ISACA’s website states that “membership sets you apart from other IT professionals by signifying that you are:
- Dedicated to best practices and successful results
- Committed to professional growth and advancement
- Helping to advance your profession
- A seeker of professional knowledge and a problem solver
- Serious about continuing education
- Connected with a highly regarded organization
- Part of a global network of peers”I wanted to see if this was true in the UK.
My reason is that CISA and CISM are widely known—more so than ISACA itself. Many organizations know COBIT and many additional firms use the framework but may not know it comes from ISACA. CGEIT and CRISC are not quite as well known, in comparison, but as a professional organization we have an opportunity to promote these as a substantial solution to better manage cyber-security threats, which have finally hit the board agenda.
ISACA certifications provide a virtuous circle. By getting the governance framework right, it is easier to identify the risks to implement solutions, many based on security controls, and provide value-added assurance from executives and auditors.
The ISACA London Chapter works with Hays, a recruiting firm, to connect professionals and employers. Their UK IT job websiteshows CISA, CISM and ITIL are ‘must haves.’
This means ISACA reason #3 is true, but do employers recognize the rest?
I asked Hays staff what they thought. They see the expectation for IT audit and security employees at all levels to possess relevant certification. The weighting of certifications depends on several factors:
- Internal audit divisions expect CISA or CISM of their IT auditors to ensure teams have sufficient IT-related knowledge to hold useful conversations with auditees.
- More stress is placed on certifications if the team is lean, but…
- … less if the role is senior management, where others skills and experiences come into play.
- The certifications requested often reflect those held by the hiring manager.
- CRISC is becoming important for second line of defense roles, but…
- …CSX is not as well known yet since it is early days
It also seems that, in the UK, salaries are related to the role, not the certification. Certifications provide opportunities to obtain roles rather than salary increases. A variation on this is that a strong candidate for a junior role, without certification, may be encouraged to study for one through company sponsorship in lieu of a lower salary. A lapsed certification counts for nothing and is seen as not being committed to the industry. It is worse than not having had it.
An interesting UK trend is an increasing demand for focused, technical knowledge mixed with interpersonal and business knowledge. A range of certifications help here, as IT auditors grapple with complex security controls, for example, or go beyond efficiency in ‘value-for-money’ reviews, such as safety, quality and relevance. In banking, this trend happens at a junior level because the regulatory environment demands assurance and compliance. Outside that industry, a mix of management, professional and business skills happens at a more senior level.
COBIT is well-loved but sometimes treated as a teddy bear—there when you need it and tragic if lost. Thus, the explicit need to show COBIT qualifications is rarely part of the job spec. But it turns out that COBIT is the de facto standard, so deeply entrenched in corporate assurance that there is no need to shout about it. That means experienced IT auditors are expected to be well-versed in COBIT.
Globally, recognition and employer demand for globally recognized certifications seems greater than in the UK. This may be cultural or due to regulatory requirements. In some cases, if opportunities to gain relevant experience are limited, certification is proof of knowledge not obtainable elsewhere.
All well and good, but this is a recruiter’s view. I wanted the employer’s view, which I found at a CISO meeting in London. They said that having no certifications would not automatically exclude a candidate. The choice of certification, and how many, came down to the individual, their aspirations and complementary skillsets.
Slightly contradictory was the expectation that staff with four years’ experience have certifications. They expected less experienced staff not to have them – no time or experience to obtain them – but expected junior staff to study for certifications. More senior roles required broader and/or deeper skillsets. For management, MBAs and professional management programs can help broaden skillsets. The issue was those remaining in technical roles – what professional qualifications were there outside a master’s or doctorate? There seemed to be a gap in the ‘professional training’ market for experienced staff.
The CISOs said the increasing integration between IT and non-IT activity has narrowed so most IT professionals need to understand business and develop interpersonal and communication skills. Knowing how the business runs—being able to have conversations between IT and non-IT—help get IT right.
It comes down to keeping up to date with trends. Employers look for knowledgeable, experienced professionals who keep abreast of daily organizational IT changes and challenges. Continuing professional education, which is demanded of certification holders, provides comfort to employers. Their staff not only stays up to date, but also have many resources to apply within the organization. ISACA membership benefits support this. We should take full advantage of them.
Editor’s note: As part of ISACA’s celebration of Women in Technology Month this June ISACA is seeking women in tech to guest blog on the subject of their choice. If you are interested in learning more, please contact firstname.lastname@example.org.
Sue Milton, Managing Director, SSM Governance Associates, and Past President, ISACA London Chapter
[ISACA Now Blog]