Certifications, oh dear. They are the modern-day rite of passage for anyone who wants to prove their worth in cybersecurity. Try juggling three heavyweight certifications, CISM, CRISC, and CISA, and you will wonder why you ever thought slaying dragons or deciphering the Rosetta Stone was hard. Get ready for a ride filled with terror, bewilderment, and, finally, salvation.
Act 1: The End Is Nigh
At first, it was harmless enough. “You ought to get certified,” they said. “It will open doors,” they claimed. Naively, I listened. I vowed to become a Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), and Certified Information Security Manager (CISM), the holy trinity of ISACA. Surely it can’t be that hard, can it? Let me give you a hint: it’s harder than figuring out how to mute your Zoom microphone.
Once you register, you’re granted access to the sacred ISACA Question Bank. This treasure trove of obscure questions is supposedly your key to success. What they don’t tell you is that it’s also a Pandora’s Box of existential dread.
For CRISC, I was presented with scenarios that sounded like they were ripped from a cyber-horror novel: “If a malicious insider bypasses your firewall with a rogue IoT device, what’s the first control you would implement? (Hint: Pray.)”
CISM’s questions read like a philosophy exam disguised as cybersecurity: “What is more important, confidentiality or availability? Explain using the tears of your broken soul.”
CISA? Oh, that’s just a history test on every audit framework known to mankind, from the days of punch cards to the blockchain apocalypse.
An Epic Choice
The first obstacle was deciding where to start. Each credential comes with its own promise of greatness:
CISM: For those who aspire to lead teams and oversee information security programs.
CRISC: For the brave souls willing to stare down risks and controls (and probably torment themselves over it).
CISA: For those who enjoy the pain of auditing, compliance, and the eternal question, “Did you follow the process?”
Still, how should I prioritise them? For weeks I consulted the stars, read blog posts, and lurked in online forums. In the end I chose CISM because, hey, it sounded managerial, and who doesn’t want to feel important?
Act 2: The CISM Adventure
The CISM experience was like dating someone far out of your league: exciting at first, then overwhelming, and finally crushing. The syllabus covered governance, risk management, and incident response. Doesn’t sound complicated, does it? Wrong.
For weeks I tried to coax my brain cells into cooperating with the study materials, committing ideas like “ensuring alignment between security and business objectives” to memory. The study guides were thicker than a data centre wall, and the practice questions seemed designed to make you doubt your life choices.
Just as I thought I was mastering it, I ran into the dreaded scenario questions. Every question was a novella, and every answer option could have been a plot twist. What should I do first: assess the situation or escalate it? Who knows? I certainly didn’t.
Days turned into weeks, and weeks into months. I began carrying my study guides everywhere, from coffee shops to bed and even to family gatherings. Relatives started asking whether ISACA was a cult I had joined. “Yes,” I wanted to say, “and the initiation ritual is this endless book of practice questions.”
Months of studying and enough coffee to power a small nation later, I passed the exam. Success? Wrong again. CRISC was next.
Act 3: The CRISC Disaster
Moving from CISM to CRISC was like changing roles from captain to weatherman. Suddenly my focus shifted from managing security to identifying risks, assessing them, and implementing controls. It was like switching jobs in a restaurant: from chef to critic.
The CRISC syllabus whirled control design, residual risk, and risk appetite around in my head. The sheer volume of acronyms and jargon would overwhelm even the most jaded cybersecurity professional. I started pondering life’s big questions, such as, “Am I mitigating the risk, or am I the risk?”
Every topic seemed to contradict the last. One chapter assured me that controls are crucial; the next informed me that without a defined risk tolerance, controls are merely advisory. “Risk appetite,” I would occasionally whisper to myself, “sounds more like a diet plan than a framework.”
The exam questions were just as painful. Where CISM’s scenarios tested judgement, CRISC felt like calculated guesswork: every answer seemed both right and wrong at once. When it was over, I didn’t know whether I had passed or merely survived.
Yet I survived. Spoiler: I passed. To celebrate, I devoured an entire pizza by myself and binge-watched three seasons of a show that never once mentioned ISACA, controls, or risk. Sadly, my happiness was short-lived, because the formidable CISA awaited me next.
Act 4: The Mystery of CISA
CISM and CRISC had their difficulties, but CISA was an ordeal all of its own. Over the years my responsibilities had grown steadily, from managing security to mitigating risk to auditing systems. Like a character in a Kafka story, I felt I was always playing a different part and never quite fitting in.
Sitting the CISA exam was a masochistic endeavour. The syllabus covered auditing, compliance, and governance; the best way to describe it is reliving CISM and CRISC with a checklist and a magnifying glass. Learning to examine logs, evaluate controls, and write audit reports was a labour of love. Great times.
The worst part? The terminology. CISA introduced a whole new vocabulary: “control self-assessment,” “material misstatement,” “compliance testing.” Every new term felt like stepping into yet another nightmare.
The exam questions were particularly wicked. All four answer options made sense, but only one counted as the “most correct.” My dreams began to revolve around audit procedures, and I would wake in a cold sweat muttering, “segregation of duties.”
Coworkers and friends kept asking, “Why do you need all three certifications? Can’t you just get one?” They were baffled, which only made things worse. I wasn’t doing it for fun. I wanted to complete the ISACA trifecta and, perhaps, prove to myself that I could.
Exam day finally arrived after what felt like an endless wait. I walked into the testing centre with a mixture of fear and acceptance. The questions seemed written to test my self-confidence. By the time I clicked the final “Submit” button, I still wasn’t sure whether I had passed or whether I was hallucinating.
Act 5: What Remains
By the time I had finished all three qualifications I felt as if I had aged a decade. My brain felt like a fragmented hard drive, my coffee addiction was out of control, and my social life was a disaster. But I could now append CISM, CRISC, and CISA to my name, which are admittedly very cool acronyms.
For weeks afterward I would casually drop them into conversation. Oh, you need help with an audit? Let me fetch my CISA notes. Risk assessment? Luckily, I’m CRISC certified. It was petty, but satisfying.
Redemption
Was it worth it? Honestly, yes. The process was painful, but the knowledge I gained was priceless. Each credential gave me a fresh perspective:
CISM taught me how to think strategically about information security.
CRISC deepened my understanding of risk management.
CISA sharpened my auditing and compliance skills.
Together, these credentials made me a more rounded cybersecurity professional. My role has evolved significantly, from someone who merely “worked in IT” to someone who can confidently tackle GRC (governance, risk, and compliance) challenges.
Last Remarks
If you’re considering CISM, CRISC, or CISA, be ready for a journey of bewilderment, frustration, and uncertainty. But be ready, too, for growth, insight, and career progression. Earning these credentials is more than showing off; it’s a path to becoming a formidable force in the cybersecurity industry.
So was it a terrifying tale? In a word, yes. But as in every good horror story, there was a happy ending. You have my word that you will make it through this test of wills.