ISACA Turns 50 Next Year, But Isn’t Too Old to Reinvent

Teamwork concept

The Information Systems Audit and Control Association has become a household name in the IT governance space and is now known and self-identified only by its acronym ISACA. ISACA will proudly celebrate its 50th anniversary as a training and certifying body next year. Although ISACA is a well-established organization serving more than 135,000 members in nearly two hundred countries, it continues to reinvent its core competences and redefine its role within the information technology and governance ecosystem, most recently by introducing a comprehensive cybersecurity performance test to validate technical skills and bridge the gap in today’s high-demand/low-supply security job market. The CSXP, or Cybersecurity Nexus Practitioner, certification is an aggressive departure from the flagship Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) designations. The CSXP is ISACA’s first fully focused cybersecurity certification and training initiative. “CSXP is very different from our other certifications,” admits Kim Cohen, director of certifications who has been with ISACA since 2000. “The largest section of our membership is audit driven, and with CSXP we are entering into a new market while also up-training the existing membership.” CSXP also departs from the CISA and CISM in test-taking methodology. The CISM and CISA exams provide experienced-based multiple choice questions, while the CSXP is comprised of hands-on and tactical scenario-based evaluations. Students will be tasked with accessing a virtual network and asked to do things like creating firewall rules, blocking an attack or executing a system recovery. CSXP is aimed at first responders and addresses skills across five security functions and modalities: identification, protection, detection, response and recovery. The CSXP was developed from survey feedback showing that ISACA members and the IT community at large yearned for a more vocational certification for broad cybersecurity proficiency. “There are tons of niche cybersecurity certifications on the market, so with CSXP we took a different approach, identified wide gaps in skill sets and aimed to fill them,” states Jonathan Brandt, senior manager of cybersecurity exams at ISACA and passionate spearhead for the CSXP program. And it is not about memorizing content: “CSXP is a performance assessment and requires an individual to actually demonstrate competence by performing tasks,” says Brandt. “You can be a great test taker, but can you actually do work with open source tools? That is what CSXP will validate.” The certification has transitioned to remote proctor delivery allowing candidates greater scheduling flexibility without the hassle of traveling to a test center. ISACA also offers cybersecurity skills-based training and an exam prep course. Training modules are self-guided. According to Brandt and Cohen, the CSXP is valuable to all levels of cyber talent but generally targeted to professionals with less than five years’ experience in the space. Achievement of the CSXP certification is based purely on passing the test, unlike the CISSP from (ISC)², the CIPM from IAPP or ISACA’s own CISA/CISM, which all have minimum years of professional experience requirements for accreditation. For medium to small businesses where IT talent is required to wear many hats, the CSXP may be the perfect approach to leveling-up and repurposing existing employees within the company. For larger corporate enterprises with broader compartmentalized talent resources in security, CSXP aims to help validate and evaluate newer entry-level hires. All technology taught and mastered in preparation for taking the CSXP exam is open source software, except for the Microsoft applications that are heavily integrated into the program. “Our program does not bully you into using expensive tools,” says Brandt, whose philosophy centers on the assumption that most—if not all—proprietary tools are based on some open source architecture. Grounded in the belief that “security doesn’t have to be expensive,” Brandt also adds that, “pricing for CSXP is extremely competitive.” There are a number of competitors to ISACA in the cyber certification marketplace, namely SANS and (ISC)². Brandt, who holds a wealth of ISACA and non-ISACA alphabet certs including the CCISO, CISSP, CFR, CISM, CySA+ and PMP, poses a compelling question based on his observations and personal experience exploring and obtaining a variety of certifications in the space: “If all the certifications claiming hands-on cyber training were effective, wouldn’t the skill shortage be in a steady state instead of showing a growing gap of unqualified talent? The gap is getting bigger, not staying the same.” According to multiple sources including Cybersecurity Ventures, Forbes, and CyberSeek, the shortage of needed security talent is indeed widening from an estimated one-million-person gap to a projected 2.5- to 3-million-person gap by 2020. Part of what Brandt attributes this growing gap to is the lack of hands-on skills in undergraduate and graduate students entering the workforce post-university. “Academia is just as important as certifications,” says Brandt, “but within the cyber space specifically, many college grads with degrees in cybersecurity are struggling with articulating and executing on the vocational skills required for entry-level talent.” Cybersecurity is a big media buzzword and academia wants to respond by offering education that entices buyers, but because there is no university-level standardization on education and training, everyone is approaching it differently, creating a fractured and incongruous talent landscape at the first responder level. Brandt admits he may be biased and attributes his professional growth and success to his “real-world experience,” attesting that the same real-world experience is what students will get training for with the CSXP. “There is a place for everyone,” adds Brandt, when commenting on both competitors to ISACA’s brand as well as baccalaureate pursuits in cybersecurity. “The only way to attack the skills shortage right now, however, is for academia to accept vocational models as essential.” Jared Coseglia is the founder and CEO of TRU Staffing Partners, an Inc 5000 Fastest Growing American Company 2016 & 2017 and National Law Journal's #1 Legal Staffing Agency, and has over 15 years of experience representing thousands of professionals in e-discovery and cybersecurity throughout the world.