate trust with their customers, stakeholders and community.” – Michael Podemski, CISA, CISM, CRISC, CDPSE, Senior Director - IT Audit

“With the explosion of digital transformation in the last decade came great risks and opportunities, which opened up the door for cybersecurity to play a major role in enabling the business in that space.” – Juman Doleh-Alomary, CISA, CISM, CRISC, CDPSE, ISO27001 Lead Auditor, Director of Cyber Security, Little Caesars Enterprises

“Twenty years ago, we had limited or no online collaboration platforms for meetings, conferences and social networking to help people interact with their families, friends and co-workers across the globe. Now we have several, and I can work with my team located in different geographical regions. We can share and utilize the knowledge across borders easily.” – Andrea Szeiler, CISA, CISM, CISSP, CEH, Global CISO Transcom/President WITSEC

“Identifying candidates for leadership roles based on demonstrated and verifiable work experience has become easier as the internet has matured.” – Dave Bowden, CISM, CDPSE, CIPM, CIPT, PMP, CSM, CISO and VP of IT, Frontdoor, Inc.

“The cybersecurity field is finally getting the attention it needs to evolve into an academic discipline and profession.” – Dr. Blake Curtis, Sc.D, CGEIT, CRISC, CISM, CISA, CISSP, CDPSE, COBIT, Cybersecurity Governance Adviser & Research Scientist

“The one thing that has changed for the better is the buy-in from senior management to security matters, due to the increase in cyberattacks globally and not wishing to fall victim.” – Simon Backwell, CISM, Information Security Manager

“The positive change for CISMs is that (finally!) cyber awareness was raised high enough to require the skills and expertise of a CISM across most organizations.” – Chris Moschovitis, CSX, CISM, CGEIT, CDPSE, CIPP

“There is increased awareness of the importance of information security culture as mature organizations globally become more digitized, which has led to improvements in areas such as software development, as shown for instance by the changes in the ranking of vulnerabilities in the OWASP Top 10 list of 2021. It can be seen as well that there is more representation of information security champions on the organization’s board of directors. All these translate to an increase in maturity of information security knowledge in organizations, which has helped facilitate securing senior management buy-in to drive the right process improvement and technology implementation.” – Goh Ser Yoong, CISA, CISM, CGEIT, CRISC, CDPSE, CISSP, MBA

“There seems to be a lot more awareness among the general public. Over the years, the public has begun to catch on to some of the things security professionals have been talking about for years. People are starting to understand some of the implications of not being protective of their information (not answering those silly Facebook questions), using multi-factor authentication, being alert to phishing, and more. Security is no longer a ‘foreign language’ to many, although I think we still have a long way to go.” – Karen Tulloh, PMP, CISSP, CISM, Senior Technical Cybersecurity Project Manager at AT&T

“The growth of the great content, especially the @ISACA publication, in the information security space provides practitioners in the field with real-world tips and tricks to help us succeed in our roles.” – Lisa R. Young, CISA, CISM, CISSP

“The overall buzz and interest in the discipline as well as an understanding of the importance of having a strong information security program in place. Most people you talk to understand how important protecting your company’s assets is and the potential for long-lasting impacts if you become compromised. Attackers are extremely smart and have evolved just as information security programs have, so it is critically important to continuously assess and review your controls to ensure they are incorporating the emerging threats.” – David E. Nickles, CISM, CGEIT, CRISC, CDPSE, Global FSI Security, Risk, Compliance, & Audit Program Manager

“Consumerization around security and the increasing rate of security incidents have shifted the paradigm in considering information security first and foremost as a business enabler.” – Ejona Preci, CISM, CRISC, ITIL, Information Security Risk Manager