As a risk practitioner, I've become familiar with risk assessments and reporting on risk over the years. However, one challenge many of us experience is speaking the same language when defining risk. For example, some people call threats such as ransomware “risks,” and others call unpatched systems, which are technically vulnerabilities, “risks.” A risk is present when you introduce a threat, like malware, to a vulnerability.
Threat x Vulnerability = Risk
Additionally, when we discuss threats, how do we define them? Do we split them into two categories, external threats to my organization and internal threats to my organization? My colleagues and I frequently discuss this topic and debate the appropriate risk management strategy. Just when we believe we are making progress or think we understand “risk,” we become frustrated by the misunderstandings and differences of opinion in how threats, vulnerabilities, and risks are defined.
One of my goals in achieving the Certified in Risk and Information Systems Control (CRISC) credential was to learn a common body of knowledge on risk terminology, mainly focusing on the Risk Response and Reporting Domain, since that domain was my Achilles heel in 2019 when I first attempted the CRISC exam. Like many of you reading this blog, I appreciate metrics and numbers, so I will share my scores and provide commentary on my experience, from missing the mark by 19 points to topping the passing score of 450 by 72 points.
| Domain | 2019 | 2024 |
|---|---|---|
| Governance | 444 | 594 |
| IT Risk Assessment | 428 | 531 |
| Risk Response and Reporting | 373 | 486 |
| Information Technology and Security | 549 | 477 |
| Total Scaled Score | 431 (FAIL) | 522 (PASS) |
In December 2018, my employer hosted a boot camp for the Certified Information Systems Security Professional exam, which I passed. My 2019 score of 549 in the Information Technology and Security domain reflects my knowledge at the time. In 2024, my Information Technology and Security score dropped 72 points to 477, which still demonstrates my understanding*, but I believe my score decreased because my focus had shifted from the security area to the risk assessment and governance area in my cybersecurity consultant role in the healthcare industry.
Our new leadership intentionally identified the threats prevalent in our industry and focused on mitigating our organization's exposure to them. As any good coach says, we focus on the fundamentals, and we still track and monitor the corrective action plans identified by various assessments. We took a deeper dive when we prioritized items based on their impact on and probability to the organization. This reminds me of the adage, “If everything is a priority, nothing is a priority.” Organizations have limited resources in terms of personnel and budget, so focusing on the top risks became our mission.
As professionals, we learn about our organization’s workflows, technology, and culture through on-the-job training and from managers, mentors, and peers. Fortunately, my employer offers an annual training budget to learn from industry leaders such as ISACA. In 2022 and 2023, many of my colleagues were attaining their Certified Information Systems Auditor (CISA) and Certified Data Privacy Solutions Engineer (CDPSE) credentials from ISACA, as well as other industry certifications such as ISC2’s CISSP. Their wins inspired me to pursue the CRISC with a better strategy than I used in 2019. I used the following resources:
- ISACA CRISC Official Review Manual, 7th Edition
- ISACA CRISC Online Review Course
- CRISC Review Questions, Answers, Explanations database
- CRISC Exam Candidate Guide
Once or twice a week, for 30 to 60 minutes per session, a colleague and I met to review the quizzes or play the various card games available on the ISACA Online Study Guide module. This process helped us overcome biases in our daily thinking. We analyzed the question through our organizational lens or perspective, and when we selected the incorrect answer, we realized we were not thinking the “ISACA way.” Like the phrase “This Is the Way” in the television series The Mandalorian, the ISACA way embodies how ISACA exam writers believe organizational leadership should answer the various questions presented. This means you might need to discard how you would respond through your organization’s lens or way of thinking and reprogram your brain based on the ISACA study material.
Here are eight takeaways from my experience that helped me pass the CRISC on my second attempt:
- I opted to take the exam at a testing center rather than from home, since home would introduce too many distractions: family members, work, and door-to-door salespeople.
- I rescheduled twice. Do not be ashamed to admit you are not ready yet. Practice exams are the clearest indicator of whether you are ready or not. I scored 80% or greater on the practice exams and then focused on the questions I got wrong to prepare for the exam.
- I arrived 45 minutes early, so I did not feel rushed, and I reviewed my notes and study guides in my car while sipping a cup of coffee.
- For unfamiliar topics, like the balanced scorecard, I read all the ISACA resources multiple times related to a particular topic and watched YouTube videos to really lock in my understanding.
- I took my time on the exam and intentionally read each word in the question to distill what ISACA was really asking. Do not jump to conclusions too early – it could lead to a wrong answer.
- Separate the “signal from the noise,” meaning find the important words versus the embedded distraction words or phrases.
- I reviewed the test a second time and the questions I was unsure of at least three or four times. I found that I could correctly answer several questions based on my answers to other questions.
- I celebrated my achievement with a nice dinner with my family since their support and love were critical to my success.
As I stated in my LinkedIn post, the timeframe between my first attempt at the CRISC in 2019 and my second attempt in 2024 was five years. Many people have completed four years of military service, obtained a bachelor’s degree, married a loved one, had children, and accomplished amazing and life-changing goals and achievements during that time. My journey consisted of on-the-job training as a risk practitioner while soaking up knowledge from my mentors, peers, and industry best practices on how to properly identify, assess, and manage risk within our organization.
The ISACA CRISC materials will challenge your bias and help you mature as a risk practitioner. Best of luck to you all pursuing your CRISC and remember to think the ISACA Way!
Author’s note: Below is the ISACA interpretation of the scores and their guidance:
A score below 375 indicates that you did not demonstrate an understanding of this area and a substantial review is recommended.
A score between 375 and 450 indicates that you demonstrated an understanding of the area, but additional review is recommended.
A score above 450 indicates that you demonstrated an understanding of the area, and limited review is recommended.
About the author: Jim Lamadrid is a cybersecurity consultant specializing in risk management in the healthcare industry. Jim served for over 10 years as an FBI Special Agent focusing on Cyber investigations. He served 14 years in the U.S. Military and is currently deployed in Germany, supporting the conflict in Ukraine as a U.S. Navy Information Warfare Officer.