Certifiably Secure: CISM After Year One


It may still be a bit too early to tell for sure, but it looks like the Information Systems Audit and Control Association’s (ISACA’s) Certified Information Security Manager (CISM) is doing well, though not necessarily exploding, growth-wise. This credential is brought to you by the organization behind the Certified Information Systems Auditor (CISA) credential, which today boasts more than 35,000 members in its certified population.

Let me explain how I came to the conclusion that CISM is doing well but not superbly, from a numbers perspective:

  • On its home page, the ISACA site thanks “the nearly 15,000 candidates who sat for the CISA and CISM exams.”
  • On its home page, in the CISA blurb section, ISACA indicates, “more than 13,000 individuals registered for the 2005 CISA exam.”

To me, this means it’s unlikely that more than 2,000 to 2,500 individuals took the CISM, unless there’s a significant difference between those who register and those who actually take the exam. For a once-a-year exam that costs anywhere from $295 to as much as $495 (depending on when you register and your ISACA membership status), I’m guessing that the number of no-shows is less than 5 percent. Given even a 100 percent passing rate for CISMs—somewhat unlikely, for an exam that includes 200 questions and lasts four hours—this is still pretty modest growth of 2,000 to 2,500 a year (but probably more like 1,800 to 2,000 per year).


Compare this to monthly certification rates for the Microsoft Certified Systems Administrator (MCSA), which run between 1,800 and 2,700 per month for Windows Server 2003 and 2000, respectively, or the Microsoft Certified Systems Engineer (MCSE), which run from 1,250 to 3,000. Consider also that the Certified Information Systems Security Professional (CISSP) population has grown from a little over 5,000 in September 2002 to more than 20,000 by June 2004. In the 21 months between the two reporting dates, that translates into about 714 per month, or more than 8,500 per year, roughly four times the CISM rate.


On the other hand, different organizations have different ways of defining success, so it’s also important to consider the following: Given that ISACA has certified more than 35,000 CISAs and that it’s been doing so since 1978, the average yearly rate since day one is about 1,350 per year. Of course, recent rates outstrip that number significantly, as evidenced by the registration figures for the CISA already mentioned, just as early rates probably didn’t come close to the average for some while. But for the CISM to beat the cumulative average for CISA in just one year helps account for the brightly positive outlook emanating from ISACA about its new credential.


Personally, I don’t think the CISM is at all bad for a new cert in general, and a new security cert in particular. But it’s smart to put it in perspective with the overall cert market and the infosec cert market as well. Even if CISM doubles every year for the next three years, it won’t pass annual rates for 2004 for CISSP by 2007 (and in the meantime, CISSP isn’t standing still, either).


If you visit ISACA, you’ll find lots of information about the CISM available:




My slightly different take on the organization’s relative success is meant only to put things in perspective for the broader market. It doesn’t mean I think CISM is poorly designed (it’s not) or that the intellectual value of the cert is in question (it’s not). But the marketplace jury is still out, and it will be a while yet before its real value in the eyes of hiring managers and employers can be properly assessed. All that said, interested parties are invited to investigate further and help ISACA improve its odds in the relentless numbers game!
