Career Watch: A certification for risk professionals

Q&A: Allan Boardman

The chair of ISACA's Credentialing Board talks about the organization's Certified in Risk and Information Systems Control certification.

What does a certification in risk and information systems control cover? CRISC is for professionals who have experience in developing effective controls to manage IT risk. They are the individuals in an enterprise who provide guidance to management on the impact of risk and its effect on business operations and the overall health of the enterprise. They are also responsible for communicating the risk to others throughout the business by establishing a common language for the enterprise.

CRISC, which is based on independent market research and the input of subject-matter experts around the world, is designed to help meet the rising demand for professionals who understand business risk and have the technical knowledge to help achieve effective controls. CRISC-certified professionals have the tools and knowledge to develop a common perspective and language for IT risk within an enterprise.

How does certifying help fill an IT skills gap? Certification provides the enterprise with the confidence that those holding certifications share a similar level of experience and knowledge. Certification can help hiring managers more quickly categorize job candidates by skill level, which is especially important in areas where there are skills gaps or high-growth areas with a large volume of job applicants, not all of whom are equally qualified.

The CRISC professional is able to provide value to an organization by providing insight from an overall organizational perspective on both IT risk and control. The CRISC certification is recognition of that skill and knowledge.

What sort of background is helpful for this type of certification? The CRISC credential is for those who are experienced in both risk and control. The areas of the job practice cover five domains: Risk identification, assessment and evaluation; risk response; risk monitoring; information systems control design and implementation; and IS control monitoring and maintenance.

Experience is required to become certified. Individuals need verified evidence of at least three years of work experience in three of the domains for risk management and IS control.

How might this training and certification help a person understand IT risk management as it applies to overall business process? The focus of the CRISC certification is on the IT risk professional gaining the tools and knowledge to evaluate the enterprise as a whole. Effective enterprise risk management requires an integrated and holistic approach. The first three domains that CRISC focuses on -- risk identification, assessment and evaluation; risk response; and risk monitoring -- provide the framework, from an organizational perspective, for managing and mitigating IT risk across business processes and technology. In addition, CRISC gives risk professionals a common language for communicating within IT and with the greater enterprise about risk. Based on the input from the CRISC professional, enterprises are then able to make effective risk-based decisions and prioritize efforts and resources to those areas that are most at risk.

Silicon Alley Surging

A study called "New Tech City" makes the case that New York is becoming an important hub of the digital economy. The report, from the Center for an Urban Future, notes that, while there is no way to know how many digital startups have been formed in the city, 486 that were founded in the past five years have received angel, seed or venture capital funding. The report's authors estimate that the actual number of technology startups is well above 1,000. Overall, Silicon Alley is still well behind Silicon Valley as a center of technology entrepreneurship, but New York has surpassed Boston as the No. 2 tech hub in the country.

One metric that shows the rise in prominence for technology in the city is employment growth, with IT growth outstripping the average for the city and many of its traditional economic mainstays. Similarly, a comparison of venture capital activity in New York and other U.S. technology centers offers a sense of the area's economic vitality.

New York Job Growth, 2007-12

IT vs. other sectors

  • IT: 28.7%
  • City average: 3.6%
  • Broadcasting: 0.4%
  • Securities industry: -5.9%
  • Legal services: -7%
  • Publishing: -15.8%
  • Manufacturing: -29.5%

Growth in Venture Capital Deals by Region,


  • New York: 32%
  • U.S. average: -11%
  • Silicon Valley -1%
  • Los Angeles/Orange County: -8%
  • New England: -14%
  • Texas: -17%
  • San Diego: -38%

Source: The Center for an Urban Future's "New Tech City" report, May 2012

Copyright © 2012 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon