Risk certification answers a clear demand


The magic of IT professionals historically rested in their mastery of hard skills, the skills that seem so out of reach to everyone outside the field. It's somewhat ironic that what the business world says the IT profession needs now are soft skills, such as how to handle relationships, politics, team dynamics and risk.

That the profession is embracing the need to understand risk is backed up by the 16,000 individuals who have signed up with ISACA since 2010 to be certified in risk and information control. Last week I talked with Shawna Flanders, productivity specialist at PSCU Financial Services and a member of ISACA's Certified in Risk and Information Systems Control (CRISC) committee. She explained that conducting a risk assessment is not necessarily something a typical IT education includes, which leaves well-educated IT pros lacking in some of the knowledge businesses deem imperative to the job.  

"I believe a lot of what's causing the widening in the skills gap is the difference between what's being taught in school and what businesses are looking for," Flanders told me. "Anybody in technology today does need to have very strong soft skills."

There is no area of IT that couldn't benefit from knowing how to assess risk, Flanders said, but application development teams and information security teams should be at the front of the line. Many companies today fail to include a serious risk assessment in technology assessments. "The business will come out, and usually as part of a business impact analysis or project requirement they'll ask what the risks are. That's usually a five-minute discussion, and it may or may not get addressed in the course of the project," she said.

Business analysts, project managers, CIOs and CISOs are good candidates for the training as well, in Flanders's view. She said she has seen enrollees from all industries, but those sending the greatest number of employees for the CRISC certification are technology services/consulting, financial services/banking and government/military.

The CRISC certification is a practitioner certification at its core, and it takes a broad view of information technology, Flanders said. "One of the beauties of this program is that we're looking at all of the major areas of IT," she said. "We're making sure the candidates that become CRISC have some general understanding of servers, telecommunications, project management, disaster recovery and more."

Although it's still very new, with just two exams under its belt so far, the risk and information control certification clearly is answering a big demand.

- Caron