Security professionals are in high demand as companies look to protect critical assets and frustrate attacker efforts. The result? Along with cybersecurity job postings, the variety and volume of certifications are also on the rise. From delivering generalized systems defense to deploying specific IT controls to meeting essential compliance requirements, there’s no shortage of infosec training opportunities for interested technology staff.
The challenge? Deciding which courses are worth your time — and which ones your current employer might be willing to pay for — as this market continues to evolve.
One of the most popular infosec certifications available for experienced IT professionals looking to improve their security qualifications is the Certified Information Systems Auditor (CISA). But what does this course entail? How do IT pros get certified? Moreover, is CISA training worth the investment?
Here’s what you need to know.
What is CISA?
As noted by TechTarget, the CISA certification “is a globally recognized standard for appraising an IT auditor’s knowledge, expertise, and skill in assessing vulnerabilities and instituting IT controls in an enterprise environment.”
In practice, CISA-certified professionals are often called on to audit information systems, identify key weak points and propose effective remediation practices. They’re also tasked with creating audit frameworks and ensuring these frameworks both align with corporate strategy and meet critical compliance requirements.
Companies typically look for multiple certifications when hiring security personnel; as a result, CISA-certified staff are responsible for monitoring and evaluating key IT practices, including:
- Risk Management — Are critical assets safe? What technologies are required to improve overall security?
- Resource Management — Does the current resource management match expected outcomes? How can IT portfolios be improved to meet evolving demand?
- IT Policies and Practices — What security standards exist in the organization? Do best practices align with current security expectations?
- End-User Operations — How are end-users interacting with IT resources? What controls must be deployed to limit accidental or malicious data exposure?
The result? While CISA is an audit-focused certification, qualified IT pros are often tasked with large-scale security management and oversight.
The State of Security
With certifications diversifying, is CISA worth the investment?
According to Security Boulevard, the cybersecurity “skills gap” continues to grow: 83 percent of HR professionals report hiring difficulties, and 52 percent say the skills shortage has worsened. This means that at a basic level, CISA as security training is worth it: Organizations are looking for skilled security professionals and understand the need for competitive salaries to attract top-tier talent.
However, there’s also a growing need for talented security auditors, especially as attackers increase the sophistication and speed of their attacks. Consider a recent Science Daily piece detailing a new approach to detecting advanced malware: analyzing power fluctuations. By spotting power anomalies, security teams were able to identify embedded malware and reduce overall risk.
This speaks to the emerging need for CISA-trained professionals: IT experts capable of thinking outside the box to track down new malware strains and improve network security.
Getting CISA Certified
The CISA certification is designed for professionals who have at least five years’ experience across information systems auditing, control, assurance, or security.
Certain substitutions are allowed: One year of non-IS experience can account for one year of CISA-approved experience, while 60 university credit hours, or a master’s degree in security or information technology, may each replace one year of experience. In total, three years of experience may be replaced by non-IS work or education — the remaining two must be direct experience in relevant IT positions.
Obtaining certification requires IT pros to complete a 150-question, 4-hour long exam with a score of 450/800 or better. Candidates must then apply for official certification, agree to honor the CISA code of professional ethics and complete at least 20 contact hours of continuing professional education (CPE) per year. To remain certified, CISA holders must finish 120 contact hours total over three years.
Is CISA Really Worth It?
Salaries for those with CISA certifications range from just over $50,000 at entry-level to more than $150,000 for C-suite positions. Additional certifications such as Certified Ethical Hacker (CEH) and Certified Information Systems Security Professional (CISSP) can both boost professional skill sets and command larger salaries.
In addition, CISA-certified professionals enjoy different opportunities depending on where they choose to apply their skills. For example, the state of Maryland says it’s “open for business” in cybersecurity by encouraging partnerships between tech firms, universities and tech-savvy workers to drive low-cost, high-impact infosec operations.
CISA also meets the requirements for DOD Directive 8140, giving certified IT pros a head start on DHS and other government security jobs in the competitive Washington, D.C. area. And in Virginia, a new billion-dollar “innovation campus” under construction at Virginia Tech, combined with massive local investment from IT giants like Amazon, makes the state a top-tier location for security talent.
The CISA certification remains in demand as companies look to boost infosec impact and bridge the cybersecurity skills gap. While successful CISA completion requires substantial education and experience, the long-term career benefits are worth the overall cost.
Ready? Get started with CISA today.