Sunday, July 17, 2022

My CISM Journey - The True Value of Certifications

 Certifications can be important for many different reasons. Perhaps you need a certification for a certain job or to be promoted. Or perhaps you have a commitment to continuous improvement. Maybe you just like collecting them like an alphabet soup Pokemon challenge. 

My reason was different. I have worked in cyber security for decades. I have toiled in the trenches, built authentication systems, lived through breaches, sold infosec investments to budget-minded leaders, built cyber security teams, and most importantly led in the cybersecurity area, all while being a CIO or in a technology leadership role. Hell yes, I want credit for all that. So I decided to demonstrate all my competence by grabbing the Certified Information Security Manager (CISM) cert from ISACA, one of the two or three most respected cybersecurity certifications. Piece of cake. I know all this.

That's how it started. That is not how it ended. As they say, it is the journey, not the event.

The first thing I noticed was that the certification covered a wide range of material. Some of which I was not deep in. Whoops. No worries, I can read up on that and round it out. I scheduled the exam, studied up on that one area and took a practice test. I scored 65%. I will never forget that number. Imagine my horror. This is supposed to be material to validate my experience, not call it into question. 

I needed a new plan. I purchased recent editions of the recommended study manual. I like videos, so I subscribed to LinkedIn Learning (not an endorsement, just a fact) and listened to 13 hours and 8 minutes of Mike Chapple telling me what I needed to know. I organized my notes in OneNote, highlighted the exam hints, and so on. That took over a month. Now I'm ready. Even Mike says I am ready, and Mike is the MAN. Another practice exam. This time I scored 75%.

What? I almost gave up at this point. With decades of experience and all these videos from this really smart guy Mike, and I still don't have a lock on this?

Being hard-headed is one of my traits. I hate to give up. I took a fresh look at the certification and realized something. The certification wasn't about validating my experience. It was about demonstrating my knowledge of the ISACA "way", which represents the industry best practice. It dawned on me that I was not as good with "industry best practice" as I thought I was. 

I invested in one of the "official" study guides. Read all 500+ pages of it, highlighting as I went. I also subscribed to an online testing service for exam practice, taking at least 4 simulated exams. This took another 3 months, all on personal time. 

My practice exams were scoring me in the 85% range. I thought I was ready, so I stopped delaying the online, webcam-proctored exam and took it the day before a beach vacation, and two weeks before they were scheduled to change the content of the exam. No pressure. The at-home proctored exam experience should be the subject of another blog post. Hint: Proctor and Proctologist share more than a common root word in ancient Greek.

So I passed. I cannot tell you how relieved I was. ISACA makes it almost impossible to tell how well you did. I don't think I killed it, but I did well enough. It was 5 months almost to the day from when I started studying.

What worked for me as I prepared was using a variety of materials. The videos helped, but they were not enough. The book was great, but didn't have the hints the videos did. The online testing was invaluable as a simulation of the exam, but didn't have background material. It took all of them to prepare me. 

I work in a shop where I am very fortunate to have a talented CISO and a great cybersecurity staff. I noticed along my certification journey that I started asking different questions and appreciating their approaches to problems. "You have been reading up, right?" is what one of them asked. This is when I started seeing my growth. 

My mistake was in thinking I had nothing left to learn. I learned a ton in this process and I started applying it before I passed the exam. My employer, my staff and my customers have noticed the difference. As a leader in IT, ask yourself what role certifications play in the development of the people that you lead. 

Growth is the true value in certifications. Not validation. It took me 5 months to figure this out. It all starts with a commitment to professional growth. If you have to ask yourself if you really need to get a certification, then you probably don't. If you ask yourself about whether you need to grow in your career, then certifications should be part of your journey. 
