New security certification launched

With an increased focus on security throughout the industry, there is a move to add a designation specific to security managers.

The Rolling Meadows, Ill.-based, Information Systems Audit and Control Association (ISACA) recently introduced a Certified Information Security Manager (CISM) designation.

The CISM designation is aimed at “security professionals who may want some recognition for the years of knowledge and experience that they have built up as security managers” said Robert Coles, a London-based partner with KPMG.

“It will help these individuals in the job market by giving them an edge on the potential competition, and it will help employers, many of whom are senior business managers in other unrelated fields, select the right candidates,” Coles said.

It can also help potential customers understand the value of the service they are purchasing, said Bill O’Brien, the associate director of corporate security systems with Bell Canada in Ottawa. “When they buy your expertise, they have nothing to measure you by,” he said. The CISM designation may help address that, he added.

Companies can often fork out millions of dollars for security solutions, with little ability to assess core competencies of those they are hiring.

Coles agreed that this could be a problem. “The dot-com boom fuelled a large increase in the number of people that claimed that they were security professionals…but who did not have the breadth or depth of knowledge to undertake a security (management) role.”

In fact, a perusal through the bios of many corporate chief security officers (CSO), the ideal CISM candidate, according to New York-based Ernst & Young partner Marios Damianides, shows a huge array of educational experience and backgrounds. Many of today’s CSOs have worked up through the corporate ranks, so the company knows exactly what level of experience it is hiring for the position. But with Canadian companies looking to hire CSOs, the advent of a professional designation specific to the management side of security should help streamline the hiring process for those companies looking to go outside the corporate ranks to fill the position.

The CISM exam will be offered starting in 2003. Applicants will have to adhere to a code of ethics and submit verified evidence of at least five years of information security work experience, with at least three of those years in management, according to ISACA.

There will also be a grandfather clause allowing those with a minimum of eight years in information security and five years in management to get the CISM designation without taking the exam. Applicants for the grandfather clause must be certified by the end of 2003.

O’Brien may contemplate getting certified but he doesn’t see too much of an advantage in it.

“It isn’t an add-on for me, let me be clear about that. There is not much that they are ever going to teach me in that designation,” he said. In fact, as a Bell employee, O’Brien has constant access to education. Right now he is getting certified in cellular technology code division multiple access (CDMA). O’Brien said he wants the certification, not because he is going to work in it, rather because he has to understand it in order to properly secure it.

He also said that as an employee of Bell there is not necessarily an advantage of getting CISM certified for the customer’s sake. “Most people in the industry know exactly what we are good at,” he said.

Other than helping companies fill the CSO position, Coles does see other advantages to having a CISM designation.

It will help to define the security profession overall, he said. However, by providing a structure to assess skill and knowledge of security managers, providing educational resources and a code of professional ethics, CISM can speed up the maturing of what is still a very young profession, he said.