Alphabet Soup: Understanding the Qualifications of Risk Management Professionals

Imagine you’ve just received an email from a potential vendor looking to make a connection. You notice that after his name in the signature block he has listed five abbreviations, all intended to make him appear qualified, reputable and knowledgeable. But what do the abbreviations actually mean? Are they relevant to the service you're trying to procure? The answer is that it depends. Some certifications are mandatory for some jobs, while others are just nice to have. Most often, certification requirements are based on the needs of the project.

Look at it this way: a pilot’s license is crucial for a commercial airline pilot, but it's irrelevant for practicing law. Similarly, technical certifications are necessary for members of your IT department, but they aren't as relevant when you need someone to issue a Service Organization Control (SOC) Report.

If you need to provide a SOC Report to your clients or customers, regardless of the version you need, you’ll need a CPA. You might also need additional specialized certifications: for example, Pulse and STAR require a Certified TR-39 Auditor to perform ATM and PCI PIN compliance audits.

Who issues certifications for Cyber Risk Management Professionals?

Everyone’s heard a story about someone being ordained by an internet church in order to officiate at a wedding. Unlike ordination from the "Church of Bob," credentials for cyber risk management professionals are issued by ISACA, an independent, nonprofit, global association engaged in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.

When it comes to mission-critical work being performed for your firm, you want to make sure the certifying organization is established, credible, and respected. ISACA is the standard for IT governance certifications. Here are a few ISACA certifications you should be aware of:

  • Certified Information Systems Auditor (CISA) is a globally recognized certification for IT audit, control, assurance, and security.
  • Certified in Risk and Information Systems Control (CRISC) is for IT professionals focused on IT and enterprise risk management.
  • Certified in the Governance of Enterprise IT (CGEIT) is a certification held by individuals from management to the C-suite level. It focuses on enterprise IT governance principles and practices, as well as strategic alignment.

The American Institute of Certified Public Accountants offers the Certified Information Technology Professional (CITP) credential, which is only available to CPAs. It combines information assurance and business insight to bridge management and technology. The CITP certification demonstrates that the CPA has a deep understanding of technology, including the ability to understand the technology risks that can impact financial statements, to perform data analytics that reveal vital insights for business plans, and to evaluate security programs and policies.

While certification is important, understanding the experience of the individual is equally important.

Certifications ensure a baseline knowledge and understanding, but experience matters. If you need heart surgery, would you choose the young doctor who just finished his residency or a seasoned journeyman surgeon who has completed hundreds of successful operations? 

Be aware, however, that certifications are not one-size-fits-all. Your organization has unique needs, challenges and opportunities. Make sure you entrust access to your financial and technology systems to professionals who have the appropriate credentials, experience and depth of knowledge. Evaluating and selecting the appropriate vendor for each business need will have concrete, measurable results.
