Shostack + Friends Blog Archive


CRISC? C-Whatever

Alex’s posts on CRISC are, according to Google, more authoritative than the CRISC site itself:

Not that it matters.  CRISC is proving itself irrelevant by failing to make anyone care.  By way of comparison, I googled a few other certifications for the audit and security world, then threw in the Certified Public Accountant (CPA) for good measure.

Needless to say, CPA crushed the audit and security certs with ~30,700,000 Google hits. CISM & CISA had 15,400,000 and 15,000,000, respectively. The CISSP showed a not-disrespectable 9,390,000.

Then we got into what I will kindly call the “add-on” certs, even though they are frequently intended to be extensions or specialist certifications.  I chose the ISSAP and ISSMP, the post-CISSP Architecture & Security Management certifications from ISC^2.  ISSAP had 181,000 hits, ISSMP had only 69,000 hits, making it the only certification I checked that fared worse than CRISC.

Now that the data is out of the way, I can get to the real question.

Does no one care about CRISC because no one cares about yet-another-super-specialized-certification?  And/Or does no one care about CRISC because no one cares about risk assessment?

Well, given that googling “Risk Assessment” (in quotes) got me 12,400,000 hits, I’m going to go with yes on the first question and no on the second.

Now, combining Alex’s CRISC-O post with something Nick Selby said in a conversation he and I had a while back, “You can’t manage a risk you don’t understand,” all a Risk Assessment Certification can even potentially do is imply that the holder knows how to follow a process, which I would argue is the least intellectually challenging and valuable part of any knowledge work activity.

Personally, I care a great deal about Risk Assessment, both as an interesting intellectual problem and also as a tool for solving real-world problems, even if I generally lack the time to do it right.  I certainly don’t have time to get certified as a Risk Assessor, nor do I feel the need.  Given my opinion that certifications are just a signalling mechanism in the hiring process, that should come as a surprise to no one.

4 comments on "CRISC? C-Whatever"

  • dutcher says:

    Not to be an ISACA apologist, but your googlemetrics may be skewed by the fact that, since there hasn’t been a CRISC exam, there are no CRISC exam prep courses yet, and hence no web pages dedicated to commercial ventures to exploit the certification. And the CPA has got a 100 or so year head start. (And to add another datapoint – PMI-RMP established June 2008 – 94,900)

    And to be maybe a mild ISACA apologist, I think there may be some good in RiskIT, but plugging it into a Cobit-style framework may not be the way to go. From what I hear, the next version of Cobit will include ISACA’s ValIT and RiskIT.

  • alex says:

    “From what I hear, the next version of Cobit will include ISACA’s ValIT and RiskIT.”

    Dooomed, Doomed I tells ya!

  • @dutcher–perhaps. Googling for “CRISC Boot camp”, “CRISC Practice Exam”, etc. all yielded a couple hundred hits or less each–actually *better* than those queries for the ISSAP and ISSMP, despite their having been out there for a few years now.

    “CISA Boot Camp” and “CISM Boot Camp” produced 36,000 and 25,800 hits each. “CISSP Boot Camp” produced 102,000 hits, so there doesn’t seem to be too strong a correlation between overall volume and bootcamp volume.

    Switching away from the supply side, I decided to see how the various certs fared on CISSP was simply “>1000,” CISM was 279 and CISA was 665. So no correlation there, either, and which, to some extent, shoots down my theory that people primarily use certifications as an employment signaling mechanism.
