Why I Don't Like CRISC
Recently, ISACA announced the CRISC certification. There are many reasons I don’t like this, but to avoid ranting and in the interest of getting to the point, I’ll start with the main reason I’m uneasy about the CRISC certification:
We’re not mature enough for a certification in risk management.
Don’t believe me? Good for you, I like critical thinkers. So let me offer up a little challenge in using ISACA’s own religion as my proof.
ALEX’S CRISC CHALLENGE TO ISACA
I challenge you to show me, in valid scale and using publicly available models, the impact of COBIT adoption on an organization’s exposure to risk.
If you can do that, then I’m all for certifying that someone can “get” risk management and that a certification might actually mean something. But until you can, I can’t for the life of me figure out what you are actually certifying and why having the letters “C, R, I, S, & C” together in someone’s title actually means I should value their certification – much less how this certification would actually end up having someone “see risk”.
- Answers of “some things can’t be measured” will be considered to prove the point.
- Answers of “COBIT is governance, not risk management” will also be considered evidence that proves the point.
- Jack Jones & disciples, Russell Cameron Thomas – I believe you could give it a go. In the interest of not wasting your time or exposing your IP, I hereby disqualify you from this challenge for being too dang cool.
At some point later in the week, I’ll post more on CRISC and I’ll also include alternate, more useful strategies for the CISO than sending people to CRISC school.