Shostack + Friends Blog Archive


Why I Don't Like CRISC

Recently, ISACA announced the CRISC certification.  There are many reasons I don’t like this, but to avoid ranting and in the interest of getting to the point, I’ll start with the main reason I’m uneasy about the CRISC certification:

We’re not mature enough for a certification in risk management.

Don’t believe me?  Good for you, I like critical thinkers.  So let me offer up a little challenge in using ISACA’s own religion as my proof.

I challenge you to show me, in valid scale and using publicly available models, the impact of COBIT adoption on an organization’s exposure to risk.

If you can do that, then I’m all for certifying that someone can “get” risk management, and a certification might actually mean something.  But until you can, I can’t for the life of me figure out what you are actually certifying, why having the letters “C, R, I, S, & C” together in someone’s title means I should value their certification, or, for that matter, how this certification would actually end up having someone “see risk”.


  1. Answers of “some things can’t be measured” will be considered to prove the point.
  2. Answers of “COBIT is governance, not risk management” will also be considered evidence that proves the point.
  3. Jack Jones & disciples, Russell Cameron Thomas – I believe you could give it a go.  In the interest of not wasting your time or exposing your IP, I hereby disqualify you from this challenge for being too dang cool.

At some point later in the week, I’ll post more on CRISC and I’ll also include alternate, more useful strategies for the CISO than sending people to CRISC school.

74 comments on "Why I Don't Like CRISC"

  • shrdlu says:

    My best argument for the certification is that I could become a CRISC Officer. And then I’d be great for making pie crusts.

  • jared pfost says:

    shrdlu – best comment all day. Just remember to pay your dues and attend enough vendor lunches for your CPEs. Otherwise you’ll forget how to bake and won’t be flaky anymore…

    couldn’t resist.

  • Chris says:

    Somebody needs to call ISACA and ask if they have a non-hydrogenated certification available.

  • Patrick Bryant, CISSP, CISA says:

    I have yet to meet anyone (besides in the mirror..) who is working in the IT Audit or Information Security space who has read an entire book on risk management.

    There are other industries with much more mature risk management processes and knowledge. I learned what I know in the aviation industry, where human factors (usually pilot error) are the primary causative factors in losses and accidents. With very few rare exceptions (such as the recent incident where Captain “Sully” Sullenberger was at the helm), nearly all accidents in aviation are due to “cumulative act effect” (an error chain). But just start talking about human factors such as “normalization of deviance” (as in the Space Shuttle Challenger disaster) – or any of the many forms of cognitive bias with your average IT type – and watch for the blank stares of complete incomprehension.

    I would value more someone who took the initiative to acquire cross-over knowledge from another industry like aerospace or medical diagnostics.

    My advice: do some original research, write a good white paper on the applicability to IT practices of risk management concepts from another more mature and risk averse industry — and then present THAT to your next potential employer — instead of a cert from an immature industry such as IT.

    • Musashi says:

      Hi Patrick
      Thank you for your precise feedback which I do fully support. However I would like to add some points for the sake of IT and IT Security people out there.
      I was able (fortunately or unfortunately depending on the view) to study Crisis and Disaster Management which gave a broad theoretical knowledge combined with practical experience over different branches, concepts and approaches to deal with Risk Management, BCM and DR. In addition I have been in IT and IT security, hands-on as well as strategic, for 20 years now.
      You are right that approaches in the IT field were somehow stuporous in the past and IT could learn a lot from different branches like aerospace and apply risk concepts like Reason’s Swiss Cheese model.
      However there are two points where I deem any existing certification in approaching IT Risks crucial and I am not sure if a CRISC will focus on that:
      – Awareness: It’s (nearly) all about people and people’s awareness. If management in a company is not aware of their risks (and this is what I find quite too often) then the CRISC consultant needs to make them aware, which is a painful process since a lot in management prefer to just close their eyes and pretend the risk is not there or negligible. So, the CRISC consultant would need, in addition to skills, the social ability to nearly act as a psychologist.
      – Risk estimation: As we know risk is the product of likelihood, damage and human factor (=1 if not present). I have not seen (maybe you did) any IT department where a) either historical incident data was appropriately collected and analyzed in order to establish likelihood and/or b) damage resulting from a component/process outage from e.g. hacker attack or virus outbreak was calculated without more or less guessing the figures. However there is often a lack of understanding between IT and other business departments which does not benefit a common exchange of information in order to establish a BIA. This then goes back to what I said in awareness where the CRISC consultant has to act as facilitator.
      Overall I deem any professional approach (i.e. certification) which can bring proper skills/tools and proper people together in order to develop less risky IT and business environments a step in the right direction. But for now I will follow your advice and think about the release of a good white paper 🙂
      Hope not too much got lost in translation.
      Kind regards from Germany.

  • David Casey, CISSP/CISM says:

    I have no idea what this certification provides other than an extended signature line. I’ve read the mailing, and the first thing that comes to mind is a $$$ generator for ISACA. No one in my organization would see any value in such an obscure certification. Add to that the ability to grandfather into it, and it has even less meaning. I predict that a bunch of glorified account admins will apply under the grandfather clause and be accepted, then think they are security professionals.

    Just interviewed two people for a Sr. Security Analyst on my team. One has a CISSP and CISM but could not properly describe the simple difference between a stateful inspection and packet filtering firewall, didn’t understand how NIDS were connected to a network, and could not explain the basic TCP/IP handshake sequence. The other candidate had a security auditing background, was ISO certified in Info System Security, yet knew nothing about anti-virus heuristic scans, none of the above items, and had never touched a firewall, IDS, or network switch.

    Hands-on experience is the only true qualifier. Certifications are pretty though… Looks great on a resume and business card.

    • Jamil Siddique says:


      You seems [sic] to knw nthng abt Infrmtn Scurty Mngmnt nd Gvrnnce.

      I wld qstn yr CISM crdntls thn ppl y ntrvwd

      [Disemvoweled by Adam for being content free.]

    • Larry says:

      What troubles me is that some of the discussions of the CRISC grandfathering clause is incorrect.

      ISACA did offer the grandfather clause for the CRISC through October 31, 2010 but the applicant did have to prove his skills which required independent verification by another individual. So while ISACA did offer a grandfathering clause it wasn’t as simple as “pay a fee, get a cert.” A minimum skill level (by years of experience) was required to qualify.

      We need to make sure that we have the right facts before criticizing CRISC.

      • Alex says:


        Wouldn’t independent verification just be the blind leading the naked? At *best* we’d have “hey, I verify this guy should be a CRISC because he knows that our methods for creating risk expression are usually pure hokum, too.”

        • Larry says:


          First, I am not justifying the CRISC. I am merely clarifying the requirements under the grandfather clause. Is what I posted correct or incorrect? I think you make some valid points regarding the CRISC but I thought that some clarification regarding the grandfather clause was in order.

          Regarding your response, how is asking your former manager or co-worker for verification of your work experience a form of the “blind leading the naked?” For your statement to be true, your hiring manager would have to be completely clueless of your job requirements.

          • Alex says:

            I didn’t say you were justifying CRISC or anything of that nature. I wasn’t trying to make a hostile comment there, just ask a question. If (as I assert) InfoRisk is a very immature field, what’s the use of having a peer vouch for you?

            IMHO it is, at best, a statement that this person knows enough to know they don’t know anything conclusive about the subj.

  • Hi David,

    You seem to assume that Technical skills are the end-all, be-all of a security person. Perhaps they are for the role you’re hiring, but don’t confuse “Technical Security” or “IT Security Operations” with “Information Security,” which is a field that predates computing, period, much less any of the technologies you’re interested in.

    It sounds to me like you’re just irritated that you interviewed two non-technical people for a technical role. Was that a failure of your job description or the screening process?

    For example, I’ve never touched a network switch. I dare you to argue that makes me Not A Security Person.

    And, yes, there are way too many unqualified security people (technical or otherwise) out there, but don’t confuse lack of specific technical skills with “knows nothing about security.” I find that there are invariably many more unqualified than qualified people for pretty much any job I’ve ever hired for–security, development, operations, or even retail.

    • Supriyo Mandal says:

      I agree with Chandler. I am working as Manager Information Security and all I am concerned with is how to make my environment compliant with the norms. We as information security professionals need to know that in order to achieve X, Y needs to be done. How it needs to be done can be done by the technical guy (actual implementation).
      These certifications definitely add value. Not a must have but good to have.

  • Blue dot says:

    I was considering CRISC, maybe it could turn out to be a bit helpful in Risk management. Maybe after a few upgrades to the current scope.

  • Don Nelson says:

    @ David Casey…
    David I think you are being overly critical. First and foremost; Information Security is not a firewall, IDS or antivirus; but rather a set of processes (policies) and tools (standards, guidelines, procedures etc.) layered to create a security foundation and framework. I am really surprised to hear your comments about the CRISC, “Add to that the ability to grandfather into it, gives it even less meaning.”

    Are you aware in 2002/2003 the CISM (first released) was initially offered through a grandfathering program? Per your name tag, it appears you hold the CISM???

    A grandfathering program is standard operating procedure for ISACA and other organizations. Also, I think your assessment of your candidates was unfair (This based on your description.). The CISSP is not a technical certification, although it touches on technical subject matter. You would have an argument if you stated a candidate came in and interviewed for a firewall admin position and holds a CCSE, CCSP, CCIE Security or JNICS-FW and could not explain the difference between a SPI firewall and a proxy filter.

    Education is just as important as hands-on experience. The two together make for a trained, experienced and well rounded candidate.

  • A. J. Strive says:

    I can remember when the CISSP and CEH certs brought gales of laughter from practicing professionals. The fact of the matter is that the creation of a certification standard frequently offers a starting point for establishing formal criteria for the subject matter. It is always immature at the start and frequently becomes pompous in maturity, but that is the way it is. While the CRISC focuses on information risk, I agree that there are much more mature industry risk frameworks; Aerospace for example, that should be drawn on as practice and knowledge sources. At the end of the day, experience rules; certification can provide acknowledgement of that experience and a minimal means of vetting an individual’s potential.

  • Phillip Sparks says:

    Let’s be PROACTIVE instead of critical. I would love to hear about what CAN be a better job practice and skill set that is needed. I am working on both the commercial and Department of Defense sides and develop programs for training and coaching the skills from MBA to IT Audit and all of technical security for our Certification of Information Assurance Workforce, and conduct all the CISM/CISA training and review courses for ISACA in both commercial and military environments. I have worked on Risk Management for years at ERM as well as IT Security/Risk, and a common theme in all of this is RISK MANAGEMENT. When I discuss the Value of IT with MBA students, or discuss CMMI with MIS students or development houses, or discuss why ITIL/Cobit, or discuss with business managers what will keep them from reaching their goals and objectives, it is ALL risk management put into a different taxonomy that that particular audience can understand.

    I have not been impressed with the current Risk Management certifications that are available. I did participate in the job task analysis of ISACA (which is a VERY positive thing about how ISACA keeps their certifications more aligned to practice). It is also not perfect, but I think it is a start. If we contribute instead of just complain, it can get better, or we can create something better. What can be better?

    So Alex, I welcome a personal dialog with you or others on what and how we can do it better. I can host a web conference and invite all who want to participate (up to 100 attendee capacity).

    best regards,

    • Debbie, PMP, CRISC says:


    • Angelo Gallo, CISSP, CISA, CRISK says:

      Ditto to the Ditto…

    • Alex says:

      Uh, Phillip, the point is that there is no “better”. Our understanding of risk is soooo immature that it doesn’t make any sense!

      CRISC certifications are like taking a neanderthal, teaching them how to plug in a lightbulb, and then certifying them as a master electrician. Except the concept of electricity is still theoretical. Just doesn’t make sense.

      • Then lets create it (the better understanding of risk).

        I am trying to agree with your statement of “taking a neanderthal, teaching them how to plug in a lightbulb…”, but I find that people already know risk management, they do it everyday according to their own tolerances, preferences, methods, and group culture. Unfortunately, we do not give them credit for that intelligence and instead expect them to just forget IT risk and turn it over to the IT staff instead of taking responsibility (as in RACI) defined job roles and responsibilities.

        I do not want to see anyone certify someone at CRISC to be a master electrician just because he knows ONE task…i.e. plug in a light bulb. The ISACA CRISC has a few job practice domains and clear job tasks listed.
        I do agree that maybe the grandfather clause is too easy and that the certification may not actually be strict enough or related to the jobs we need the “certified” risk managers to perform, but that is why there is option to give feedback to the CRISC programs and why they change the job practice from time to time as required by ISO 17024 certification.

        In classes and when consulting, I go all the way down to teaching Risk of IT by getting examples of users performing risk management as a daily process of making their meetings on time and delivering their projects on time. Cobit and any other control is just the same as someone taking the effort to put a spare tire in the car in case there is a flat, so they can still make it to their destination on time, or are not stranded in the middle of nowhere. Risk tolerance is different for other people and there is a culture of risk that is also organizational. I know people who will jump out of airplanes with nothing but a thin fabric of silk slowing their descent. I also know people who will not go into a plane for fear of a crash because they saw it happen on the news. Statistics are not important to them. Just like Cobit, ISO 27001, NIST, CNSSI 1253, they are tools and controls.

        Risk categories can be almost anything, so I simplify it to a simple chunk: Risk is not FORSALE:
        Financial, Operational, Reputational, Strategic, Asset loss, Legal, Environmental.

        To start, from your experience, list just
        7 things that people should know what to do about risk management (job tasks), and what knowledge levels they must have by listing
        3 topics of Awareness,
        Must be aware of:
        Must be aware of:
        Must be aware of:
        (for example aware of the ISO 31000, ISO 73, NIST standards, aware of the different COSO and ERM current direction, Aware of the risk management required by Stock Markets for any public company).

        3 Knowledge that they must be able to List, Comprehend, and Apply, and
        List the X _______ related to risk management
        List the 5 standard functions of risk management according to the ISO 31000 Standard.
        List the three (3) most important steps in conducting a risk based audit:

        In the following scenario what would you do as risk management personnel:
        Scenario: xxxxxx
        Option A:
        Option B:
        Option C:

        Why A is proper or not for comprehension
        Why B is proper or not for comprehension
        Why C is proper or not for comprehension

        7 specific skills that they should be able to do on the job.
        To be risk management certified personnel you should be able to do the following:

        Several Risk Management certifications have tried to sell classes, and I agree that we do not really have a clear understanding of how to apply risk, but I think we can solve that problem by doing the above task and defining what we as a community define as a job practice.

        I am more than willing to share my CertME structure and worksheet with you to get more effective and mature risk management understanding. It will help me give better feedback to the ISACA CRISC and DoD risk management process that helps everyone.

        This may be the “research” that you were looking for in a later posting. If we can get 10,000 risk practitioners completing a survey like that above, would that be less “Horseshit” and more practical to having a real certification?

        How about if I put together a live environment of typical IT infrastructures and we list the 7 top skills that risk professionals should be able to perform on a network, and we give the task, conditions and standards expected. Give them a remote login to the resources, access to all the standards, and tools a practitioner normally has and see if they can actually perform the tasks, in the stated conditions, and to the standard defined.

        I.e. Example of Just ONE of many scenarios that could be perhaps a better performance based Certified Risk Management Professional for Information Systems.
        Scenario: You are a risk manager responsible for the determination of the current risk of the IT infrastructure and must report to Senior management on the findings with recommended countermeasures and cost benefit analysis according to the standard selected by the organization (i.e. Cobit, ISO 27001, NIST, CNSSI, GMP).
        Conditions: Given a 3 tier network system consisting of Web servers, database servers, file servers, workstations and routers, you must conduct a risk analysis and identify all current vulnerabilities and threats present. You will be given a selection of automated scanning tools normally available to any risk manager to conduct vulnerability scans at the file, server, application and network levels. You will be given a standard report format to complete and present in PowerPoint format.
        Standard: You will scan, analyze and produce the assessment report of the given environment of 10 devices in 2 hours with 80% accuracy of found vulnerabilities, and a listing of priority that can include no more than 2 items out of order in terms of priority from the given scenario based upon cost benefit analysis.

        If you have other ideas, I would love to hear them and see if we can get to the maturity level for an IT Risk management certification program.


        • adam says:

          This may be the “research” that you were looking for in a later posting. If we can get 10,000 risk practitioners completing a survey like that above, would that be less “Horseshit” and more practical to having a real certification.

          I don’t think such a survey (by itself) helps. By analogy, we could survey 10,000 people on what a Picasso looks like. If it turns out 1,000 are blind and 1000 are professional artists, then what did we learn?

          We need to understand the links between such understandings, the tasks they drive, the environments in which they’re applied, and the outcomes which they produce.

        • Alex says:


          Here’s your three topics of awareness:


          IT Risk as everyone else practices it may just be the act of trying to create point probabilities for a complex adaptive system. Currently, many people who are experts in complexity theory believe this is impossible. Those who don’t believe it’s impossible have yet to really be successful in proving the other folks wrong.

          What this means is that even if all your pretty standards were to have sane risk equations (hint: they don’t) those risk statements your standards tell you to make are unicorn dung. Fake horseshit.

          This is not to say that the concept of risk management is useless, it just means that the cottage industries our field is creating to generate money for consultants is a complete lie. You are being hornswoggled. The good news is that if you’re willing to not listen to the charlatans, there are other approaches that are/will be useful.


          If you create a statement about risk, and you have to refer to some standards “domain” for it to be applicable rather than just going over to the asset owner/administrator/control operator with a simple sentence or two statement – you’re not doing risk management, you’re doing bureaucracy. If you’re creating bureaucracy, you’re just making problems, not solutions.


          Any one given scenario you can think of will have to be so specific in actors and their actions in order to create probabilities that it will be fairly worthless as an actionable probability statement. But will give you a warm, fuzzy feeling that you actually did something. Hopefully your boss will feel that way, too.

          So if you’re really going to create a risk register that is intellectually honest, the outcome has to be a near infinite list. This will be useless to executives and will create a disdain for risk management rather than help them make decisions.

  • Oliver says:

    >>I challenge you to show me, in valid scale and using publicly available models, the impact of COBIT adoption on an organization’s exposure to risk.<<

    CobIT allows one to segregate what is called IT into analysable parts.
    Different Risk models apply to those parts. e.g. Information Security, Architecture, Project management. In certain areas the risk models are more mature (Infosec / Project Management) and in certain they are not (software distribution). That is for the risk modelling part.

    For risk identification and KRIs, an internal control framework which is based on cobit allows an adequate and comprehensive net of indicators for risk assessment based on operational performance

    If you think that "some things can't be measured" will prove your thesis, you don't know Risk Management at all. There is no mathematical voodoo to model a risk exposure which is 100% correct. You have to keep the purpose in mind and also use professional judgment based on your experience (which CRISC by the way tries to attest).

    You fight against an attestation which takes into full consideration your own challenge. Namely, that Risk Management in IT is currently getting mature and the according professional judgment is proven by experience. Needless to say that the way it is being done in IT further enables IT to the next level of being mature. And in doing in turn further develops the requirements of a CRISC certification.

  • alex says:

    Oliver. You’ve completely missed it and have no idea what my point was. My response is here –

  • Lam says:

    To David Casey,
    It appears that not all CISSPs or CISMs are alike. I also hold both certifications (and more) and I don’t agree with your comment. I certainly don’t think it was right for you to criticize those candidates. They could have been great candidates but perhaps they were interviewed by the wrong person for the wrong job. I too don’t remember how the TCP/IP handshake works but who cares as long as it connects.

  • Dave says:

    I started out in one of the fields (Critical Care Medicine) that has a mature Risk Management capability. I am old enough to remember the time (1970’s) when CCM was very immature and the concept of risk management did not exist in any meaningful way. Only with the advent of the professional organizations, professional standards, and certifications (and peer pressure) did we manage to make any meaningful advances. By the way, we used the Grandfather concept as well and as soon as things started to come under control, there were a number of people who realized that CCM was not their true calling.

    • alex says:


      CCM even at the time, had a very practical, medical-oriented approach to “risks”. In addition, the ability to perform and share information in that industry was/is pretty simple compared to infosec. So while I would love it to be wonderfully analogous, it’s just not.

      Bottom line, no one can show me how much risk COBIT adoption reduces (or even introduces), so my initial challenge stands. If ISACA can’t even show me, even *roughly*, the risk reducing value of their own previous efforts – then maybe a better starting point would be for them to do, you know, actual *research* before certifying people on horseshit.

      • Sid says:


        Just imagine (or try at your own risk) this –

        Step 1. Carry out risk assessment
        Step 2. In your organisation, boycott all COBiT recommendations / requirements for 3-6 months
        Step 3. Carry out risk assessment again

        Do you see an increase in risk? If yes, then you will agree that adoption of Cobit has reduced the risk for you so far.

        You might argue that it’s ‘a Control’ that ultimately reduces risk & not Cobit.. however I sincerely feel that ‘effectiveness’ of the control can be greatly improved by adopting the cobit governance framework & improvement of controls can be translated into reduced risk.

        I can go on writing about how cobit also governs your risk universe, but I am sure you are experienced enough to understand these overlapping concepts without getting much confused.


  • Alex says:


    That’s as maybe. But the point is that our ability to understand risk is incredibly immature. We multiply things measured in ordinal scales, we ignore determinants for the sake of crayola colors, we use the term likelihood in a manner that would make a first year stats student weep (or laugh). But, I loved your comment and used it to write a post:

    Hope you enjoy!
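The comment above says we “multiply things measured in ordinal scales.” The following script is an added illustration of that specific point, not code from the original post or from any commenter, and the four-item risk register and the two numeric encodings in it are constructed for the example. A five-point Low-to-High rating is ordinal: it orders the levels but says nothing about the distance between them, so any order-preserving assignment of numbers to the labels encodes the same ratings. Multiplying two such encodings and sorting by the product gives a ranking that depends on which numbers the analyst happened to write in the heat map, which the script shows by flipping the relative order of two risks with nothing but a relabeling. It also shows what ordinal data does support: ordering on one axis at a time, which comes out the same under every encoding.

```python
"""
Added example: why a "likelihood x impact" score built from ordinal ratings
does not produce a defensible ranking.

Five-point ratings (Very Low .. Very High) are ordinal: they say High is worse
than Medium, not by how much. Any order-preserving assignment of numbers to the
five levels encodes the same ratings. Multiplying two such encodings and sorting
by the product yields a ranking that depends on the encoding chosen, not on the
ratings themselves. The register and encodings below are constructed.
"""
from itertools import combinations

LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]

# Two order-preserving encodings of the same ordinal levels. Both satisfy
# Very Low < Low < Medium < High < Very High, so neither is "more correct".
ENCODINGS = {
    "linear": {lvl: n for n, lvl in enumerate(LEVELS, start=1)},  # 1,2,3,4,5
    "doubling": {lvl: 2 ** n for n, lvl in enumerate(LEVELS)},    # 1,2,4,8,16
}

# Constructed risk register: (id, likelihood rating, impact rating).
# A: commodity malware on an isolated kiosk   B: regulatory fine after a breach
# C: stale admin account abused               D: backup restore fails when needed
REGISTER = [
    ("A", "Very High", "Very Low"),
    ("B", "Very Low", "Very High"),
    ("C", "Medium", "Medium"),
    ("D", "Low", "High"),
]


def heat_map_scores(register, lik_enc, imp_enc):
    """The usual heat-map score: encoded likelihood times encoded impact."""
    return {rid: lik_enc[lik] * imp_enc[imp] for rid, lik, imp in register}


def reversed_pairs(scores_a, scores_b):
    """Risk pairs strictly ordered one way under encoding a and the opposite
    way under encoding b. Any such pair shows the ranking is an artifact of
    the numbers chosen for the labels, not a property of the ratings."""
    flipped = []
    for x, y in combinations(sorted(scores_a), 2):
        diff_a = scores_a[x] - scores_a[y]
        diff_b = scores_b[x] - scores_b[y]
        if diff_a * diff_b < 0:  # opposite signs: the pair's order flipped
            flipped.append((x, y))
    return flipped


def axis_order(register, axis, enc):
    """Risks sorted from worst to best on one axis only. Ordinal data does
    support this: the result is the same under every monotone encoding."""
    col = 1 if axis == "likelihood" else 2
    return [rid for rid, *_ in sorted(register, key=lambda r: -enc[r[col]])]


def demo():
    lin = heat_map_scores(REGISTER, ENCODINGS["linear"], ENCODINGS["linear"])
    alt = heat_map_scores(REGISTER, ENCODINGS["linear"], ENCODINGS["doubling"])
    print("linear x linear  :", lin)
    print("linear x doubling:", alt)
    print("pairs whose order flips:", reversed_pairs(lin, alt))
    for enc_name, enc in ENCODINGS.items():
        print(f"likelihood order ({enc_name}):",
              axis_order(REGISTER, "likelihood", enc))


if __name__ == "__main__":
    demo()
```

With the linear encoding on both axes, C (Medium/Medium) outranks D (Low/High); keep likelihood linear and merely relabel impact as 1, 2, 4, 8, 16 and D now outranks C, while B jumps from last to joint first. Nothing about the risks changed, only the numbers written next to the words. The single-axis orderings, by contrast, are identical under both encodings, which is the one thing an ordinal rating can legitimately tell you.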

  • Sid says:

    You are right Alex. I also think, other than computation technique there are bigger shortcomings in our traditional risk assessment methodology…PEOPLE.

    Traditional risk management relies on identifying risks based on the experience of the teams involved in the enterprise. If the risk is outside the experience of the group it is unlikely to be considered. The exercise may either be too narrow, by staying within the comfort zones of the participants, or too broad by considering risks that are not relevant to your business. In addition, the negative connotations of the word “risk” means that people have to change the way in which they think in order to identify negative events.

    The solution is to make people aware of RA expectations. Courses like CRISC intend to fill this gap by creating risk awareness. Yes they are making money, but they are taking steps towards creating risk awareness. That’s why I like CRISC.

    To summarise, I think the problem is not with risk calculation methods.. it’s with inaccurate or inadequate inputs people give in terms of threat, vulnerability, impact & likelihood.

    PS : Annual performance review will start in a couple of months. My CRISC GF application got approved yesterday. $625. Big boss is very impressed. Do you want more justification? 😉

    • Alex says:

      “Traditional risk management relies on identifying risks based on the experience of the teams involved in the enterprise. If the risk is outside the experience of the group it is unlikely to be considered. The exercise may either be too narrow, by staying within the comfort zones of the participants, or too broad by considering risks that are not relevant to your business. In addition, the negative connotations of the word “risk” means that people have to change the way in which they think in order to identify negative events.

      The solution is to make people aware of RA expectations. Courses like CRISC intend to fill this gap by creating risk awareness. Yes they are making money, but they are taking steps towards creating risk awareness. That’s why I like CRISC.”

      So if I understand what you’re saying Sid, it’s we suck at risk, so something like CRISC, which certifies our suckitude, is useful.

      Congratulations. We now have a cottage industry trumpeting how stupid we are (which is kind of the point of my post).

  • Alex says:


    Just because you can codify a standard or practice doesn’t mean that this practice is sane. There’s plenty of documentation around homeopathy, astrology, biorhythms, and other pseudosciences, but that doesn’t make them any more real.

    In other words, just being able to reference a document for repeatability does not make the outcome of those acts real or valid. Almost everyone in this thread has focused on our industry’s ability to create documentation, not on the fundamental problems of creating a defensible method for risk expression.

  • Vasant says:


    I find it amazing, the debates about certification — specifically whether it’s good, bad or ugly. As A.J.Strive pointed out there was a time when both CISSP and CEH were (and still are) laughed at. (Investigate closely and you will find most of these guys are people who don’t have the ‘courage’ to give the exam). Personally I’m amazed when certifications are treated as an end-all. I mean neither ISACA, ISC2, SANS nor any certification body claims that once you have any of their certs, you are master of that subject. It’s just a starting point isn’t it.

    You mentioned the pseudo-sciences like Homeopathy etc .. some people believe in it, some don’t, in some countries this is officially not recognised and in some countries you could be an official doctor. In the countries where it is recognised they need a way to know whether a person has the knowledge as compared to someone who doesn’t. Certification is just that. Whether I choose to go to a particular doctor is my choice and the way they treat me. There are some GPs who can treat me better than others. All of them will have the medical degrees, some of them will be good, some of them won’t. Once I know who is good, I will go to them — but I’m not going to start questioning the medical degree.

    Regarding your point about maturity of the risk management field, it's relative, isn’t it? I mean can we call the field of IT mature? (Let us take a retrospective of CFOs and the business cases they were presented about IT projects and let's see if those IT projects delivered those promises). Obviously there will be good projects, some bad ones and some really ugly ones. What I’m trying to say is that maturity is a question of the time-frame we belong in. If I research any topic on an on-going basis over time, I will be more ‘knowledgeable’ and therefore slightly more mature the next day than the previous. So do I wait till I mature before doing something in that area? In fact my participation in that area, whether it's meeting other people and discussing that topic, implementing whatever models are currently available and constantly evolving them, or implementing new thoughts / models, is all contributing to the maturity of the process.

    In the context of CRISC, ISACA saw an opportunity to offer a certification. Now IMHO that is also a way/ mechanism to mature the field of risk management. Nobody is claiming CRISC = Master of Risk Management — it's just another certification, a quick way to say that I have some knowledge as required by another independent and recognised body — that’s all. Whether that knowledge is deemed to be adequate or not is a matter between the certification valuer (e.g. employer, other organisations before they take consultants etc) and the certification holder. Heck, if a diamond is valued at $$$K by a valuer, would you really go and blindly pay that amount? Why not? Why do jewellers offer discounts then? If the jeweller thinks the diamond could be sold for much less, then do we go sue the valuer? Why not?

    We have certified financial planners — how many billionaires of today went to one? Do we issue their association a challenge of “show me one billionaire that one of your associates has created”? If not, the entire financial planning theory sucks.

    Having any certification or degree is not going to mean that you won’t ‘suck’ (to use your word) in that area. It is just meant to be a differentiator in the grey world that we live in. What value you attach to it will differ from person to person. You have a point in saying the field is not mature, and that's your view and valuation.

    ISACA is in the business of certifications and creating a body of knowledge around IT Assurance; they see it differently. Now if some people think it's for $$$, well, I wonder what their main motivation behind “working” is (in contrast to being on a holiday every day, which everyone just dreams about). If somebody increases their knowledge due to attempting this certification (whether it's enough, i.e. valuation, is another issue), that is a good thing, right? Worst case, somebody reads about the state of risk management as it exists and hopefully it gets them to think about this field a little bit more.

    BTW, Alex, why are you so negative about the state of risk management today? I get your point that it's immature, but don’t you agree all that we do today, including your contribution, is in some way contributing to the body of knowledge that someone will study/ research in the future to their benefit and help mature it? Different people are doing it different ways — you teach, write books and blogs. ISACA thought of a certification.


    ps: Thoroughly enjoying your book — wish it came out 20 years ago, but there wouldn’t be an old school then, would there, 🙂

  • Larry says:

    Alex: “I wasn’t trying to make a hostile comment there, just ask a question.”

    I understand that, Alex. I didn’t sense any type of hostility from your past comment. In fact, I’m enjoying the conversation. This question needs to be raised.

    Alex: “If (as I assert) InfoRisk is a very immature field,”

    I agree with you. It is an immature field which is why I question the value of the CRISC as well. For the record, I currently hold a CISSP and CISA cert.

    Alex: “what’s the use of having a peer vouch for you?”

    All the peer is doing is confirming that you worked at the company in question under the assigned role that was stated on the application form. For example, if I was Director of Security Operations at company X, the verification would confirm that my position at company X was true. The verifier doesn’t list your experience using a specific scale.

  • Alex says:



    Well OK, then. I thought the purpose implied competency.

  • Anthony says:

    Alex – I think that the point has been well made that today all Certifications (e.g. CISSP, CISM, CISA, etc.) have been marginalized, and that CRISC should not be the sole example. If desired any Neanderthal can attend a 3, 5, or 7 day boot camp, pass a test and claim a right of prestige and higher salary, much to the dismay of those of us who’ve worked long and hard in our fields.

    I think your energy would be best served in making an example of ISACA, ISC^2 and other certifying bodies, for allowing their certs to be so marginalized by third parties that are only interested in a buck. Not the inherent immaturity that every certification in existence has evolved from.

  • PostNoBills says:

    I remember way back when ISACA and CISSP were first being formed.. and the CISSP was offered as ‘grandfathered’ too. I place no value in CISSP; some of the stupidest people I have met are CISSPs. If you have good rote memory you can read the books, take a bootcamp and pass the test.

    “Show me what you know, not what paper you have”

  • Chandler says:

    The CISM was grandfathered. The CISSP was not.

    That’s not to say that there aren’t issues with both cert’s, but understanding the limits to the value of a cert. I, too, have met people that I wouldn’t trust to feed my cats holding everything from a CISSP to a police badge. But part of utilizing that fact is just like utilizing any other piece of information about a person.

    • IS Expert says:


      There are 2 reasons why you feel that someone you met sounds stupid in terms of their knowledge.

      1. They know more than you. Since you have never heard that concept in life they sound stupid/less knowledgeable to you.

      2. They really don’t know anything, which is obviously not possible because even to pass the exam you need to read and understand. But these types of people at least need a chance in the field because of their serious attempt.

      So it is always important to know which category of people you are talking about and always re-check before you confirm.


  • Risky business says:

    The writer of this blog article is proof why perhaps they should do the CRISC cert. (saying this with not having done this by as a Risk Professional) in order for them to understand how to calculate the change in the exposure to business risk by implementing COBIT. Unpack COBIT and calculate the risk exposure (impact and probability) to the business of no control. I am concerned if IT professionals out there, especially in management positions do not grasp the concept of risk management. The IT industry is way more mature for this than the operational/business side as it is by far more structured.

    I find many IT professionals still in today’s age resist the meaning of control and love the gung-ho attitude to implementation – just get it done, fix this, change this without adequate / appropriate consideration to a business that they support.

    • Adam says:

      “The writer of this blog article is proof why perhaps they should do the CRISC cert.”

      Dear Risky,

      You’re coming dangerously close to ad hominem here. We reserve the right to mock such behavior, and those displaying it, mercilessly. We also disemvowel, etc.

      We love debate and encourage it as a means of advancing the field. But please keep it civil.


      • Risky business says:

        “I challenge you to show me, in valid scale and using publicly available models, the impact of COBIT adoption on an organization’s exposure to risk.”

  • Alex says:

    @Risky Business

    I’m a little slow sometimes – I have no idea what you are trying to say.

    > “saying this with not having done this by as a Risk Professional”

    Are you implying that I’m “not a risk professional”? Are you saying that you’re not “a risk professional”? Are you saying there’s no good idea as to what a “risk professional” is but by golly if anyone can tell us, ISACA is capable of doing so?

    “Unpack COBIT and calculate the risk exposure (impact and probability) to the business of no control.”

    What do you mean by “the business of no control?” Do you mean “calculate the risk of not having *any* controls”?

    Finally, I’m guessing that in your last sentence of the first paragraph, you’re saying that you’re concerned that IT professionals don’t understand risk management. Awesome. I’m in agreement. I’m just also saying that ISACA probably doesn’t understand risk management, either.

  • Risky business says:

    Fair comment on my language skills and not getting the message across… I hope your initial question gets answered. I am a risk professional. I have a very good idea what a risk professional is. Every human being is one 🙂

  • Shaugn says:

    Alex – I’m sure that if you contact ISACA directly, more specifically the CRISC working group, they would be more than happy to entertain your concerns and questions.

    As for not liking, or liking a particular accreditation, it’s a call we all have to make, and one which we are entitled to, i.e. there are MBAs and there are MBAs. The same can be said about most qualifications.

    My personal decision was to look for affiliation with organisations that added value, had good standing, encouraged innovation and debate, that were not stagnant and required ongoing learning. This filled my own personal needs. Others may be different, as you are by expanding your knowledge and seeking answers via this conversation and other social media. It’s all good.

    I leave you with this quote “Be an opener of doors for such as come after thee, and do not try to make the universe a blind alley”. ~Ralph Waldo Emerson

  • Alex says:

    @Shaugn –

    When you said “I’m sure that if you contact ISACA directly, more specifically the CRISC working group, they would be more than happy to entertain your concerns and questions.”

    I think you missed the whole point of the article. The point is that the industry, in how we understand and express risk, isn’t ready to have certifications and standardization on anything.

    So ISACA is driving us to premature standardization, and the lessons we have from bureaucratic theory state that regardless of how useless the policy, it will be difficult to change. Hooray! Nothing like stifling innovation for the sake of revenue.

    “organisations that added value, had good standing, encouraged innovation and debate, that were not stagnant and required ongoing learning.”

    What part of the past 10 years has ISACA been innovative or encouraged debate?

    Finally, the irony of your quote is lost on you? CRISC is, if nothing else, a “blind alley”.

  • Shaugn says:

    Thanks Alex, the vehemence of your reply though gives me a sense that there are undercurrents here of a nature only known to you.
    However, I respect your views, even though they differ from mine.

    As for your comments about ISACA, again, I urge you to address your concerns to ISACA, they are after all the ones best placed to answer you. Also, refer to the ITGI (established in 1998), affiliated to ISACA, as one of the numerous ways that ISACA encourages debate and innovates. Getting the facts will then prevent a whole lot of conjecture.

  • Alex says:


    I think you’ll find my “vehemence” for CRISC is directly proportional to my love of Information Risk Management.

  • frankly frank says:

    Greetings. I love ISACA – but I *hate* grandfathering in the way it’s done now. I’ll also share a thought further below on some people’s stuck-up view of people who have certs but lesser hands-on experience.

    An earlier comment made here now paraphrased: new certs are “a start” and better-refined in their body of knowledge 3 to 5 years after their creation.

    THEREFORE, I feel that ISACA should change its grandfathering provision to allow the candidate to only keep it for 3 years and then they HAVE TO take the exam to keep it. Only thereafter the CPE rule would apply. Might cut into residual revenue for the credentialing organization – but that’s all the more incentive to develop its BOK and get industry buy-in and not waste time with things that are flashy but hollow.

    Next, on the cert vs. hands-on issue, in the world of corporate types, there are specialists and generalists. Author Geoffrey Moore observes that IT is a “competence” culture where specialists thrive because at the end of the day the person who knows the most technically, hits the most balls over the fence, and works the longest hours, gets to be the boss.

    Generalists don’t think that way, which is why they’re needed as supervisors over the techies to keep things from turning into a sweat-shop.

    Corporate cultures that allow staff to make hire decisions rather than unit managers will have a problem with diversity. They’ll also give lip-service to being a “learning organization” but ultimately will hire for skill in the moment rather than overall talent. The Gallup Organization has written multiple books on this issue in the last 10 years.

    It’s a waste of time for mid-career professionals as job candidates, who have a credential but only “related experience” in the new field they seek to enter, to interview with a specialist in a “competence” culture. If that’s the deal-breaker, then AVOID these organizations as their overall corporate culture is likely ad-hoc rather than managed.

    Best Wishes,

  • Rich says:

    I could get it because I had my own company and then got hired to be the Director of Security so it makes me look good. I never take exams just go for grandfather certifications.

  • John Barchie says:


    I jumped at the opportunity for the CRISC cert. I am a CISSP, CISM and have several networking certs. I learned risk management from the banking industry (FFIEC). I am technical and I work in mixed DOD/commercial environments.

    Unlike CISM, which is almost purely management, CRISC is geared toward design and implementation. Which is a cert we needed; hell, I practically begged for it. So much money is wasted on addressing the wrong infosec risks it makes me sick.

    Unlike mature fields that have a depth of data to draw from InfoSec is problematic due to the advent of more mature IT programs, but by using comparative analysis and WAGs it is at least possible to identify higher priority assets. This understanding in and of itself justifies the emergence of the CRISC program.

    Before there was IT there was InfoSec, and in the commercial world the CRISC helps to identify the controls necessary for good operational security. Of course it helps if the CRISC practitioner has practical experience (and my application was a pain to fill out), and in fact experience is a requirement, but I find that it is much more important at this stage of our collective maturity level to know what to do, how to do it then becomes a task instead of a mission.

    I can’t tell you the number of times some IT manager wanted the firewall, AV and IDS configured as if those three controls were all that mattered. (And I am a former IT manager and can do all that.) Seriously, most IT managers have never even heard of an information security risk assessment. (And what the hell is IT doing being responsible for infosec risk anyway?)

    My 2cents.

  • School says:

    Heya, I’m here for the first time. I found this board and I find it truly useful & it helped me out much. I am hoping to give something again and help others such as you aided me.

  • Mustafa says:


    Can anyone recommend a better certification for someone looking to be certified in Risk Management?


  • Conrad says:

    I perform Information Technology risk assessment for a major financial institution. I am CISA certified and will be sitting for the CISSP examination in spring 2012. CRISC is wholly applicable/appropriate for people in my particular line of work. I would agree it's not a broad spectrum certification track… but why should it have to be?

  • Alex says:


    That's great for you. I work at a director level for a “major financial institution” with 17 analysts reporting to me.

    A – There is no “there there” around the CRISC, so I'm not sure what you mean when you say it is applicable/appropriate.

    B – As such, and given my current knowledge of the curriculum (admittedly sparse and due to change), a CRISC would not only NOT prepare you for a job in my team, but would probably inhibit your interview process by giving you a false sense of security.

  • IT AUDIT says:

    I know an IT Auditor who was just given the CRISC cert because he is a member of ISACA; when they introduced the cert he was grandfathered the cert. And this guy knows nothing of IT, has no IT background, and from working with him I think he makes stuff up that he thinks validates his existence here. I think he is a member of ISACA, and now a Chapter leader, to have something to account for him out of nothing at all.

  • Dave says:

    Well said bro.

    I really got irritated when people just put the cert signatures on their title – CISA, CISSP, CRISC – got into an interview, breezed through everything and became Director / Associate Manager for a Big 4 firm, but when it came to Audit, they didn't even know what Windows GPO and Windows AD are and how IDS works! WTF!

  • charlie says:

    I have had my CISA cert for several years now and I am sitting for the CRISC exam in two weeks.
    They are both of value.

    It would appear based on the comments – that some cannot differentiate between IT audit, IT management/governance and IT analysis functions. HELLO, they are not the same. Any organization looking for a hands-on IT analyst that advertises for an IT management person or IT auditor is displaying a lack of IT industry knowledge and IT internal organizational maturity.

  • André says:

    Well, I’m late for the topic, very late, but here is my cent.

    I don’t work directly with risk of IT assets in depth like configs, firewall rules, proxies, SBCs and etc. This is all in my past.
    I work with risk assessment with focus on the entire organization. When someone conducts a Risk Assessment in a factory, lab, telecommunication company, government companies and etc. there will always be something different that no book, no cert, no course will teach.
    The person responsible for the assessment must have an open mind and this is something this cert won’t give.

    Maybe for an IT thinker, this cert MIGHT be good. In my opinion, it must be viewed with caution. I agree that the fact that someone has ANY cert doesn’t make him/her better than someone who doesn’t.

    Usually people with certs who are driven by them kind of think the same way. Risk assessment MUST be a combination of many factors and vectors and an IT driven cert, again, won’t give that. My opinion.

  • Tony says:

    A CISSPer could not understand NIDS/AV/TCP/IP?

    No, I believe they just forget…

    I can tell you CISSP covers every single concept of the security field. I (CISSP, CISA, CISM, CEH) have more than 10 years security experience and I could NOT find even one security concept that CISSP has not mentioned so far.

  • Travis says:

    Certifications of any kind do not label you as a master of anything. What it does is let employers know that a person had the dedication to study and complete a tough exam AND has the desire to be in the field. When I’m hiring someone, certifications let me know that the candidate is serious about being in the position. The cert should give them broad knowledge, but the LAST thing I want is to hire someone who isn’t sure if they like the field and five months later quit because they realize they don’t like it.

    ALL education credentials, be it college or certs, should NEVER be a tool for anyone to assess someone’s knowledge. They should only be used to make sure you are hiring someone who’s made the commitment to the industry and that they are willing to learn more to further their scope of knowledge. Someone may not know the details of how a NIDS should be placed in a network because they never had to do it before, but a good hiring Manager can ask the right questions to find out if the person has the capacity to learn it. That’s what the pieces of paper are for…degrees, certs, etc. It means the person can learn new ideas, technologies, etc. to get the job done. Combine that with their past work experience and a candidate’s “portrait” paints itself.

    Any of you who are using these pieces of paper as proof of the skills a person has are doing yourself and your organization a disservice.

  • Abe says:

    I am a CISSP, CEH, CCNA (and Security), Security+ and a few Firewall certifications but I love the CRISC material. I am only half way through it and I do think that this certification is a great one to have. I have been in the security industry for 10 years and while I am very technical, I appreciate this material, it is eye opening and very informative.

  • Bill Clancy says:

    Recently I came to the conclusion that most IT people have no clue of what risk actually is. Sitting in a meeting about a new project, I asked about risk…Risk? Who cares about risk, this is cool! Really? This isn’t a science project, it’s a government sponsored IT system. So I began to study risk for myself. After several rather dull books and articles, I decided the people who knew the most about risk were the insurance guys. They bet on risk on every policy and factor in time just to keep ahead of the curve and still make money.
    IT guys…no way! We use risk as a lever to either get what we want or to ward off projects we are afraid of. I applaud ISACA in their effort to codify risk, but I also realize we’re a long way off. I feel that any effort is good and a certification will often scare off the naysayers who offer straw man arguments against best practice. It just needs time to mature, and it will get better.

  • Junaid says:

    What about ISO 27005 certified risk manager? Any thoughts/comments?

  • Riska says:

    Is the consensus still the same that CRISC is still not worth it?

  • Fred Shapiro thinks that “the typical theory that ‘hacker’ originally was a benign term and the malicious connotations of the word were a later perversion is incorrect.” He learnt that the harmful undertones existed at MIT in 1963 already (quoting The Tech, an MIT trainee newspaper) then described unauthorized users of the telephone network, [11] [12] that is, the phreaker movement that developed into the computer system security hacker subculture these days.

  • Sukhamoy Jana says:

    What is important is the way you observe and act! There is nothing wrong in CISSP/CRISC/any other certification.
    Because it is a common body of knowledge (CBK) which brings a value addition to the individual knowledge by sharing all the past experiences.
    Neither does maturity come in a day nor can any “thumb rule” do it.
    Rather, I believe that if we can develop new thinking based on the CBK it will be much more effective.
    The certifications help you to build a base of knowledge and align yourself towards the right approach. But it should never be taken as a guarantee; nowhere does it claim to be.
    I am a CISSP and considering CRISC/any other risk management certification. It’s not only to add another cert to my portfolio but also a way to enhance knowledge and skill sets.
    No cert/degree can guarantee to produce a good professional. It is we who are responsible to uphold the quality and professionalism.

  • JK says:

    If you are planning to do any work with risk management, CRISC is great. It will not do the work for you but it will tremendously help in structuring the proper approach. I have seen a lot of commentary about the certificates vs the experiences. While the certificates are good, they should not be confused with having the right experiences. When hiring someone you need to do your due diligence, and hire the folks with a proven track record. I personally found certification is a great way to keep myself challenged on a specific topic as it requires substantial personal time, but the reward is equally good. Rather than complaining, try to be positive and do something that you enjoy. The positive addiction described in William Glasser’s books.

Comments are closed.