Is the CISM Worth It?
In any job and any career field, there comes a point in most people's careers when they choose whether they're going to stay on the technical side of the house or move over into a managerial position. It's something you see a lot in Information Technology/Information Security (IT/IS) jobs. Of course, there's a lot to be said for spending 30 years becoming an excellent technical mind and becoming familiar with hundreds of different tools, utilities and technologies. But some people have a different aptitude – not for specific configs or administrative tasks, but for managing operations and maintaining oversight.
The Certified Information Security Manager, or CISM, certification from ISACA is the ideal tool for an IT professional who wants to move their career in a managerial direction – especially data security professionals. A professional certification in IT/IS management like the CISM doesn't just help you understand IT operations more completely, certifications like CISM make you a much more attractive candidate in job searches.
What is the CISM?
The Certified Information Security Manager, or CISM, is a premier, specialized certification from ISACA. ISACA used to stand for Information Systems Audit and Control Association, but they rebranded to just ISACA in response to how much more complex and in-depth not only the IT/IS industry has become, but how much more ISACA covers. Now, they certify information security professionals at all levels of expertise and in many different specialties.
As you might guess from its name, the CISM is an industry certification earned by IT professionals who are focusing their careers on managerial positions in information security. Unlike technically focused certifications, the CISM isn't about hands-on skills – it's focused on managerial knowledge and on knowing how to coordinate and orchestrate information security operations.
The CISM is vendor-agnostic and primarily focused on four concepts in information security management: governing an information security function, managing information risk, developing and managing an information security program, and responding to and handling information security incidents.
Earning the CISM certification requires passing only one exam which is just referred to as the CISM exam.
What Does the CISM Exam Test?
The CISM exam is a challenging, 4-hour exam that has four primary work-related domains:
Domain 1: Information Security Governance
Domain 2: Information Risk Management
Domain 3: Information Security Program Development & Management
Domain 4: Information Security Incident Management
Note that the words "management" or "governance" are present in each of those four domains. What that means is that the CISM exam isn't interested in your technical ability or knowledge of cybersecurity technology configurations. The CISM exam tests if you can identify legal requirements and business needs for a security program and then document compliance, monitor program metrics, and propose appropriate adjustments.
How Much Does the CISM Exam Cost?
The CISM exam costs either $575 for ISACA members, or $760 for nonmembers. If you want to become a member of ISACA before taking the exam, that costs you $135. So, if you're currently not a member of ISACA, you could take the CISM exam for $710 by just paying for a membership before you take the exam. Once you've earned the CISM, you'll have to pay $45 annual maintenance as well as earn 120 hours of continuing education over three years.
What Experience do You Need for the CISM?
The CISM is not an easy certification to earn – and not for the reason many IT certifications are challenging. Where other IT certifying exams demand a lot of highly technical and precise information about devices, hardware, and software, passing the CISM exam means proving you have a broad understanding of IT managerial roles and responsibilities (and the ability to do them).
You should have extensive experience in all four areas of the CISM exam before you take the exam. And because the CISM is vendor-agnostic and the questions on its exam aren't about any one technology or configuration, you'll want to take a CISM training course that shows you what the exam will be like.
Specifically, you should have at least five years of applicable experience in information security, including information security management work in governance, program development and management, incident management and risk management. Note that this experience is a requirement for being awarded the certification, not for sitting the exam: ISACA lets you take the exam first and submit the documented experience (which must fall within a defined window around the exam date, and for which limited waivers exist) when you apply for certification afterward. Documented, verifiable work experience is the only hard prerequisite beyond passing the exam.
Who Should Take the CISM?
The CISM is a good choice for IT professionals who want to move away from technical parts of their job and get started in managerial positions. It's also a good certification for experienced program managers who want to specialize their career in IT.
CISM for Security Engineers
Network security engineers should seriously consider earning the CISM. Although most security engineers are highly experienced technical experts in specific technologies, earning the CISM can open up a number of possibilities for your future.
First, as you advance in your career, you'll be more and more responsible for planning entire network security implementations. As that happens, knowing how to interface with less technically minded managers will help enormously. Also, you can develop and plan a better network when you can read the managerial documentation companies use.
Second, experienced security engineers make excellent security managers because they bring a level of understanding and familiarity to a job that's normally about numbers and graphs. Earning the CISM opens up an entirely different set of career options and a new trajectory for your career.
CISM for Experienced Network Administrators
Whether or not a network administrator will directly benefit from the CISM depends a lot on their situation and where they want to take their career. If you find yourself struggling with or not enjoying the more technical parts of network administration and want to move toward a more abstracted, managerial position, your experience could help you a lot with that and the CISM would show you how to make it there.
But if you really excel at the technical parts of network administration and want to become more technically proficient, the CISM might not be worth it early in your career. Network administrators who want technical expertise should look to their network's primary vendor (i.e. Cisco, Juniper) or a trusted certification provider in the field (i.e. CompTIA, (ISC)2).
CISM for an IT/IS Security Manager
Undoubtedly yes – the CISM is definitely worth it for IT/IS security managers. There aren't many industry certifications that apply directly to information security managers in a vendor-agnostic way. Some technology vendors have programs that cover managing their hardware or software in an IS context, but the CISM is the best choice for managers of IT/IS teams and security teams.
The CISM isn't a technical certification, so it will only apply to security managers who are squarely in the project management and security governance world. For security managers who work in a technical capacity on a regular basis, the CISSP (Certified Information Systems Security Professional) certification from (ISC)2 might be a better choice before the CISM.
Is the CISM Worth It?
ISACA's CISM is a good certification for IT/IS professionals who work in the governance and managerial side of IT work. The CISM is definitely worth it for anyone who wants to advance their career in Information Security management. For IT/IS professionals who already have an excellent technical foundation and want to move in a managerial direction, the CISM is worth it. Keep in mind, however, that the CISM and its exam are vendor-agnostic – the CISM isn't about technical implementations or specific configurations – and usually requires a significant amount of preparation.
Using CISM to Learn Skills
The world of Information Technology/Information Security (IT/IS) changes so rapidly and so frequently that staying familiar with governance requirements and risk management policies can feel more like drowning. IT professionals who want to learn how to establish a program around information security governance and management can use the life preserver that is CISM and CISM training.
Because the CISM is about managerial knowledge and responsibilities, preparing for the CISM can help an IT/IS professional learn what actually goes into planning, managing and maintaining a good security infrastructure.
Last, because it's vendor-agnostic, preparing for the CISM means you'll learn information risk management methods and program management techniques that apply to networks of any size and any technology foundation. Taking CISM training and preparing for the CISM is a good way to see the whole picture of information security management while you learn how to test, review and revise the documents and infrastructure plans that meet a company's security needs.
Using CISM to Validate Skills
It's not just difficult for IT professionals to know with confidence that they understand information security management principles and techniques well enough to do their jobs – it's even harder for employers to know who does and who doesn't. The CISM validates skills in information security governance, program development and management, and incident and risk management. The CISM might just be the world's best tool for proving that you can step into a network's security operations and keep your head above water as you manage operations, expectations and technical limitations.