Research

Numbers: ISACA Says Survey Illustrates Benefits of CISM Cert

A recent survey backs the notion that CISMs are in a better position to deal with a growing emphasis on business needs over technology, an ISACA official says.

By Bill Brenner, Senior Editor

June 05, 2008 —

IT professionals who obtained ISACA's information security managers certification (CISM) are in a better position to deal with the growing emphasis on business needs over technology, according to a recent survey of more than 1,400 CISMs in 83 countries.

One could find the survey results biased, since the poll was conducted by ISACA, the IT security governance organization that administers the certification. However, the cert's value has been reflected elsewhere, including Certification Magazine's 2007 Salary Survey, which listed the CISM as the second-highest paid certification with an average salary of $115,720 a year.

ISACA, which established the CISM designation in 2002, surveyed 1,426 CISMs in November. Participants indicated they work in such sectors as banking and financial services, consulting, technology, government and healthcare.

The survey results indicate that the top five most-common activities performed by information security managers in their current positions are risk management, security program management, data security, policy creation, maintenance and regulatory compliance. Asked about previous job duties, only 54.8 percent of respondents said they had responsibility for risk management. In the positions they've attained since becoming CISMs, however, 76.6 percent said they are responsible for this business-related function.

Network security was the third most-frequently-performed activity in prior positions, but a majority of respondents said that has dropped to eighth place in their current roles.

Asked what their next career step will be, 40.6 percent said they plan to step into an executive management role. Of those, 27.1 percent see themselves in a chief information security officer (CISO) role.

In a telephone interview, CISM Certification Board Chairman Evelyn Susana Anton said the results are a clear indication that the certification is ideal for who want to move up to positions where IT security is approached from more of a business perspective than a technological one.

"It is clear that CISMs are experiencing career growth and moving up higher into management," she said. "This shows that these functions are vital business drivers and are receiving increased attention from boards of directors and executive management."

The survey results reflect the growing trend where security is becoming a routine part of the larger business process. That is especially true for companies grappling with the potential business consequences of an IT security compromise.

CISM is one of several certifications available to security professionals. Others include the Certified Information System Security Professional (CISSP) designation offered by (ISC)2, and the Global Information Assurance Certification (GIAC) designation offered by the SANS Institute.

Like ISACA, these organizations tout the value of their offerings by pointing to the higher salaries certified professionals earn.