Continuing cyberattacks like those mounted against Target, eBay and Apple are pressuring companies to emphasize security even more than they have been to date. When it comes to hiring, that’s adding to the importance of certifications in IT audit, security, governance and risk. In many cases, that importance is translating into pay premiums for professionals that hold the credentials.
Among the certifications in greatest demand are those from ISACA, an international association that focuses on IT governance. Indeed, according to the most recent IT Skills and Salary Survey from Global Knowledge and Penton, the top three of 2014’s highest-paying certifications come from the group’s stable:
- CRISC: Certified in Risk and Information Systems Control ($118,253 average salary)
- CISM: Certified Information Security Manager ($114,844 average salary)
- CISA: Certified Information Systems Auditor ($112,040 average salary)
Here’s a rundown on these, as well as the CGEIT, which covers the governance of enterprise IT.
CISA: Certified Information Systems Auditor
Created in 1978, the CISA is essentially required for the likes of IT auditors and IS engineers, says Mark P. Aiello, President of Wakefield, Mass.-based Cyber 360 Solutions, a cybersecurity contract and staffing firm. The credential is often listed as a necessity for professionals working in and around IT security management. More than 100,000 people currently hold the designation, adds Robert E. Stroud, Vice President of Strategy and Innovation at CA Technologies and ISACA’s International President-Elect. The CISA isn’t for novices. “It shows that you understand systems, infrastructure, applications and management, and that the systems adhere to industry best practices and regulatory standards enterprise-wide,” explains Jerry Irvine, CIO of Chicago-based outsourcer Prescient Solutions. A minimum of five years of professional information systems auditing, control or security experience is required. That can include work in governing and managing IT; information systems acquisition, development and implementation; IS operations, maintenance and support; and protection of information assets. Depending on other, relevant expertise, substitutions and waivers for experience can be had.
CISM: Certified Information Security Manager
The CISM is ISACA’s second most popular certification, with about 25,000 people holding the designation. They include tech professionals working in information security governance, information risk management and compliance, information security program development and management, and information security incident management. At least five years of work experience is required to obtain the designation, with a minimum of three years in IS management. Again, substitutions and waivers are available for work experience. Anna Greer, recruiting team lead at SWC Technology Partners, an Oak Brook, Ill., IT solutions company, says the certification is particularly popular with IT security and compliance managers. “There are people who might say they’re security experts, but the certification tells employers that you have the formalized training and experience to understand the vulnerabilities out there today,” she explains.
CRISC: Certified in Risk and Information Systems Control
Introduced in 2010, the CRISC is designed for risk professionals working in and around IT and enterprise risk management. About 17,000 people currently hold it. Among its requirements are three years of cumulative work experience in at least three pertinent areas including risk identification, assessment and evaluation; risk response; risk monitoring; information systems control design and implementation; and IS control monitoring and maintenance. Despite being new, the CRISC is quickly gaining traction and attention, working as the follow-on to the CISA, according to Irvine. “It’s a certification for IT professionals who are becoming more business-oriented—looking to tie IT risk management to the business goals,” he says. It’s also a certification meant for people on the management track.
CGEIT: Certified in the Governance of Enterprise IT
Increasingly a prerequisite for professionals involved with enterprise IT governance, the CGEIT is also a good credential to have if you aim to move into the C suite. To obtain the CGEIT, you’ll need at least five years of experience in IT governance, either managing, serving in an advisory or oversight role or otherwise supporting it. Specifically, applicants must have expertise in areas including strategic management, benefits realization, risk optimization and resource optimization. The CGEIT isn’t only important from the hiring perspective, but also from the “getting clients” perspective, notes James Sinclair, co-founder at EnterpriseJungle, a Los Angeles enterprise analytics and workforce intelligence platform. “We are actively hiring sales professionals and experts and so the CGEIT is something that adds credibility as part of the overall sales process,” he says. “It shows, despite being a startup, we are actually a team of very experienced professionals.”