ISACA CISM changes: Less focus on management, more on security

Infosec Skills author Leighton Johnson talks about major changes to CISM in 2022. CISM has shifted qualitatively from the “Manager” side of the cert name to the “Security” side.

0:00 - Changes to CISM's focus

2:21 - Why did CISM's focus change?

3:43 - How to study for the new CISM changes

6:47 - Important CISM skills to know

8:28 - Find Leighton Johnson

9:31 - Outro

[00:00:00] Chris Sienko: Did you know ISACA’s Certified Information Security Manager or CISM certification made a big change in June of 2022? Still four domains, but the weight of those four domains has shifted dramatically from the management side over to our old pal security. Want to make sure you're putting your valuable study time in the right place? Veteran InfoSec instructor, Leighton Johnson, has the answers for you. So stay tuned, listen close, and listen quick because it's a Cyber Work mini.

[00:00:31] CS: Welcome to a new series of short videos from InfoSec. The purpose of these videos is to give you quick, clear, and actionable answers to the questions that you have been asking about cybersecurity and learning cybersecurity. Today's guest is InfoSec instructor and InfoSec skills author, Leighton Johnson. Leighton was my very first guest on Cyber Work, and I'm always happy to have him back and get his insight. So Leighton told me that the CISM exam has made a major change in 2022, and that change could have a huge effect on your focus of study on the exam. So let's find out more about that.

Welcome, Leighton.

[00:01:05] Leighton Johnson: Good morning, Chris.

[00:01:07] CS: Leighton, as you noted previously, ISACA has changed their Certified Information Security Manager or CISM certification around a bit in 2022. Can you talk about the change in focus that you saw?

[00:01:19] LJ: Sure, absolutely. On the first of June, they updated their CISM requirements and levels of support for their four areas, four domains. They kept the four domains. They didn't change those, but they changed the percentage dramatically. The first domain, which was governance, has dropped from 24% down to 17%. The second domain, which was originally the most important, 30% around risk management, has dropped to 20%.

What has jumped are the other two. The first one is security program development and running the security program. That went from 27% up to 33%, and a major change is in incident management. As we, of course, see in the cybersecurity world, we clearly see that that's one of the major focuses. So it jumped from just 19%, which was the low one on the totem pole before, up to 30% now.

[00:02:22] CS: Wow. So what do you think brought on this change in focus on ISACA’s part?

[00:02:26] LJ: Well, clearly, of course, their job task analysis reflects that security managers are having to be incident management liaisons or managers themselves. They have to pay attention to all of the things about recovery, and have to pay attention to all the things about incidents and what are they and where are they coming from, with the proliferation of ransomware and all the other things that have been going on in the community for the last several years. It's clear that that's where the focus is for security managers today.

[00:02:26] CS: Yeah. I guess security managers have always been that sort of liaison between the security department and management and the board and so forth. So they're just basically shifting the line over to say, “You need to know more of what security you need to do it.”

[00:03:10] LJ: You need to know more. You need to apply more. I think it's not so much that they know more. It’s that they have to apply more and, therefore, become the translator to the senior management. Because as defined by ISACA, the security manager is the liaison to senior management about all those things that go on. So they turn to them first to ask the questions. Are we safe? Are we secure? That type of thing because that's their job as information security managers.

[00:03:42] CS: So knowing about this change in the exam and the certification, how should people approach studying for the CISM, and how should they change their study focus? Is there something they should spend more time on? And what if anything, should they deemphasize or skim a little more?

[00:04:00] LJ: Okay. Well, in program development and program operations around security, they've added tremendously on the technology side of what does the security manager need to know as far as oversight. They expect, of course, the security professionals underneath the security manager to be doing the work. But in order to do proper translation, in order to understand what the security program needs, they have a lot of changes around technology. So they've jumped that dramatically, including current type technologies like SIEMs and SOAR and other areas. So that's one.

The second thing is to understand about incident management. They approach it from an incident management component, which breaks out into incident handling, incident response, disaster recovery, and business continuity. So they put all of those in domain four together. There was a small emphasis before. Now, it's much stronger. In fact, it's literally one-third to one-half.

The incident management area is around that construct that incident management has as what it wants to do business continuity, and it has what it's wanted to do, which is recovery. Get everything back to working. So they tie all of it together through the recovery construct because that's the last step of all of them. In doing that, they've expanded their coverage on continuity. They've expanded their coverage on disaster and disaster recovery, whether it be natural or manmade, etc.

Those are the two big areas that require more emphasis. The lower emphasis around governance is probably – I mean, it dropped seven percent. I assume and what I see out in the community, it's that there's other people now involved in governance, that type of thing. So it's not merely a focus of the security manager.

As well as risk management dropping 10%, I can see that now other players, other managers, other senior executives, are paying more attention to it, probably because of the increase around enterprise risk management for the whole organization, as well as all the reporting mechanisms that senior management have to do these days, which means they need to pay attention to risks. Because of that, I see those decline to some degree. Although the general contract content is still the same, it has reduced in its full range of scope.

[00:06:47] CS: So obviously, InfoSec is all about helping you pass your certification exams, and we're not necessarily trying to like stuff everything into your short-term memory, just so you can tell the exam. We want to make sure you retain that info and use it to level up your skills and your career. So what aspect of the information on the exam would you say is crucial to continue learning and practicing to keep your skills at the top of the heap in this role?

[00:07:11] LJ: Number one, understand current technologies. They've increased a great range of that. Used to be it was a lot of old stuff. Honestly, it was, and a lot of that has been removed, the old things. They've modernized their approach dramatically to what is covered, number one.

Number two, understand that the recovery is always the end step of whether it's incident response, disaster recovery, or business continuity. It's always getting the business back to normal operations as the final crux area in those. So understand how recovery is recovery, no matter which way you look at it. How you got to having to do recovery is where the different feeds come in, and understand how that works.

Then also understand follow on after recovery because they talk about testing. They talk about training for recovery. They talk about doing forensics for recovery. The malware analysis around the ransomware and those types of things are now addressed, which weren't in there before.

[00:08:27] CS: All right. Well, this has been very informative, and I hope all CISM aspirants or people who are even just thinking about it got a lot out of this. So to wrap up, for our listeners who are ready to get back to their studies and apply these security concepts, tell them where they can find more of you, Leighton Johnson, on the InfoSec platform. What are some of your boot camps, classware, and where they can learn more?

[00:08:46] LJ: Well, InfoSec is an ISACA-authorized training organization. I do teach ISACA courses for InfoSec. I have for 10 years. CISM, CISA, CRISC, etc. Number one, of course, on the Skills platform. I, to this day, get more and more requests for security architecture components. That seems to be the most popular one that I get questions directly about. InfoSec has a great program around what they do in conjunction with ISACA with their efforts, and I always enjoy working with them in that way.

[00:09:32] CS: Leighton Johnson, thank you for your time and insights today. This has been a lot of fun.

[00:09:35] LJ: All right. Thank you, Chris.

[00:09:37] CS: And thank you all for watching this episode. This is the start of an ongoing series of videos that will be released every Thursday. So check back soon for many more. And until then, we'll see you next time.

[00:09:49] CS: Hey, if you're worried about choosing the right cybersecurity career, click here to see the 12 most in-demand cybersecurity roles. I ask experts working in the field how to get hired and how to do the work of these security roles, so you can choose your study with confidence. I'll see you there.
