SIP Study Group - CISM Session 1 - 12th March 2025
Meeting summary for SIP Study Group - 12th March 2025 (12/03/2025)
Quick recap
Winton discussed the importance of the Certified Information Security Manager (CISM) certification, its benefits, and the process of obtaining it. He also emphasized verifying work experience, maintaining good relationships with previous employers, and achieving compliance in business operations. Lastly, Winton discussed aligning information security strategy with business objectives, the need for clear roles, accountability, and effective communication in security governance, and the process of developing a security strategy.
Next steps
• Winton to create a comprehensive study guide for the CISM exam, focusing on key concepts and practice questions.
• Attendees to consider pursuing the CISM certification if they have 3-5 years of experience in information security.
• Attendees to study for at least 2-3 months before taking the CISM exam, focusing on the official QAE database.
• Attendees interested in more information to connect with Winton on LinkedIn, mentioning they found him through the Safer Internet Project.
• Winton to prepare and deliver a session on Domain 2 of the CISM exam next week.
Summary
CISM Certification: Risk Assessment and Governance
Winton led a discussion on the Certified Information Security Manager (CISM) certification, emphasizing its importance as one of the Big 3 cybersecurity certifications. He shared his recent success in passing the exam and applying for the certification. Winton outlined the CISM's focus on risk assessment, effective governance, incident response, and strategic information security management. He also mentioned the inclusion of emerging technologies like AI and blockchain, alongside standard technologies.
CISM Certification Benefits and Preparation
Winton discussed the benefits of obtaining the CISM certification, including increased salary, career advancement, and recognition in the information security industry. He highlighted that the certification is globally accepted and recognized, and can be beneficial for mid to higher level roles. Winton shared his personal experience of studying for the exam, taking practice questions daily and weekly practice exams, and passing the exam within two months. He emphasized that the certification can provide confidence and a different perspective on the industry beyond purely technical roles.
Certification Process and Work Experience
Winton discussed the process of obtaining a certification, which requires passing an exam and proving employment and education requirements. He mentioned that the certification process involves four domains and requires at least three years of work experience. Winton also highlighted that a master's degree can waive two years of the requirement, while a bachelor's degree can waive one year. He emphasized the importance of discipline and energy in studying for the exam and suggested that pursuing a degree while working could help reduce the time needed for certification. Winton also mentioned that the certification process involves five certifications and that the program allows studying at one's own pace.
Verifying Work Experience for Career Advancement
Winton discussed the importance of verifying work experience and maintaining good relationships with previous employers for career development. He emphasized the value of hands-on skills, certifications, and work experience in career advancement. Winton shared his personal experience of how obtaining the CISM certification helped him stand out in a job application process and secure a new job. He also highlighted the difficulty of the CISM exam and its expert-level coverage across various domains in information security.
Exam Strategy and Study Guide
Winton discussed the four domains of the exam, with a focus on Domain 1, which covers information security governance and culture. He emphasized that this domain is only 17% of the exam, while the other three are more heavily weighted. Winton also mentioned that he will provide a strategy for preparing for the exam and a comprehensive study guide. He highlighted the importance of considering legal, regulatory, and contractual requirements, as well as strategic planning from a top-down perspective.
Compliance and Strategy in Business
Winton discussed the importance of achieving compliance in business operations, emphasizing the need to weigh the costs of compliance against potential penalties for noncompliance. He used the example of a SOC 2 report to illustrate how compliance can build trust with clients and other businesses. Winton also explained the top-down structure of organizational strategy, IT strategy, and information security strategy, highlighting the importance of considering both long-term and short-term impacts on the business. He introduced key terms such as governance, strategy management, enterprise governance, and information security governance, emphasizing their roles in setting direction and managing operations.
Cybersecurity Frameworks and Risk Assessment
Winton discussed common cybersecurity frameworks such as NIST SP 800-53, PCI DSS, COBIT, ISO 27001, and HIPAA. He then presented a practice question about resolving a disagreement between an information security manager and a business department manager regarding risk assessment results. Winton explained his approach to analyzing multiple-choice questions and concluded that the best solution is to review the risk assessment with executive management for final input. He emphasized the importance of understanding the reasoning behind the correct answer when studying for certification exams.
Risk Assessment and Organizational Culture
Winton emphasized the importance of thinking before acting, especially in high-pressure situations. He advised against creating new risk assessment options and instead suggested reviewing existing ones. Winton also highlighted the significance of understanding organizational culture and its influence on employee actions. He stressed the need to identify applicable legal, regulatory, and contractual requirements, define roles and responsibilities, and periodically review and update policies.
Aligning Security Strategy With Business Objectives
Winton discussed the importance of aligning information security strategy with business objectives. He emphasized the need for clear roles, accountability, and effective communication in security governance. Winton explained the process of developing a security strategy, including risk assessments, defining measurable objectives, and establishing governance structures. He also highlighted the importance of prioritizing initiatives, using frameworks like NIST CSF, and conducting gap analyses to identify discrepancies between current and desired security postures.