For Chief Information Security Officer (CISO) which certification should I take?

I have a Management background and I am an IT lover (I don't know programming, though). I was an IT Auditor for almost 5 years, then I had more than 10 years in the Finance area, always using my knowledge as an IT Auditor. My last relevant work was 6 years ago, where I was a kind of Internal Auditor and I helped implementing a new software (Netsuite). I am trying now to go back to work as a Chief Information Security Officer (CISO) or IT Auditor, because this is the work that I really like.

As an IT Auditor, my chief and some colleagues took the CISA (as per the year 1996). For personal reasons, I never got the opportunity to do the same.

: At this point I question if I should take the CISA certification

: or if there is another better certification, for the position

CISO, which I am applying.

I am living in Holland, for some more months, and as per July 2016, I will go to Atlanta-GA-US. This CISO position will start here and later in Atlanta. If I don't get this job, I still want to work in Compliances in the US. Here in Holland I have the language barrier (my Dutch is not good enough, and English market is limited). In the US, language is not a problem

Thanks in advance for your help!

Find more posts tagged with

Comments

MariadfdCruz

This CISO position has a requirement of the Certification in CRCM. I don't think this certification is really the best for me. Or even for the job, because they need Risk Management Assessment, as well as internal audits Certified Regulatory Compliance Manager (CRCM)

TechGuru80

You should be getting your CISSP and or CISM...preferably both. The CISA won't do you as much good if you want to be a CISO because you can hire those people.

Do you know what compliance realm you want to do? PCI, HIPAA...there are several and they vary by industry. Not sure how challenging it will be if you haven't worked in those though.

MariadfdCruz

TechGuru80 wrote: »

You should be getting your CISSP and or CISM...preferably both. The CISA won't do you as much good if you want to be a CISO because you can hire those people.

Do you know what compliance realm you want to do? PCI, HIPAA...there are several and they vary by industry. Not sure how challenging it will be if you haven't worked in those though.

I just took a test "CCISO" that is a kind of Certification of CISO and it is very technical. The industry is Banking Software, so PCI, for example.
I have some knowledge, though it seems very few for this position.

Now, I don't know very well what to do. Maybe is better sticking as IT Auditor and learning more technical knowledge meanwhile.

TechGuru80

Being the most technical person won't get you the most bang for your buck. Again, as a CISO you are running the security of an organization. You are creating strategic goals and policy, while the how-to is pushed to lower levels. That is why certifications like CISSP and CISM exist because they make sure you have technical knowledge but the main point is managing the department not running a compliance tool or configuring a system.

MariadfdCruz

Thanks, TechGuro80! You really helped.

I am going to have the interview for CISO, in a couple of hours, and let's see! I know now what I should say.
I have been also around the CISSP certification. I started checking the official CISSP Guide, and following a Certification will wait.

dustervoice

These certs will help: CRISC, CISSP, CISM, CGEIT. Good luck and keep us updated.

636-555-3226

Good luck to you. FWIW, I wouldn't hire or work under a CISO that doesn't have years of security experience under their belt. If you're entering the infosec world cold you're going to have a hard time keeping up with the modern world. 10 years ago you'd have time to learn the ropes and mature as a security leader. Nowadays you've only got a few weeks to ramp up and understand a very vast, complex world that literally can shift under your feet from minute to minute.

MariadfdCruz

Thanks dustervoice! Here I am with an update.
636-555-3226 Simpson guy: Thanks for the wishes of good luck and I understand you. It is an IT Company, so they have all the tech professionals in house. I am good about checking risks by a different way, by the output. There will be there someone to make sure of the security. I can't do it all, that is the goal.

Update: My interview was good. It was pointed out that I could deal with policies and procedures, reporting compliances and risk assessment, as well as vendors contracts. I have the IT knowledge to make a bridge between business/finance/management and IT, though the IT security technical part would have to be dealt by an IT profissional, with knowledge in this specific part. Me and the recruiter agree that one person can't do all the job.

I have to say this is not a very big company and this CISO position was pretended to be one person, and not a complete team. Also, because the company is an IT company, they have all the IT professionals. So, at this point this kind of CISO position is been done in part-time by a finance person.

I got the impression that I have good changes to get this job. If I don't, I hope they get someone with all the qualifications I don't have. I will be good for organising tasks, talking with people, doing the policy and procedures manual, trustable professional, and some more. Though, no certifications and extra IT knowledge for this position. My experience has been IT Auditor, Finance Director, Controller and General Director of my own Company. So, business like I really know a lot. I am not an IT professional, and I am sorry I missed this knowledge. I love IT but I am not IT.

MariadfdCruz

636-555-3226 wrote: »

Good luck to you. FWIW, I wouldn't hire or work under a CISO that doesn't have years of security experience under their belt. If you're entering the infosec world cold you're going to have a hard time keeping up with the modern world. 10 years ago you'd have time to learn the ropes and mature as a security leader. Nowadays you've only got a few weeks to ramp up and understand a very vast, complex world that literally can shift under your feet from minute to minute.

I got a strange interview and I would love that this company would think in this way. I would be OK with it and understand. This is one way of looking at Compliances Position or CISO. Though, after a 1st interview and I made very clear I am not an IT, I got a 2nd interview at their office with an IT Software Development Manager and the interview was basically IT questions related to the life cycle of the software development. Ouch!

I felt so down answering, sorry I don't know that. I am an IT Auditor, not an IT professional and even less an Information Security professional with specific knowledge of Life Cycle Software Development.

From my interview, scheduled 1/2 days before and I was the one choosing to have it 2 days after they called me, I just got a bad feeling and thinking ... OK I will keep on on my IT Auditor path and bye-bye CISO positions, except if they ask for CISA certification.

I still think it is strange a CISO would answer to "Manager Software Development R&D" position, because it seems this is the case, due my interview was with the person in this position.

636-555-3226

Don't fret, most companies don't know where to put security pros. You're lucky they're even hiring a security guy!

OctalDump

MariadfdCruz wrote: »

I still think it is strange a CISO would answer to "Manager Software Development R&D" position, because it seems this is the case, due my interview was with the person in this position.

Well, it's not really a CISO position then. CISO is C level, you work with other C levels, under direction of CEO, and report to the board (a little variation on this, depending on country, but basically you are one step from the top, and sometimes could 'out rank' if top banana is doing bad things). You need the authority to be able to say, "Sorry Mr Manager Software Development, but this is the Security Policy and you are in violation". Possibly, this Manager could be a large source of security violations so it would be a conflict to work under them. The CISO also has strategic responsibilities, and often needs to communicate sensitive information direct to the board. It can't ever be some middle management functionary.

It might be that they weren't sure how to interview, or what exactly your role would be, so just stuck you with someone who could only ask questions from their area of expertise. I think the normal thing in these situations is to get an outside expert to help with the process, and even interview.

You might have dodge a bullet, there.

LollyBaggins

dustervoice wrote: »

These certs will help: CRISC, CISSP, CISM, CGEIT. Good luck and keep us updated.

Seconded!

Danielm7

Just because one person interviewed you doesn't mean that person will be above you either. When we hired a infosec manager/architect, we didn't have one before. Same with a CISO, they had to be interviewed by HR, other IT managers, some compliance people. We were basically interviewing our future boss.

E Double U

Our CISO has CISSP, CISA, GCIH, and GCWN along with a masters.

Mike7

As Danielm7 mentioned, this may be a case of them interviewing their future manager, so they are probably looking for someone with a broad knowledge base, knows the different infosec roles and is able to speak their language be it compliance, application development, infra and/or networking.

The "CRISC, CISSP, CISM, CGEIT" certs are great certs, and I do think CISA will be great for you as it validates your IT auditing experience. Information Security is always changing. Recent security breaches are due to vulnerabilities in web applications so some knowledge of application development helps. A CISO may need to explain (in plain English) to management how their custom eCommerce website was compromised via SQL injection vulnerability, how user data was stolen and what they can do to prevent this from happening in future. At the very least be able to get necessary information from application development manager, and convey in simple English to top management.

Just my 2 cents.

renacido

A CISO needs to understand the big picture and needs to understand business. They need to understand risk, ROSI, compliance, and security program management very well. They also need to understand the company's core business, their industry, and how to find the "Goldilocks zone" where security controls mitigate the calculated risk to acceptable levels at the lowest cost without interrupting or impeding the utility of the company's technology investment. In short, they are half business exec, half IT security exec.

I'd do the CISA, get a job in security doing compliance monitoring/auditing since that's where the bulk of your experience is. Otherwise, you will be starting over at 0.

From that compliance/auditing position you can get better acquainted with the adjacent security roles and expand your skills and experience from there.

Normally a CISO has several years of recent experience as an IT security manager or security architect, and prior to that, experience in lower-level security roles.

OctalDump

The other part of the CISO role is to take responsibility/accountability from CEO and other C levels. As the company officer responsible for security, when there is the inevitable breach, it is your neck on the line, rather than CIO or CSO or CTO or CEO. They can all say "the CISO said they had it under control". It's one response to SOX etc, just hire a sacrificial lamb.

It's all explained here.

TechGuru80

Not necessarily...there is no question that responsibility hits all c-level but sometimes more than others. Part of security is due care and due diligence but in a lot of situations security is more of a consultant role. If you do nothing you better believe you will be in hot water but the CISO is not always where the blame falls.

numberfive

As it was mentined, you cant go wrong with CRISC, CISSP, CISM in your case, since you are the only officer there will be.